Diffstat (limited to 'ssh-keygen.0')
-rw-r--r-- | ssh-keygen.0 | 161 |
1 files changed, 82 insertions, 79 deletions
diff --git a/ssh-keygen.0 b/ssh-keygen.0 index 569297da4..fb2c02fe7 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 | |||
@@ -4,7 +4,7 @@ NAME | |||
4 | ssh-keygen M-bM-^@M-^S authentication key generation, management and conversion | 4 | ssh-keygen M-bM-^@M-^S authentication key generation, management and conversion |
5 | 5 | ||
6 | SYNOPSIS | 6 | SYNOPSIS |
7 | ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] | 7 | ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa] |
8 | [-N new_passphrase] [-C comment] [-f output_keyfile] | 8 | [-N new_passphrase] [-C comment] [-f output_keyfile] |
9 | ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] | 9 | ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] |
10 | ssh-keygen -i [-m key_format] [-f input_keyfile] | 10 | ssh-keygen -i [-m key_format] [-f input_keyfile] |
@@ -21,24 +21,21 @@ SYNOPSIS | |||
21 | ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point] | 21 | ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point] |
22 | ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines] | 22 | ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines] |
23 | [-j start_line] [-K checkpt] [-W generator] | 23 | [-j start_line] [-K checkpt] [-W generator] |
24 | ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals] | 24 | ssh-keygen -s ca_key -I certificate_identity [-h] [-U] |
25 | [-O option] [-V validity_interval] [-z serial_number] file ... | 25 | [-D pkcs11_provider] [-n principals] [-O option] |
26 | [-V validity_interval] [-z serial_number] file ... | ||
26 | ssh-keygen -L [-f input_keyfile] | 27 | ssh-keygen -L [-f input_keyfile] |
27 | ssh-keygen -A | 28 | ssh-keygen -A [-f prefix_path] |
28 | ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] | 29 | ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] |
29 | file ... | 30 | file ... |
30 | ssh-keygen -Q -f krl_file file ... | 31 | ssh-keygen -Q -f krl_file file ... |
31 | 32 | ||
32 | DESCRIPTION | 33 | DESCRIPTION |
33 | ssh-keygen generates, manages and converts authentication keys for | 34 | ssh-keygen generates, manages and converts authentication keys for |
34 | ssh(1). ssh-keygen can create keys for use by SSH protocol versions 1 | 35 | ssh(1). ssh-keygen can create keys for use by SSH protocol version 2. |
35 | and 2. Protocol 1 should not be used and is only offered to support | ||
36 | legacy devices. It suffers from a number of cryptographic weaknesses and | ||
37 | doesn't support many of the advanced features available for protocol 2. | ||
38 | 36 | ||
39 | The type of key to be generated is specified with the -t option. If | 37 | The type of key to be generated is specified with the -t option. If |
40 | invoked without any arguments, ssh-keygen will generate an RSA key for | 38 | invoked without any arguments, ssh-keygen will generate an RSA key. |
41 | use in SSH protocol 2 connections. | ||
42 | 39 | ||
43 | ssh-keygen is also used to generate groups for use in Diffie-Hellman | 40 | ssh-keygen is also used to generate groups for use in Diffie-Hellman |
44 | group exchange (DH-GEX). See the MODULI GENERATION section for details. | 41 | group exchange (DH-GEX). See the MODULI GENERATION section for details. |
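Review bot: the `-s` synopsis names the new argument `pkcs11_provider` (`[-D pkcs11_provider]`) while the option entry in a later hunk of this same diff is headed `-D pkcs11`; use one spelling in both places so a reader can match the synopsis to the option description. The rest of this hunk is consistent with itself: dropping the protocol 1 warning goes with the `rsa1` removal from `-t`, and `-A [-f prefix_path]` matches the prefix behaviour the `-A` entry describes.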
@@ -48,10 +45,10 @@ DESCRIPTION | |||
48 | KEY REVOCATION LISTS section for details. | 45 | KEY REVOCATION LISTS section for details. |
49 | 46 | ||
50 | Normally each user wishing to use SSH with public key authentication runs | 47 | Normally each user wishing to use SSH with public key authentication runs |
51 | this once to create the authentication key in ~/.ssh/identity, | 48 | this once to create the authentication key in ~/.ssh/id_dsa, |
52 | ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 or ~/.ssh/id_rsa. | 49 | ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 or ~/.ssh/id_rsa. Additionally, the |
53 | Additionally, the system administrator may use this to generate host | 50 | system administrator may use this to generate host keys, as seen in |
54 | keys, as seen in /etc/rc. | 51 | /etc/rc. |
55 | 52 | ||
56 | Normally this program generates the key and asks for a file in which to | 53 | Normally this program generates the key and asks for a file in which to |
57 | store the private key. The public key is stored in a file with the same | 54 | store the private key. The public key is stored in a file with the same |
@@ -71,32 +68,33 @@ DESCRIPTION | |||
71 | or forgotten, a new key must be generated and the corresponding public | 68 | or forgotten, a new key must be generated and the corresponding public |
72 | key copied to other machines. | 69 | key copied to other machines. |
73 | 70 | ||
74 | For RSA1 keys and keys stored in the newer OpenSSH format, there is also | 71 | For keys stored in the newer OpenSSH format, there is also a comment |
75 | a comment field in the key file that is only for convenience to the user | 72 | field in the key file that is only for convenience to the user to help |
76 | to help identify the key. The comment can tell what the key is for, or | 73 | identify the key. The comment can tell what the key is for, or whatever |
77 | whatever is useful. The comment is initialized to M-bM-^@M-^\user@hostM-bM-^@M-^] when the | 74 | is useful. The comment is initialized to M-bM-^@M-^\user@hostM-bM-^@M-^] when the key is |
78 | key is created, but can be changed using the -c option. | 75 | created, but can be changed using the -c option. |
79 | 76 | ||
80 | After a key is generated, instructions below detail where the keys should | 77 | After a key is generated, instructions below detail where the keys should |
81 | be placed to be activated. | 78 | be placed to be activated. |
82 | 79 | ||
83 | The options are as follows: | 80 | The options are as follows: |
84 | 81 | ||
85 | -A For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for | 82 | -A For each of the key types (rsa, dsa, ecdsa and ed25519) for which |
86 | which host keys do not exist, generate the host keys with the | 83 | host keys do not exist, generate the host keys with the default |
87 | default key file path, an empty passphrase, default bits for the | 84 | key file path, an empty passphrase, default bits for the key |
88 | key type, and default comment. This is used by /etc/rc to | 85 | type, and default comment. If -f has also been specified, its |
89 | generate new host keys. | 86 | argument is used as a prefix to the default path for the |
87 | resulting host key files. This is used by /etc/rc to generate | ||
88 | new host keys. | ||
90 | 89 | ||
91 | -a rounds | 90 | -a rounds |
92 | When saving a new-format private key (i.e. an ed25519 key or any | 91 | When saving a new-format private key (i.e. an ed25519 key or when |
93 | SSH protocol 2 key when the -o flag is set), this option | 92 | the -o flag is set), this option specifies the number of KDF (key |
94 | specifies the number of KDF (key derivation function) rounds | 93 | derivation function) rounds used. Higher numbers result in |
95 | used. Higher numbers result in slower passphrase verification | 94 | slower passphrase verification and increased resistance to brute- |
96 | and increased resistance to brute-force password cracking (should | 95 | force password cracking (should the keys be stolen). |
97 | the keys be stolen). | 96 | |
98 | 97 | When screening DH-GEX candidates (using the -T command). This | |
99 | When screening DH-GEX candidates ( using the -T command). This | ||
100 | option specifies the number of primality tests to perform. | 98 | option specifies the number of primality tests to perform. |
101 | 99 | ||
102 | -B Show the bubblebabble digest of specified private or public key | 100 | -B Show the bubblebabble digest of specified private or public key |
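Review bot: the `-a rounds` entry still carries the sentence fragment "When screening DH-GEX candidates (using the -T command)."; only the stray space inside the parentheses was fixed. Suggest joining it with the sentence that follows: "When screening DH-GEX candidates (using the -T command), this option specifies the number of primality tests to perform." The same entry also never states the default number of KDF rounds, which a reader needs in order to judge whether raising it is worthwhile, since the rounds are the knob that slows offline guessing of a stolen key's passphrase.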
@@ -117,10 +115,10 @@ DESCRIPTION | |||
117 | Provides a new comment. | 115 | Provides a new comment. |
118 | 116 | ||
119 | -c Requests changing the comment in the private and public key | 117 | -c Requests changing the comment in the private and public key |
120 | files. This operation is only supported for RSA1 keys and keys | 118 | files. This operation is only supported for keys stored in the |
121 | stored in the newer OpenSSH format. The program will prompt for | 119 | newer OpenSSH format. The program will prompt for the file |
122 | the file containing the private keys, for the passphrase if the | 120 | containing the private keys, for the passphrase if the key has |
123 | key has one, and for the new comment. | 121 | one, and for the new comment. |
124 | 122 | ||
125 | -D pkcs11 | 123 | -D pkcs11 |
126 | Download the RSA public keys provided by the PKCS#11 shared | 124 | Download the RSA public keys provided by the PKCS#11 shared |
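Review bot: the `-D pkcs11` entry still describes only downloading public keys from the PKCS#11 provider, but the synopsis and the CERTIFICATES example in this same diff use `-D` together with `-s` to sign with a CA key held by the provider. Add a sentence here saying that, when combined with `-s`, the provider supplies the CA private key and the `-s` argument is the CA public half (the example is `-s ca_key.pub -D libpkcs11.so`), so the option's two roles are both documented where the reader looks for them.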
@@ -200,11 +198,10 @@ DESCRIPTION | |||
200 | 198 | ||
201 | -L Prints the contents of one or more certificates. | 199 | -L Prints the contents of one or more certificates. |
202 | 200 | ||
203 | -l Show fingerprint of specified public key file. Private RSA1 keys | 201 | -l Show fingerprint of specified public key file. For RSA and DSA |
204 | are also supported. For RSA and DSA keys ssh-keygen tries to | 202 | keys ssh-keygen tries to find the matching public key file and |
205 | find the matching public key file and prints its fingerprint. If | 203 | prints its fingerprint. If combined with -v, a visual ASCII art |
206 | combined with -v, a visual ASCII art representation of the key is | 204 | representation of the key is supplied with the fingerprint. |
207 | supplied with the fingerprint. | ||
208 | 205 | ||
209 | -M memory | 206 | -M memory |
210 | Specify the amount of memory to use (in megabytes) when | 207 | Specify the amount of memory to use (in megabytes) when |
@@ -228,14 +225,29 @@ DESCRIPTION | |||
228 | 225 | ||
229 | -O option | 226 | -O option |
230 | Specify a certificate option when signing a key. This option may | 227 | Specify a certificate option when signing a key. This option may |
231 | be specified multiple times. Please see the CERTIFICATES section | 228 | be specified multiple times. See also the CERTIFICATES section |
232 | for details. The options that are valid for user certificates | 229 | for further details. The options that are valid for user |
233 | are: | 230 | certificates are: |
234 | 231 | ||
235 | clear Clear all enabled permissions. This is useful for | 232 | clear Clear all enabled permissions. This is useful for |
236 | clearing the default set of permissions so permissions | 233 | clearing the default set of permissions so permissions |
237 | may be added individually. | 234 | may be added individually. |
238 | 235 | ||
236 | critical:name[=contents] | ||
237 | extension:name[=contents] | ||
238 | Includes an arbitrary certificate critical option or | ||
239 | extension. The specified name should include a domain | ||
240 | suffix, e.g. M-bM-^@M-^\name@example.comM-bM-^@M-^]. If contents is | ||
241 | specified then it is included as the contents of the | ||
242 | extension/option encoded as a string, otherwise the | ||
243 | extension/option is created with no contents (usually | ||
244 | indicating a flag). Extensions may be ignored by a | ||
245 | client or server that does not recognise them, whereas | ||
246 | unknown critical options will cause the certificate to be | ||
247 | refused. | ||
248 | |||
249 | At present, no standard options are valid for host keys. | ||
250 | |||
239 | force-command=command | 251 | force-command=command |
240 | Forces the execution of command instead of any shell or | 252 | Forces the execution of command instead of any shell or |
241 | command specified by the user when the certificate is | 253 | command specified by the user when the certificate is |
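Review bot: the new `critical:`/`extension:` text explains the failure mode (an unknown extension is ignored, an unknown critical option causes the certificate to be refused) but not how to choose between the two; one sentence stating that a restriction the issuer relies on for access control belongs in a critical option, so that a server that does not understand it refuses the certificate instead of silently dropping the restriction, would turn the description into usable guidance. Also, "At present, no standard options are valid for host keys." now lands between the `extension:` entry and `force-command`, in the middle of the user-certificate option list; the sentence it replaces sat after the last option (see the following hunk), which is where it reads correctly.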
@@ -277,8 +289,6 @@ DESCRIPTION | |||
277 | separated list of one or more address/netmask pairs in | 289 | separated list of one or more address/netmask pairs in |
278 | CIDR format. | 290 | CIDR format. |
279 | 291 | ||
280 | At present, no options are valid for host keys. | ||
281 | |||
282 | -o Causes ssh-keygen to save private keys using the new OpenSSH | 292 | -o Causes ssh-keygen to save private keys using the new OpenSSH |
283 | format rather than the more compatible PEM format. The new | 293 | format rather than the more compatible PEM format. The new |
284 | format has increased resistance to brute-force password cracking | 294 | format has increased resistance to brute-force password cracking |
@@ -322,10 +332,13 @@ DESCRIPTION | |||
322 | Test DH group exchange candidate primes (generated using the -G | 332 | Test DH group exchange candidate primes (generated using the -G |
323 | option) for safety. | 333 | option) for safety. |
324 | 334 | ||
325 | -t dsa | ecdsa | ed25519 | rsa | rsa1 | 335 | -t dsa | ecdsa | ed25519 | rsa |
326 | Specifies the type of key to create. The possible values are | 336 | Specifies the type of key to create. The possible values are |
327 | M-bM-^@M-^\rsa1M-bM-^@M-^] for protocol version 1 and M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or | 337 | M-bM-^@M-^\dsaM-bM-^@M-^], M-bM-^@M-^\ecdsaM-bM-^@M-^], M-bM-^@M-^\ed25519M-bM-^@M-^], or M-bM-^@M-^\rsaM-bM-^@M-^]. |
328 | M-bM-^@M-^\rsaM-bM-^@M-^] for protocol version 2. | 338 | |
339 | -U When used in combination with -s, this option indicates that a CA | ||
340 | key resides in a ssh-agent(1). See the CERTIFICATES section for | ||
341 | more information. | ||
329 | 342 | ||
330 | -u Update a KRL. When specified with -k, keys listed via the | 343 | -u Update a KRL. When specified with -k, keys listed via the |
331 | command line are added to the existing KRL rather than a new KRL | 344 | command line are added to the existing KRL rather than a new KRL |
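Review bot: the `-U` entry says the CA key "resides in a ssh-agent(1)" but not how that key is named on the command line; the CERTIFICATES text added in this diff states the CA key must be identified by its public half, and repeating that here ("the argument to -s is the CA public key") saves the reader a jump and prevents them from passing a private key file that the agent, not ssh-keygen, is expected to hold.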
@@ -432,6 +445,12 @@ CERTIFICATES | |||
432 | 445 | ||
433 | $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub | 446 | $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub |
434 | 447 | ||
448 | Similarly, it is possible for the CA key to be hosted in a ssh-agent(1). | ||
449 | This is indicated by the -U flag and, again, the CA key must be | ||
450 | identified by its public half. | ||
451 | |||
452 | $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub | ||
453 | |||
435 | In all cases, key_id is a "key identifier" that is logged by the server | 454 | In all cases, key_id is a "key identifier" that is logged by the server |
436 | when the certificate is used for authentication. | 455 | when the certificate is used for authentication. |
437 | 456 | ||
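Review bot: the example `ssh-keygen -Us ca_key.pub -I key_id user_key.pub` bundles the two flags as `-Us`, unlike the other examples in this section, which spell flags separately (`-s ca_key.pub -D libpkcs11.so`); writing `-U -s ca_key.pub` avoids a reader taking `-Us` for a distinct option. The preceding sentence could also say that the agent must already hold the CA private key, since the command itself never names it.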
@@ -512,44 +531,28 @@ KEY REVOCATION LISTS | |||
512 | was revoked. | 531 | was revoked. |
513 | 532 | ||
514 | FILES | 533 | FILES |
515 | ~/.ssh/identity | ||
516 | Contains the protocol version 1 RSA authentication identity of | ||
517 | the user. This file should not be readable by anyone but the | ||
518 | user. It is possible to specify a passphrase when generating the | ||
519 | key; that passphrase will be used to encrypt the private part of | ||
520 | this file using 3DES. This file is not automatically accessed by | ||
521 | ssh-keygen but it is offered as the default file for the private | ||
522 | key. ssh(1) will read this file when a login attempt is made. | ||
523 | |||
524 | ~/.ssh/identity.pub | ||
525 | Contains the protocol version 1 RSA public key for | ||
526 | authentication. The contents of this file should be added to | ||
527 | ~/.ssh/authorized_keys on all machines where the user wishes to | ||
528 | log in using RSA authentication. There is no need to keep the | ||
529 | contents of this file secret. | ||
530 | |||
531 | ~/.ssh/id_dsa | 534 | ~/.ssh/id_dsa |
532 | ~/.ssh/id_ecdsa | 535 | ~/.ssh/id_ecdsa |
533 | ~/.ssh/id_ed25519 | 536 | ~/.ssh/id_ed25519 |
534 | ~/.ssh/id_rsa | 537 | ~/.ssh/id_rsa |
535 | Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA | 538 | Contains the DSA, ECDSA, Ed25519 or RSA authentication identity |
536 | authentication identity of the user. This file should not be | 539 | of the user. This file should not be readable by anyone but the |
537 | readable by anyone but the user. It is possible to specify a | 540 | user. It is possible to specify a passphrase when generating the |
538 | passphrase when generating the key; that passphrase will be used | 541 | key; that passphrase will be used to encrypt the private part of |
539 | to encrypt the private part of this file using 128-bit AES. This | 542 | this file using 128-bit AES. This file is not automatically |
540 | file is not automatically accessed by ssh-keygen but it is | 543 | accessed by ssh-keygen but it is offered as the default file for |
541 | offered as the default file for the private key. ssh(1) will | 544 | the private key. ssh(1) will read this file when a login attempt |
542 | read this file when a login attempt is made. | 545 | is made. |
543 | 546 | ||
544 | ~/.ssh/id_dsa.pub | 547 | ~/.ssh/id_dsa.pub |
545 | ~/.ssh/id_ecdsa.pub | 548 | ~/.ssh/id_ecdsa.pub |
546 | ~/.ssh/id_ed25519.pub | 549 | ~/.ssh/id_ed25519.pub |
547 | ~/.ssh/id_rsa.pub | 550 | ~/.ssh/id_rsa.pub |
548 | Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA public | 551 | Contains the DSA, ECDSA, Ed25519 or RSA public key for |
549 | key for authentication. The contents of this file should be | 552 | authentication. The contents of this file should be added to |
550 | added to ~/.ssh/authorized_keys on all machines where the user | 553 | ~/.ssh/authorized_keys on all machines where the user wishes to |
551 | wishes to log in using public key authentication. There is no | 554 | log in using public key authentication. There is no need to keep |
552 | need to keep the contents of this file secret. | 555 | the contents of this file secret. |
553 | 556 | ||
554 | /etc/moduli | 557 | /etc/moduli |
555 | Contains Diffie-Hellman groups used for DH-GEX. The file format | 558 | Contains Diffie-Hellman groups used for DH-GEX. The file format |
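Review bot: the retained FILES text states that the passphrase encrypts the private part "using 128-bit AES" for every `id_*` file, but the `-o` entry in this same diff describes a second on-disk format with different brute-force resistance, and `-a` documents its KDF rounds; the FILES entry should say which format the AES statement applies to, or refer to `-o`, so a reader checking how a stored key is protected is not misled about keys saved in the newer format.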
@@ -567,4 +570,4 @@ AUTHORS | |||
567 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 570 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
568 | versions 1.5 and 2.0. | 571 | versions 1.5 and 2.0. |
569 | 572 | ||
570 | OpenBSD 6.0 June 16, 2016 OpenBSD 6.0 | 573 | OpenBSD 6.2 July 8, 2017 OpenBSD 6.2 |