| version 1.183, 2019/12/30 03:28:41 |
version 1.184, 2019/12/30 03:30:09 |
|
|
| .Op Fl g |
.Op Fl g |
| .Op Fl f Ar input_keyfile |
.Op Fl f Ar input_keyfile |
| .Nm ssh-keygen |
.Nm ssh-keygen |
| .Fl G Ar output_file |
.Fl M Cm generate |
| .Op Fl v |
.Op Fl O Ar option |
| .Op Fl b Ar bits |
.Ar |
| .Op Fl M Ar memory |
|
| .Op Fl S Ar start_point |
|
| .Nm ssh-keygen |
.Nm ssh-keygen |
| |
.Fl M Cm screen |
| .Fl f Ar input_file |
.Fl f Ar input_file |
| .Fl T Ar output_file |
.Op Fl O Ar option |
| .Op Fl v |
.Ar |
| .Op Fl a Ar rounds |
|
| .Op Fl J Ar num_lines |
|
| .Op Fl j Ar start_line |
|
| .Op Fl K Ar checkpt |
|
| .Op Fl W Ar generator |
|
| .Nm ssh-keygen |
.Nm ssh-keygen |
| .Fl I Ar certificate_identity |
.Fl I Ar certificate_identity |
| .Fl s Ar ca_key |
.Fl s Ar ca_key |
|
|
| (key derivation function) rounds used. |
(key derivation function) rounds used. |
| Higher numbers result in slower passphrase verification and increased |
Higher numbers result in slower passphrase verification and increased |
| resistance to brute-force password cracking (should the keys be stolen). |
resistance to brute-force password cracking (should the keys be stolen). |
| .Pp |
|
| When screening DH-GEX candidates (using the |
|
| .Fl T |
|
| command), |
|
| this option specifies the number of primality tests to perform. |
|
| .It Fl B |
.It Fl B |
| Show the bubblebabble digest of specified private or public key file. |
Show the bubblebabble digest of specified private or public key file. |
| .It Fl b Ar bits |
.It Fl b Ar bits |
|
|
| option to print found keys in a hashed format. |
option to print found keys in a hashed format. |
| .It Fl f Ar filename |
.It Fl f Ar filename |
| Specifies the filename of the key file. |
Specifies the filename of the key file. |
| .It Fl G Ar output_file |
|
| Generate candidate primes for DH-GEX. |
|
| These primes must be screened for |
|
| safety (using the |
|
| .Fl T |
|
| option) before use. |
|
| .It Fl g |
.It Fl g |
| Use generic DNS format when printing fingerprint resource records using the |
Use generic DNS format when printing fingerprint resource records using the |
| .Fl r |
.Fl r |
|
|
| commercial SSH implementations. |
commercial SSH implementations. |
| The default import format is |
The default import format is |
| .Dq RFC4716 . |
.Dq RFC4716 . |
| .It Fl J Ar num_lines |
|
| Exit after screening the specified number of lines |
|
| while performing DH candidate screening using the |
|
| .Fl T |
|
| option. |
|
| .It Fl j Ar start_line |
|
| Start screening at the specified line number |
|
| while performing DH candidate screening using the |
|
| .Fl T |
|
| option. |
|
| .It Fl K Ar checkpt |
|
| Write the last line processed to the file |
|
| .Ar checkpt |
|
| while performing DH candidate screening using the |
|
| .Fl T |
|
| option. |
|
| This will be used to skip lines in the input file that have already been |
|
| processed if the job is restarted. |
|
| .It Fl k |
.It Fl k |
| Generate a KRL file. |
Generate a KRL file. |
| In this mode, |
In this mode, |
|
|
| .Fl v , |
.Fl v , |
| a visual ASCII art representation of the key is supplied with the |
a visual ASCII art representation of the key is supplied with the |
| fingerprint. |
fingerprint. |
| .It Fl M Ar memory |
.It Fl M Cm generate |
| Specify the amount of memory to use (in megabytes) when generating |
Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parameters for |
| candidate moduli for DH-GEX. |
eventual use by the |
| |
.Sq diffie-hellman-group-exchange-* |
| |
key exchange methods. |
| |
The numbers generated by this operation must be further screened before |
| |
use. |
| |
See the |
| |
.Sx MODULI GENERATION |
| |
section for more information. |
| |
.It Fl M Cm screen |
| |
Screen candidate parameters for Diffie-Hellman Group Exchange. |
| |
This will accept a list of candidate numbers and test that they are |
| |
safe (Sophie Germain) primes with acceptable group generators. |
| |
The results of this operation may be added to the |
| |
.Pa /etc/moduli |
| |
file. |
| |
See the |
| |
.Sx MODULI GENERATION |
| |
section for more information. |
| .It Fl m Ar key_format |
.It Fl m Ar key_format |
| Specify a key format for key generation, the |
Specify a key format for key generation, the |
| .Fl i |
.Fl i |
|
|
| .Sx CERTIFICATES |
.Sx CERTIFICATES |
| section for details. |
section for details. |
| .It Fl O Ar option |
.It Fl O Ar option |
| Specify a certificate option when signing a key. |
Specify a key/value option. |
| See the |
These are specific to the operation that |
| |
.Nm |
| |
has been requested to perform. |
| |
.Pp |
| |
When signing certificates, one of the options listed in the |
| .Sx CERTIFICATES |
.Sx CERTIFICATES |
| section for a list of available certificate options. |
section may be specified here. |
| |
.Pp |
| |
When performing moduli generation or screening, one of the options |
| |
listed in the |
| |
.Sx MODULI GENERATION |
| |
section may be specified. |
| |
.Pp |
| This option may be specified multiple times. |
This option may be specified multiple times. |
| .It Fl P Ar passphrase |
.It Fl P Ar passphrase |
| Provides the (old) passphrase. |
Provides the (old) passphrase. |
|
|
| Print the SSHFP fingerprint resource record named |
Print the SSHFP fingerprint resource record named |
| .Ar hostname |
.Ar hostname |
| for the specified public key file. |
for the specified public key file. |
