Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- | ssh-keygen.1 | 125 |
1 files changed, 83 insertions, 42 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index c0f24dcd0..3987b1e66 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keygen.1,v 1.63 2004/08/13 00:01:43 jmc Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.66 2005/03/01 18:15:56 jmc Exp $ |
2 | .\" | 2 | .\" |
3 | .\" -*- nroff -*- | 3 | .\" -*- nroff -*- |
4 | .\" | 4 | .\" |
@@ -81,6 +81,15 @@ | |||
81 | .Nm ssh-keygen | 81 | .Nm ssh-keygen |
82 | .Fl D Ar reader | 82 | .Fl D Ar reader |
83 | .Nm ssh-keygen | 83 | .Nm ssh-keygen |
84 | .Fl F Ar hostname | ||
85 | .Op Fl f Ar known_hosts_file | ||
86 | .Nm ssh-keygen | ||
87 | .Fl H | ||
88 | .Op Fl f Ar known_hosts_file | ||
89 | .Nm ssh-keygen | ||
90 | .Fl R Ar hostname | ||
91 | .Op Fl f Ar known_hosts_file | ||
92 | .Nm ssh-keygen | ||
84 | .Fl U Ar reader | 93 | .Fl U Ar reader |
85 | .Op Fl f Ar input_keyfile | 94 | .Op Fl f Ar input_keyfile |
86 | .Nm ssh-keygen | 95 | .Nm ssh-keygen |
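Review bot: The new synopsis line for -F omits the optional -H, although the -F description added later in this patch says it "may also be used in conjunction with the -H option to print found keys in a hashed format". Add ".Op Fl H" to the -F synopsis entry so the combined form is discoverable from the SYNOPSIS alone.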
@@ -174,16 +183,23 @@ Specifies the number of primality tests to perform when screening DH-GEX | |||
174 | candidates using the | 183 | candidates using the |
175 | .Fl T | 184 | .Fl T |
176 | command. | 185 | command. |
186 | .It Fl B | ||
187 | Show the bubblebabble digest of specified private or public key file. | ||
177 | .It Fl b Ar bits | 188 | .It Fl b Ar bits |
178 | Specifies the number of bits in the key to create. | 189 | Specifies the number of bits in the key to create. |
179 | Minimum is 512 bits. | 190 | Minimum is 512 bits. |
180 | Generally, 1024 bits is considered sufficient. | 191 | Generally, 1024 bits is considered sufficient. |
181 | The default is 1024 bits. | 192 | The default is 1024 bits. |
193 | .It Fl C Ar comment | ||
194 | Provides a new comment. | ||
182 | .It Fl c | 195 | .It Fl c |
183 | Requests changing the comment in the private and public key files. | 196 | Requests changing the comment in the private and public key files. |
184 | This operation is only supported for RSA1 keys. | 197 | This operation is only supported for RSA1 keys. |
185 | The program will prompt for the file containing the private keys, for | 198 | The program will prompt for the file containing the private keys, for |
186 | the passphrase if the key has one, and for the new comment. | 199 | the passphrase if the key has one, and for the new comment. |
200 | .It Fl D Ar reader | ||
201 | Download the RSA public key stored in the smartcard in | ||
202 | .Ar reader . | ||
187 | .It Fl e | 203 | .It Fl e |
188 | This option will read a private or public OpenSSH key file and | 204 | This option will read a private or public OpenSSH key file and |
189 | print the key in a | 205 | print the key in a |
@@ -191,12 +207,41 @@ print the key in a | |||
191 | to stdout. | 207 | to stdout. |
192 | This option allows exporting keys for use by several commercial | 208 | This option allows exporting keys for use by several commercial |
193 | SSH implementations. | 209 | SSH implementations. |
210 | .It Fl F Ar hostname | ||
211 | Search for the specified | ||
212 | .Ar hostname | ||
213 | in a | ||
214 | .Pa known_hosts | ||
215 | file, listing any occurrences found. | ||
216 | This option is useful to find hashed host names or addresses and may also be | ||
217 | used in conjunction with the | ||
218 | .Fl H | ||
219 | option to print found keys in a hashed format. | ||
220 | .It Fl f Ar filename | ||
221 | Specifies the filename of the key file. | ||
222 | .It Fl G Ar output_file | ||
223 | Generate candidate primes for DH-GEX. | ||
224 | These primes must be screened for | ||
225 | safety (using the | ||
226 | .Fl T | ||
227 | option) before use. | ||
194 | .It Fl g | 228 | .It Fl g |
195 | Use generic DNS format when printing fingerprint resource records using the | 229 | Use generic DNS format when printing fingerprint resource records using the |
196 | .Fl r | 230 | .Fl r |
197 | command. | 231 | command. |
198 | .It Fl f Ar filename | 232 | .It Fl H |
199 | Specifies the filename of the key file. | 233 | Hash a |
234 | .Pa known_hosts | ||
235 | file, printing the result to standard output. | ||
236 | This replaces all hostnames and addresses with hashed representations. | ||
237 | These hashes may be used normally by | ||
238 | .Nm ssh | ||
239 | and | ||
240 | .Nm sshd , | ||
241 | but they do not reveal identifying information should the file's contents | ||
242 | be disclosed. | ||
243 | This option will not modify existing hashed hostnames and is therefore safe | ||
244 | to use on files that mix hashed and non-hashed names. | ||
200 | .It Fl i | 245 | .It Fl i |
201 | This option will read an unencrypted private (or public) key file | 246 | This option will read an unencrypted private (or public) key file |
202 | in SSH2-compatible format and print an OpenSSH compatible private | 247 | in SSH2-compatible format and print an OpenSSH compatible private |
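Review bot: The -H entry says the hashes "do not reveal identifying information should the file's contents be disclosed", but it also says the result is printed to standard output, so the original known_hosts file with plain host names is left in place. Add a sentence telling the reader to install the hashed output in place of the original file and to remove any unhashed copy, otherwise the privacy benefit described here is not achieved. Separately, the relocated -f entry still reads "Specifies the filename of the key file" while the new synopsis lines use -f for a known_hosts file; the description should cover both uses.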
@@ -212,6 +257,13 @@ Private RSA1 keys are also supported. | |||
212 | For RSA and DSA keys | 257 | For RSA and DSA keys |
213 | .Nm | 258 | .Nm |
214 | tries to find the matching public key file and prints its fingerprint. | 259 | tries to find the matching public key file and prints its fingerprint. |
260 | .It Fl M Ar memory | ||
261 | Specify the amount of memory to use (in megabytes) when generating | ||
262 | candidate moduli for DH-GEX. | ||
263 | .It Fl N Ar new_passphrase | ||
264 | Provides the new passphrase. | ||
265 | .It Fl P Ar passphrase | ||
266 | Provides the (old) passphrase. | ||
215 | .It Fl p | 267 | .It Fl p |
216 | Requests changing the passphrase of a private key file instead of | 268 | Requests changing the passphrase of a private key file instead of |
217 | creating a new private key. | 269 | creating a new private key. |
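Review bot: The -N and -P entries carry no caveat about supplying a passphrase as a command-line argument. Arguments are normally visible to other local users through the process list and can end up in shell history, so add a sentence saying so and recommending the interactive prompt for anything other than scripted use.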
@@ -224,11 +276,27 @@ Silence | |||
224 | Used by | 276 | Used by |
225 | .Pa /etc/rc | 277 | .Pa /etc/rc |
226 | when creating a new key. | 278 | when creating a new key. |
227 | .It Fl y | 279 | .It Fl R Ar hostname |
228 | This option will read a private | 280 | Removes all keys belonging to |
229 | OpenSSH format file and print an OpenSSH public key to stdout. | 281 | .Ar hostname |
282 | from a | ||
283 | .Pa known_hosts | ||
284 | file. | ||
285 | This option is useful to delete hashed hosts (see the | ||
286 | .Fl H | ||
287 | option above). | ||
288 | .It Fl r Ar hostname | ||
289 | Print the SSHFP fingerprint resource record named | ||
290 | .Ar hostname | ||
291 | for the specified public key file. | ||
292 | .It Fl S Ar start | ||
293 | Specify start point (in hex) when generating candidate moduli for DH-GEX. | ||
294 | .It Fl T Ar output_file | ||
295 | Test DH group exchange candidate primes (generated using the | ||
296 | .Fl G | ||
297 | option) for safety. | ||
230 | .It Fl t Ar type | 298 | .It Fl t Ar type |
231 | Specifies the type of the key to create. | 299 | Specifies the type of key to create. |
232 | The possible values are | 300 | The possible values are |
233 | .Dq rsa1 | 301 | .Dq rsa1 |
234 | for protocol version 1 and | 302 | for protocol version 1 and |
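Review bot: The new -R entry does not say where its result goes. The -H entry is explicit that it prints to standard output, while -R only says it removes keys "from a known_hosts file", so a reader cannot tell whether the file is rewritten in place or whether a copy of the original is kept. State this explicitly; someone clearing a stale or changed host key needs to know whether the original file is modified.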
@@ -236,34 +304,6 @@ for protocol version 1 and | |||
236 | or | 304 | or |
237 | .Dq dsa | 305 | .Dq dsa |
238 | for protocol version 2. | 306 | for protocol version 2. |
239 | .It Fl B | ||
240 | Show the bubblebabble digest of specified private or public key file. | ||
241 | .It Fl C Ar comment | ||
242 | Provides the new comment. | ||
243 | .It Fl D Ar reader | ||
244 | Download the RSA public key stored in the smartcard in | ||
245 | .Ar reader . | ||
246 | .It Fl G Ar output_file | ||
247 | Generate candidate primes for DH-GEX. | ||
248 | These primes must be screened for | ||
249 | safety (using the | ||
250 | .Fl T | ||
251 | option) before use. | ||
252 | .It Fl M Ar memory | ||
253 | Specify the amount of memory to use (in megabytes) when generating | ||
254 | candidate moduli for DH-GEX. | ||
255 | .It Fl N Ar new_passphrase | ||
256 | Provides the new passphrase. | ||
257 | .It Fl P Ar passphrase | ||
258 | Provides the (old) passphrase. | ||
259 | .It Fl S Ar start | ||
260 | Specify start point (in hex) when generating candidate moduli for DH-GEX. | ||
261 | .It Fl T Ar output_file | ||
262 | Test DH group exchange candidate primes (generated using the | ||
263 | .Fl G | ||
264 | option) for safety. | ||
265 | .It Fl W Ar generator | ||
266 | Specify desired generator when testing candidate moduli for DH-GEX. | ||
267 | .It Fl U Ar reader | 307 | .It Fl U Ar reader |
268 | Upload an existing RSA private key into the smartcard in | 308 | Upload an existing RSA private key into the smartcard in |
269 | .Ar reader . | 309 | .Ar reader . |
@@ -277,10 +317,11 @@ Multiple | |||
277 | .Fl v | 317 | .Fl v |
278 | options increase the verbosity. | 318 | options increase the verbosity. |
279 | The maximum is 3. | 319 | The maximum is 3. |
280 | .It Fl r Ar hostname | 320 | .It Fl W Ar generator |
281 | Print the SSHFP fingerprint resource record named | 321 | Specify desired generator when testing candidate moduli for DH-GEX. |
282 | .Ar hostname | 322 | .It Fl y |
283 | for the specified public key file. | 323 | This option will read a private |
324 | OpenSSH format file and print an OpenSSH public key to stdout. | ||
284 | .El | 325 | .El |
285 | .Sh MODULI GENERATION | 326 | .Sh MODULI GENERATION |
286 | .Nm | 327 | .Nm |
@@ -299,7 +340,7 @@ The desired length of the primes may be specified by the | |||
299 | option. | 340 | option. |
300 | For example: | 341 | For example: |
301 | .Pp | 342 | .Pp |
302 | .Dl ssh-keygen -G moduli-2048.candidates -b 2048 | 343 | .Dl # ssh-keygen -G moduli-2048.candidates -b 2048 |
303 | .Pp | 344 | .Pp |
304 | By default, the search for primes begins at a random point in the | 345 | By default, the search for primes begins at a random point in the |
305 | desired length range. | 346 | desired length range. |
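Review bot: The "# " added in front of the -G example reads as a root prompt, but the command only writes moduli-2048.candidates in the current directory, so nothing in the example calls for root. Pasted verbatim into a shell, the leading # also turns the whole line into a comment and nothing runs. Consider "$ " or leaving the prompt out; the same applies to the -T example changed further down.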
@@ -319,7 +360,7 @@ will read candidates from standard input (or a file specified using the | |||
319 | option). | 360 | option). |
320 | For example: | 361 | For example: |
321 | .Pp | 362 | .Pp |
322 | .Dl ssh-keygen -T moduli-2048 -f moduli-2048.candidates | 363 | .Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates |
323 | .Pp | 364 | .Pp |
324 | By default, each candidate will be subjected to 100 primality tests. | 365 | By default, each candidate will be subjected to 100 primality tests. |
325 | This may be overridden using the | 366 | This may be overridden using the |
@@ -330,7 +371,7 @@ prime under consideration. | |||
330 | If a specific generator is desired, it may be requested using the | 371 | If a specific generator is desired, it may be requested using the |
331 | .Fl W | 372 | .Fl W |
332 | option. | 373 | option. |
333 | Valid generator values are 2, 3 and 5. | 374 | Valid generator values are 2, 3, and 5. |
334 | .Pp | 375 | .Pp |
335 | Screened DH groups may be installed in | 376 | Screened DH groups may be installed in |
336 | .Pa /etc/moduli . | 377 | .Pa /etc/moduli . |