Diffstat (limited to 'ssh-keygen.1')
-rw-r--r-- | ssh-keygen.1 | 57 |
1 files changed, 42 insertions, 15 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 151cab0ef..299ccf8dd 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 | |||
@@ -1,4 +1,4 @@ | |||
1 | .\" $OpenBSD: ssh-keygen.1,v 1.116 2013/06/27 14:05:37 jmc Exp $ | 1 | .\" $OpenBSD: ssh-keygen.1,v 1.119 2013/12/21 07:10:47 tedu Exp $ |
2 | .\" | 2 | .\" |
3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -35,7 +35,7 @@ | |||
35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 35 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 36 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
37 | .\" | 37 | .\" |
38 | .Dd $Mdocdate: June 27 2013 $ | 38 | .Dd $Mdocdate: December 21 2013 $ |
39 | .Dt SSH-KEYGEN 1 | 39 | .Dt SSH-KEYGEN 1 |
40 | .Os | 40 | .Os |
41 | .Sh NAME | 41 | .Sh NAME |
@@ -103,7 +103,7 @@ | |||
103 | .Fl T Ar output_file | 103 | .Fl T Ar output_file |
104 | .Fl f Ar input_file | 104 | .Fl f Ar input_file |
105 | .Op Fl v | 105 | .Op Fl v |
106 | .Op Fl a Ar num_trials | 106 | .Op Fl a Ar rounds |
107 | .Op Fl J Ar num_lines | 107 | .Op Fl J Ar num_lines |
108 | .Op Fl j Ar start_line | 108 | .Op Fl j Ar start_line |
109 | .Op Fl K Ar checkpt | 109 | .Op Fl K Ar checkpt |
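Review bot: renaming the argument to `rounds` in the -T synopsis (line 106) is misleading, because under -T the value is still the number of primality tests to run on DH-GEX candidates, as the option text later in this patch says itself; keep `num_trials` here, or use `rounds` only where -a is listed for key generation. Note also that in the hunks shown, -a is only ever listed in the -T synopsis, so the new KDF-rounds meaning given to -a in the option description is not reflected in any key-generation synopsis line.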
@@ -139,8 +139,8 @@ | |||
139 | generates, manages and converts authentication keys for | 139 | generates, manages and converts authentication keys for |
140 | .Xr ssh 1 . | 140 | .Xr ssh 1 . |
141 | .Nm | 141 | .Nm |
142 | can create RSA keys for use by SSH protocol version 1 and DSA, ECDSA or RSA | 142 | can create RSA keys for use by SSH protocol version 1 and |
143 | keys for use by SSH protocol version 2. | 143 | DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2. |
144 | The type of key to be generated is specified with the | 144 | The type of key to be generated is specified with the |
145 | .Fl t | 145 | .Fl t |
146 | option. | 146 | option. |
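Review bot: the spelling of the new key type varies across the patch: `ED25519` here (line 143) and in the -b and FILES text, `Ed25519` in the -o description, and lowercase `ed25519` for the -t value and in the -A list. The -t value has to stay lowercase since it is what the user types, but pick one form for prose and use it throughout.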
@@ -167,8 +167,9 @@ Normally each user wishing to use SSH | |||
167 | with public key authentication runs this once to create the authentication | 167 | with public key authentication runs this once to create the authentication |
168 | key in | 168 | key in |
169 | .Pa ~/.ssh/identity , | 169 | .Pa ~/.ssh/identity , |
170 | .Pa ~/.ssh/id_dsa , | ||
170 | .Pa ~/.ssh/id_ecdsa , | 171 | .Pa ~/.ssh/id_ecdsa , |
171 | .Pa ~/.ssh/id_dsa | 172 | .Pa ~/.ssh/id_ed25519 |
172 | or | 173 | or |
173 | .Pa ~/.ssh/id_rsa . | 174 | .Pa ~/.ssh/id_rsa . |
174 | Additionally, the system administrator may use this to generate host keys. | 175 | Additionally, the system administrator may use this to generate host keys. |
@@ -214,15 +215,25 @@ should be placed to be activated. | |||
214 | The options are as follows: | 215 | The options are as follows: |
215 | .Bl -tag -width Ds | 216 | .Bl -tag -width Ds |
216 | .It Fl A | 217 | .It Fl A |
217 | For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys | 218 | For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) |
219 | for which host keys | ||
218 | do not exist, generate the host keys with the default key file path, | 220 | do not exist, generate the host keys with the default key file path, |
219 | an empty passphrase, default bits for the key type, and default comment. | 221 | an empty passphrase, default bits for the key type, and default comment. |
220 | This is used by system administration scripts to generate new host keys. | 222 | This is used by system administration scripts to generate new host keys. |
221 | .It Fl a Ar trials | 223 | .It Fl a Ar rounds |
222 | Specifies the number of primality tests to perform when screening DH-GEX | 224 | When saving a new-format private key (i.e. an ed25519 key or any SSH protocol |
223 | candidates using the | 225 | 2 key when the |
226 | .Fl o | ||
227 | flag is set), this option specifies the number of KDF (key derivation function) | ||
228 | rounds used. | ||
229 | Higher numbers result in slower passphrase verification and increased | ||
230 | resistance to brute-force password cracking (should the keys be stolen). | ||
231 | .Pp | ||
232 | When screening DH-GEX candidates ( | ||
233 | using the | ||
224 | .Fl T | 234 | .Fl T |
225 | command. | 235 | command). |
236 | This option specifies the number of primality tests to perform. | ||
226 | .It Fl B | 237 | .It Fl B |
227 | Show the bubblebabble digest of specified private or public key file. | 238 | Show the bubblebabble digest of specified private or public key file. |
228 | .It Fl b Ar bits | 239 | .It Fl b Ar bits |
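Review bot: the lone `(` on line 232 is followed by a line break, so the rendered text reads `candidates ( using the -T command)` with a stray space after the parenthesis; fold it onto one line or use the mdoc `.Po`/`.Pc` pair. The new KDF paragraph (lines 224-230) also never states the default number of rounds, which is the one number a reader deciding whether to raise it needs; adding "defaults to N" next to "Higher numbers result in slower passphrase verification" would make the trade-off concrete.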
@@ -236,6 +247,9 @@ flag determines the key length by selecting from one of three elliptic | |||
236 | curve sizes: 256, 384 or 521 bits. | 247 | curve sizes: 256, 384 or 521 bits. |
237 | Attempting to use bit lengths other than these three values for ECDSA keys | 248 | Attempting to use bit lengths other than these three values for ECDSA keys |
238 | will fail. | 249 | will fail. |
250 | ED25519 keys have a fixed length and the | ||
251 | .Fl b | ||
252 | flag will be ignored. | ||
239 | .It Fl C Ar comment | 253 | .It Fl C Ar comment |
240 | Provides a new comment. | 254 | Provides a new comment. |
241 | .It Fl c | 255 | .It Fl c |
@@ -443,6 +457,14 @@ format. | |||
443 | .El | 457 | .El |
444 | .Pp | 458 | .Pp |
445 | At present, no options are valid for host keys. | 459 | At present, no options are valid for host keys. |
460 | .It Fl o | ||
461 | Causes | ||
462 | .Nm | ||
463 | to save SSH protocol 2 private keys using the new OpenSSH format rather than | ||
464 | the more compatible PEM format. | ||
465 | The new format has increased resistance to brute-force password cracking | ||
466 | but is not supported by versions of OpenSSH prior to 6.5. | ||
467 | Ed25519 keys always use the new private key format. | ||
446 | .It Fl P Ar passphrase | 468 | .It Fl P Ar passphrase |
447 | Provides the (old) passphrase. | 469 | Provides the (old) passphrase. |
448 | .It Fl p | 470 | .It Fl p |
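Review bot: the -o text (lines 465-466) says the new format has increased resistance to brute-force password cracking but does not say where that resistance comes from; cross-reference -a, whose `rounds` argument is what sets the KDF cost, so a reader knows it is tunable. Also, since line 467 states that Ed25519 keys always use the new format, the "not supported by versions of OpenSSH prior to 6.5" caveat applies to every ed25519 private key, not only to keys saved with -o; it is worth saying so here or under the ed25519 entry for -t.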
@@ -494,7 +516,8 @@ The possible values are | |||
494 | .Dq rsa1 | 516 | .Dq rsa1 |
495 | for protocol version 1 and | 517 | for protocol version 1 and |
496 | .Dq dsa , | 518 | .Dq dsa , |
497 | .Dq ecdsa | 519 | .Dq ecdsa , |
520 | .Dq ed25519 , | ||
498 | or | 521 | or |
499 | .Dq rsa | 522 | .Dq rsa |
500 | for protocol version 2. | 523 | for protocol version 2. |
@@ -687,7 +710,7 @@ Please refer to those manual pages for details. | |||
687 | .Nm | 710 | .Nm |
688 | is able to manage OpenSSH format Key Revocation Lists (KRLs). | 711 | is able to manage OpenSSH format Key Revocation Lists (KRLs). |
689 | These binary files specify keys or certificates to be revoked using a | 712 | These binary files specify keys or certificates to be revoked using a |
690 | compact format, taking as little a one bit per certificate if they are being | 713 | compact format, taking as little as one bit per certificate if they are being |
691 | revoked by serial number. | 714 | revoked by serial number. |
692 | .Pp | 715 | .Pp |
693 | KRLs may be generated using the | 716 | KRLs may be generated using the |
@@ -774,8 +797,10 @@ There is no need to keep the contents of this file secret. | |||
774 | .Pp | 797 | .Pp |
775 | .It Pa ~/.ssh/id_dsa | 798 | .It Pa ~/.ssh/id_dsa |
776 | .It Pa ~/.ssh/id_ecdsa | 799 | .It Pa ~/.ssh/id_ecdsa |
800 | .It Pa ~/.ssh/id_ed25519 | ||
777 | .It Pa ~/.ssh/id_rsa | 801 | .It Pa ~/.ssh/id_rsa |
778 | Contains the protocol version 2 DSA, ECDSA or RSA authentication identity of the user. | 802 | Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA |
803 | authentication identity of the user. | ||
779 | This file should not be readable by anyone but the user. | 804 | This file should not be readable by anyone but the user. |
780 | It is possible to | 805 | It is possible to |
781 | specify a passphrase when generating the key; that passphrase will be | 806 | specify a passphrase when generating the key; that passphrase will be |
@@ -788,8 +813,10 @@ will read this file when a login attempt is made. | |||
788 | .Pp | 813 | .Pp |
789 | .It Pa ~/.ssh/id_dsa.pub | 814 | .It Pa ~/.ssh/id_dsa.pub |
790 | .It Pa ~/.ssh/id_ecdsa.pub | 815 | .It Pa ~/.ssh/id_ecdsa.pub |
816 | .It Pa ~/.ssh/id_ed25519.pub | ||
791 | .It Pa ~/.ssh/id_rsa.pub | 817 | .It Pa ~/.ssh/id_rsa.pub |
792 | Contains the protocol version 2 DSA, ECDSA or RSA public key for authentication. | 818 | Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA |
819 | public key for authentication. | ||
793 | The contents of this file should be added to | 820 | The contents of this file should be added to |
794 | .Pa ~/.ssh/authorized_keys | 821 | .Pa ~/.ssh/authorized_keys |
795 | on all machines | 822 | on all machines |