| version 1.139, 2017/05/02 17:04:09 |
version 1.140, 2017/05/03 06:32:02 |
|
|
| generates, manages and converts authentication keys for |
generates, manages and converts authentication keys for |
| .Xr ssh 1 . |
.Xr ssh 1 . |
| .Nm |
.Nm |
| can create keys for use by SSH protocol versions 1 and 2. |
can create keys for use by SSH protocol version 2. |
| Protocol 1 should not be used |
|
| and is only offered to support legacy devices. |
|
| It suffers from a number of cryptographic weaknesses |
|
| and doesn't support many of the advanced features available for protocol 2. |
|
| .Pp |
.Pp |
| The type of key to be generated is specified with the |
The type of key to be generated is specified with the |
| .Fl t |
.Fl t |
|
|
| Normally each user wishing to use SSH |
Normally each user wishing to use SSH |
| with public key authentication runs this once to create the authentication |
with public key authentication runs this once to create the authentication |
| key in |
key in |
| .Pa ~/.ssh/identity , |
|
| .Pa ~/.ssh/id_dsa , |
.Pa ~/.ssh/id_dsa , |
| .Pa ~/.ssh/id_ecdsa , |
.Pa ~/.ssh/id_ecdsa , |
| .Pa ~/.ssh/id_ed25519 |
.Pa ~/.ssh/id_ed25519 |
|
|
| .Pa /etc/rc |
.Pa /etc/rc |
| to generate new host keys. |
to generate new host keys. |
| .It Fl a Ar rounds |
.It Fl a Ar rounds |
| When saving a new-format private key (i.e. an ed25519 key or any SSH protocol |
When saving a new-format private key (i.e. an ed25519 key or when the |
| 2 key when the |
|
| .Fl o |
.Fl o |
| flag is set), this option specifies the number of KDF (key derivation function) |
flag is set), this option specifies the number of KDF (key derivation function) |
| rounds used. |
rounds used. |
| Higher numbers result in slower passphrase verification and increased |
Higher numbers result in slower passphrase verification and increased |
| resistance to brute-force password cracking (should the keys be stolen). |
resistance to brute-force password cracking (should the keys be stolen). |
| .Pp |
.Pp |
| When screening DH-GEX candidates ( |
When screening DH-GEX candidates (using the |
| using the |
|
| .Fl T |
.Fl T |
| command). |
command). |
| This option specifies the number of primality tests to perform. |
This option specifies the number of primality tests to perform. |
|
|
| A zero exit status will only be returned if no key was revoked. |
A zero exit status will only be returned if no key was revoked. |
| .Sh FILES |
.Sh FILES |
| .Bl -tag -width Ds -compact |
.Bl -tag -width Ds -compact |
| .It Pa ~/.ssh/identity |
|
| Contains the protocol version 1 RSA authentication identity of the user. |
|
| This file should not be readable by anyone but the user. |
|
| It is possible to |
|
| specify a passphrase when generating the key; that passphrase will be |
|
| used to encrypt the private part of this file using 3DES. |
|
| This file is not automatically accessed by |
|
| .Nm |
|
| but it is offered as the default file for the private key. |
|
| .Xr ssh 1 |
|
| will read this file when a login attempt is made. |
|
| .Pp |
|
| .It Pa ~/.ssh/identity.pub |
|
| Contains the protocol version 1 RSA public key for authentication. |
|
| The contents of this file should be added to |
|
| .Pa ~/.ssh/authorized_keys |
|
| on all machines |
|
| where the user wishes to log in using RSA authentication. |
|
| There is no need to keep the contents of this file secret. |
|
| .Pp |
|
| .It Pa ~/.ssh/id_dsa |
.It Pa ~/.ssh/id_dsa |
| .It Pa ~/.ssh/id_ecdsa |
.It Pa ~/.ssh/id_ecdsa |
| .It Pa ~/.ssh/id_ed25519 |
.It Pa ~/.ssh/id_ed25519 |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-keygen.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh