Diffstat (limited to 'ssh-keygen.0')
-rw-r--r-- ssh-keygen.0 76
1 files changed, 45 insertions, 31 deletions
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index 906a338c4..1fe19f0b6 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -6,7 +6,9 @@ NAME
6SYNOPSIS 6SYNOPSIS
7 ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa] 7 ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]
8 [-N new_passphrase] [-C comment] [-f output_keyfile] 8 [-N new_passphrase] [-C comment] [-f output_keyfile]
9 [-m format]
9 ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] 10 ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
11 [-m format]
10 ssh-keygen -i [-m key_format] [-f input_keyfile] 12 ssh-keygen -i [-m key_format] [-f input_keyfile]
11 ssh-keygen -e [-m key_format] [-f input_keyfile] 13 ssh-keygen -e [-m key_format] [-f input_keyfile]
12 ssh-keygen -y [-f input_keyfile] 14 ssh-keygen -y [-f input_keyfile]
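Review bot: The two added synopsis lines name the argument "[-m format]", while the unchanged -i and -e lines in the same hunk use "[-m key_format]" for the same option. Use one placeholder throughout, preferably key_format to match the option's own entry, so readers do not assume key generation and -p accept a different set of values than the conversion modes.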
@@ -68,11 +70,17 @@ DESCRIPTION
68 or forgotten, a new key must be generated and the corresponding public 70 or forgotten, a new key must be generated and the corresponding public
69 key copied to other machines. 71 key copied to other machines.
70 72
71 For keys stored in the newer OpenSSH format, there is also a comment 73 ssh-keygen will by default write keys in an OpenSSH-specific format.
72 field in the key file that is only for convenience to the user to help 74 This format is preferred as it offers better protection for keys at rest
73 identify the key. The comment can tell what the key is for, or whatever 75 as well as allowing storage of key comments within the private key file
74 is useful. The comment is initialized to M-bM-^@M-^\user@hostM-bM-^@M-^] when the key is 76 itself. The key comment may be useful to help identify the key. The
75 created, but can be changed using the -c option. 77 comment is initialized to M-bM-^@M-^\user@hostM-bM-^@M-^] when the key is created, but can be
78 changed using the -c option.
79
80 It is still possible for ssh-keygen to write the previously-used PEM
81 format private keys using the -m flag. This may be used when generating
82 new keys, and existing new-format keys may be converted using this option
83 in conjunction with the -p (change passphrase) flag.
76 84
77 After a key is generated, instructions below detail where the keys should 85 After a key is generated, instructions below detail where the keys should
78 be placed to be activated. 86 be placed to be activated.
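Review bot: The new paragraph at new lines 80-83 says PEM private keys can still be written "using the -m flag" but never gives the value to pass. Name it explicitly (the -m entry uses the format name "PEM"). Since the paragraph just above recommends the OpenSSH format because it "offers better protection for keys at rest", this paragraph should also say that writing or converting to PEM gives that protection up, so the trade-off is visible where the option is introduced.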
@@ -119,10 +127,10 @@ DESCRIPTION
119 new comment. 127 new comment.
120 128
121 -D pkcs11 129 -D pkcs11
122 Download the RSA public keys provided by the PKCS#11 shared 130 Download the public keys provided by the PKCS#11 shared library
123 library pkcs11. When used in combination with -s, this option 131 pkcs11. When used in combination with -s, this option indicates
124 indicates that a CA key resides in a PKCS#11 token (see the 132 that a CA key resides in a PKCS#11 token (see the CERTIFICATES
125 CERTIFICATES section for details). 133 section for details).
126 134
127 -E fingerprint_hash 135 -E fingerprint_hash
128 Specifies the hash algorithm used when displaying key 136 Specifies the hash algorithm used when displaying key
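Review bot: In the -D entry, dropping "RSA" from "Download the RSA public keys" leaves the text silent on which key types are read from the PKCS#11 library. If the set is now wider than RSA, list the supported types so a reader knows what to expect from a token. The rest of the hunk is a reflow and needs no change.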
@@ -130,16 +138,17 @@ DESCRIPTION
130 default is M-bM-^@M-^\sha256M-bM-^@M-^]. 138 default is M-bM-^@M-^\sha256M-bM-^@M-^].
131 139
132 -e This option will read a private or public OpenSSH key file and 140 -e This option will read a private or public OpenSSH key file and
133 print to stdout the key in one of the formats specified by the -m 141 print to stdout a public key in one of the formats specified by
134 option. The default export format is M-bM-^@M-^\RFC4716M-bM-^@M-^]. This option 142 the -m option. The default export format is M-bM-^@M-^\RFC4716M-bM-^@M-^]. This
135 allows exporting OpenSSH keys for use by other programs, 143 option allows exporting OpenSSH keys for use by other programs,
136 including several commercial SSH implementations. 144 including several commercial SSH implementations.
137 145
138 -F hostname 146 -F hostname | [hostname]:port
139 Search for the specified hostname in a known_hosts file, listing 147 Search for the specified hostname (with optional port number) in
140 any occurrences found. This option is useful to find hashed host 148 a known_hosts file, listing any occurrences found. This option
141 names or addresses and may also be used in conjunction with the 149 is useful to find hashed host names or addresses and may also be
142 -H option to print found keys in a hashed format. 150 used in conjunction with the -H option to print found keys in a
151 hashed format.
143 152
144 -f filename 153 -f filename
145 Specifies the filename of the key file. 154 Specifies the filename of the key file.
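Review bot: In the -F entry, "[hostname]:port" uses square brackets as literal characters, whereas in the SYNOPSIS of this same page brackets mark an optional argument. Add a sentence stating that the brackets are typed as written, and say whether a search for a bare hostname also lists entries stored with a port. The -e change to "a public key" is clear as worded.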
@@ -206,13 +215,16 @@ DESCRIPTION
206 generating candidate moduli for DH-GEX. 215 generating candidate moduli for DH-GEX.
207 216
208 -m key_format 217 -m key_format
209 Specify a key format for the -i (import) or -e (export) 218 Specify a key format for key generation, the -i (import), -e
210 conversion options. The supported key formats are: M-bM-^@M-^\RFC4716M-bM-^@M-^] 219 (export) conversion options, and the -p change passphrase
211 (RFC 4716/SSH2 public or private key), M-bM-^@M-^\PKCS8M-bM-^@M-^] (PEM PKCS8 public 220 operation. The latter may be used to convert between OpenSSH
212 key) or M-bM-^@M-^\PEMM-bM-^@M-^] (PEM public key). The default conversion format is 221 private key and PEM private key formats. The supported key
213 M-bM-^@M-^\RFC4716M-bM-^@M-^]. Setting a format of M-bM-^@M-^\PEMM-bM-^@M-^] when generating or updating 222 formats are: M-bM-^@M-^\RFC4716M-bM-^@M-^] (RFC 4716/SSH2 public or private key),
214 a supported private key type will cause the key to be stored in 223 M-bM-^@M-^\PKCS8M-bM-^@M-^] (PEM PKCS8 public key) or M-bM-^@M-^\PEMM-bM-^@M-^] (PEM public key). The
215 the legacy PEM private key format. 224 default conversion format is M-bM-^@M-^\RFC4716M-bM-^@M-^]. Setting a format of
225 M-bM-^@M-^\PEMM-bM-^@M-^] when generating or updating a supported private key type
226 will cause the key to be stored in the legacy PEM private key
227 format.
216 228
217 -N new_passphrase 229 -N new_passphrase
218 Provides the new passphrase. 230 Provides the new passphrase.
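Review bot: The format list in the -m entry was reflowed but not updated: it still describes "PEM" as "PEM public key" and "PKCS8" as "PEM PKCS8 public key", and "RFC4716" as "public or private key", although the rewritten opening now applies -m to private key generation and to -p, and the -e entry now exports only a public key. Bring the descriptions in line with the new scope. The text also promises conversion "between OpenSSH private key and PEM private key formats" but lists no value that selects the OpenSSH format, so state how a PEM key is converted back.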
@@ -301,10 +313,10 @@ DESCRIPTION
301 313
302 -q Silence ssh-keygen. 314 -q Silence ssh-keygen.
303 315
304 -R hostname 316 -R hostname | [hostname]:port
305 Removes all keys belonging to hostname from a known_hosts file. 317 Removes all keys belonging to the specified hostname (with
306 This option is useful to delete hashed hosts (see the -H option 318 optional port number) from a known_hosts file. This option is
307 above). 319 useful to delete hashed hosts (see the -H option above).
308 320
309 -r hostname 321 -r hostname
310 Print the SSHFP fingerprint resource record named hostname for 322 Print the SSHFP fingerprint resource record named hostname for
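Review bot: The -R entry deletes entries, so its matching rule needs to be exact, and the new wording does not say whether a bare hostname also removes entries stored as "[hostname]:port" or only those without a port. State which it is, and note, as for -F, that the square brackets are literal here rather than the optional-argument notation used elsewhere on the page.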
@@ -378,8 +390,10 @@ DESCRIPTION
378 390
379 -z serial_number 391 -z serial_number
380 Specifies a serial number to be embedded in the certificate to 392 Specifies a serial number to be embedded in the certificate to
381 distinguish this certificate from others from the same CA. The 393 distinguish this certificate from others from the same CA. If
382 default serial number is zero. 394 the serial_number is prefixed with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the
395 serial number will be incremented for each certificate signed on
396 a single command-line. The default serial number is zero.
383 397
384 When generating a KRL, the -z flag is used to specify a KRL 398 When generating a KRL, the -z flag is used to specify a KRL
385 version number. 399 version number.
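Review bot: The added sentence on the "+" prefix in the -z entry does not say which serial the first certificate receives, the given number or the given number plus one. Spell that out, since serial numbers are what distinguish certificates from the same CA. Consider also moving "The default serial number is zero." ahead of the "+" sentence so it reads as the default for -z as a whole.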
@@ -582,4 +596,4 @@ AUTHORS
582 created OpenSSH. Markus Friedl contributed the support for SSH protocol 596 created OpenSSH. Markus Friedl contributed the support for SSH protocol
583 versions 1.5 and 2.0. 597 versions 1.5 and 2.0.
584 598
585OpenBSD 6.4 September 12, 2018 OpenBSD 6.4 599OpenBSD 6.5 March 5, 2019 OpenBSD 6.5