version 1.139, 2017/05/02 17:04:09 |
version 1.140, 2017/05/03 06:32:02 |
|
|
generates, manages and converts authentication keys for |
generates, manages and converts authentication keys for |
.Xr ssh 1 . |
.Xr ssh 1 . |
.Nm |
.Nm |
can create keys for use by SSH protocol versions 1 and 2. |
can create keys for use by SSH protocol version 2. |
Protocol 1 should not be used |
|
and is only offered to support legacy devices. |
|
It suffers from a number of cryptographic weaknesses |
|
and doesn't support many of the advanced features available for protocol 2. |
|
.Pp |
.Pp |
The type of key to be generated is specified with the |
The type of key to be generated is specified with the |
.Fl t |
.Fl t |
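Review bot: with the protocol 1 warning (L13-L19) and the "versions 1 and 2" wording (L11-L12) gone, the description no longer mentions rsa1 keys at all; since the `.Fl t` option introduced at L23-L26 is the place where key types are listed, confirm that its list in the surrounding text (not shown here) no longer offers `rsa1`, otherwise the man page would still advertise a key type this paragraph says cannot be created.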
|
|
Normally each user wishing to use SSH |
Normally each user wishing to use SSH |
with public key authentication runs this once to create the authentication |
with public key authentication runs this once to create the authentication |
key in |
key in |
.Pa ~/.ssh/identity , |
|
.Pa ~/.ssh/id_dsa , |
.Pa ~/.ssh/id_dsa , |
.Pa ~/.ssh/id_ecdsa , |
.Pa ~/.ssh/id_ecdsa , |
.Pa ~/.ssh/id_ed25519 |
.Pa ~/.ssh/id_ed25519 |
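Review bot: dropping `.Pa ~/.ssh/identity ,` from the default key-file list leaves the list beginning at `.Pa ~/.ssh/id_dsa ,` with its trailing comma intact, so the enumeration still reads correctly; this matches the removal of the same file from FILES further down and needs no further change.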
|
|
.Pa /etc/rc |
.Pa /etc/rc |
to generate new host keys. |
to generate new host keys. |
.It Fl a Ar rounds |
.It Fl a Ar rounds |
When saving a new-format private key (i.e. an ed25519 key or any SSH protocol |
When saving a new-format private key (i.e. an ed25519 key or when the |
2 key when the |
|
.Fl o |
.Fl o |
flag is set), this option specifies the number of KDF (key derivation function) |
flag is set), this option specifies the number of KDF (key derivation function) |
rounds used. |
rounds used. |
Higher numbers result in slower passphrase verification and increased |
Higher numbers result in slower passphrase verification and increased |
resistance to brute-force password cracking (should the keys be stolen). |
resistance to brute-force password cracking (should the keys be stolen). |
.Pp |
.Pp |
When screening DH-GEX candidates ( |
When screening DH-GEX candidates (using the |
using the |
|
.Fl T |
.Fl T |
command). |
command). |
This option specifies the number of primality tests to perform. |
This option specifies the number of primality tests to perform. |
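Review bot: the new text at L68-L74, "When screening DH-GEX candidates (using the .Fl T command).", is a sentence fragment closed with a full stop, and the following line "This option specifies the number of primality tests to perform." is left standing on its own; suggest joining them into one sentence, e.g. "When screening DH-GEX candidates (using the .Fl T command), this option specifies the number of primality tests to perform." The simplification at L52-L53 ("an ed25519 key or when the .Fl o flag is set") is consistent with protocol 1 being removed elsewhere and reads fine.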
|
|
A zero exit status will only be returned if no key was revoked. |
A zero exit status will only be returned if no key was revoked. |
.Sh FILES |
.Sh FILES |
.Bl -tag -width Ds -compact |
.Bl -tag -width Ds -compact |
.It Pa ~/.ssh/identity |
|
Contains the protocol version 1 RSA authentication identity of the user. |
|
This file should not be readable by anyone but the user. |
|
It is possible to |
|
specify a passphrase when generating the key; that passphrase will be |
|
used to encrypt the private part of this file using 3DES. |
|
This file is not automatically accessed by |
|
.Nm |
|
but it is offered as the default file for the private key. |
|
.Xr ssh 1 |
|
will read this file when a login attempt is made. |
|
.Pp |
|
.It Pa ~/.ssh/identity.pub |
|
Contains the protocol version 1 RSA public key for authentication. |
|
The contents of this file should be added to |
|
.Pa ~/.ssh/authorized_keys |
|
on all machines |
|
where the user wishes to log in using RSA authentication. |
|
There is no need to keep the contents of this file secret. |
|
.Pp |
|
.It Pa ~/.ssh/id_dsa |
.It Pa ~/.ssh/id_dsa |
.It Pa ~/.ssh/id_ecdsa |
.It Pa ~/.ssh/id_ecdsa |
.It Pa ~/.ssh/id_ed25519 |
.It Pa ~/.ssh/id_ed25519 |
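Review bot: the deleted `~/.ssh/identity` entry (L87-L105) carried two pieces of guidance that are not protocol 1 specific, "This file should not be readable by anyone but the user." and the note that a passphrase given at generation time encrypts the private part; since they apply equally to the `id_dsa`, `id_ecdsa` and `id_ed25519` private keys whose combined entry starts at L125-L130 (body not shown), check that the surviving entry keeps equivalent wording rather than losing it along with the protocol 1 text. The 3DES mention at L95 was specific to the old identity file format, so removing it is correct, and deleting `~/.ssh/identity.pub` (L109-L121) is consistent with the private-key entry going away.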