Diffstat (limited to 'ssh-keygen.0')
-rw-r--r-- | ssh-keygen.0 | 86 |
1 files changed, 51 insertions, 35 deletions
diff --git a/ssh-keygen.0 b/ssh-keygen.0 index 2b0e9a692..a69b37d67 100644 --- a/ssh-keygen.0 +++ b/ssh-keygen.0 | |||
@@ -19,8 +19,8 @@ SYNOPSIS | |||
19 | ssh-keygen -R hostname [-f known_hosts_file] | 19 | ssh-keygen -R hostname [-f known_hosts_file] |
20 | ssh-keygen -r hostname [-f input_keyfile] [-g] | 20 | ssh-keygen -r hostname [-f input_keyfile] [-g] |
21 | ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point] | 21 | ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point] |
22 | ssh-keygen -T output_file -f input_file [-v] [-a num_trials] | 22 | ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines] |
23 | [-J num_lines] [-j start_line] [-K checkpt] [-W generator] | 23 | [-j start_line] [-K checkpt] [-W generator] |
24 | ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals] | 24 | ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals] |
25 | [-O option] [-V validity_interval] [-z serial_number] file ... | 25 | [-O option] [-V validity_interval] [-z serial_number] file ... |
26 | ssh-keygen -L [-f input_keyfile] | 26 | ssh-keygen -L [-f input_keyfile] |
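Review bot: Only the -T invocation form of the SYNOPSIS is updated here (`-a num_trials` becomes `-a rounds`, with `[-J num_lines]` moved up to line 22). Since the option text in this same patch makes -a also govern KDF rounds when a private key is saved and introduces a new -o flag, the key-generation form of the synopsis (earlier in the file, not in this hunk) should be checked so that it lists `[-a rounds]` and `[-o]` as well; otherwise the synopsis and the option descriptions disagree about where -a applies.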
@@ -32,10 +32,10 @@ SYNOPSIS | |||
32 | DESCRIPTION | 32 | DESCRIPTION |
33 | ssh-keygen generates, manages and converts authentication keys for | 33 | ssh-keygen generates, manages and converts authentication keys for |
34 | ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 | 34 | ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 |
35 | and DSA, ECDSA or RSA keys for use by SSH protocol version 2. The type | 35 | and DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2. |
36 | of key to be generated is specified with the -t option. If invoked | 36 | The type of key to be generated is specified with the -t option. If |
37 | without any arguments, ssh-keygen will generate an RSA key for use in SSH | 37 | invoked without any arguments, ssh-keygen will generate an RSA key for |
38 | protocol 2 connections. | 38 | use in SSH protocol 2 connections. |
39 | 39 | ||
40 | ssh-keygen is also used to generate groups for use in Diffie-Hellman | 40 | ssh-keygen is also used to generate groups for use in Diffie-Hellman |
41 | group exchange (DH-GEX). See the MODULI GENERATION section for details. | 41 | group exchange (DH-GEX). See the MODULI GENERATION section for details. |
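Review bot: Spelling of the new key type is inconsistent across this patch: "ED25519" here on line 35, "Ed25519" in the new -o text, and ``ed25519'' in the -t list. The lower-case form is the literal -t argument, so keep that where the argument is meant; for the algorithm name in running text pick one capitalisation (the DESCRIPTION, -A, -b and FILES sections use "ED25519", the -o text "Ed25519") and use it throughout.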
@@ -46,9 +46,9 @@ DESCRIPTION | |||
46 | 46 | ||
47 | Normally each user wishing to use SSH with public key authentication runs | 47 | Normally each user wishing to use SSH with public key authentication runs |
48 | this once to create the authentication key in ~/.ssh/identity, | 48 | this once to create the authentication key in ~/.ssh/identity, |
49 | ~/.ssh/id_ecdsa, ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the | 49 | ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 or ~/.ssh/id_rsa. |
50 | system administrator may use this to generate host keys, as seen in | 50 | Additionally, the system administrator may use this to generate host |
51 | /etc/rc. | 51 | keys, as seen in /etc/rc. |
52 | 52 | ||
53 | Normally this program generates the key and asks for a file in which to | 53 | Normally this program generates the key and asks for a file in which to |
54 | store the private key. The public key is stored in a file with the same | 54 | store the private key. The public key is stored in a file with the same |
@@ -79,15 +79,22 @@ DESCRIPTION | |||
79 | 79 | ||
80 | The options are as follows: | 80 | The options are as follows: |
81 | 81 | ||
82 | -A For each of the key types (rsa1, rsa, dsa and ecdsa) for which | 82 | -A For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for |
83 | host keys do not exist, generate the host keys with the default | 83 | which host keys do not exist, generate the host keys with the |
84 | key file path, an empty passphrase, default bits for the key | 84 | default key file path, an empty passphrase, default bits for the |
85 | type, and default comment. This is used by /etc/rc to generate | 85 | key type, and default comment. This is used by /etc/rc to |
86 | new host keys. | 86 | generate new host keys. |
87 | 87 | ||
88 | -a trials | 88 | -a rounds |
89 | Specifies the number of primality tests to perform when screening | 89 | When saving a new-format private key (i.e. an ed25519 key or any |
90 | DH-GEX candidates using the -T command. | 90 | SSH protocol 2 key when the -o flag is set), this option |
91 | specifies the number of KDF (key derivation function) rounds | ||
92 | used. Higher numbers result in slower passphrase verification | ||
93 | and increased resistance to brute-force password cracking (should | ||
94 | the keys be stolen). | ||
95 | |||
96 | When screening DH-GEX candidates ( using the -T command). This | ||
97 | option specifies the number of primality tests to perform. | ||
91 | 98 | ||
92 | -B Show the bubblebabble digest of specified private or public key | 99 | -B Show the bubblebabble digest of specified private or public key |
93 | file. | 100 | file. |
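Review bot: The second paragraph of the new -a text (lines 96-97) is a sentence fragment with a stray space inside the parenthesis: "When screening DH-GEX candidates ( using the -T command). This option specifies the number of primality tests to perform." Suggest "When screening DH-GEX candidates using the -T command, this option specifies the number of primality tests to perform." The first paragraph also says "brute-force password cracking" while the rest of the page consistently says "passphrase" for what protects the private key; use "passphrase" for consistency.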
@@ -100,7 +107,8 @@ DESCRIPTION | |||
100 | the -b flag determines the key length by selecting from one of | 107 | the -b flag determines the key length by selecting from one of |
101 | three elliptic curve sizes: 256, 384 or 521 bits. Attempting to | 108 | three elliptic curve sizes: 256, 384 or 521 bits. Attempting to |
102 | use bit lengths other than these three values for ECDSA keys will | 109 | use bit lengths other than these three values for ECDSA keys will |
103 | fail. | 110 | fail. ED25519 keys have a fixed length and the -b flag will be |
111 | ignored. | ||
104 | 112 | ||
105 | -C comment | 113 | -C comment |
106 | Provides a new comment. | 114 | Provides a new comment. |
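Review bot: Line 110-111 documents that -b is silently ignored for ED25519 keys, while the preceding sentences say that an unsupported bit length for ECDSA keys "will fail". If the code really behaves this way the two key types handle a bad -b differently, which is worth flagging in the text (or making consistent in the code); if the intent is only that -b has no effect, say so explicitly, e.g. "ED25519 keys have a fixed length and the -b flag has no effect."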
@@ -262,6 +270,12 @@ DESCRIPTION | |||
262 | 270 | ||
263 | At present, no options are valid for host keys. | 271 | At present, no options are valid for host keys. |
264 | 272 | ||
273 | -o Causes ssh-keygen to save SSH protocol 2 private keys using the | ||
274 | new OpenSSH format rather than the more compatible PEM format. | ||
275 | The new format has increased resistance to brute-force password | ||
276 | cracking but is not supported by versions of OpenSSH prior to | ||
277 | 6.5. Ed25519 keys always use the new private key format. | ||
278 | |||
265 | -P passphrase | 279 | -P passphrase |
266 | Provides the (old) passphrase. | 280 | Provides the (old) passphrase. |
267 | 281 | ||
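Review bot: The new -o text (lines 273-277) says the new format "has increased resistance to brute-force password cracking" but does not tell the reader how that resistance is controlled, even though the new -a text in this same patch says -a sets the number of KDF rounds for new-format keys. Add a cross-reference such as "The number of KDF rounds is set with the -a option." Also, for the stated compatibility limit ("not supported by versions of OpenSSH prior to 6.5") it would help to name what the user should expect when an older ssh(1) reads such a key, so they can recognise the failure. Same "password" vs "passphrase" wording point as in -a.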
@@ -301,8 +315,8 @@ DESCRIPTION | |||
301 | 315 | ||
302 | -t type | 316 | -t type |
303 | Specifies the type of key to create. The possible values are | 317 | Specifies the type of key to create. The possible values are |
304 | ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'' or ``rsa'' | 318 | ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'', |
305 | for protocol version 2. | 319 | ``ed25519'', or ``rsa'' for protocol version 2. |
306 | 320 | ||
307 | -u Update a KRL. When specified with -k, keys listed via the | 321 | -u Update a KRL. When specified with -k, keys listed via the |
308 | command line are added to the existing KRL rather than a new KRL | 322 | command line are added to the existing KRL rather than a new KRL |
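Review bot: Punctuation on line 319: "``ecdsa'', ``ed25519'', or ``rsa''" adds a serial comma before "or", whereas the rest of this page ("dsa, ecdsa and ed25519" in -A, "DSA, ECDSA, ED25519 or RSA" in DESCRIPTION and FILES) does not use one. Drop the comma after ``ed25519'' to match.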
@@ -441,7 +455,7 @@ CERTIFICATES | |||
441 | KEY REVOCATION LISTS | 455 | KEY REVOCATION LISTS |
442 | ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs). | 456 | ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs). |
443 | These binary files specify keys or certificates to be revoked using a | 457 | These binary files specify keys or certificates to be revoked using a |
444 | compact format, taking as little a one bit per certificate if they are | 458 | compact format, taking as little as one bit per certificate if they are |
445 | being revoked by serial number. | 459 | being revoked by serial number. |
446 | 460 | ||
447 | KRLs may be generated using the -k flag. This option reads one or more | 461 | KRLs may be generated using the -k flag. This option reads one or more |
@@ -508,24 +522,26 @@ FILES | |||
508 | 522 | ||
509 | ~/.ssh/id_dsa | 523 | ~/.ssh/id_dsa |
510 | ~/.ssh/id_ecdsa | 524 | ~/.ssh/id_ecdsa |
525 | ~/.ssh/id_ed25519 | ||
511 | ~/.ssh/id_rsa | 526 | ~/.ssh/id_rsa |
512 | Contains the protocol version 2 DSA, ECDSA or RSA authentication | 527 | Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA |
513 | identity of the user. This file should not be readable by anyone | 528 | authentication identity of the user. This file should not be |
514 | but the user. It is possible to specify a passphrase when | 529 | readable by anyone but the user. It is possible to specify a |
515 | generating the key; that passphrase will be used to encrypt the | 530 | passphrase when generating the key; that passphrase will be used |
516 | private part of this file using 128-bit AES. This file is not | 531 | to encrypt the private part of this file using 128-bit AES. This |
517 | automatically accessed by ssh-keygen but it is offered as the | 532 | file is not automatically accessed by ssh-keygen but it is |
518 | default file for the private key. ssh(1) will read this file | 533 | offered as the default file for the private key. ssh(1) will |
519 | when a login attempt is made. | 534 | read this file when a login attempt is made. |
520 | 535 | ||
521 | ~/.ssh/id_dsa.pub | 536 | ~/.ssh/id_dsa.pub |
522 | ~/.ssh/id_ecdsa.pub | 537 | ~/.ssh/id_ecdsa.pub |
538 | ~/.ssh/id_ed25519.pub | ||
523 | ~/.ssh/id_rsa.pub | 539 | ~/.ssh/id_rsa.pub |
524 | Contains the protocol version 2 DSA, ECDSA or RSA public key for | 540 | Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA public |
525 | authentication. The contents of this file should be added to | 541 | key for authentication. The contents of this file should be |
526 | ~/.ssh/authorized_keys on all machines where the user wishes to | 542 | added to ~/.ssh/authorized_keys on all machines where the user |
527 | log in using public key authentication. There is no need to keep | 543 | wishes to log in using public key authentication. There is no |
528 | the contents of this file secret. | 544 | need to keep the contents of this file secret. |
529 | 545 | ||
530 | /etc/moduli | 546 | /etc/moduli |
531 | Contains Diffie-Hellman groups used for DH-GEX. The file format | 547 | Contains Diffie-Hellman groups used for DH-GEX. The file format |
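Review bot: The FILES text for the private key (lines 527-534) is reflowed to add ED25519 but still states unconditionally that the passphrase "will be used to encrypt the private part of this file using 128-bit AES". This patch introduces a new private key format (-o, always used for ED25519) whose KDF is tunable with -a, and the -o text says the new format has different brute-force resistance; the 128-bit AES statement describes the PEM format and should be qualified (e.g. "for the PEM format") or updated to describe both formats, otherwise users of -o or ED25519 keys are given an inaccurate description of how their key file is protected.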
@@ -543,4 +559,4 @@ AUTHORS | |||
543 | created OpenSSH. Markus Friedl contributed the support for SSH protocol | 559 | created OpenSSH. Markus Friedl contributed the support for SSH protocol |
544 | versions 1.5 and 2.0. | 560 | versions 1.5 and 2.0. |
545 | 561 | ||
546 | OpenBSD 5.4 June 27, 2013 OpenBSD 5.4 | 562 | OpenBSD 5.4 December 21, 2013 OpenBSD 5.4 |