| field | value | date |
|---|---|---|
| author | Colin Watson <cjwatson@debian.org> | 2017-10-04 11:23:58 +0100 |
| committer | Colin Watson <cjwatson@debian.org> | 2017-10-04 11:23:58 +0100 |
| commit | 62f54f20bf351468e0124f63cc2902ee40d9b0e9 (patch) | |
| tree | 3e090f2711b94ca5029d3fa3e8047b1ed1448b1f /ssh-keygen.1 | |
| parent | 6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874 (diff) | |
| parent | 66bf74a92131b7effe49fb0eefe5225151869dc5 (diff) | |
Import openssh_7.6p1.orig.tar.gz
Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- | ssh-keygen.1 | 120 |
1 files changed, 70 insertions, 50 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index ce2213c78..5f1ec09b0 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keygen.1,v 1.133 2016/06/16 06:10:45 jmc Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.144 2017/07/08 18:32:54 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -35,7 +35,7 @@ | |||
35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
37 | .\" | 37 | .\" |
38 | .Dd $Mdocdate: June 16 2016 $ | 38 | .Dd $Mdocdate: July 8 2017 $ |
39 | .Dt SSH-KEYGEN 1 | 39 | .Dt SSH-KEYGEN 1 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -46,7 +46,7 @@ | |||
46 | .Nm ssh-keygen | 46 | .Nm ssh-keygen |
47 | .Op Fl q | 47 | .Op Fl q |
48 | .Op Fl b Ar bits | 48 | .Op Fl b Ar bits |
49 | .Op Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1 | 49 | .Op Fl t Cm dsa | ecdsa | ed25519 | rsa |
50 | .Op Fl N Ar new_passphrase | 50 | .Op Fl N Ar new_passphrase |
51 | .Op Fl C Ar comment | 51 | .Op Fl C Ar comment |
52 | .Op Fl f Ar output_keyfile | 52 | .Op Fl f Ar output_keyfile |
@@ -114,6 +114,8 @@ | |||
114 | .Fl s Ar ca_key | 114 | .Fl s Ar ca_key |
115 | .Fl I Ar certificate_identity | 115 | .Fl I Ar certificate_identity |
116 | .Op Fl h | 116 | .Op Fl h |
117 | .Op Fl U | ||
118 | .Op Fl D Ar pkcs11_provider | ||
117 | .Op Fl n Ar principals | 119 | .Op Fl n Ar principals |
118 | .Op Fl O Ar option | 120 | .Op Fl O Ar option |
119 | .Op Fl V Ar validity_interval | 121 | .Op Fl V Ar validity_interval |
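Review bot: the synopsis at 117-118 presents `-U` and `-D pkcs11_provider` as two independent optional flags on the `-s ca_key` form, while the later `-U` description and the CERTIFICATES examples in this same patch treat them as alternative locations for the CA private key (an agent versus a PKCS#11 token). Consider stating that they are mutually exclusive, or which one takes precedence, so the synopsis does not suggest that `-U -D provider` is a meaningful combination.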
@@ -124,6 +126,7 @@ | |||
124 | .Op Fl f Ar input_keyfile | 126 | .Op Fl f Ar input_keyfile |
125 | .Nm ssh-keygen | 127 | .Nm ssh-keygen |
126 | .Fl A | 128 | .Fl A |
129 | .Op Fl f Ar prefix_path | ||
127 | .Nm ssh-keygen | 130 | .Nm ssh-keygen |
128 | .Fl k | 131 | .Fl k |
129 | .Fl f Ar krl_file | 132 | .Fl f Ar krl_file |
@@ -141,18 +144,14 @@ | |||
141 | generates, manages and converts authentication keys for | 144 | generates, manages and converts authentication keys for |
142 | .Xr ssh 1 . | 145 | .Xr ssh 1 . |
143 | .Nm | 146 | .Nm |
144 | can create keys for use by SSH protocol versions 1 and 2. | 147 | can create keys for use by SSH protocol version 2. |
145 | Protocol 1 should not be used | ||
146 | and is only offered to support legacy devices. | ||
147 | It suffers from a number of cryptographic weaknesses | ||
148 | and doesn't support many of the advanced features available for protocol 2. | ||
149 | .Pp | 148 | .Pp |
150 | The type of key to be generated is specified with the | 149 | The type of key to be generated is specified with the |
151 | .Fl t | 150 | .Fl t |
152 | option. | 151 | option. |
153 | If invoked without any arguments, | 152 | If invoked without any arguments, |
154 | .Nm | 153 | .Nm |
155 | will generate an RSA key for use in SSH protocol 2 connections. | 154 | will generate an RSA key. |
156 | .Pp | 155 | .Pp |
157 | .Nm | 156 | .Nm |
158 | is also used to generate groups for use in Diffie-Hellman group | 157 | is also used to generate groups for use in Diffie-Hellman group |
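Review bot: the paragraph removed at 145-148 was the only place that told the reader protocol 1 should not be used; now that `rsa1` is gone from `-t` as well, a user with an existing `~/.ssh/identity` gets no hint why that key type can no longer be generated or read. One sentence after line 147, along the lines of "Protocol version 1 (RSA1) keys are no longer supported.", would keep that signal without reviving the old warning text.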
@@ -172,7 +171,6 @@ section for details. | |||
172 | Normally each user wishing to use SSH | 171 | Normally each user wishing to use SSH |
173 | with public key authentication runs this once to create the authentication | 172 | with public key authentication runs this once to create the authentication |
174 | key in | 173 | key in |
175 | .Pa ~/.ssh/identity , | ||
176 | .Pa ~/.ssh/id_dsa , | 174 | .Pa ~/.ssh/id_dsa , |
177 | .Pa ~/.ssh/id_ecdsa , | 175 | .Pa ~/.ssh/id_ecdsa , |
178 | .Pa ~/.ssh/id_ed25519 | 176 | .Pa ~/.ssh/id_ed25519 |
@@ -207,7 +205,7 @@ There is no way to recover a lost passphrase. | |||
207 | If the passphrase is lost or forgotten, a new key must be generated | 205 | If the passphrase is lost or forgotten, a new key must be generated |
208 | and the corresponding public key copied to other machines. | 206 | and the corresponding public key copied to other machines. |
209 | .Pp | 207 | .Pp |
210 | For RSA1 keys and keys stored in the newer OpenSSH format, | 208 | For keys stored in the newer OpenSSH format, |
211 | there is also a comment field in the key file that is only for | 209 | there is also a comment field in the key file that is only for |
212 | convenience to the user to help identify the key. | 210 | convenience to the user to help identify the key. |
213 | The comment can tell what the key is for, or whatever is useful. | 211 | The comment can tell what the key is for, or whatever is useful. |
@@ -223,24 +221,26 @@ should be placed to be activated. | |||
223 | The options are as follows: | 221 | The options are as follows: |
224 | .Bl -tag -width Ds | 222 | .Bl -tag -width Ds |
225 | .It Fl A | 223 | .It Fl A |
226 | For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) | 224 | For each of the key types (rsa, dsa, ecdsa and ed25519) |
227 | for which host keys | 225 | for which host keys |
228 | do not exist, generate the host keys with the default key file path, | 226 | do not exist, generate the host keys with the default key file path, |
229 | an empty passphrase, default bits for the key type, and default comment. | 227 | an empty passphrase, default bits for the key type, and default comment. |
228 | If | ||
229 | .Fl f | ||
230 | has also been specified, its argument is used as a prefix to the | ||
231 | default path for the resulting host key files. | ||
230 | This is used by | 232 | This is used by |
231 | .Pa /etc/rc | 233 | .Pa /etc/rc |
232 | to generate new host keys. | 234 | to generate new host keys. |
233 | .It Fl a Ar rounds | 235 | .It Fl a Ar rounds |
234 | When saving a new-format private key (i.e. an ed25519 key or any SSH protocol | 236 | When saving a new-format private key (i.e. an ed25519 key or when the |
235 | 2 key when the | ||
236 | .Fl o | 237 | .Fl o |
237 | flag is set), this option specifies the number of KDF (key derivation function) | 238 | flag is set), this option specifies the number of KDF (key derivation function) |
238 | rounds used. | 239 | rounds used. |
239 | Higher numbers result in slower passphrase verification and increased | 240 | Higher numbers result in slower passphrase verification and increased |
240 | resistance to brute-force password cracking (should the keys be stolen). | 241 | resistance to brute-force password cracking (should the keys be stolen). |
241 | .Pp | 242 | .Pp |
242 | When screening DH-GEX candidates ( | 243 | When screening DH-GEX candidates (using the |
243 | using the | ||
244 | .Fl T | 244 | .Fl T |
245 | command). | 245 | command). |
246 | This option specifies the number of primality tests to perform. | 246 | This option specifies the number of primality tests to perform. |
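Review bot: the new `-A`/`-f` text at 228-231 says the argument "is used as a prefix to the default path", which leaves it ambiguous whether `-f /some/dir` replaces the default directory or is literally prepended to the absolute default path (so that `-f /chroot` would yield `/chroot/etc/ssh/ssh_host_..._key`); a single example invocation under `-A` would settle it. Separately, the rewrapped sentence at 243-246 is still a fragment: "When screening DH-GEX candidates (using the -T command)." ends before its verb. Joining it as "When screening DH-GEX candidates (using the -T command), this option specifies the number of primality tests to perform." reads correctly.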
@@ -264,7 +264,7 @@ flag will be ignored. | |||
264 | Provides a new comment. | 264 | Provides a new comment. |
265 | .It Fl c | 265 | .It Fl c |
266 | Requests changing the comment in the private and public key files. | 266 | Requests changing the comment in the private and public key files. |
267 | This operation is only supported for RSA1 keys and keys stored in the | 267 | This operation is only supported for keys stored in the |
268 | newer OpenSSH format. | 268 | newer OpenSSH format. |
269 | The program will prompt for the file containing the private keys, for | 269 | The program will prompt for the file containing the private keys, for |
270 | the passphrase if the key has one, and for the new comment. | 270 | the passphrase if the key has one, and for the new comment. |
@@ -384,7 +384,6 @@ section. | |||
384 | Prints the contents of one or more certificates. | 384 | Prints the contents of one or more certificates. |
385 | .It Fl l | 385 | .It Fl l |
386 | Show fingerprint of specified public key file. | 386 | Show fingerprint of specified public key file. |
387 | Private RSA1 keys are also supported. | ||
388 | For RSA and DSA keys | 387 | For RSA and DSA keys |
389 | .Nm | 388 | .Nm |
390 | tries to find the matching public key file and prints its fingerprint. | 389 | tries to find the matching public key file and prints its fingerprint. |
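Review bot: with the RSA1 sentence at 387 dropped, the remaining "For RSA and DSA keys ssh-keygen tries to find the matching public key file and prints its fingerprint" at 387-389 now reads as if `-l` on an ECDSA or Ed25519 private key does not look for the `.pub` file. If the lookup applies to every key type, the "RSA and DSA" qualifier should go; if it really is limited to those two, the behaviour for the other types should be stated alongside it.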
@@ -423,51 +422,81 @@ section for details. | |||
423 | .It Fl O Ar option | 422 | .It Fl O Ar option |
424 | Specify a certificate option when signing a key. | 423 | Specify a certificate option when signing a key. |
425 | This option may be specified multiple times. | 424 | This option may be specified multiple times. |
426 | Please see the | 425 | See also the |
427 | .Sx CERTIFICATES | 426 | .Sx CERTIFICATES |
428 | section for details. | 427 | section for further details. |
429 | The options that are valid for user certificates are: | 428 | The options that are valid for user certificates are: |
430 | .Bl -tag -width Ds | 429 | .Pp |
430 | .Bl -tag -width Ds -compact | ||
431 | .It Ic clear | 431 | .It Ic clear |
432 | Clear all enabled permissions. | 432 | Clear all enabled permissions. |
433 | This is useful for clearing the default set of permissions so permissions may | 433 | This is useful for clearing the default set of permissions so permissions may |
434 | be added individually. | 434 | be added individually. |
435 | .Pp | ||
436 | .It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents | ||
437 | .It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents | ||
438 | Includes an arbitrary certificate critical option or extension. | ||
439 | The specified | ||
440 | .Ar name | ||
441 | should include a domain suffix, e.g.\& | ||
442 | .Dq name@example.com . | ||
443 | If | ||
444 | .Ar contents | ||
445 | is specified then it is included as the contents of the extension/option | ||
446 | encoded as a string, otherwise the extension/option is created with no | ||
447 | contents (usually indicating a flag). | ||
448 | Extensions may be ignored by a client or server that does not recognise them, | ||
449 | whereas unknown critical options will cause the certificate to be refused. | ||
450 | .Pp | ||
451 | At present, no standard options are valid for host keys. | ||
452 | .Pp | ||
435 | .It Ic force-command Ns = Ns Ar command | 453 | .It Ic force-command Ns = Ns Ar command |
436 | Forces the execution of | 454 | Forces the execution of |
437 | .Ar command | 455 | .Ar command |
438 | instead of any shell or command specified by the user when | 456 | instead of any shell or command specified by the user when |
439 | the certificate is used for authentication. | 457 | the certificate is used for authentication. |
458 | .Pp | ||
440 | .It Ic no-agent-forwarding | 459 | .It Ic no-agent-forwarding |
441 | Disable | 460 | Disable |
442 | .Xr ssh-agent 1 | 461 | .Xr ssh-agent 1 |
443 | forwarding (permitted by default). | 462 | forwarding (permitted by default). |
463 | .Pp | ||
444 | .It Ic no-port-forwarding | 464 | .It Ic no-port-forwarding |
445 | Disable port forwarding (permitted by default). | 465 | Disable port forwarding (permitted by default). |
466 | .Pp | ||
446 | .It Ic no-pty | 467 | .It Ic no-pty |
447 | Disable PTY allocation (permitted by default). | 468 | Disable PTY allocation (permitted by default). |
469 | .Pp | ||
448 | .It Ic no-user-rc | 470 | .It Ic no-user-rc |
449 | Disable execution of | 471 | Disable execution of |
450 | .Pa ~/.ssh/rc | 472 | .Pa ~/.ssh/rc |
451 | by | 473 | by |
452 | .Xr sshd 8 | 474 | .Xr sshd 8 |
453 | (permitted by default). | 475 | (permitted by default). |
476 | .Pp | ||
454 | .It Ic no-x11-forwarding | 477 | .It Ic no-x11-forwarding |
455 | Disable X11 forwarding (permitted by default). | 478 | Disable X11 forwarding (permitted by default). |
479 | .Pp | ||
456 | .It Ic permit-agent-forwarding | 480 | .It Ic permit-agent-forwarding |
457 | Allows | 481 | Allows |
458 | .Xr ssh-agent 1 | 482 | .Xr ssh-agent 1 |
459 | forwarding. | 483 | forwarding. |
484 | .Pp | ||
460 | .It Ic permit-port-forwarding | 485 | .It Ic permit-port-forwarding |
461 | Allows port forwarding. | 486 | Allows port forwarding. |
487 | .Pp | ||
462 | .It Ic permit-pty | 488 | .It Ic permit-pty |
463 | Allows PTY allocation. | 489 | Allows PTY allocation. |
490 | .Pp | ||
464 | .It Ic permit-user-rc | 491 | .It Ic permit-user-rc |
465 | Allows execution of | 492 | Allows execution of |
466 | .Pa ~/.ssh/rc | 493 | .Pa ~/.ssh/rc |
467 | by | 494 | by |
468 | .Xr sshd 8 . | 495 | .Xr sshd 8 . |
496 | .Pp | ||
469 | .It Ic permit-x11-forwarding | 497 | .It Ic permit-x11-forwarding |
470 | Allows X11 forwarding. | 498 | Allows X11 forwarding. |
499 | .Pp | ||
471 | .It Ic source-address Ns = Ns Ar address_list | 500 | .It Ic source-address Ns = Ns Ar address_list |
472 | Restrict the source addresses from which the certificate is considered valid. | 501 | Restrict the source addresses from which the certificate is considered valid. |
473 | The | 502 | The |
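Review bot: the sentence "At present, no standard options are valid for host keys." at 451 has moved from after `.El` (where it applied to the whole `-O` list) into the `-compact` list, between the `critical:`/`extension:` entry and `force-command`; in mdoc, text before the next `.It` belongs to the preceding item, so it now renders as the tail of the `extension:` description and is easily read as a remark about custom extensions only. Move it back after the closing `.El`, or fold it into the lead-in at 428 ("The options that are valid for user certificates are:"), and keep the useful distinction at 448-449 that unrecognised extensions are ignored while unknown critical options cause the certificate to be refused.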
@@ -475,8 +504,6 @@ The | |||
475 | is a comma-separated list of one or more address/netmask pairs in CIDR | 504 | is a comma-separated list of one or more address/netmask pairs in CIDR |
476 | format. | 505 | format. |
477 | .El | 506 | .El |
478 | .Pp | ||
479 | At present, no options are valid for host keys. | ||
480 | .It Fl o | 507 | .It Fl o |
481 | Causes | 508 | Causes |
482 | .Nm | 509 | .Nm |
@@ -530,17 +557,22 @@ section for details. | |||
530 | Test DH group exchange candidate primes (generated using the | 557 | Test DH group exchange candidate primes (generated using the |
531 | .Fl G | 558 | .Fl G |
532 | option) for safety. | 559 | option) for safety. |
533 | .It Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1 | 560 | .It Fl t Cm dsa | ecdsa | ed25519 | rsa |
534 | Specifies the type of key to create. | 561 | Specifies the type of key to create. |
535 | The possible values are | 562 | The possible values are |
536 | .Dq rsa1 | ||
537 | for protocol version 1 and | ||
538 | .Dq dsa , | 563 | .Dq dsa , |
539 | .Dq ecdsa , | 564 | .Dq ecdsa , |
540 | .Dq ed25519 , | 565 | .Dq ed25519 , |
541 | or | 566 | or |
542 | .Dq rsa | 567 | .Dq rsa . |
543 | for protocol version 2. | 568 | .It Fl U |
569 | When used in combination with | ||
570 | .Fl s , | ||
571 | this option indicates that a CA key resides in a | ||
572 | .Xr ssh-agent 1 . | ||
573 | See the | ||
574 | .Sx CERTIFICATES | ||
575 | section for more information. | ||
544 | .It Fl u | 576 | .It Fl u |
545 | Update a KRL. | 577 | Update a KRL. |
546 | When specified with | 578 | When specified with |
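Review bot: the `-U` description at 568-575 says only that the CA key "resides in a ssh-agent"; the practical requirement, stated in this patch only in the CERTIFICATES example (the CA key must be identified by its public half, i.e. `-s ca_key.pub`), belongs here too, since a reader scanning the option list will otherwise not know which form `-s` expects when `-U` is given. Also, "in a ssh-agent" should read "in an ssh-agent".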
@@ -688,6 +720,14 @@ to | |||
688 | .Pp | 720 | .Pp |
689 | .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub | 721 | .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub |
690 | .Pp | 722 | .Pp |
723 | Similarly, it is possible for the CA key to be hosted in a | ||
724 | .Xr ssh-agent 1 . | ||
725 | This is indicated by the | ||
726 | .Fl U | ||
727 | flag and, again, the CA key must be identified by its public half. | ||
728 | .Pp | ||
729 | .Dl $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub | ||
730 | .Pp | ||
691 | In all cases, | 731 | In all cases, |
692 | .Ar key_id | 732 | .Ar key_id |
693 | is a "key identifier" that is logged by the server when the certificate | 733 | is a "key identifier" that is logged by the server when the certificate |
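Review bot: the example at 729 clusters the flags as `-Us ca_key.pub`, which relies on the reader knowing that `-U` takes no argument while `-s` does; the PKCS#11 example at 721 spells its flags out (`-s ca_key.pub -D libpkcs11.so`), so `-U -s ca_key.pub -I key_id user_key.pub` would be consistent with it and clearer.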
@@ -795,31 +835,11 @@ will exit with a non-zero exit status. | |||
795 | A zero exit status will only be returned if no key was revoked. | 835 | A zero exit status will only be returned if no key was revoked. |
796 | .Sh FILES | 836 | .Sh FILES |
797 | .Bl -tag -width Ds -compact | 837 | .Bl -tag -width Ds -compact |
798 | .It Pa ~/.ssh/identity | ||
799 | Contains the protocol version 1 RSA authentication identity of the user. | ||
800 | This file should not be readable by anyone but the user. | ||
801 | It is possible to | ||
802 | specify a passphrase when generating the key; that passphrase will be | ||
803 | used to encrypt the private part of this file using 3DES. | ||
804 | This file is not automatically accessed by | ||
805 | .Nm | ||
806 | but it is offered as the default file for the private key. | ||
807 | .Xr ssh 1 | ||
808 | will read this file when a login attempt is made. | ||
809 | .Pp | ||
810 | .It Pa ~/.ssh/identity.pub | ||
811 | Contains the protocol version 1 RSA public key for authentication. | ||
812 | The contents of this file should be added to | ||
813 | .Pa ~/.ssh/authorized_keys | ||
814 | on all machines | ||
815 | where the user wishes to log in using RSA authentication. | ||
816 | There is no need to keep the contents of this file secret. | ||
817 | .Pp | ||
818 | .It Pa ~/.ssh/id_dsa | 838 | .It Pa ~/.ssh/id_dsa |
819 | .It Pa ~/.ssh/id_ecdsa | 839 | .It Pa ~/.ssh/id_ecdsa |
820 | .It Pa ~/.ssh/id_ed25519 | 840 | .It Pa ~/.ssh/id_ed25519 |
821 | .It Pa ~/.ssh/id_rsa | 841 | .It Pa ~/.ssh/id_rsa |
822 | Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA | 842 | Contains the DSA, ECDSA, Ed25519 or RSA |
823 | authentication identity of the user. | 843 | authentication identity of the user. |
824 | This file should not be readable by anyone but the user. | 844 | This file should not be readable by anyone but the user. |
825 | It is possible to | 845 | It is possible to |
@@ -835,7 +855,7 @@ will read this file when a login attempt is made. | |||
835 | .It Pa ~/.ssh/id_ecdsa.pub | 855 | .It Pa ~/.ssh/id_ecdsa.pub |
836 | .It Pa ~/.ssh/id_ed25519.pub | 856 | .It Pa ~/.ssh/id_ed25519.pub |
837 | .It Pa ~/.ssh/id_rsa.pub | 857 | .It Pa ~/.ssh/id_rsa.pub |
838 | Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA | 858 | Contains the DSA, ECDSA, Ed25519 or RSA |
839 | public key for authentication. | 859 | public key for authentication. |
840 | The contents of this file should be added to | 860 | The contents of this file should be added to |
841 | .Pa ~/.ssh/authorized_keys | 861 | .Pa ~/.ssh/authorized_keys |