Diffstat (limited to 'ssh-keygen.1')
-rw-r--r--  ssh-keygen.1  131
1 files changed, 12 insertions, 119 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index dc4bcacd0..000e8ff2a 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keygen.1,v 1.60 2003/07/28 09:49:56 djm Exp $ 1.\" $OpenBSD: ssh-keygen.1,v 1.56 2003/03/28 10:11:43 jmc Exp $
2.\" 2.\"
3.\" -*- nroff -*- 3.\" -*- nroff -*-
4.\" 4.\"
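Review bot: the RCS identifier on line 1 moves backwards, from ssh-keygen.1,v 1.60 (2003/07/28) to v 1.56 (2003/03/28), so this hunk is a reversion to an earlier revision of the page rather than a forward edit; the commit message should state which change is being backed out and why, so a reader of the log can tell that the DH-GEX and DNS resource-record documentation removed in the later hunks was dropped deliberately.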
@@ -83,38 +83,17 @@
83.Nm ssh-keygen 83.Nm ssh-keygen
84.Fl U Ar reader 84.Fl U Ar reader
85.Op Fl f Ar input_keyfile 85.Op Fl f Ar input_keyfile
86.Nm ssh-keygen
87.Fl r Ar hostname
88.Op Fl f Ar input_keyfile
89.Op Fl g
90.Nm ssh-keygen
91.Fl G Ar output_file
92.Op Fl b Ar bits
93.Op Fl M Ar memory
94.Op Fl S Ar start_point
95.Nm ssh-keygen
96.Fl T Ar output_file
97.Fl f Ar input_file
98.Op Fl a Ar num_trials
99.Op Fl W Ar generator
100.Sh DESCRIPTION 86.Sh DESCRIPTION
101.Nm 87.Nm
102generates, manages and converts authentication keys for 88generates, manages and converts authentication keys for
103.Xr ssh 1 . 89.Xr ssh 1 .
104.Nm 90.Nm
105can create RSA keys for use by SSH protocol version 1 and RSA or DSA 91can create RSA keys for use by SSH protocol version 1 and RSA or DSA
106keys for use by SSH protocol version 2. 92keys for use by SSH protocol version 2. The type of key to be generated
107The type of key to be generated is specified with the 93is specified with the
108.Fl t 94.Fl t
109option. 95option.
110.Pp 96.Pp
111.Nm
112is also used to generate groups for use in Diffie-Hellman group
113exchange (DH-GEX).
114See the
115.Sx MODULI GENERATION
116section for details.
117.Pp
118Normally each user wishing to use SSH 97Normally each user wishing to use SSH
119with RSA or DSA authentication runs this once to create the authentication 98with RSA or DSA authentication runs this once to create the authentication
120key in 99key in
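Review bot: the right-hand side of the DESCRIPTION paragraph joins two sentences on one line ("keys for use by SSH protocol version 2. The type of key to be generated"), whereas the removed text kept one sentence per line; mdoc expects each new sentence to start on its own line so roff can space sentences correctly, so keep the break before "The type of key". The synopsis removals themselves are consistent: the -r/-g, -G/-b/-M/-S and -T/-f/-a/-W forms disappear together with the paragraph that pointed at the MODULI GENERATION section.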
@@ -167,11 +146,6 @@ should be placed to be activated.
167.Pp 146.Pp
168The options are as follows: 147The options are as follows:
169.Bl -tag -width Ds 148.Bl -tag -width Ds
170.It Fl a Ar trials
171Specifies the number of primality tests to perform when screening DH-GEX
172candidates using the
173.Fl T
174command.
175.It Fl b Ar bits 149.It Fl b Ar bits
176Specifies the number of bits in the key to create. 150Specifies the number of bits in the key to create.
177Minimum is 512 bits. 151Minimum is 512 bits.
@@ -189,8 +163,6 @@ print the key in a
189to stdout. 163to stdout.
190This option allows exporting keys for use by several commercial 164This option allows exporting keys for use by several commercial
191SSH implementations. 165SSH implementations.
192.It Fl g
193Use generic DNS resource record format.
194.It Fl f Ar filename 166.It Fl f Ar filename
195Specifies the filename of the key file. 167Specifies the filename of the key file.
196.It Fl i 168.It Fl i
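Review bot: the -g entry ("Use generic DNS resource record format") is removed here while the -r entry it qualifies is removed only in a later hunk; since the synopsis form ".Fl r Ar hostname / .Op Fl g" was already dropped above, no dangling reference to -g remains after this commit, but the two deletions belong together and should be described as one change in the log.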
@@ -239,88 +211,14 @@ Provides the new comment.
239.It Fl D Ar reader 211.It Fl D Ar reader
240Download the RSA public key stored in the smartcard in 212Download the RSA public key stored in the smartcard in
241.Ar reader . 213.Ar reader .
242.It Fl G Ar output_file
243Generate candidate primes for DH-GEX.
244These primes must be screened for
245safety (using the
246.Fl T
247option) before use.
248.It Fl M Ar memory
249Specify the amount of memory to use (in megabytes) when generating
250candidate moduli for DH-GEX.
251.It Fl N Ar new_passphrase 214.It Fl N Ar new_passphrase
252Provides the new passphrase. 215Provides the new passphrase.
253.It Fl P Ar passphrase 216.It Fl P Ar passphrase
254Provides the (old) passphrase. 217Provides the (old) passphrase.
255.It Fl S Ar start
256Specify start point (in hex) when generating candidate moduli for DH-GEX.
257.It Fl T Ar output_file
258Test DH group exchange candidate primes (generated using the
259.Fl G
260option) for safety.
261.It Fl W Ar generator
262Specify desired generator when testing candidate moduli for DH-GEX.
263.It Fl U Ar reader 218.It Fl U Ar reader
264Upload an existing RSA private key into the smartcard in 219Upload an existing RSA private key into the smartcard in
265.Ar reader . 220.Ar reader .
266.It Fl r Ar hostname
267Print DNS resource record with the specified
268.Ar hostname .
269.El 221.El
270.Sh MODULI GENERATION
271.Nm
272may be used to generate groups for the Diffie-Hellman Group Exchange
273(DH-GEX) protocol.
274Generating these groups is a two-step process: first, candidate
275primes are generated using a fast, but memory intensive process.
276These candidate primes are then tested for suitability (a CPU-intensive
277process).
278.Pp
279Generation of primes is performed using the
280.Fl G
281option.
282The desired length of the primes may be specified by the
283.Fl b
284option.
285For example:
286.Pp
287.Dl ssh-keygen -G moduli-2048.candidates -b 2048
288.Pp
289By default, the search for primes begins at a random point in the
290desired length range.
291This may be overridden using the
292.Fl S
293option, which specifies a different start point (in hex).
294.Pp
295Once a set of candidates have been generated, they must be tested for
296suitability.
297This may be performed using the
298.Fl T
299option.
300In this mode
301.Nm
302will read candidates from standard input (or a file specified using the
303.Fl f
304option).
305For example:
306.Pp
307.Dl ssh-keygen -T moduli-2048 -f moduli-2048.candidates
308.Pp
309By default, each candidate will be subjected to 100 primality tests.
310This may be overridden using the
311.Fl a
312option.
313The DH generator value will be chosen automatically for the
314prime under consideration.
315If a specific generator is desired, it may be requested using the
316.Fl W
317option.
318Valid generator values are 2, 3 and 5.
319.Pp
320Screened DH groups may be installed in
321.Pa /etc/moduli .
322It is important that this file contains moduli of a range of bit lengths and
323that both ends of a connection share common moduli.
324.Sh FILES 222.Sh FILES
325.Bl -tag -width Ds 223.Bl -tag -width Ds
326.It Pa $HOME/.ssh/identity 224.It Pa $HOME/.ssh/identity
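Review bot: deleting the MODULI GENERATION section removes the only operational guidance on this page about screening candidates before use ("These primes must be screened for safety (using the -T option) before use") and about /etc/moduli needing "moduli of a range of bit lengths" that "both ends of a connection share"; if sshd still reads /etc/moduli for DH-GEX after this commit, that guidance should be kept in moduli(5) or sshd(8) rather than vanish, because an unscreened or single-size moduli file is exactly the misconfiguration the removed text warned against. The -r entry ("Print DNS resource record with the specified hostname") is deleted in the same hunk although it is unrelated to DH-GEX; confirm that is intended and not collateral from the revert.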
@@ -377,16 +275,20 @@ The contents of this file should be added to
377on all machines 275on all machines
378where the user wishes to log in using public key authentication. 276where the user wishes to log in using public key authentication.
379There is no need to keep the contents of this file secret. 277There is no need to keep the contents of this file secret.
380.It Pa /etc/moduli
381Contains Diffie-Hellman groups used for DH-GEX.
382The file format is described in
383.Xr moduli 5 .
384.El 278.El
279.Sh AUTHORS
280OpenSSH is a derivative of the original and free
281ssh 1.2.12 release by Tatu Ylonen.
282Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
283Theo de Raadt and Dug Song
284removed many bugs, re-added newer features and
285created OpenSSH.
286Markus Friedl contributed the support for SSH
287protocol versions 1.5 and 2.0.
385.Sh SEE ALSO 288.Sh SEE ALSO
386.Xr ssh 1 , 289.Xr ssh 1 ,
387.Xr ssh-add 1 , 290.Xr ssh-add 1 ,
388.Xr ssh-agent 1 , 291.Xr ssh-agent 1 ,
389.Xr moduli 5 ,
390.Xr sshd 8 292.Xr sshd 8
391.Rs 293.Rs
392.%A J. Galbraith 294.%A J. Galbraith
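Review bot: the relocated AUTHORS section now precedes SEE ALSO, which is the reverse of the mdoc(7) section order (SEE ALSO, STANDARDS, HISTORY, AUTHORS, CAVEATS, BUGS); if this is a wholesale revert to v1.56 the old ordering comes along with it, but it should be re-fixed rather than reintroduced. Dropping ".Xr moduli 5 ," from SEE ALSO and the /etc/moduli FILES entry is consistent with the section removal above only if moduli(5) itself is going away; otherwise the cross-reference is still useful and should stay.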
@@ -396,12 +298,3 @@ The file format is described in
396.%D March 2001 298.%D March 2001
397.%O work in progress material 299.%O work in progress material
398.Re 300.Re
399.Sh AUTHORS
400OpenSSH is a derivative of the original and free
401ssh 1.2.12 release by Tatu Ylonen.
402Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
403Theo de Raadt and Dug Song
404removed many bugs, re-added newer features and
405created OpenSSH.
406Markus Friedl contributed the support for SSH
407protocol versions 1.5 and 2.0.
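Review bot: this deletion is the other half of the AUTHORS move in the previous hunk (the eight removed lines are identical to the ones inserted after .El there), so no text is lost; the page now ends at the .Re on right-hand line 300, which is a valid end for an mdoc document.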