Diffstat (limited to 'ssh-keygen.0')
-rw-r--r-- | ssh-keygen.0 | 88 |
1 files changed, 80 insertions, 8 deletions
diff --git a/ssh-keygen.0 b/ssh-keygen.0 index 515d9f94c..2db957554 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 | |||
@@ -15,12 +15,18 @@ SYNOPSIS | |||
15 | ssh-keygen -B [-f input_keyfile] | 15 | ssh-keygen -B [-f input_keyfile] |
16 | ssh-keygen -D reader | 16 | ssh-keygen -D reader |
17 | ssh-keygen -U reader [-f input_keyfile] | 17 | ssh-keygen -U reader [-f input_keyfile] |
18 | ssh-keygen -r hostname [-f input_keyfile] [-g] | ||
19 | ssh-keygen -G output_file [-b bits] [-M memory] [-S start_point] | ||
20 | ssh-keygen -T output_file -f input_file [-a num_trials] [-W generator] | ||
18 | 21 | ||
19 | DESCRIPTION | 22 | DESCRIPTION |
20 | ssh-keygen generates, manages and converts authentication keys for | 23 | ssh-keygen generates, manages and converts authentication keys for |
21 | ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 | 24 | ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 |
22 | and RSA or DSA keys for use by SSH protocol version 2. The type of key to | 25 | and RSA or DSA keys for use by SSH protocol version 2. The type of key |
23 | be generated is specified with the -t option. | 26 | to be generated is specified with the -t option. |
27 | |||
28 | ssh-keygen is also used to generate groups for use in Diffie-Hellman | ||
29 | group exchange (DH-GEX). See the MODULI GENERATION section for details. | ||
24 | 30 | ||
25 | Normally each user wishing to use SSH with RSA or DSA authentication runs | 31 | Normally each user wishing to use SSH with RSA or DSA authentication runs |
26 | this once to create the authentication key in $HOME/.ssh/identity, | 32 | this once to create the authentication key in $HOME/.ssh/identity, |
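Review bot: the new -T synopsis line at 20 makes -f input_file mandatory, but the MODULI GENERATION text added later in this patch says -T reads candidates from standard input unless a file is given with -f, so the synopsis should read `ssh-keygen -T output_file [-f input_file] [-a num_trials] [-W generator]`. The same line names the argument `num_trials` while the option entry added below calls it `trials`; pick one spelling so the synopsis and the option list agree.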
@@ -56,6 +62,10 @@ DESCRIPTION | |||
56 | 62 | ||
57 | The options are as follows: | 63 | The options are as follows: |
58 | 64 | ||
65 | -a trials | ||
66 | Specifies the number of primality tests to perform when screening | ||
67 | DH-GEX candidates using the -T command. | ||
68 | |||
59 | -b bits | 69 | -b bits |
60 | Specifies the number of bits in the key to create. Minimum is | 70 | Specifies the number of bits in the key to create. Minimum is |
61 | 512 bits. Generally, 1024 bits is considered sufficient. The | 71 | 512 bits. Generally, 1024 bits is considered sufficient. The |
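Review bot: the -a trials entry at 65-67 omits the default, which the MODULI GENERATION section states as 100 primality tests; say "(default 100)" here so a reader of the option list does not have to find it elsewhere. The unchanged -b entry at 69-71 also now has a second meaning that the patch relies on (the length of candidate primes when used with -G, per the new synopsis line and the `-G moduli-2048.candidates -b 2048` example), but it still only describes key size with a 512-bit minimum; add a sentence covering the -G case.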
@@ -71,6 +81,8 @@ DESCRIPTION | |||
71 | This option allows exporting keys for use by several commercial | 81 | This option allows exporting keys for use by several commercial |
72 | SSH implementations. | 82 | SSH implementations. |
73 | 83 | ||
84 | -g Use generic DNS resource record format. | ||
85 | |||
74 | -f filename | 86 | -f filename |
75 | Specifies the filename of the key file. | 87 | Specifies the filename of the key file. |
76 | 88 | ||
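Review bot: the -g entry at 84 is inserted before -f, breaking the alphabetical order the rest of the option list follows; move it after the -f filename entry. The one-line description should also say that it is a modifier for -r, which is the only mode the new synopsis line `ssh-keygen -r hostname [-f input_keyfile] [-g]` allows it in, otherwise the reader has no way to tell which command it affects.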
@@ -108,15 +120,71 @@ DESCRIPTION | |||
108 | -D reader | 120 | -D reader |
109 | Download the RSA public key stored in the smartcard in reader. | 121 | Download the RSA public key stored in the smartcard in reader. |
110 | 122 | ||
123 | -G output_file | ||
124 | Generate candidate primes for DH-GEX. These primes must be | ||
125 | screened for safety (using the -T option) before use. | ||
126 | |||
127 | -M memory | ||
128 | Specify the amount of memory to use (in megabytes) when generat- | ||
129 | ing candidate moduli for DH-GEX. | ||
130 | |||
111 | -N new_passphrase | 131 | -N new_passphrase |
112 | Provides the new passphrase. | 132 | Provides the new passphrase. |
113 | 133 | ||
114 | -P passphrase | 134 | -P passphrase |
115 | Provides the (old) passphrase. | 135 | Provides the (old) passphrase. |
116 | 136 | ||
137 | -S start | ||
138 | Specify start point (in hex) when generating candidate moduli for | ||
139 | DH-GEX. | ||
140 | |||
141 | -T output_file | ||
142 | Test DH group exchange candidate primes (generated using the -G | ||
143 | option) for safety. | ||
144 | |||
145 | -W generator | ||
146 | Specify desired generator when testing candidate moduli for DH- | ||
147 | GEX. | ||
148 | |||
117 | -U reader | 149 | -U reader |
118 | Upload an existing RSA private key into the smartcard in reader. | 150 | Upload an existing RSA private key into the smartcard in reader. |
119 | 151 | ||
152 | -r hostname | ||
153 | Print DNS resource record with the specified hostname. | ||
154 | |||
155 | MODULI GENERATION | ||
156 | ssh-keygen may be used to generate groups for the Diffie-Hellman Group | ||
157 | Exchange (DH-GEX) protocol. Generating these groups is a two-step pro- | ||
158 | cess: first, candidate primes are generated using a fast, but memory | ||
159 | intensive process. These candidate primes are then tested for suitabil- | ||
160 | ity (a CPU-intensive process). | ||
161 | |||
162 | Generation of primes is performed using the -G option. The desired | ||
163 | length of the primes may be specified by the -b option. For example: | ||
164 | |||
165 | ssh-keygen -G moduli-2048.candidates -b 2048 | ||
166 | |||
167 | By default, the search for primes begins at a random point in the desired | ||
168 | length range. This may be overridden using the -S option, which speci- | ||
169 | fies a different start point (in hex). | ||
170 | |||
171 | Once a set of candidates have been generated, they must be tested for | ||
172 | suitability. This may be performed using the -T option. In this mode | ||
173 | ssh-keygen will read candidates from standard input (or a file specified | ||
174 | using the -f option). For example: | ||
175 | |||
176 | ssh-keygen -T moduli-2048 -f moduli-2048.candidates | ||
177 | |||
178 | By default, each candidate will be subjected to 100 primality tests. | ||
179 | This may be overridden using the -a option. The DH generator value will | ||
180 | be chosen automatically for the prime under consideration. If a specific | ||
181 | generator is desired, it may be requested using the -W option. Valid | ||
182 | generator values are 2, 3 and 5. | ||
183 | |||
184 | Screened DH groups may be installed in /etc/moduli. It is important that | ||
185 | this file contains moduli of a range of bit lengths and that both ends of | ||
186 | a connection share common moduli. | ||
187 | |||
120 | FILES | 188 | FILES |
121 | $HOME/.ssh/identity | 189 | $HOME/.ssh/identity |
122 | Contains the protocol version 1 RSA authentication identity of | 190 | Contains the protocol version 1 RSA authentication identity of |
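Review bot: the -T entry at 141-143 does not mention that candidates are read from standard input unless -f is given, and the -W entry at 145-147 does not list the valid generator values; both facts appear only in the MODULI GENERATION prose below (lines 173-174 and 181-182), so repeat them in the option entries, e.g. "Valid values are 2, 3 and 5." under -W. The -M entry gives no default, unlike -S whose random default is explained at 167-169; if there is one it belongs here. Ordering is also off: -S, -T and -W are inserted before -U, and the new -r entry lands after -U, so the uppercase options no longer sort cleanly.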
@@ -166,6 +234,16 @@ FILES | |||
166 | to log in using public key authentication. There is no need to | 234 | to log in using public key authentication. There is no need to |
167 | keep the contents of this file secret. | 235 | keep the contents of this file secret. |
168 | 236 | ||
237 | /etc/moduli | ||
238 | Contains Diffie-Hellman groups used for DH-GEX. The file format | ||
239 | is described in moduli(5). | ||
240 | |||
241 | SEE ALSO | ||
242 | ssh(1), ssh-add(1), ssh-agent(1), moduli(5), sshd(8) | ||
243 | |||
244 | J. Galbraith and R. Thayer, SECSH Public Key File Format, draft-ietf- | ||
245 | secsh-publickeyfile-01.txt, March 2001, work in progress material. | ||
246 | |||
169 | AUTHORS | 247 | AUTHORS |
170 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by | 248 | OpenSSH is a derivative of the original and free ssh 1.2.12 release by |
171 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo | 249 | Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo |
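Review bot: the new /etc/moduli FILES entry at 237-239 points the reader to moduli(5) for the file format, but the MODULI GENERATION paragraph that tells the user to install screened groups in /etc/moduli (184-186) carries no such cross-reference; add "see moduli(5)" there too, since that is where a user will actually be looking when they want to know what the screened output must look like. Moving SEE ALSO ahead of AUTHORS and adding moduli(5) to it is fine.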
@@ -173,10 +251,4 @@ AUTHORS | |||
173 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol | 251 | ated OpenSSH. Markus Friedl contributed the support for SSH protocol |
174 | versions 1.5 and 2.0. | 252 | versions 1.5 and 2.0. |
175 | 253 | ||
176 | SEE ALSO | ||
177 | ssh(1), ssh-add(1), ssh-agent(1), sshd(8) | ||
178 | |||
179 | J. Galbraith and R. Thayer, SECSH Public Key File Format, draft-ietf- | ||
180 | secsh-publickeyfile-01.txt, March 2001, work in progress material. | ||
181 | |||
182 | BSD September 25, 1999 BSD | 254 | BSD September 25, 1999 BSD |
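Review bot: this hunk only removes the old SEE ALSO block that hunk 5 re-creates, so it is consistent, but the footer at 182/254 still carries the date September 25, 1999 even though the patch adds an entire MODULI GENERATION section and eight new options; update the date in the ssh-keygen.1 source so the regenerated .0 reflects when the page was last revised.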