Diffstat (limited to 'ssh-keygen.0')
-rw-r--r--  ssh-keygen.0  76
1 files changed, 45 insertions, 31 deletions
diff --git a/ssh-keygen.0 b/ssh-keygen.0 index 906a338c4..1fe19f0b6 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 | |||
@@ -6,7 +6,9 @@ NAME | |||
6 | SYNOPSIS | 6 | SYNOPSIS |
7 | ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa] | 7 | ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa] |
8 | [-N new_passphrase] [-C comment] [-f output_keyfile] | 8 | [-N new_passphrase] [-C comment] [-f output_keyfile] |
9 | [-m format] | ||
9 | ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] | 10 | ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] |
11 | [-m format] | ||
10 | ssh-keygen -i [-m key_format] [-f input_keyfile] | 12 | ssh-keygen -i [-m key_format] [-f input_keyfile] |
11 | ssh-keygen -e [-m key_format] [-f input_keyfile] | 13 | ssh-keygen -e [-m key_format] [-f input_keyfile] |
12 | ssh-keygen -y [-f input_keyfile] | 14 | ssh-keygen -y [-f input_keyfile] |
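Review bot: the two added synopsis lines name the argument `[-m format]` while the unchanged -i and -e forms directly below them, and the option entry itself (`-m key_format`), use `key_format`; use the same placeholder on the new generation and -p lines so the synopsis matches the option description.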
@@ -68,11 +70,17 @@ DESCRIPTION | |||
68 | or forgotten, a new key must be generated and the corresponding public | 70 | or forgotten, a new key must be generated and the corresponding public |
69 | key copied to other machines. | 71 | key copied to other machines. |
70 | 72 | ||
71 | For keys stored in the newer OpenSSH format, there is also a comment | 73 | ssh-keygen will by default write keys in an OpenSSH-specific format. |
72 | field in the key file that is only for convenience to the user to help | 74 | This format is preferred as it offers better protection for keys at rest |
73 | identify the key. The comment can tell what the key is for, or whatever | 75 | as well as allowing storage of key comments within the private key file |
74 | is useful. The comment is initialized to M-bM-^@M-^\user@hostM-bM-^@M-^] when the key is | 76 | itself. The key comment may be useful to help identify the key. The |
75 | created, but can be changed using the -c option. | 77 | comment is initialized to M-bM-^@M-^\user@hostM-bM-^@M-^] when the key is created, but can be |
78 | changed using the -c option. | ||
79 | |||
80 | It is still possible for ssh-keygen to write the previously-used PEM | ||
81 | format private keys using the -m flag. This may be used when generating | ||
82 | new keys, and existing new-format keys may be converted using this option | ||
83 | in conjunction with the -p (change passphrase) flag. | ||
76 | 84 | ||
77 | After a key is generated, instructions below detail where the keys should | 85 | After a key is generated, instructions below detail where the keys should |
78 | be placed to be activated. | 86 | be placed to be activated. |
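Review bot: the new PEM paragraph says the `-m` flag can write "the previously-used PEM format private keys" and that existing keys can be converted with `-p`, but it does not say what the conversion gives up; since the paragraph just above credits the OpenSSH format with better protection for keys at rest and with carrying the comment inside the private key file, state here that a key written or converted to PEM gets neither, so readers do not treat the conversion as cost-free. The phrase itself also reads awkwardly; "write private keys in the previously-used PEM format" is clearer.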
@@ -119,10 +127,10 @@ DESCRIPTION | |||
119 | new comment. | 127 | new comment. |
120 | 128 | ||
121 | -D pkcs11 | 129 | -D pkcs11 |
122 | Download the RSA public keys provided by the PKCS#11 shared | 130 | Download the public keys provided by the PKCS#11 shared library |
123 | library pkcs11. When used in combination with -s, this option | 131 | pkcs11. When used in combination with -s, this option indicates |
124 | indicates that a CA key resides in a PKCS#11 token (see the | 132 | that a CA key resides in a PKCS#11 token (see the CERTIFICATES |
125 | CERTIFICATES section for details). | 133 | section for details). |
126 | 134 | ||
127 | -E fingerprint_hash | 135 | -E fingerprint_hash |
128 | Specifies the hash algorithm used when displaying key | 136 | Specifies the hash algorithm used when displaying key |
@@ -130,16 +138,17 @@ DESCRIPTION | |||
130 | default is M-bM-^@M-^\sha256M-bM-^@M-^]. | 138 | default is M-bM-^@M-^\sha256M-bM-^@M-^]. |
131 | 139 | ||
132 | -e This option will read a private or public OpenSSH key file and | 140 | -e This option will read a private or public OpenSSH key file and |
133 | print to stdout the key in one of the formats specified by the -m | 141 | print to stdout a public key in one of the formats specified by |
134 | option. The default export format is M-bM-^@M-^\RFC4716M-bM-^@M-^]. This option | 142 | the -m option. The default export format is M-bM-^@M-^\RFC4716M-bM-^@M-^]. This |
135 | allows exporting OpenSSH keys for use by other programs, | 143 | option allows exporting OpenSSH keys for use by other programs, |
136 | including several commercial SSH implementations. | 144 | including several commercial SSH implementations. |
137 | 145 | ||
138 | -F hostname | 146 | -F hostname | [hostname]:port |
139 | Search for the specified hostname in a known_hosts file, listing | 147 | Search for the specified hostname (with optional port number) in |
140 | any occurrences found. This option is useful to find hashed host | 148 | a known_hosts file, listing any occurrences found. This option |
141 | names or addresses and may also be used in conjunction with the | 149 | is useful to find hashed host names or addresses and may also be |
142 | -H option to print found keys in a hashed format. | 150 | used in conjunction with the -H option to print found keys in a |
151 | hashed format. | ||
143 | 152 | ||
144 | -f filename | 153 | -f filename |
145 | Specifies the filename of the key file. | 154 | Specifies the filename of the key file. |
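Review bot: the -e text now says it prints "a public key in one of the formats specified by the -m option" while still opening with "read a private or public OpenSSH key file"; make explicit that when a private key file is given only its public half is exported, so readers do not expect -e to convert a private key (the -m/-p text elsewhere in this change is the route for that). For -F, the new `[hostname]:port` form should say that the bracketed spelling is the one matched in known_hosts, since `hostname:port` without brackets is a natural but different thing to type.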
@@ -206,13 +215,16 @@ DESCRIPTION | |||
206 | generating candidate moduli for DH-GEX. | 215 | generating candidate moduli for DH-GEX. |
207 | 216 | ||
208 | -m key_format | 217 | -m key_format |
209 | Specify a key format for the -i (import) or -e (export) | 218 | Specify a key format for key generation, the -i (import), -e |
210 | conversion options. The supported key formats are: M-bM-^@M-^\RFC4716M-bM-^@M-^] | 219 | (export) conversion options, and the -p change passphrase |
211 | (RFC 4716/SSH2 public or private key), M-bM-^@M-^\PKCS8M-bM-^@M-^] (PEM PKCS8 public | 220 | operation. The latter may be used to convert between OpenSSH |
212 | key) or M-bM-^@M-^\PEMM-bM-^@M-^] (PEM public key). The default conversion format is | 221 | private key and PEM private key formats. The supported key |
213 | M-bM-^@M-^\RFC4716M-bM-^@M-^]. Setting a format of M-bM-^@M-^\PEMM-bM-^@M-^] when generating or updating | 222 | formats are: M-bM-^@M-^\RFC4716M-bM-^@M-^] (RFC 4716/SSH2 public or private key), |
214 | a supported private key type will cause the key to be stored in | 223 | M-bM-^@M-^\PKCS8M-bM-^@M-^] (PEM PKCS8 public key) or M-bM-^@M-^\PEMM-bM-^@M-^] (PEM public key). The |
215 | the legacy PEM private key format. | 224 | default conversion format is M-bM-^@M-^\RFC4716M-bM-^@M-^]. Setting a format of |
225 | M-bM-^@M-^\PEMM-bM-^@M-^] when generating or updating a supported private key type | ||
226 | will cause the key to be stored in the legacy PEM private key | ||
227 | format. | ||
216 | 228 | ||
217 | -N new_passphrase | 229 | -N new_passphrase |
218 | Provides the new passphrase. | 230 | Provides the new passphrase. |
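Review bot: the supported-formats list still labels `PKCS8` as "PEM PKCS8 public key" and `PEM` as "PEM public key", yet the last sentence of the same paragraph says setting `PEM` when generating or updating a supported private key type stores it in the legacy PEM private key format; the `PEM` entry at least should read "PEM public or private key", matching the wording used for `RFC4716`. Minor: "the -p change passphrase operation" should be parenthesised like the other two, "-p (change passphrase)".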
@@ -301,10 +313,10 @@ DESCRIPTION | |||
301 | 313 | ||
302 | -q Silence ssh-keygen. | 314 | -q Silence ssh-keygen. |
303 | 315 | ||
304 | -R hostname | 316 | -R hostname | [hostname]:port |
305 | Removes all keys belonging to hostname from a known_hosts file. | 317 | Removes all keys belonging to the specified hostname (with |
306 | This option is useful to delete hashed hosts (see the -H option | 318 | optional port number) from a known_hosts file. This option is |
307 | above). | 319 | useful to delete hashed hosts (see the -H option above). |
308 | 320 | ||
309 | -r hostname | 321 | -r hostname |
310 | Print the SSHFP fingerprint resource record named hostname for | 322 | Print the SSHFP fingerprint resource record named hostname for |
@@ -378,8 +390,10 @@ DESCRIPTION | |||
378 | 390 | ||
379 | -z serial_number | 391 | -z serial_number |
380 | Specifies a serial number to be embedded in the certificate to | 392 | Specifies a serial number to be embedded in the certificate to |
381 | distinguish this certificate from others from the same CA. The | 393 | distinguish this certificate from others from the same CA. If |
382 | default serial number is zero. | 394 | the serial_number is prefixed with a M-bM-^@M-^X+M-bM-^@M-^Y character, then the |
395 | serial number will be incremented for each certificate signed on | ||
396 | a single command-line. The default serial number is zero. | ||
383 | 397 | ||
384 | When generating a KRL, the -z flag is used to specify a KRL | 398 | When generating a KRL, the -z flag is used to specify a KRL |
385 | version number. | 399 | version number. |
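Review bot: the new `+` prefix text does not say which serial the first certificate receives, i.e. whether `-z +5` signs the first key with 5 and the next with 6, or starts at 6; state the starting value explicitly. It would also help to say what happens without the prefix when several keys are signed in one invocation, which the text implies is that all of them share the single given serial (zero by default) and are therefore not distinguishable by serial, the case the increment exists to avoid.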
@@ -582,4 +596,4 @@ AUTHORS | |||
582 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 596 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
583 | versions 1.5 and 2.0. | 597 | versions 1.5 and 2.0. |
584 | 598 | ||
585 | OpenBSD 6.4 September 12, 2018 OpenBSD 6.4 | 599 | OpenBSD 6.5 March 5, 2019 OpenBSD 6.5 |