version 1.183, 2019/12/30 03:28:41 |
version 1.184, 2019/12/30 03:30:09 |
|
|
.Op Fl g |
.Op Fl g |
.Op Fl f Ar input_keyfile |
.Op Fl f Ar input_keyfile |
.Nm ssh-keygen |
.Nm ssh-keygen |
.Fl G Ar output_file |
.Fl M Cm generate |
.Op Fl v |
.Op Fl O Ar option |
.Op Fl b Ar bits |
.Ar |
.Op Fl M Ar memory |
|
.Op Fl S Ar start_point |
|
.Nm ssh-keygen |
.Nm ssh-keygen |
|
.Fl M Cm screen |
.Fl f Ar input_file |
.Fl f Ar input_file |
.Fl T Ar output_file |
.Op Fl O Ar option |
.Op Fl v |
.Ar |
.Op Fl a Ar rounds |
|
.Op Fl J Ar num_lines |
|
.Op Fl j Ar start_line |
|
.Op Fl K Ar checkpt |
|
.Op Fl W Ar generator |
|
.Nm ssh-keygen |
.Nm ssh-keygen |
.Fl I Ar certificate_identity |
.Fl I Ar certificate_identity |
.Fl s Ar ca_key |
.Fl s Ar ca_key |
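Review bot: the new `-M generate` and `-M screen` synopsis forms end in a bare `.Ar`, which mdoc renders as `file ...`, so the reader no longer sees what the operand is; the replaced `.Fl G Ar output_file` / `.Fl T Ar output_file` forms named it, and both examples lower in the section (`ssh-keygen -M generate -O bits=2048 moduli-2048.candidates`, `ssh-keygen -M screen -f moduli-2048.candidates moduli-2048`) use exactly one positional operand, the output file. Suggest `.Ar output_file` in both forms so the synopsis still states where the candidates or screened moduli are written.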
|
|
(key derivation function) rounds used. |
(key derivation function) rounds used. |
Higher numbers result in slower passphrase verification and increased |
Higher numbers result in slower passphrase verification and increased |
resistance to brute-force password cracking (should the keys be stolen). |
resistance to brute-force password cracking (should the keys be stolen). |
.Pp |
|
When screening DH-GEX candidates (using the |
|
.Fl T |
|
command), |
|
this option specifies the number of primality tests to perform. |
|
.It Fl B |
.It Fl B |
Show the bubblebabble digest of specified private or public key file. |
Show the bubblebabble digest of specified private or public key file. |
.It Fl b Ar bits |
.It Fl b Ar bits |
|
|
option to print found keys in a hashed format. |
option to print found keys in a hashed format. |
.It Fl f Ar filename |
.It Fl f Ar filename |
Specifies the filename of the key file. |
Specifies the filename of the key file. |
.It Fl G Ar output_file |
|
Generate candidate primes for DH-GEX. |
|
These primes must be screened for |
|
safety (using the |
|
.Fl T |
|
option) before use. |
|
.It Fl g |
.It Fl g |
Use generic DNS format when printing fingerprint resource records using the |
Use generic DNS format when printing fingerprint resource records using the |
.Fl r |
.Fl r |
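Review bot: with `.It Fl G Ar output_file` removed, `-f` becomes the candidate-input switch for `-M screen` (synopsis `.Fl f Ar input_file`, example `ssh-keygen -M screen -f moduli-2048.candidates moduli-2048`), but the unchanged `.It Fl f Ar filename` entry still reads only "Specifies the filename of the key file." Extend that sentence to cover the moduli candidate file as well, otherwise the only place this second meaning of `-f` is documented is the example.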
|
|
commercial SSH implementations. |
commercial SSH implementations. |
The default import format is |
The default import format is |
.Dq RFC4716 . |
.Dq RFC4716 . |
.It Fl J Ar num_lines |
|
Exit after screening the specified number of lines |
|
while performing DH candidate screening using the |
|
.Fl T |
|
option. |
|
.It Fl j Ar start_line |
|
Start screening at the specified line number |
|
while performing DH candidate screening using the |
|
.Fl T |
|
option. |
|
.It Fl K Ar checkpt |
|
Write the last line processed to the file |
|
.Ar checkpt |
|
while performing DH candidate screening using the |
|
.Fl T |
|
option. |
|
This will be used to skip lines in the input file that have already been |
|
processed if the job is restarted. |
|
.It Fl k |
.It Fl k |
Generate a KRL file. |
Generate a KRL file. |
In this mode, |
In this mode, |
|
|
.Fl v , |
.Fl v , |
a visual ASCII art representation of the key is supplied with the |
a visual ASCII art representation of the key is supplied with the |
fingerprint. |
fingerprint. |
.It Fl M Ar memory |
.It Fl M Cm generate |
Specify the amount of memory to use (in megabytes) when generating |
Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parameters for |
candidate moduli for DH-GEX. |
eventual use by the |
|
.Sq diffie-hellman-group-exchange-* |
|
key exchange methods. |
|
The numbers generated by this operation must be further screened before |
|
use. |
|
See the |
|
.Sx MODULI GENERATION |
|
section for more information. |
|
.It Fl M Cm screen |
|
Screen candidate parameters for Diffie-Hellman Group Exchange. |
|
This will accept a list of candidate numbers and test that they are |
|
safe (Sophie Germain) primes with acceptable group generators. |
|
The results of this operation may be added to the |
|
.Pa /etc/moduli |
|
file. |
|
See the |
|
.Sx MODULI GENERATION |
|
section for more information. |
.It Fl m Ar key_format |
.It Fl m Ar key_format |
Specify a key format for key generation, the |
Specify a key format for key generation, the |
.Fl i |
.Fl i |
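Review bot: in the new `-M screen` text, "safe (Sophie Germain) primes" conflates two terms: the modulus p that screening accepts is a safe prime, p = 2q + 1 with q prime, and it is q, not p, that is the Sophie Germain prime. Suggest "safe primes (p = 2q + 1 with q also prime)" or simply "safe primes", since the rest of the section already uses that term.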
|
|
.Sx CERTIFICATES |
.Sx CERTIFICATES |
section for details. |
section for details. |
.It Fl O Ar option |
.It Fl O Ar option |
Specify a certificate option when signing a key. |
Specify a key/value option. |
See the |
These are specific to the operation that |
|
.Nm |
|
has been requested to perform. |
|
.Pp |
|
When signing certificates, one of the options listed in the |
.Sx CERTIFICATES |
.Sx CERTIFICATES |
section for a list of available certificate options. |
section may be specified here. |
|
.Pp |
|
When performing moduli generation or screening, one of the options |
|
listed in the |
|
.Sx MODULI GENERATION |
|
section may be specified. |
|
.Pp |
This option may be specified multiple times. |
This option may be specified multiple times. |
.It Fl P Ar passphrase |
.It Fl P Ar passphrase |
Provides the (old) passphrase. |
Provides the (old) passphrase. |
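Review bot: "Specify a key/value option." never states the syntax, even though every use elsewhere in the page is of the form `key=value` (`-O bits=2048`, `.It Ic lines Ns = Ns Ar number`). Say so in the first sentence, for example "Specify a key/value option of the form key=value", so a reader of the option list does not have to infer the form from the MODULI GENERATION examples.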
|
|
Print the SSHFP fingerprint resource record named |
Print the SSHFP fingerprint resource record named |
.Ar hostname |
.Ar hostname |
for the specified public key file. |
for the specified public key file. |
.It Fl S Ar start |
|
Specify start point (in hex) when generating candidate moduli for DH-GEX. |
|
.It Fl s Ar ca_key |
.It Fl s Ar ca_key |
Certify (sign) a public key using the specified CA key. |
Certify (sign) a public key using the specified CA key. |
Please see the |
Please see the |
|
|
See the |
See the |
.Sx KEY REVOCATION LISTS |
.Sx KEY REVOCATION LISTS |
section for details. |
section for details. |
.It Fl T Ar output_file |
|
Test DH group exchange candidate primes (generated using the |
|
.Fl G |
|
option) for safety. |
|
.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa |
.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa |
Specifies the type of key to create. |
Specifies the type of key to create. |
The possible values are |
The possible values are |
|
|
.Fl v |
.Fl v |
options increase the verbosity. |
options increase the verbosity. |
The maximum is 3. |
The maximum is 3. |
.It Fl W Ar generator |
|
Specify desired generator when testing candidate moduli for DH-GEX. |
|
.It Fl w Ar provider |
.It Fl w Ar provider |
Specifies a path to a library that will be used when creating |
Specifies a path to a library that will be used when creating |
FIDO authenticator-hosted keys, overriding the default of using |
FIDO authenticator-hosted keys, overriding the default of using |
|
|
process). |
process). |
.Pp |
.Pp |
Generation of primes is performed using the |
Generation of primes is performed using the |
.Fl G |
.Fl M Cm generate |
option. |
option. |
The desired length of the primes may be specified by the |
The desired length of the primes may be specified by the |
.Fl b |
.Fl O Cm bits |
option. |
option. |
For example: |
For example: |
.Pp |
.Pp |
.Dl # ssh-keygen -G moduli-2048.candidates -b 2048 |
.Dl # ssh-keygen -M generate -O bits=2048 moduli-2048.candidates |
.Pp |
.Pp |
By default, the search for primes begins at a random point in the |
By default, the search for primes begins at a random point in the |
desired length range. |
desired length range. |
This may be overridden using the |
This may be overridden using the |
.Fl S |
.Fl O Cm start |
option, which specifies a different start point (in hex). |
option, which specifies a different start point (in hex). |
.Pp |
.Pp |
Once a set of candidates have been generated, they must be screened for |
Once a set of candidates have been generated, they must be screened for |
suitability. |
suitability. |
This may be performed using the |
This may be performed using the |
.Fl T |
.Fl M Cm screen |
option. |
option. |
In this mode |
In this mode |
.Nm |
.Nm |
|
|
option). |
option). |
For example: |
For example: |
.Pp |
.Pp |
.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates |
.Dl # ssh-keygen -M screen -f moduli-2048.candidates moduli-2048 |
.Pp |
.Pp |
By default, each candidate will be subjected to 100 primality tests. |
By default, each candidate will be subjected to 100 primality tests. |
This may be overridden using the |
This may be overridden using the |
.Fl a |
.Fl O Cm prime-tests |
option. |
option. |
The DH generator value will be chosen automatically for the |
The DH generator value will be chosen automatically for the |
prime under consideration. |
prime under consideration. |
If a specific generator is desired, it may be requested using the |
If a specific generator is desired, it may be requested using the |
.Fl W |
.Fl O Cm generator |
option. |
option. |
Valid generator values are 2, 3, and 5. |
Valid generator values are 2, 3, and 5. |
.Pp |
.Pp |
|
|
.Pa /etc/moduli . |
.Pa /etc/moduli . |
It is important that this file contains moduli of a range of bit lengths and |
It is important that this file contains moduli of a range of bit lengths and |
that both ends of a connection share common moduli. |
that both ends of a connection share common moduli. |
|
.Pp |
|
A number of options are available for moduli generation and screening via the |
|
.Fl O |
|
flag: |
|
.Bl -tag -width Ds -compact |
|
.Pp |
|
.It Ic lines Ns = Ns Ar number |
|
Exit after screening the specified number of lines while performing DH |
|
candidate screening. |
|
.Pp |
|
.It Ic start-line Ns = Ns Ar line-number |
|
Start screening at the specified line number while performing DH candidate |
|
screening. |
|
.Pp |
|
.It Ic checkpoint Ns = Ns Ar filename |
|
Write the last line processed to the specified file while performing DH |
|
candidate screening. |
|
This will be used to skip lines in the input file that have already been |
|
processed if the job is restarted. |
|
.Pp |
|
.It Ic memory Ns = Ns Ar mbytes |
|
Specify the amount of memory to use (in megabytes) when generating |
|
candidate moduli for DH-GEX. |
|
.Pp |
|
.It Ic start Ns = Ns Ar hex-value |
|
Specify start point (in hex) when generating candidate moduli for DH-GEX. |
|
.Pp |
|
.It Ic generator Ns = Ns Ar value |
|
Specify desired generator (in decimal) when testing candidate moduli for DH-GEX. |
|
.El |
.Sh CERTIFICATES |
.Sh CERTIFICATES |
.Nm |
.Nm |
supports signing of keys to produce certificates that may be used for |
supports signing of keys to produce certificates that may be used for |
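Review bot: the `-O` option list added under `A number of options are available for moduli generation and screening` omits two options that this same revision now refers to by name: `.Fl O Cm bits` (used in the example `-O bits=2048`) and `.Fl O Cm prime-tests` (the replacement for `-a` in "By default, each candidate will be subjected to 100 primality tests"). Add `.It Ic bits Ns = Ns Ar bits` and `.It Ic prime-tests Ns = Ns Ar number` entries with one-line descriptions, otherwise the only documentation of the primality-test count is the sentence that says it can be overridden.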