SSH-KEYGEN(1)            System General Commands Manual           SSH-KEYGEN(1)

NAME
     ssh-keygen - authentication key generation, management and conversion

SYNOPSIS
     ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment]
                [-f output_keyfile]
     ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
     ssh-keygen -i [-f input_keyfile]
     ssh-keygen -e [-f input_keyfile]
     ssh-keygen -y [-f input_keyfile]
     ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
     ssh-keygen -l [-f input_keyfile]
     ssh-keygen -B [-f input_keyfile]
     ssh-keygen -D reader
     ssh-keygen -U reader [-f input_keyfile]

DESCRIPTION
     ssh-keygen generates, manages and converts authentication keys for
     ssh(1).  ssh-keygen can create RSA keys for use by SSH protocol version 1
     and RSA or DSA keys for use by SSH protocol version 2.  The type of key to
     be generated is specified with the -t option.  Protocol version 1 has
     known cryptographic weaknesses and has since been removed from OpenSSH,
     and ssh-dss (DSA) keys are disabled by default in current releases; on a
     current system generate protocol version 2 RSA keys.

     Normally each user wishing to use SSH with RSA or DSA authentication runs
     this once to create the authentication key in $HOME/.ssh/identity,
     $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa.  Additionally, the system
     administrator may use this to generate host keys, as seen in /etc/rc.

     Normally this program generates the key and asks for a file in which to
     store the private key.  The public key is stored in a file with the same
     name but ``.pub'' appended.  The program also asks for a passphrase.  The
     passphrase may be empty to indicate no passphrase (host keys must have an
     empty passphrase), or it may be a string of arbitrary length.  A
     passphrase is similar to a password, except it can be a phrase with a
     series of words, punctuation, numbers, whitespace, or any string of
     characters you want.  Good passphrases are 10-30 characters long, are not
     simple sentences or otherwise easily guessable (English prose has only
     1-2 bits of entropy per character, and provides very bad passphrases),
     and contain a mix of upper and lowercase letters, numbers, and non-
     alphanumeric characters.  The passphrase can be changed later by using
     the -p option.

     There is no way to recover a lost passphrase.  If the passphrase is lost
     or forgotten, a new key must be generated and its public key copied to
     the other machines in place of the old one.

     For RSA1 keys, there is also a comment field in the key file that is only
     for convenience to the user to help identify the key.  The comment can
     tell what the key is for, or whatever is useful.  The comment is
     initialized to ``user@host'' when the key is created, but can be changed
     using the -c option.

     After a key is generated, instructions below detail where the keys should
     be placed to be activated.

     The options are as follows:

     -b bits
             Specifies the number of bits in the key to create.  Minimum is
             512 bits.  The default is 1024 bits.  Larger keys make key
             generation and each authentication slower but give a larger
             security margin; 1024-bit RSA is no longer considered adequate,
             and later OpenSSH releases raised the default.

     -c      Requests changing the comment in the private and public key
             files.  This operation is only supported for RSA1 keys.  The
             program will prompt for the file containing the private key, for
             the passphrase if the key has one, and for the new comment.

     -e      This option will read a private or public OpenSSH key file and
             print the key in the `SECSH Public Key File Format' to stdout.
             This option allows exporting keys for use by several commercial
             SSH implementations.

     -f filename
             Specifies the filename of the key file.

     -i      This option will read an unencrypted private (or public) key file
             in SSH2-compatible format and print an OpenSSH compatible private
             (or public) key to stdout.  ssh-keygen also reads the `SECSH
             Public Key File Format'.  This option allows importing keys from
             several commercial SSH implementations.
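
     The public-key half of what -e and -i do, written out as an added Python
     example (not OpenSSH's code) so the layout of the SECSH container is
     visible next to the one-line OpenSSH form.  Assumptions: body lines are
     wrapped at 70 columns, and the sample key is built from toy RSA
     parameters that do not form a usable key.

```python
"""Export an OpenSSH public key line to the SECSH Public Key File Format
(draft-ietf-secsh-publickeyfile) and import it back, which is what the -e
and -i options do for public keys.

Added example, not OpenSSH's code.  Assumptions: body lines are wrapped at
70 columns, and the sample key is built from toy RSA parameters that do not
form a usable key."""
import base64
import struct
import textwrap

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': big-endian magnitude, 0x00-prefixed if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_sample_openssh_line(comment: str = "user@host") -> str:
    """Constructed sample: an ssh-rsa blob with toy e and n (not a real key)."""
    e, n = 65537, 0xC0FFEE1234567890ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _blob_keytype(blob: bytes) -> str:
    """The key type word is the first SSH string inside the blob."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    if 4 + tlen > len(blob):
        raise ValueError("truncated key type word")
    return blob[4:4 + tlen].decode("ascii", "strict")


def openssh_to_secsh(line: str) -> str:
    """Like ssh-keygen -e: same blob, base64 wrapped at 70 columns, comment kept
    as a header.  The leading type word of the OpenSSH line is not repeated
    because the SECSH body carries it inside the blob."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if _blob_keytype(blob) != fields[0]:
        raise ValueError("key type word does not match blob")
    comment = fields[2] if len(fields) == 3 else ""
    header = f'Comment: "{comment}"\n' if comment else ""
    body = "\n".join(textwrap.wrap(base64.b64encode(blob).decode(), 70))
    return f"{BEGIN}\n{header}{body}\n{END}\n"


def secsh_to_openssh(text: str) -> str:
    """Like ssh-keygen -i for a public key: drop the markers, parse headers
    (including backslash-continued ones), re-join the base64 body and take
    the key type from the blob itself."""
    lines = text.strip().splitlines()
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SECSH begin/end markers")
    comment, body, i = "", [], 1
    while i < len(lines) - 1:
        ln = lines[i]
        if ":" in ln and not body:          # base64 never contains ':'
            name, _, value = ln.partition(":")
            while value.endswith("\\") and i + 1 < len(lines) - 1:
                i += 1                      # header continued on the next line
                value = value[:-1] + lines[i]
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(ln.strip())
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    out = f"{_blob_keytype(blob)} {base64.b64encode(blob).decode()}"
    return f"{out} {comment}" if comment else out
```

     A round trip through openssh_to_secsh and secsh_to_openssh returns the
     original line; a line whose first word disagrees with the type stored in
     the blob is rejected before anything is written.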

     -l      Show fingerprint of specified public key file.  Private RSA1 keys
             are also supported.  For RSA and DSA keys ssh-keygen tries to
             find the matching public key file and prints its fingerprint.
             The fingerprint is a hash of the public key blob (MD5, printed as
             colon-separated hex, in the OpenSSH releases this page describes;
             later releases default to SHA256).  Compare it out of band with
             the value the key's owner or the remote host reports before
             trusting a key.

     -p      Requests changing the passphrase of a private key file instead of
             creating a new private key.  The program will prompt for the file
             containing the private key, for the old passphrase, and twice for
             the new passphrase.

     -q      Silence ssh-keygen.  Used by /etc/rc when creating a new key.

     -y      This option will read a private OpenSSH format file and print an
             OpenSSH public key to stdout.

     -t type
             Specifies the type of the key to create.  The possible values are
             ``rsa1'' for protocol version 1 and ``rsa'' or ``dsa'' for
             protocol version 2.

     -B      Show the bubblebabble digest of specified private or public key
             file.  This is the Bubble Babble encoding of a SHA1 hash of the
             key, which is easier to read aloud and compare than hex.
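
     Both fingerprint forms, as an added Python example (not OpenSSH's code):
     the colon-separated MD5 hex that -l printed in the releases this page
     describes, and the Bubble Babble encoding of a SHA1 hash that -B prints.
     The blob is parsed field by field before hashing, so a truncated or
     padded key is rejected rather than silently fingerprinted.  The sample
     key uses toy RSA parameters and is not usable; the Bubble Babble test
     vectors used below are the ones from the encoding's specification.

```python
"""Fingerprints as ssh-keygen -l (MD5 colon-hex, era of this page) and
ssh-keygen -B (Bubble Babble over SHA1) print them, after validating the
key blob structure.

Added example, not OpenSSH's code.  The sample key is built from toy RSA
parameters and is not usable."""
import base64
import hashlib
import struct

_VOWELS = "aeiouy"
_CONSONANTS = "bcdfghklmnprstvzx"


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw              # keep the value positive
    return _ssh_string(raw)


def make_sample_openssh_line() -> str:
    """Constructed sample key line (toy parameters, not a real key)."""
    e, n = 65537, 0xC0FFEE1234567890ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} user@host"


def parse_public_key_line(line: str) -> tuple[str, bytes, dict]:
    """Split '<type> <base64> [comment]', decode the blob and walk every field.
    Returns (keytype, blob, fields); raises ValueError on any inconsistency."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    # ssh-rsa blobs carry e then n; ssh-dss blobs carry p, q, g then y.
    names = {"ssh-rsa": ("e", "n"), "ssh-dss": ("p", "q", "g", "y")}.get(keytype)
    if names is None:
        raise ValueError(f"unsupported key type {keytype!r}")
    pos, fields = 0, {}

    def take() -> bytes:
        nonlocal pos
        if pos + 4 > len(blob):
            raise ValueError("truncated blob")
        (ln,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + ln > len(blob):
            raise ValueError("truncated blob")
        val = blob[pos:pos + ln]
        pos += ln
        return val

    if take() != keytype.encode():
        raise ValueError("key type word does not match blob")
    for name in names:
        fields[name] = int.from_bytes(take(), "big")
    if pos != len(blob):
        raise ValueError("trailing bytes after key fields")
    return keytype, blob, fields


def md5_fingerprint(blob: bytes) -> str:
    """ssh-keygen -l style of the period: 16 hex bytes separated by colons."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def bubblebabble(data: bytes) -> str:
    """Bubble Babble encoding (Huima): 'x', five-letter groups joined by '-',
    a running checksum seed mixed into the vowels, closing 'x'."""
    seed, out = 1, ["x"]
    pairs = len(data) // 2
    for i in range(pairs + 1):
        if i < pairs or len(data) % 2:
            b1 = data[2 * i]
            out.append(_VOWELS[(((b1 >> 6) & 3) + seed) % 6])
            out.append(_CONSONANTS[(b1 >> 2) & 15])
            out.append(_VOWELS[((b1 & 3) + seed // 6) % 6])
            if i < pairs:
                b2 = data[2 * i + 1]
                out.append(_CONSONANTS[(b2 >> 4) & 15] + "-" + _CONSONANTS[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:                                # even length: checksum-only tail
            out.append(_VOWELS[seed % 6] + "x" + _VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def bubblebabble_fingerprint(blob: bytes) -> str:
    """ssh-keygen -B style: Bubble Babble of the SHA1 digest of the blob."""
    return bubblebabble(hashlib.sha1(blob).digest())
```

     parse_public_key_line refuses a blob whose embedded type word disagrees
     with the first field, so a line that was edited by hand or truncated on
     paste fails loudly instead of producing a plausible-looking fingerprint.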

     -C comment
             Provides the new comment.

     -D reader
             Download the RSA public key stored in the smartcard in reader.

     -N new_passphrase
             Provides the new passphrase.  A passphrase given on the command
             line can be seen by other users of the system in the process
             list; prefer the interactive prompt on shared machines.

     -P passphrase
             Provides the (old) passphrase.  The same caveat as for -N
             applies.

     -U reader
             Upload an existing RSA private key into the smartcard in reader.

FILES
     $HOME/.ssh/identity
             Contains the protocol version 1 RSA authentication identity of
             the user.  This file should not be readable by anyone but the
             user.  It is possible to specify a passphrase when generating the
             key; that passphrase will be used to encrypt the private part of
             this file using 3DES.  This file is not automatically accessed by
             ssh-keygen but it is offered as the default file for the private
             key.  ssh(1) will read this file when a login attempt is made.

     $HOME/.ssh/identity.pub
             Contains the protocol version 1 RSA public key for
             authentication.  The contents of this file should be added to
             $HOME/.ssh/authorized_keys on all machines where the user wishes
             to log in using RSA authentication.  There is no need to keep the
             contents of this file secret.

     $HOME/.ssh/id_dsa
             Contains the protocol version 2 DSA authentication identity of
             the user.  This file should not be readable by anyone but the
             user.  It is possible to specify a passphrase when generating the
             key; that passphrase will be used to encrypt the private part of
             this file using 3DES.  This file is not automatically accessed by
             ssh-keygen but it is offered as the default file for the private
             key.  ssh(1) will read this file when a login attempt is made.

     $HOME/.ssh/id_dsa.pub
             Contains the protocol version 2 DSA public key for
             authentication.  The contents of this file should be added to
             $HOME/.ssh/authorized_keys on all machines where the user wishes
             to log in using public key authentication.  There is no need to
             keep the contents of this file secret.

     $HOME/.ssh/id_rsa
             Contains the protocol version 2 RSA authentication identity of
             the user.  This file should not be readable by anyone but the
             user.  It is possible to specify a passphrase when generating the
             key; that passphrase will be used to encrypt the private part of
             this file using 3DES.  This file is not automatically accessed by
             ssh-keygen but it is offered as the default file for the private
             key.  ssh(1) will read this file when a login attempt is made.

     $HOME/.ssh/id_rsa.pub
             Contains the protocol version 2 RSA public key for
             authentication.  The contents of this file should be added to
             $HOME/.ssh/authorized_keys on all machines where the user wishes
             to log in using public key authentication.  There is no need to
             keep the contents of this file secret.
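
     The installation step the FILES entries describe (append the .pub
     contents to $HOME/.ssh/authorized_keys on the target machine), as an
     added Python example that is not OpenSSH's code.  It adds the checks an
     operator wants around that step: the .ssh directory and the file stay
     private to the user, the line is validated before it is appended, and a
     key already present is not added a second time.  It works inside a
     temporary HOME rather than the real ~/.ssh, and the sample key line is
     built from toy values that do not form a usable key.

```python
"""Install a public key line into $HOME/.ssh/authorized_keys with the
checks an operator applies: private modes on the directory and file, a
validated key line, and no duplicate entries.

Added example, not OpenSSH's code.  It writes into a throwaway HOME created
with tempfile, and the sample key line is built from toy values."""
import base64
import os
import stat
import struct
import tempfile


def _sample_line(comment: str) -> str:
    """Constructed ssh-rsa line: type word, toy e and n as SSH strings."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00\xc0\xff\xee" + bytes(28))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def is_valid_public_key_line(line: str) -> bool:
    """Accept '<type> <base64> [comment]' only if the base64 decodes and the
    blob starts with the same key type word; this catches the usual paste
    damage (a line broken in two, a missing first field, a stray character)."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in ("ssh-rsa", "ssh-dss"):
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
        (tlen,) = struct.unpack(">I", blob[:4])
    except (ValueError, struct.error):
        return False
    return blob[4:4 + tlen] == parts[0].encode()


def private_mode_ok(path: str) -> bool:
    """True if group and others have no permission bits on the path."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def install_authorized_key(home: str, line: str) -> bool:
    """Append the line to $home/.ssh/authorized_keys.  Returns True if it was
    added, False if the same key material was already present (the comment
    is ignored in that comparison).  Raises ValueError for a malformed line."""
    if not is_valid_public_key_line(line):
        raise ValueError("refusing to install a malformed public key line")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)            # makedirs' mode is subject to umask
    path = os.path.join(ssh_dir, "authorized_keys")
    keytype, b64 = line.split(None, 2)[:2]
    present = []
    if os.path.exists(path):
        with open(path) as f:
            present = [ln.split(None, 2)[:2] for ln in f
                       if ln.strip() and not ln.startswith("#")]
    if [keytype, b64] in present:
        return False
    # Create with 0600 and re-apply it afterwards: sshd(8) with its default
    # StrictModes refuses an authorized_keys file that other users can write.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as f:
        f.write(line.rstrip("\n") + "\n")
    os.chmod(path, 0o600)
    return True


def demo() -> tuple[bool, bool, bool]:
    """Exercise the install in a temporary HOME.  Returns (first_added,
    duplicate_skipped, modes_private)."""
    with tempfile.TemporaryDirectory() as home:
        line = _sample_line("alice@laptop")
        first = install_authorized_key(home, line)
        # Same key material, different comment: must count as already present.
        second = install_authorized_key(home, line.replace("alice@laptop", "alice@desktop"))
        ssh_dir = os.path.join(home, ".ssh")
        modes = private_mode_ok(ssh_dir) and \
            private_mode_ok(os.path.join(ssh_dir, "authorized_keys"))
        return first, not second, modes
```

     The duplicate check compares only the type word and key material, so a
     key re-sent with a different comment is not installed twice, and the
     mode fix-ups run on every call so that a directory or file created
     earlier with a loose umask is tightened as a side effect.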

AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
     de Raadt and Dug Song removed many bugs, re-added newer features and
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.

SEE ALSO
     ssh(1), ssh-add(1), ssh-agent(1), sshd(8)

     J. Galbraith and R. Thayer, SECSH Public Key File Format, draft-ietf-
     secsh-publickeyfile-01.txt, March 2001, work in progress material.

BSD                            September 25, 1999                            BSD