path: root/ssh-keygen.1
Diffstat (limited to 'ssh-keygen.1')
-rw-r--r--  ssh-keygen.1  89
1 files changed, 65 insertions, 24 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 64638aa9c..0845b4066 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $ 1.\" $OpenBSD: ssh-keygen.1,v 1.98 2010/08/04 06:07:11 djm Exp $
2.\" 2.\"
3.\" -*- nroff -*- 3.\" -*- nroff -*-
4.\" 4.\"
@@ -37,15 +37,15 @@
37.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 37.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 38.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39.\" 39.\"
40.Dd $Mdocdate: March 13 2010 $ 40.Dd $Mdocdate: August 4 2010 $
41.Dt SSH-KEYGEN 1 41.Dt SSH-KEYGEN 1
42.Os 42.Os
43.Sh NAME 43.Sh NAME
44.Nm ssh-keygen 44.Nm ssh-keygen
45.Nd authentication key generation, management and conversion 45.Nd authentication key generation, management and conversion
46.Sh SYNOPSIS 46.Sh SYNOPSIS
47.Nm ssh-keygen
48.Bk -words 47.Bk -words
48.Nm ssh-keygen
49.Op Fl q 49.Op Fl q
50.Op Fl b Ar bits 50.Op Fl b Ar bits
51.Fl t Ar type 51.Fl t Ar type
@@ -59,9 +59,11 @@
59.Op Fl f Ar keyfile 59.Op Fl f Ar keyfile
60.Nm ssh-keygen 60.Nm ssh-keygen
61.Fl i 61.Fl i
62.Op Fl m Ar key_format
62.Op Fl f Ar input_keyfile 63.Op Fl f Ar input_keyfile
63.Nm ssh-keygen 64.Nm ssh-keygen
64.Fl e 65.Fl e
66.Op Fl m Ar key_format
65.Op Fl f Ar input_keyfile 67.Op Fl f Ar input_keyfile
66.Nm ssh-keygen 68.Nm ssh-keygen
67.Fl y 69.Fl y
@@ -110,8 +112,9 @@
110.Fl I Ar certificate_identity 112.Fl I Ar certificate_identity
111.Op Fl h 113.Op Fl h
112.Op Fl n Ar principals 114.Op Fl n Ar principals
113.Op Fl O Ar constraint 115.Op Fl O Ar option
114.Op Fl V Ar validity_interval 116.Op Fl V Ar validity_interval
117.Op Fl z Ar serial_number
115.Ar 118.Ar
116.Nm ssh-keygen 119.Nm ssh-keygen
117.Fl L 120.Fl L
@@ -210,13 +213,20 @@ the passphrase if the key has one, and for the new comment.
210.It Fl D Ar pkcs11 213.It Fl D Ar pkcs11
211Download the RSA public keys provided by the PKCS#11 shared library 214Download the RSA public keys provided by the PKCS#11 shared library
212.Ar pkcs11 . 215.Ar pkcs11 .
216When used in combination with
217.Fl s ,
218this option indicates that a CA key resides in a PKCS#11 token (see the
219.Sx CERTIFICATES
220section for details).
213.It Fl e 221.It Fl e
214This option will read a private or public OpenSSH key file and 222This option will read a private or public OpenSSH key file and
215print the key in 223print to stdout the key in one of the formats specified by the
216RFC 4716 SSH Public Key File Format 224.Fl m
217to stdout. 225option.
218This option allows exporting keys for use by several commercial 226The default export format is
219SSH implementations. 227.Dq RFC4716 .
228This option allows exporting OpenSSH keys for use by other programs, including
229several commercial SSH implementations.
220.It Fl F Ar hostname 230.It Fl F Ar hostname
221Search for the specified 231Search for the specified
222.Ar hostname 232.Ar hostname
@@ -267,13 +277,14 @@ Please see the
267section for details. 277section for details.
268.It Fl i 278.It Fl i
269This option will read an unencrypted private (or public) key file 279This option will read an unencrypted private (or public) key file
270in SSH2-compatible format and print an OpenSSH compatible private 280in the format specified by the
281.Fl m
282option and print an OpenSSH compatible private
271(or public) key to stdout. 283(or public) key to stdout.
272.Nm 284This option allows importing keys from other software, including several
273also reads the 285commercial SSH implementations.
274RFC 4716 SSH Public Key File Format. 286The default import format is
275This option allows importing keys from several commercial 287.Dq RFC4716 .
276SSH implementations.
277.It Fl L 288.It Fl L
278Prints the contents of a certificate. 289Prints the contents of a certificate.
279.It Fl l 290.It Fl l
@@ -288,6 +299,22 @@ an ASCII art representation of the key is supplied with the fingerprint.
288.It Fl M Ar memory 299.It Fl M Ar memory
289Specify the amount of memory to use (in megabytes) when generating 300Specify the amount of memory to use (in megabytes) when generating
290candidate moduli for DH-GEX. 301candidate moduli for DH-GEX.
302.It Fl m Ar key_format
303Specify a key format for the
304.Fl i
305(import) or
306.Fl e
307(export) conversion options.
308The supported key formats are:
309.Dq RFC4716
310(RFC 4716/SSH2 public or private key),
311.Dq PKCS8
312(PEM PKCS8 public key)
313or
314.Dq PEM
315(PEM public key).
316The default conversion format is
317.Dq RFC4716 .
291.It Fl N Ar new_passphrase 318.It Fl N Ar new_passphrase
292Provides the new passphrase. 319Provides the new passphrase.
293.It Fl n Ar principals 320.It Fl n Ar principals
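Review bot: the PKCS8 and PEM entries are described as public key formats only ("PEM PKCS8 public key", "PEM public key"), whereas the -i and -e descriptions above talk about "private or public" key files; state in this -m text that private key import and export are only available with the RFC4716 format, so readers do not expect the PKCS8 or PEM conversions to handle a private key.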
@@ -297,13 +324,13 @@ Multiple principals may be specified, separated by commas.
297Please see the 324Please see the
298.Sx CERTIFICATES 325.Sx CERTIFICATES
299section for details. 326section for details.
300.It Fl O Ar constraint 327.It Fl O Ar option
301Specify a certificate constraint when signing a key. 328Specify a certificate option when signing a key.
302This option may be specified multiple times. 329This option may be specified multiple times.
303Please see the 330Please see the
304.Sx CERTIFICATES 331.Sx CERTIFICATES
305section for details. 332section for details.
306The constraints that are valid for user certificates are: 333The options that are valid for user certificates are:
307.Bl -tag -width Ds 334.Bl -tag -width Ds
308.It Ic clear 335.It Ic clear
309Clear all enabled permissions. 336Clear all enabled permissions.
@@ -353,7 +380,7 @@ is a comma-separated list of one or more address/netmask pairs in CIDR
353format. 380format.
354.El 381.El
355.Pp 382.Pp
356At present, no constraints are valid for host keys. 383At present, no options are valid for host keys.
357.It Fl P Ar passphrase 384.It Fl P Ar passphrase
358Provides the (old) passphrase. 385Provides the (old) passphrase.
359.It Fl p 386.It Fl p
@@ -437,6 +464,10 @@ Specify desired generator when testing candidate moduli for DH-GEX.
437.It Fl y 464.It Fl y
438This option will read a private 465This option will read a private
439OpenSSH format file and print an OpenSSH public key to stdout. 466OpenSSH format file and print an OpenSSH public key to stdout.
467.It Fl z Ar serial_number
468Specifies a serial number to be embedded in the certificate to distinguish
469this certificate from others from the same CA.
470The default serial number is zero.
440.El 471.El
441.Sh MODULI GENERATION 472.Sh MODULI GENERATION
442.Nm 473.Nm
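Review bot: "The default serial number is zero" means every certificate issued without -z carries the same serial, which undercuts the stated purpose of distinguishing certificates from the same CA; suggest adding a sentence advising CAs to supply a unique serial (for example from a counter) whenever certificates must be told apart later, e.g. in server logs.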
@@ -497,7 +528,7 @@ that both ends of a connection share common moduli.
497supports signing of keys to produce certificates that may be used for 528supports signing of keys to produce certificates that may be used for
498user or host authentication. 529user or host authentication.
499Certificates consist of a public key, some identity information, zero or 530Certificates consist of a public key, some identity information, zero or
500more principal (user or host) names and an optional set of constraints that 531more principal (user or host) names and a set of options that
501are signed by a Certification Authority (CA) key. 532are signed by a Certification Authority (CA) key.
502Clients or servers may then trust only the CA key and verify its signature 533Clients or servers may then trust only the CA key and verify its signature
503on a certificate rather than trusting many user/host keys. 534on a certificate rather than trusting many user/host keys.
@@ -523,7 +554,17 @@ option:
523.Pp 554.Pp
524The host certificate will be output to 555The host certificate will be output to
525.Pa /path/to/host_key-cert.pub . 556.Pa /path/to/host_key-cert.pub .
526In both cases, 557.Pp
558It is possible to sign using a CA key stored in a PKCS#11 token by
559providing the token library using
560.Fl D
561and identifying the CA key by providing its public half as an argument
562to
563.Fl s :
564.Pp
565.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub
566.Pp
567In all cases,
527.Ar key_id 568.Ar key_id
528is a "key identifier" that is logged by the server when the certificate 569is a "key identifier" that is logged by the server when the certificate
529is used for authentication. 570is used for authentication.
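Review bot: the new example line ".Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub" is unquoted while the neighbouring example ".Dl \"$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub\"" quotes its argument; quote this one the same way for consistency. Since the earlier examples pass the private ca_key to -s, a short clause noting that with -D the private key stays on the token and only its public half is given to -s (which the preceding sentence implies) would make "ca_key.pub" less surprising.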
@@ -537,11 +578,11 @@ To generate a certificate for a specified set of principals:
537.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" 578.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
538.Pp 579.Pp
539Additional limitations on the validity and use of user certificates may 580Additional limitations on the validity and use of user certificates may
540be specified through certificate constraints. 581be specified through certificate options.
541A constrained certificate may disable features of the SSH session, may be 582A certificate option may disable features of the SSH session, may be
542valid only when presented from particular source addresses or may 583valid only when presented from particular source addresses or may
543force the use of a specific command. 584force the use of a specific command.
544For a list of valid certificate constraints, see the documentation for the 585For a list of valid certificate options, see the documentation for the
545.Fl O 586.Fl O
546option above. 587option above.
547.Pp 588.Pp