Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- | ssh-keygen.1 | 89 |
1 files changed, 65 insertions, 24 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 3e03a9bd0..9acd8f8c9 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.98 2010/08/04 06:07:11 djm Exp $ |
2 | .\" | 2 | .\" |
3 | .\" -*- nroff -*- | 3 | .\" -*- nroff -*- |
4 | .\" | 4 | .\" |
@@ -37,15 +37,15 @@ | |||
37 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 37 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
38 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 38 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
39 | .\" | 39 | .\" |
40 | .Dd $Mdocdate: March 13 2010 $ | 40 | .Dd $Mdocdate: August 4 2010 $ |
41 | .Dt SSH-KEYGEN 1 | 41 | .Dt SSH-KEYGEN 1 |
42 | .Os | 42 | .Os |
43 | .Sh NAME | 43 | .Sh NAME |
44 | .Nm ssh-keygen | 44 | .Nm ssh-keygen |
45 | .Nd authentication key generation, management and conversion | 45 | .Nd authentication key generation, management and conversion |
46 | .Sh SYNOPSIS | 46 | .Sh SYNOPSIS |
47 | .Nm ssh-keygen | ||
48 | .Bk -words | 47 | .Bk -words |
48 | .Nm ssh-keygen | ||
49 | .Op Fl q | 49 | .Op Fl q |
50 | .Op Fl b Ar bits | 50 | .Op Fl b Ar bits |
51 | .Fl t Ar type | 51 | .Fl t Ar type |
@@ -59,9 +59,11 @@ | |||
59 | .Op Fl f Ar keyfile | 59 | .Op Fl f Ar keyfile |
60 | .Nm ssh-keygen | 60 | .Nm ssh-keygen |
61 | .Fl i | 61 | .Fl i |
62 | .Op Fl m Ar key_format | ||
62 | .Op Fl f Ar input_keyfile | 63 | .Op Fl f Ar input_keyfile |
63 | .Nm ssh-keygen | 64 | .Nm ssh-keygen |
64 | .Fl e | 65 | .Fl e |
66 | .Op Fl m Ar key_format | ||
65 | .Op Fl f Ar input_keyfile | 67 | .Op Fl f Ar input_keyfile |
66 | .Nm ssh-keygen | 68 | .Nm ssh-keygen |
67 | .Fl y | 69 | .Fl y |
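Review bot: the new `.Op Fl m Ar key_format` entries in the `-i` and `-e` synopsis forms use the argument name `key_format`, which matches the `.It Fl m Ar key_format` entry added to the option list further down, so the synopsis and the description stay in step; keep that spelling identical in both places, because mdoc renders the argument name literally and a mismatch is easy to miss in review.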
@@ -110,8 +112,9 @@ | |||
110 | .Fl I Ar certificate_identity | 112 | .Fl I Ar certificate_identity |
111 | .Op Fl h | 113 | .Op Fl h |
112 | .Op Fl n Ar principals | 114 | .Op Fl n Ar principals |
113 | .Op Fl O Ar constraint | 115 | .Op Fl O Ar option |
114 | .Op Fl V Ar validity_interval | 116 | .Op Fl V Ar validity_interval |
117 | .Op Fl z Ar serial_number | ||
115 | .Ar | 118 | .Ar |
116 | .Nm ssh-keygen | 119 | .Nm ssh-keygen |
117 | .Fl L | 120 | .Fl L |
@@ -212,13 +215,20 @@ the passphrase if the key has one, and for the new comment. | |||
212 | .It Fl D Ar pkcs11 | 215 | .It Fl D Ar pkcs11 |
213 | Download the RSA public keys provided by the PKCS#11 shared library | 216 | Download the RSA public keys provided by the PKCS#11 shared library |
214 | .Ar pkcs11 . | 217 | .Ar pkcs11 . |
218 | When used in combination with | ||
219 | .Fl s , | ||
220 | this option indicates that a CA key resides in a PKCS#11 token (see the | ||
221 | .Sx CERTIFICATES | ||
222 | section for details). | ||
215 | .It Fl e | 223 | .It Fl e |
216 | This option will read a private or public OpenSSH key file and | 224 | This option will read a private or public OpenSSH key file and |
217 | print the key in | 225 | print to stdout the key in one of the formats specified by the |
218 | RFC 4716 SSH Public Key File Format | 226 | .Fl m |
219 | to stdout. | 227 | option. |
220 | This option allows exporting keys for use by several commercial | 228 | The default export format is |
221 | SSH implementations. | 229 | .Dq RFC4716 . |
230 | This option allows exporting OpenSSH keys for use by other programs, including | ||
231 | several commercial SSH implementations. | ||
222 | .It Fl F Ar hostname | 232 | .It Fl F Ar hostname |
223 | Search for the specified | 233 | Search for the specified |
224 | .Ar hostname | 234 | .Ar hostname |
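Review bot: "print to stdout the key in one of the formats specified by the .Fl m option" reads as if a single `-m` selects several formats; suggest "in the format specified by the .Fl m option", with the list of formats left to the `-m` entry itself. Separately, the expanded `-D` text now gives the option a second role (locating a CA key in a PKCS#11 token when combined with `-s`), but the first sentence still describes it only as "Download the RSA public keys"; a short opening such as "Use the PKCS#11 shared library .Ar pkcs11 ." before the two behaviours would make the entry accurate for both uses.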
@@ -269,13 +279,14 @@ Please see the | |||
269 | section for details. | 279 | section for details. |
270 | .It Fl i | 280 | .It Fl i |
271 | This option will read an unencrypted private (or public) key file | 281 | This option will read an unencrypted private (or public) key file |
272 | in SSH2-compatible format and print an OpenSSH compatible private | 282 | in the format specified by the |
283 | .Fl m | ||
284 | option and print an OpenSSH compatible private | ||
273 | (or public) key to stdout. | 285 | (or public) key to stdout. |
274 | .Nm | 286 | This option allows importing keys from other software, including several |
275 | also reads the | 287 | commercial SSH implementations. |
276 | RFC 4716 SSH Public Key File Format. | 288 | The default import format is |
277 | This option allows importing keys from several commercial | 289 | .Dq RFC4716 . |
278 | SSH implementations. | ||
279 | .It Fl L | 290 | .It Fl L |
280 | Prints the contents of a certificate. | 291 | Prints the contents of a certificate. |
281 | .It Fl l | 292 | .It Fl l |
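Review bot: the default format is now stated in three places within this patch: "The default export format is RFC4716" under `-e`, "The default import format is RFC4716" here under `-i`, and "The default conversion format is RFC4716" under `-m`; they will drift apart if the default ever changes. Suggest stating the default only in the `-m` entry and having `-i` and `-e` refer to it ("see .Fl m for the supported formats and the default"). The removed sentence "ssh-keygen also reads the RFC 4716 SSH Public Key File Format" is fully covered by the new default statement, so no information is lost there.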
@@ -290,6 +301,22 @@ an ASCII art representation of the key is supplied with the fingerprint. | |||
290 | .It Fl M Ar memory | 301 | .It Fl M Ar memory |
291 | Specify the amount of memory to use (in megabytes) when generating | 302 | Specify the amount of memory to use (in megabytes) when generating |
292 | candidate moduli for DH-GEX. | 303 | candidate moduli for DH-GEX. |
304 | .It Fl m Ar key_format | ||
305 | Specify a key format for the | ||
306 | .Fl i | ||
307 | (import) or | ||
308 | .Fl e | ||
309 | (export) conversion options. | ||
310 | The supported key formats are: | ||
311 | .Dq RFC4716 | ||
312 | (RFC 4716/SSH2 public or private key), | ||
313 | .Dq PKCS8 | ||
314 | (PEM PKCS8 public key) | ||
315 | or | ||
316 | .Dq PEM | ||
317 | (PEM public key). | ||
318 | The default conversion format is | ||
319 | .Dq RFC4716 . | ||
293 | .It Fl N Ar new_passphrase | 320 | .It Fl N Ar new_passphrase |
294 | Provides the new passphrase. | 321 | Provides the new passphrase. |
295 | .It Fl n Ar principals | 322 | .It Fl n Ar principals |
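Review bot: the format list describes `RFC4716` as "public or private key" but `PKCS8` and `PEM` as "public key" only, while the `-e` entry says it reads "a private or public OpenSSH key file"; the entry should say what happens when a private key is given together with `-m PKCS8` or `-m PEM` (an error, or export of the public half only), since this is where users choose the format. Placement of the new entry between `-M` and `-N` follows the case-sensitive ordering used by the rest of the list, which is fine.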
@@ -299,13 +326,13 @@ Multiple principals may be specified, separated by commas. | |||
299 | Please see the | 326 | Please see the |
300 | .Sx CERTIFICATES | 327 | .Sx CERTIFICATES |
301 | section for details. | 328 | section for details. |
302 | .It Fl O Ar constraint | 329 | .It Fl O Ar option |
303 | Specify a certificate constraint when signing a key. | 330 | Specify a certificate option when signing a key. |
304 | This option may be specified multiple times. | 331 | This option may be specified multiple times. |
305 | Please see the | 332 | Please see the |
306 | .Sx CERTIFICATES | 333 | .Sx CERTIFICATES |
307 | section for details. | 334 | section for details. |
308 | The constraints that are valid for user certificates are: | 335 | The options that are valid for user certificates are: |
309 | .Bl -tag -width Ds | 336 | .Bl -tag -width Ds |
310 | .It Ic clear | 337 | .It Ic clear |
311 | Clear all enabled permissions. | 338 | Clear all enabled permissions. |
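Review bot: the `constraint` to `option` rename is applied consistently within this file (synopsis, the `-O` entry, the host-key note and the CERTIFICATES section are all updated in this patch), but the same term appears in the usage string and in the other manual pages that describe certificate handling; those should be renamed in the same change so that "constraint" and "option" do not coexist as names for the same `-O` argument.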
@@ -355,7 +382,7 @@ is a comma-separated list of one or more address/netmask pairs in CIDR | |||
355 | format. | 382 | format. |
356 | .El | 383 | .El |
357 | .Pp | 384 | .Pp |
358 | At present, no constraints are valid for host keys. | 385 | At present, no options are valid for host keys. |
359 | .It Fl P Ar passphrase | 386 | .It Fl P Ar passphrase |
360 | Provides the (old) passphrase. | 387 | Provides the (old) passphrase. |
361 | .It Fl p | 388 | .It Fl p |
@@ -441,6 +468,10 @@ Specify desired generator when testing candidate moduli for DH-GEX. | |||
441 | .It Fl y | 468 | .It Fl y |
442 | This option will read a private | 469 | This option will read a private |
443 | OpenSSH format file and print an OpenSSH public key to stdout. | 470 | OpenSSH format file and print an OpenSSH public key to stdout. |
471 | .It Fl z Ar serial_number | ||
472 | Specifies a serial number to be embedded in the certificate to distinguish | ||
473 | this certificate from others from the same CA. | ||
474 | The default serial number is zero. | ||
444 | .El | 475 | .El |
445 | .Sh MODULI GENERATION | 476 | .Sh MODULI GENERATION |
446 | .Nm | 477 | .Nm |
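Review bot: "The default serial number is zero" deserves a caveat in the `-z` entry: the text says the serial exists "to distinguish this certificate from others from the same CA", yet a CA that never passes `-z` will issue every certificate with serial 0, which gives the server nothing to distinguish them by in its logs. Suggest adding a sentence recommending that a CA assign a unique serial to each certificate it signs, and noting that the serial is not checked for uniqueness by `ssh-keygen`.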
@@ -501,7 +532,7 @@ that both ends of a connection share common moduli. | |||
501 | supports signing of keys to produce certificates that may be used for | 532 | supports signing of keys to produce certificates that may be used for |
502 | user or host authentication. | 533 | user or host authentication. |
503 | Certificates consist of a public key, some identity information, zero or | 534 | Certificates consist of a public key, some identity information, zero or |
504 | more principal (user or host) names and an optional set of constraints that | 535 | more principal (user or host) names and a set of options that |
505 | are signed by a Certification Authority (CA) key. | 536 | are signed by a Certification Authority (CA) key. |
506 | Clients or servers may then trust only the CA key and verify its signature | 537 | Clients or servers may then trust only the CA key and verify its signature |
507 | on a certificate rather than trusting many user/host keys. | 538 | on a certificate rather than trusting many user/host keys. |
@@ -527,7 +558,17 @@ option: | |||
527 | .Pp | 558 | .Pp |
528 | The host certificate will be output to | 559 | The host certificate will be output to |
529 | .Pa /path/to/host_key-cert.pub . | 560 | .Pa /path/to/host_key-cert.pub . |
530 | In both cases, | 561 | .Pp |
562 | It is possible to sign using a CA key stored in a PKCS#11 token by | ||
563 | providing the token library using | ||
564 | .Fl D | ||
565 | and identifying the CA key by providing its public half as an argument | ||
566 | to | ||
567 | .Fl s : | ||
568 | .Pp | ||
569 | .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub | ||
570 | .Pp | ||
571 | In all cases, | ||
531 | .Ar key_id | 572 | .Ar key_id |
532 | is a "key identifier" that is logged by the server when the certificate | 573 | is a "key identifier" that is logged by the server when the certificate |
533 | is used for authentication. | 574 | is used for authentication. |
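Review bot: the example `.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub` names the PKCS#11 module as a bare filename; since `-D` names a shared library that `ssh-keygen` loads while it has access to the CA signing operation, the example would be better with an absolute path (the surrounding text already uses `/path/to/host_key-cert.pub`), and it is worth stating here, not only in the `-D` entry, that the argument to `-s` in this mode is the CA key's public half and the private key stays in the token. The change from "In both cases" to "In all cases" is correct now that a third signing example precedes it.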
@@ -541,11 +582,11 @@ To generate a certificate for a specified set of principals: | |||
541 | .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" | 582 | .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" |
542 | .Pp | 583 | .Pp |
543 | Additional limitations on the validity and use of user certificates may | 584 | Additional limitations on the validity and use of user certificates may |
544 | be specified through certificate constraints. | 585 | be specified through certificate options. |
545 | A constrained certificate may disable features of the SSH session, may be | 586 | A certificate option may disable features of the SSH session, may be |
546 | valid only when presented from particular source addresses or may | 587 | valid only when presented from particular source addresses or may |
547 | force the use of a specific command. | 588 | force the use of a specific command. |
548 | For a list of valid certificate constraints, see the documentation for the | 589 | For a list of valid certificate options, see the documentation for the |
549 | .Fl O | 590 | .Fl O |
550 | option above. | 591 | option above. |
551 | .Pp | 592 | .Pp |
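Review bot: after the rename, "A certificate option may disable features of the SSH session, may be valid only when presented from particular source addresses or may force the use of a specific command" has a subject mismatch: it is the certificate, not the option, that is "valid only when presented from particular source addresses". Suggest "A certificate option may disable features of the SSH session, may restrict the certificate to particular source addresses, or may force the use of a specific command."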