| .It Fl S Ar start |
|
| Specify start point (in hex) when generating candidate moduli for DH-GEX. |
|
| .It Fl s Ar ca_key |
.It Fl s Ar ca_key |
| Certify (sign) a public key using the specified CA key. |
Certify (sign) a public key using the specified CA key. |
| Please see the |
Please see the |
|
|
| See the |
See the |
| .Sx KEY REVOCATION LISTS |
.Sx KEY REVOCATION LISTS |
| section for details. |
section for details. |
| .It Fl T Ar output_file |
|
| Test DH group exchange candidate primes (generated using the |
|
| .Fl G |
|
| option) for safety. |
|
| .It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa |
.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa |
| Specifies the type of key to create. |
Specifies the type of key to create. |
| The possible values are |
The possible values are |
|
|
| .Fl v |
.Fl v |
| options increase the verbosity. |
options increase the verbosity. |
| The maximum is 3. |
The maximum is 3. |
| .It Fl W Ar generator |
|
| Specify desired generator when testing candidate moduli for DH-GEX. |
|
| .It Fl w Ar provider |
.It Fl w Ar provider |
| Specifies a path to a library that will be used when creating |
Specifies a path to a library that will be used when creating |
| FIDO authenticator-hosted keys, overriding the default of using |
FIDO authenticator-hosted keys, overriding the default of using |
|
|
| process). |
process). |
| .Pp |
.Pp |
| Generation of primes is performed using the |
Generation of primes is performed using the |
| .Fl G |
.Fl M Cm generate |
| option. |
option. |
| The desired length of the primes may be specified by the |
The desired length of the primes may be specified by the |
| .Fl b |
.Fl O Cm bits |
| option. |
option. |
| For example: |
For example: |
| .Pp |
.Pp |
| .Dl # ssh-keygen -G moduli-2048.candidates -b 2048 |
.Dl # ssh-keygen -M generate -O bits=2048 moduli-2048.candidates |
| .Pp |
.Pp |
| By default, the search for primes begins at a random point in the |
By default, the search for primes begins at a random point in the |
| desired length range. |
desired length range. |
| This may be overridden using the |
This may be overridden using the |
| .Fl S |
.Fl O Cm start |
| option, which specifies a different start point (in hex). |
option, which specifies a different start point (in hex). |
| .Pp |
.Pp |
| Once a set of candidates have been generated, they must be screened for |
Once a set of candidates have been generated, they must be screened for |
| suitability. |
suitability. |
| This may be performed using the |
This may be performed using the |
| .Fl T |
.Fl M Cm screen |
| option. |
option. |
| In this mode |
In this mode |
| .Nm |
.Nm |
|
|
| option). |
option). |
| For example: |
For example: |
| .Pp |
.Pp |
| .Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates |
.Dl # ssh-keygen -M screen -f moduli-2048.candidates moduli-2048 |
| .Pp |
.Pp |
| By default, each candidate will be subjected to 100 primality tests. |
By default, each candidate will be subjected to 100 primality tests. |
| This may be overridden using the |
This may be overridden using the |
| .Fl a |
.Fl O Cm prime-tests |
| option. |
option. |
| The DH generator value will be chosen automatically for the |
The DH generator value will be chosen automatically for the |
| prime under consideration. |
prime under consideration. |
| If a specific generator is desired, it may be requested using the |
If a specific generator is desired, it may be requested using the |
| .Fl W |
.Fl O Cm generator |
| option. |
option. |
| Valid generator values are 2, 3, and 5. |
Valid generator values are 2, 3, and 5. |
| .Pp |
.Pp |
|
|
| .Pa /etc/moduli . |
.Pa /etc/moduli . |
| It is important that this file contains moduli of a range of bit lengths and |
It is important that this file contains moduli of a range of bit lengths and |
| that both ends of a connection share common moduli. |
that both ends of a connection share common moduli. |
| |
.Pp |
| |
A number of options are available for moduli generation and screening via the |
| |
.Fl O |
| |
flag: |
| |
.Bl -tag -width Ds -compact |
| |
.Pp |
| |
.It Ic lines Ns = Ns Ar number |
| |
Exit after screening the specified number of lines while performing DH |
| |
candidate screening. |
| |
.Pp |
| |
.It Ic start-line Ns = Ns Ar line-number |
| |
Start screening at the specified line number while performing DH candidate |
| |
screening. |
| |
.Pp |
| |
.It Ic checkpoint Ns = Ns Ar filename |
| |
Write the last line processed to the specified file while performing DH |
| |
candidate screening. |
| |
This will be used to skip lines in the input file that have already been |
| |
processed if the job is restarted. |
| |
.Pp |
| |
.It Ic memory Ns = Ns Ar mbytes |
| |
Specify the amount of memory to use (in megabytes) when generating |
| |
candidate moduli for DH-GEX. |
| |
.Pp |
| |
.It Ic start Ns = Ns Ar hex-value |
| |
Specify start point (in hex) when generating candidate moduli for DH-GEX. |
| |
.Pp |
| |
.It Ic generator Ns = Ns Ar value |
| |
Specify desired generator (in decimal) when testing candidate moduli for DH-GEX. |
| |
.El |
| .Sh CERTIFICATES |
.Sh CERTIFICATES |
| .Nm |
.Nm |
| supports signing of keys to produce certificates that may be used for |
supports signing of keys to produce certificates that may be used for |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-keygen.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh