.\" $OpenBSD: ssh-keygen.1,v 1.54 2002/06/19 00:27:55 deraadt Exp $
.\"
.\" -*- nroff -*-
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" All rights reserved
.\"
.\" As far as I am concerned, the code I have written for this software
.\" can be used freely for any purpose. Any derived versions of this
.\" software must be clearly marked as such, and if the derived work is
.\" incompatible with the protocol description in the RFC file, it must be
.\" called by a name other than "ssh" or "Secure Shell".
.\"
.\"
.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd September 25, 1999
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
.Nm ssh-keygen
.Nd authentication key generation, management and conversion
.Sh SYNOPSIS
.Nm ssh-keygen
.Op Fl q
.Op Fl b Ar bits
.Fl t Ar type
.Op Fl N Ar new_passphrase
.Op Fl C Ar comment
.Op Fl f Ar output_keyfile
.Nm ssh-keygen
.Fl p
.Op Fl P Ar old_passphrase
.Op Fl N Ar new_passphrase
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl i
.Op Fl f Ar input_keyfile
.Nm ssh-keygen
.Fl e
.Op Fl f Ar input_keyfile
.Nm ssh-keygen
.Fl y
.Op Fl f Ar input_keyfile
.Nm ssh-keygen
.Fl c
.Op Fl P Ar passphrase
.Op Fl C Ar comment
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl l
.Op Fl f Ar input_keyfile
.Nm ssh-keygen
.Fl B
.Op Fl f Ar input_keyfile
.Nm ssh-keygen
.Fl D Ar reader
.Nm ssh-keygen
.Fl U Ar reader
.Op Fl f Ar input_keyfile
.Sh DESCRIPTION
.Nm
generates, manages and converts authentication keys for
.Xr ssh 1 .
.Nm
can create RSA keys for use by SSH protocol version 1 and RSA or DSA
keys for use by SSH protocol version 2.
The type of key to be generated is specified with the
.Fl t
option.
.Pp
Normally each user wishing to use SSH
with RSA or DSA authentication runs this once to create the authentication
key in
.Pa $HOME/.ssh/identity ,
.Pa $HOME/.ssh/id_dsa
or
.Pa $HOME/.ssh/id_rsa .
Additionally, the system administrator may use this to generate host keys,
as seen in
.Pa /etc/rc .
.Pp
Normally this program generates the key and asks for a file in which
to store the private key.
The public key is stored in a file with the same name but
.Dq .pub
appended.
The program also asks for a passphrase.
The passphrase may be empty to indicate no passphrase
(host keys must have an empty passphrase), or it may be a string of
arbitrary length.
A passphrase is similar to a password, except it can be a phrase with a
series of words, punctuation, numbers, whitespace, or any string of
characters you want.
Good passphrases are 10-30 characters long, are
not simple sentences or otherwise easily guessable (English
prose has only 1-2 bits of entropy per character, and provides very bad
passphrases), and contain a mix of upper and lowercase letters,
numbers, and non-alphanumeric characters.
The passphrase can be changed later by using the
.Fl p
option.
.Pp
There is no way to recover a lost passphrase.
If the passphrase is lost or forgotten, a new key must be generated
and its public key copied to the other machines in place of the old one.
.Pp
For RSA1 keys,
there is also a comment field in the key file that is only for
convenience to the user to help identify the key.
The comment can tell what the key is for, or whatever is useful.
The comment is initialized to
.Dq user@host
when the key is created, but can be changed using the
.Fl c
option.
.Pp
After a key is generated, the instructions below detail where the keys
should be placed to be activated.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl b Ar bits
Specifies the number of bits in the key to create.
Minimum is 512 bits.
Generally 1024 bits is considered sufficient, and key sizes
above that no longer improve security but make things slower.
The default is 1024 bits.
.It Fl c
Requests changing the comment in the private and public key files.
This operation is only supported for RSA1 keys.
The program will prompt for the file containing the private keys, for
the passphrase if the key has one, and for the new comment.
.It Fl e
This option will read a private or public OpenSSH key file and
print the key in the
.Sq SECSH Public Key File Format
to stdout.
This option allows exporting keys for use by several commercial
SSH implementations.
.It Fl f Ar filename
Specifies the filename of the key file.
.It Fl i
This option will read an unencrypted private (or public) key file
in SSH2-compatible format and print an OpenSSH compatible private
(or public) key to stdout.
.Nm
also reads the
.Sq SECSH Public Key File Format .
This option allows importing keys from several commercial
SSH implementations.
.It Fl l
Show the fingerprint of the specified public key file.
Private RSA1 keys are also supported.
For RSA and DSA keys
.Nm
tries to find the matching public key file and prints its fingerprint.
.It Fl p
Requests changing the passphrase of a private key file instead of
creating a new private key.
The program will prompt for the file
containing the private key, for the old passphrase, and twice for the
new passphrase.
.It Fl q
Silence
.Nm ssh-keygen .
Used by
.Pa /etc/rc
when creating a new key.
.It Fl y
This option will read a private
OpenSSH format file and print an OpenSSH public key to stdout.
.It Fl t Ar type
Specifies the type of the key to create.
The possible values are
.Dq rsa1
for protocol version 1 and
.Dq rsa
or
.Dq dsa
for protocol version 2.
.It Fl B
Show the bubblebabble digest of the specified private or public key file.
.It Fl C Ar comment
Provides the new comment.
.It Fl D Ar reader
Download the RSA public key stored in the smartcard in
.Ar reader .
.It Fl N Ar new_passphrase
Provides the new passphrase.
.It Fl P Ar passphrase
Provides the (old) passphrase.
.It Fl U Ar reader
Upload an existing RSA private key into the smartcard in
.Ar reader .
.El
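.Pp
The following Python program is an added example and is not part of this
manual page or of OpenSSH; it models what the
.Fl l ,
.Fl e
and
.Fl i
options do to a protocol version 2 public key: it parses the one-line
OpenSSH form, checks that the key type named outside the base64 blob matches
the type string stored inside it, computes the colon-separated MD5
fingerprint that this version's
.Fl l
printed, and converts to and from the SECSH Public Key File Format
(the draft cited in SEE ALSO).
The wire-format layout (length-prefixed strings and mpints), the 70-column
body wrapping, and the sample key with a toy modulus are assumptions made
for the example; the sample key is constructed and must never be used.

```python
"""Added example (not part of the ssh-keygen manual page): parse an OpenSSH
public key line, fingerprint it (-l), export it as SECSH (-e), import it (-i).

Assumptions: the blob is the SSH wire encoding (4-byte big-endian length
prefixes; mpints get a leading 0x00 when the top bit is set); the SECSH
format uses "---- BEGIN/END SSH2 PUBLIC KEY ----" markers and Name: value
headers.  The sample key is CONSTRUCTED with a meaningless 64-bit modulus
so the code runs offline; it is not a usable key.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH 'string' field: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint'."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # keep the number positive in two's complement
        raw = b"\x00" + raw
    return _ssh_string(raw)


def parse_blob(blob: bytes) -> list:
    """Split a wire-format blob into its length-prefixed fields.

    Truncated or overlong length fields raise ValueError, which is how a
    corrupted or hand-edited authorized_keys line usually shows up.
    """
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def parse_openssh_line(line: str) -> tuple:
    """Return (key_type, blob, comment) from '<type> <base64> [comment]'.

    The type named outside the blob must equal the blob's first field;
    a mismatch is rejected rather than trusting either copy.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    blob = base64.b64decode(parts[1], validate=True)
    inner_type = parse_blob(blob)[0].decode("ascii")
    if inner_type != key_type:
        raise ValueError(f"type mismatch: {key_type!r} outside, {inner_type!r} inside")
    return key_type, blob, comment


def is_valid_openssh_line(line: str) -> bool:
    """Convenience wrapper: True if the line parses and is self-consistent."""
    try:
        parse_openssh_line(line)
        return True
    except ValueError:
        return False


def fingerprint_md5(blob: bytes) -> str:
    """MD5 fingerprint as colon-separated hex (16 bytes -> 47 characters)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def to_secsh(key_type: str, blob: bytes, comment: str) -> str:
    """Export as the SECSH Public Key File Format (what -e prints)."""
    b64 = base64.b64encode(blob).decode("ascii")
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        lines.append(f'Comment: "{comment}"')
    lines += [b64[i:i + 70] for i in range(0, len(b64), 70)]
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines) + "\n"


def from_secsh(text: str) -> str:
    """Import a SECSH file and return the OpenSSH one-line form (what -i does)."""
    comment, body, in_body = "", [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "---- BEGIN SSH2 PUBLIC KEY ----":
            in_body = True
            continue
        if line == "---- END SSH2 PUBLIC KEY ----":
            break
        if not in_body:
            continue
        if ":" in line:        # base64 never contains ':', so this is a header
            name, _, value = line.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
            continue
        body.append(line)
    if not body:
        raise ValueError("no key body found between the markers")
    blob = base64.b64decode("".join(body), validate=True)
    key_type = parse_blob(blob)[0].decode("ascii")
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()


# Constructed sample: "ssh-rsa", e = 65537, and a meaningless 64-bit modulus
# whose top bit is set (so the mpint encoder's leading-zero path is exercised).
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xD5A4C3B2A1908877)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " user@host"

if __name__ == "__main__":
    key_type, blob, comment = parse_openssh_line(SAMPLE_LINE)
    print(key_type, fingerprint_md5(blob), comment)      # what -l would show
    print(to_secsh(key_type, blob, comment), end="")     # what -e would show
    print(from_secsh(to_secsh(key_type, blob, comment)))  # what -i would show
```

The import path is the one to look at from a defender's view: a key whose
outer type word disagrees with the type inside the blob, or whose blob is
truncated, is rejected instead of being silently accepted into
.Pa authorized_keys .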
.Sh FILES
.Bl -tag -width Ds
.It Pa $HOME/.ssh/identity
Contains the protocol version 1 RSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
specify a passphrase when generating the key; that passphrase will be
used to encrypt the private part of this file using 3DES.
This file is not automatically accessed by
.Nm
but it is offered as the default file for the private key.
.Xr ssh 1
will read this file when a login attempt is made.
.It Pa $HOME/.ssh/identity.pub
Contains the protocol version 1 RSA public key for authentication.
The contents of this file should be added to
.Pa $HOME/.ssh/authorized_keys
on all machines
where the user wishes to log in using RSA authentication.
There is no need to keep the contents of this file secret.
.It Pa $HOME/.ssh/id_dsa
Contains the protocol version 2 DSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
specify a passphrase when generating the key; that passphrase will be
used to encrypt the private part of this file using 3DES.
This file is not automatically accessed by
.Nm
but it is offered as the default file for the private key.
.Xr ssh 1
will read this file when a login attempt is made.
.It Pa $HOME/.ssh/id_dsa.pub
Contains the protocol version 2 DSA public key for authentication.
The contents of this file should be added to
.Pa $HOME/.ssh/authorized_keys
on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
.It Pa $HOME/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
specify a passphrase when generating the key; that passphrase will be
used to encrypt the private part of this file using 3DES.
This file is not automatically accessed by
.Nm
but it is offered as the default file for the private key.
.Xr ssh 1
will read this file when a login attempt is made.
.It Pa $HOME/.ssh/id_rsa.pub
Contains the protocol version 2 RSA public key for authentication.
The contents of this file should be added to
.Pa $HOME/.ssh/authorized_keys
on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
.El
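.Pp
The following Python program is an added example, not part of this manual
page or of OpenSSH.
It audits the three private key files named above for the two properties
the FILES section calls out: the file must not be readable by anyone but the
user, and the private part may be left unencrypted when no passphrase was
given.
The encryption check rests on assumptions about the on-disk formats of this
era: a protocol version 2 key is a PEM file whose encrypted form carries a
.Dq Proc-Type: 4,ENCRYPTED
header, and a protocol version 1 identity file begins with the magic
.Dq SSH PRIVATE KEY FILE FORMAT 1.1
followed by a NUL and one cipher byte (0 for none, 3 for 3DES); verify those
against the OpenSSH source before relying on them.
The sample directory it builds is constructed for the demonstration.

```python
"""Added example (not part of the ssh-keygen manual page): audit the private
key files named in FILES for group/other readability and for missing
passphrase encryption.

Assumptions (verify against OpenSSH's authfile.c): protocol-2 keys are PEM
files where an encrypted key carries "Proc-Type: 4,ENCRYPTED" in its header
block; a protocol-1 identity file starts with the magic
"SSH PRIVATE KEY FILE FORMAT 1.1\n\0" followed by one cipher byte
(0 = none, 3 = 3DES).  The sample files are CONSTRUCTED and hold no real key.
"""
import os
import stat
import tempfile

PRIVATE_KEY_NAMES = ("identity", "id_dsa", "id_rsa")
RSA1_MAGIC = b"SSH PRIVATE KEY FILE FORMAT 1.1\n\x00"


def is_encrypted(data: bytes):
    """True/False when the key format is recognised, None otherwise."""
    if data.startswith(RSA1_MAGIC):
        # Cipher byte directly after the magic; 0 means the key is in the clear.
        cipher = data[len(RSA1_MAGIC)] if len(data) > len(RSA1_MAGIC) else 0
        return cipher != 0
    if data.startswith(b"-----BEGIN "):
        # PEM headers, if any, precede the first blank line.
        head = data.split(b"\n\n", 1)[0]
        return b"Proc-Type: 4,ENCRYPTED" in head
    return None


def audit_key_file(path: str) -> list:
    """Return a list of finding strings for one private key file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: readable or writable by group/others")
    with open(path, "rb") as fh:
        enc = is_encrypted(fh.read())
    if enc is False:
        findings.append("no passphrase: private key stored unencrypted")
    elif enc is None:
        findings.append("unrecognised key format")
    return findings


def audit_ssh_dir(ssh_dir: str) -> dict:
    """Audit every expected private key file present under ssh_dir."""
    report = {}
    for name in PRIVATE_KEY_NAMES:
        path = os.path.join(ssh_dir, name)
        if os.path.isfile(path):
            report[name] = audit_key_file(path)
    return report


def build_sample_dir() -> str:
    """Construct a throwaway .ssh directory with three sample key files:
    an encrypted id_rsa with correct mode, an unencrypted id_dsa that is
    world-readable, and an encrypted protocol-1 identity."""
    d = tempfile.mkdtemp()
    samples = {
        "id_rsa": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                   b"Proc-Type: 4,ENCRYPTED\n"
                   b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
                   b"AAAA\n-----END RSA PRIVATE KEY-----\n", 0o600),
        "id_dsa": (b"-----BEGIN DSA PRIVATE KEY-----\nAAAA\n"
                   b"-----END DSA PRIVATE KEY-----\n", 0o644),
        "identity": (RSA1_MAGIC + b"\x03" + b"\x00" * 4, 0o600),
    }
    for name, (data, mode) in samples.items():
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    for name, findings in audit_ssh_dir(build_sample_dir()).items():
        print(name, "->", findings or ["ok"])
```

Run against a real
.Pa $HOME/.ssh
the same function reports which identity files other local users could read
and which ones would be usable as-is if the file were copied off the machine;
host keys are expected to be unencrypted, so apply the passphrase finding to
user keys only.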
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
Theo de Raadt and Dug Song
removed many bugs, re-added newer features and
created OpenSSH.
Markus Friedl contributed the support for SSH
protocol versions 1.5 and 2.0.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr sshd 8
.Rs
.%A J. Galbraith
.%A R. Thayer
.%T "SECSH Public Key File Format"
.%N draft-ietf-secsh-publickeyfile-01.txt
.%D March 2001
.%O work in progress material
.Re