Diffstat (limited to 'ssh-keygen.0')
-rw-r--r-- ssh-keygen.0 88
1 files changed, 80 insertions, 8 deletions
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index 515d9f94c..2db957554 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -15,12 +15,18 @@ SYNOPSIS
15 ssh-keygen -B [-f input_keyfile] 15 ssh-keygen -B [-f input_keyfile]
16 ssh-keygen -D reader 16 ssh-keygen -D reader
17 ssh-keygen -U reader [-f input_keyfile] 17 ssh-keygen -U reader [-f input_keyfile]
18 ssh-keygen -r hostname [-f input_keyfile] [-g]
19 ssh-keygen -G output_file [-b bits] [-M memory] [-S start_point]
20 ssh-keygen -T output_file -f input_file [-a num_trials] [-W generator]
18 21
19DESCRIPTION 22DESCRIPTION
20 ssh-keygen generates, manages and converts authentication keys for 23 ssh-keygen generates, manages and converts authentication keys for
21 ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 24 ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1
22 and RSA or DSA keys for use by SSH protocol version 2. The type of key to 25 and RSA or DSA keys for use by SSH protocol version 2. The type of key
23 be generated is specified with the -t option. 26 to be generated is specified with the -t option.
27
28 ssh-keygen is also used to generate groups for use in Diffie-Hellman
29 group exchange (DH-GEX). See the MODULI GENERATION section for details.
24 30
25 Normally each user wishing to use SSH with RSA or DSA authentication runs 31 Normally each user wishing to use SSH with RSA or DSA authentication runs
26 this once to create the authentication key in $HOME/.ssh/identity, 32 this once to create the authentication key in $HOME/.ssh/identity,
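Review bot: the new -T synopsis line (`ssh-keygen -T output_file -f input_file [-a num_trials] [-W generator]`) shows -f as mandatory, but the MODULI GENERATION text added later in this diff says -T reads candidates from standard input unless -f is given, so it should be bracketed as `[-f input_file]`. The argument names in the synopsis also disagree with the option list (`start_point` versus `-S start`, `num_trials` versus `-a trials`); pick one name for each and use it in both places.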
@@ -56,6 +62,10 @@ DESCRIPTION
56 62
57 The options are as follows: 63 The options are as follows:
58 64
65 -a trials
66 Specifies the number of primality tests to perform when screening
67 DH-GEX candidates using the -T command.
68
59 -b bits 69 -b bits
60 Specifies the number of bits in the key to create. Minimum is 70 Specifies the number of bits in the key to create. Minimum is
61 512 bits. Generally, 1024 bits is considered sufficient. The 71 512 bits. Generally, 1024 bits is considered sufficient. The
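Review bot: the -a entry should state the default, since the MODULI GENERATION section says each candidate is subjected to 100 primality tests unless -a overrides it; a reader of the option list otherwise has no idea what value they are changing. Suggest: `Specifies the number of primality tests to perform when screening DH-GEX candidates using the -T command (default 100).`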
@@ -71,6 +81,8 @@ DESCRIPTION
71 This option allows exporting keys for use by several commercial 81 This option allows exporting keys for use by several commercial
72 SSH implementations. 82 SSH implementations.
73 83
84 -g Use generic DNS resource record format.
85
74 -f filename 86 -f filename
75 Specifies the filename of the key file. 87 Specifies the filename of the key file.
76 88
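Review bot: the new -g entry is inserted between -e and -f, breaking the alphabetical order of the option list; move it after -f. The description should also say which command it applies to, since the flag only appears on the `-r hostname [-f input_keyfile] [-g]` synopsis line, e.g. `Use generic DNS resource record format when printing a record with -r.`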
@@ -108,15 +120,71 @@ DESCRIPTION
108 -D reader 120 -D reader
109 Download the RSA public key stored in the smartcard in reader. 121 Download the RSA public key stored in the smartcard in reader.
110 122
123 -G output_file
124 Generate candidate primes for DH-GEX. These primes must be
125 screened for safety (using the -T option) before use.
126
127 -M memory
128 Specify the amount of memory to use (in megabytes) when generat-
129 ing candidate moduli for DH-GEX.
130
111 -N new_passphrase 131 -N new_passphrase
112 Provides the new passphrase. 132 Provides the new passphrase.
113 133
114 -P passphrase 134 -P passphrase
115 Provides the (old) passphrase. 135 Provides the (old) passphrase.
116 136
137 -S start
138 Specify start point (in hex) when generating candidate moduli for
139 DH-GEX.
140
141 -T output_file
142 Test DH group exchange candidate primes (generated using the -G
143 option) for safety.
144
145 -W generator
146 Specify desired generator when testing candidate moduli for DH-
147 GEX.
148
117 -U reader 149 -U reader
118 Upload an existing RSA private key into the smartcard in reader. 150 Upload an existing RSA private key into the smartcard in reader.
119 151
152 -r hostname
153 Print DNS resource record with the specified hostname.
154
155MODULI GENERATION
156 ssh-keygen may be used to generate groups for the Diffie-Hellman Group
157 Exchange (DH-GEX) protocol. Generating these groups is a two-step pro-
158 cess: first, candidate primes are generated using a fast, but memory
159 intensive process. These candidate primes are then tested for suitabil-
160 ity (a CPU-intensive process).
161
162 Generation of primes is performed using the -G option. The desired
163 length of the primes may be specified by the -b option. For example:
164
165 ssh-keygen -G moduli-2048.candidates -b 2048
166
167 By default, the search for primes begins at a random point in the desired
168 length range. This may be overridden using the -S option, which speci-
169 fies a different start point (in hex).
170
171 Once a set of candidates have been generated, they must be tested for
172 suitability. This may be performed using the -T option. In this mode
173 ssh-keygen will read candidates from standard input (or a file specified
174 using the -f option). For example:
175
176 ssh-keygen -T moduli-2048 -f moduli-2048.candidates
177
178 By default, each candidate will be subjected to 100 primality tests.
179 This may be overridden using the -a option. The DH generator value will
180 be chosen automatically for the prime under consideration. If a specific
181 generator is desired, it may be requested using the -W option. Valid
182 generator values are 2, 3 and 5.
183
184 Screened DH groups may be installed in /etc/moduli. It is important that
185 this file contains moduli of a range of bit lengths and that both ends of
186 a connection share common moduli.
187
120FILES 188FILES
121 $HOME/.ssh/identity 189 $HOME/.ssh/identity
122 Contains the protocol version 1 RSA authentication identity of 190 Contains the protocol version 1 RSA authentication identity of
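Review bot: the MODULI GENERATION text says "Screened DH groups may be installed in /etc/moduli" but never states that only the -T output belongs there; since the -G entry says candidates must be screened before use, say so explicitly, e.g. `Only the output of -T, never the candidate file produced by -G, should be installed in /etc/moduli.` The -W entry is also placed before -U and the -r entry after it, breaking the order of the option list; move both into sequence. Minor: "Once a set of candidates have been generated" should read "has been generated".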
@@ -166,6 +234,16 @@ FILES
166 to log in using public key authentication. There is no need to 234 to log in using public key authentication. There is no need to
167 keep the contents of this file secret. 235 keep the contents of this file secret.
168 236
237 /etc/moduli
238 Contains Diffie-Hellman groups used for DH-GEX. The file format
239 is described in moduli(5).
240
241SEE ALSO
242 ssh(1), ssh-add(1), ssh-agent(1), moduli(5), sshd(8)
243
244 J. Galbraith and R. Thayer, SECSH Public Key File Format, draft-ietf-
245 secsh-publickeyfile-01.txt, March 2001, work in progress material.
246
169AUTHORS 247AUTHORS
170 OpenSSH is a derivative of the original and free ssh 1.2.12 release by 248 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
171 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo 249 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
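Review bot: the new /etc/moduli FILES entry and the new SEE ALSO line both point at moduli(5), which did not exist in this page before; confirm that a moduli(5) page is shipped in the same change, since this diff is limited to ssh-keygen.0 and cannot show it. Note also that the SEE ALSO block added here before AUTHORS is the same text removed after AUTHORS in the next hunk, so this change bundles a section move with the DH-GEX feature; that is fine, but the commit message should mention it.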
@@ -173,10 +251,4 @@ AUTHORS
173 ated OpenSSH. Markus Friedl contributed the support for SSH protocol 251 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
174 versions 1.5 and 2.0. 252 versions 1.5 and 2.0.
175 253
176SEE ALSO
177 ssh(1), ssh-add(1), ssh-agent(1), sshd(8)
178
179 J. Galbraith and R. Thayer, SECSH Public Key File Format, draft-ietf-
180 secsh-publickeyfile-01.txt, March 2001, work in progress material.
181
182BSD September 25, 1999 BSD 254BSD September 25, 1999 BSD
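Review bot: the footer still reads `September 25, 1999` although the page now documents three new commands, seven new options and a new MODULI GENERATION section; the date should be bumped in the ssh-keygen.1 source this preformatted page is generated from and the page regenerated. The removed SEE ALSO block itself is identical to the one added before AUTHORS in the previous hunk, so nothing is lost here.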