
Diff for /src/usr.bin/ssh/ssh-keygen.1 between version 1.23 and 1.23.2.6

version 1.23, 2000/10/09 21:30:43 version 1.23.2.6, 2001/11/15 22:50:30
Line 1 
Line 1 
   .\"     $OpenBSD$
   .\"
 .\"  -*- nroff -*-  .\"  -*- nroff -*-
 .\"  .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>  .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
Line 11 
Line 13 
 .\" called by a name other than "ssh" or "Secure Shell".  .\" called by a name other than "ssh" or "Secure Shell".
 .\"  .\"
 .\"  .\"
 .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.  .\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
 .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.  .\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
 .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.  .\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
 .\"  .\"
 .\" Redistribution and use in source and binary forms, with or without  .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions  .\" modification, are permitted provided that the following conditions
Line 40 
Line 42 
 .Os  .Os
 .Sh NAME  .Sh NAME
 .Nm ssh-keygen  .Nm ssh-keygen
 .Nd authentication key generation  .Nd authentication key generation, management and conversion
 .Sh SYNOPSIS  .Sh SYNOPSIS
 .Nm ssh-keygen  .Nm ssh-keygen
 .Op Fl dq  .Op Fl q
 .Op Fl b Ar bits  .Op Fl b Ar bits
   .Op Fl t Ar type
 .Op Fl N Ar new_passphrase  .Op Fl N Ar new_passphrase
 .Op Fl C Ar comment  .Op Fl C Ar comment
 .Op Fl f Ar output_keyfile  .Op Fl f Ar output_keyfile
Line 54 
Line 57 
 .Op Fl N Ar new_passphrase  .Op Fl N Ar new_passphrase
 .Op Fl f Ar keyfile  .Op Fl f Ar keyfile
 .Nm ssh-keygen  .Nm ssh-keygen
 .Fl x  .Fl i
 .Op Fl f Ar input_keyfile  .Op Fl f Ar input_keyfile
 .Nm ssh-keygen  .Nm ssh-keygen
 .Fl X  .Fl e
 .Op Fl f Ar input_keyfile  .Op Fl f Ar input_keyfile
 .Nm ssh-keygen  .Nm ssh-keygen
 .Fl y  .Fl y
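Review bot: The synopsis replaces `-x` with `-i` and `-X` with `-e` without any mention of the old letters, so a reader with `-x` or `-X` in an existing script gets no pointer to the replacement. The slots are also not a one-to-one rename. Going by the option descriptions later in this diff, the old `-x` exported a key and the old `-X` imported one, while here the `-x` slot shows the import flag `-i` and the `-X` slot shows the export flag `-e`. A sentence under `-e` and `-i` naming the letter each one replaces would make the change easier to follow.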
Line 71 
Line 74 
 .Fl l  .Fl l
 .Op Fl f Ar input_keyfile  .Op Fl f Ar input_keyfile
 .Nm ssh-keygen  .Nm ssh-keygen
 .Fl R  .Fl B
   .Op Fl f Ar input_keyfile
   .Nm ssh-keygen
   .Fl D Ar reader
   .Nm ssh-keygen
   .Fl U Ar reader
   .Op Fl f Ar input_keyfile
 .Sh DESCRIPTION  .Sh DESCRIPTION
 .Nm  .Nm
 generates and manages authentication keys for  generates, manages and converts authentication keys for
 .Xr ssh 1 .  .Xr ssh 1 .
 .Nm  .Nm
 defaults to generating an RSA key for use by protocols 1.3 and 1.5;  defaults to generating a RSA1 key for use by SSH protocol version 1.
 specifying the  Specifying the
 .Fl d  .Fl t
 flag will create a DSA key instead for use by protocol 2.0.  option instead creates a key for use by SSH protocol version 2.
 .Pp  .Pp
 Normally each user wishing to use SSH  Normally each user wishing to use SSH
 with RSA or DSA authentication runs this once to create the authentication  with RSA or DSA authentication runs this once to create the authentication
 key in  key in
 .Pa $HOME/.ssh/identity  .Pa $HOME/.ssh/identity ,
   .Pa $HOME/.ssh/id_dsa
 or  or
 .Pa $HOME/.ssh/id_dsa .  .Pa $HOME/.ssh/id_rsa .
 Additionally, the system administrator may use this to generate host keys,  Additionally, the system administrator may use this to generate host keys,
 as seen in  as seen in
 .Pa /etc/rc .  .Pa /etc/rc .
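Review bot: In the new DESCRIPTION text, "Specifying the -t option instead creates a key for use by SSH protocol version 2" is not accurate as written, because the `-t` entry added later in this diff lists `rsa1` for protocol version 1 as a valid value and as the default. Suggest wording it as specifying `-t` with `rsa` or `dsa`. In the same paragraph "a RSA1 key" should read "an RSA1 key". Since `-d` is dropped here, it would also help to say whether it is still accepted.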
Line 99 
Line 109 
 appended.  appended.
 The program also asks for a passphrase.  The program also asks for a passphrase.
 The passphrase may be empty to indicate no passphrase  The passphrase may be empty to indicate no passphrase
 (host keys must have empty passphrase), or it may be a string of  (host keys must have an empty passphrase), or it may be a string of
 arbitrary length.  arbitrary length.
 Good passphrases are 10-30 characters long and are  Good passphrases are 10-30 characters long and are
 not simple sentences or otherwise easily guessable (English  not simple sentences or otherwise easily guessable (English
 prose has only 1-2 bits of entropy per word, and provides very bad  prose has only 1-2 bits of entropy per character, and provides very bad
 passphrases).  passphrases).
 The passphrase can be changed later by using the  The passphrase can be changed later by using the
 .Fl p  .Fl p
Line 111 
Line 121 
 .Pp  .Pp
 There is no way to recover a lost passphrase.  There is no way to recover a lost passphrase.
 If the passphrase is  If the passphrase is
 lost or forgotten, you will have to generate a new key and copy the  lost or forgotten, a new key must be generated and copied to the
 corresponding public key to other machines.  corresponding public key to other machines.
 .Pp  .Pp
 For RSA, there is also a comment field in the key file that is only for  For RSA1 keys,
   there is also a comment field in the key file that is only for
 convenience to the user to help identify the key.  convenience to the user to help identify the key.
 The comment can tell what the key is for, or whatever is useful.  The comment can tell what the key is for, or whatever is useful.
 The comment is initialized to  The comment is initialized to
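Review bot: The rewritten lost-passphrase sentence no longer parses: "a new key must be generated and copied to the corresponding public key to other machines". Moving to the passive voice left a stray "to" and makes it read as if the new key itself is copied. Suggest "a new key must be generated and the corresponding public key copied to other machines", which keeps the point that only the public half leaves the machine.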
Line 136 
Line 147 
 The default is 1024 bits.  The default is 1024 bits.
 .It Fl c  .It Fl c
 Requests changing the comment in the private and public key files.  Requests changing the comment in the private and public key files.
   This operation is only supported for RSA1 keys.
 The program will prompt for the file containing the private keys, for  The program will prompt for the file containing the private keys, for
 passphrase if the key has one, and for the new comment.  the passphrase if the key has one, and for the new comment.
 .It Fl f  .It Fl e
   This option will read a private or public OpenSSH key file and
   print the key in a
   .Sq SECSH Public Key File Format
   to stdout.
   This option allows exporting keys for use by several commercial
   SSH implementations.
   .It Fl f Ar filename
 Specifies the filename of the key file.  Specifies the filename of the key file.
   .It Fl i
   This option will read an unencrypted private (or public) key file
   in SSH2-compatible format and print an OpenSSH compatible private
   (or public) key to stdout.
   .Nm
   also reads the
   .Sq SECSH Public Key File Format .
   This option allows importing keys from several commercial
   SSH implementations.
 .It Fl l  .It Fl l
 Show fingerprint of specified private or public key file.  Show fingerprint of specified public key file.
   Private RSA1 keys are also supported.
   For RSA and DSA keys
   .Nm
   tries to find the matching public key file and prints its fingerprint.
 .It Fl p  .It Fl p
 Requests changing the passphrase of a private key file instead of  Requests changing the passphrase of a private key file instead of
 creating a new private key.  creating a new private key.
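Review bot: The new `-l` text says that for RSA and DSA keys the tool "tries to find the matching public key file and prints its fingerprint", but does not say what happens when that file is missing, or that the fingerprint shown comes from the public key file rather than from the private key named with `-f`. Someone using `-l` to verify a key should be told this, since a stale or substituted `.pub` file would give a fingerprint that does not belong to the private key. The `-e` entry has a similar gap: it reads "a private or public OpenSSH key file" and prints "the key", without stating that only the public key is written to stdout.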
Line 154 
Line 186 
 Used by  Used by
 .Pa /etc/rc  .Pa /etc/rc
 when creating a new key.  when creating a new key.
   .It Fl y
   This option will read a private
   OpenSSH format file and print an OpenSSH public key to stdout.
   .It Fl t Ar type
   Specifies the type of the key to create.
   The possible values are
   .Dq rsa1
   for protocol version 1 and
   .Dq rsa
   or
   .Dq dsa
   for protocol version 2.
   The default is
   .Dq rsa1 .
   .It Fl B
   Show the bubblebabble digest of specified private or public key file.
 .It Fl C Ar comment  .It Fl C Ar comment
 Provides the new comment.  Provides the new comment.
   .It Fl D Ar reader
   Download the RSA public key stored in the smartcard in
   .Ar reader .
 .It Fl N Ar new_passphrase  .It Fl N Ar new_passphrase
 Provides the new passphrase.  Provides the new passphrase.
 .It Fl P Ar passphrase  .It Fl P Ar passphrase
 Provides the (old) passphrase.  Provides the (old) passphrase.
 .It Fl R  .It Fl U Ar reader
 If RSA support is functional, immediately exits with code 0.  If RSA  Upload an existing RSA private key into the smartcard in
 support is not functional, exits with code 1.  This flag will be  .Ar reader .
 removed once the RSA patent expires.  
 .It Fl x  
 This option will read a private  
 OpenSSH DSA format file and print a SSH2-compatible public key to stdout.  
 .It Fl X  
 This option will read a unencrypted  
 SSH2-compatible private (or public) key file and  
 print an OpenSSH compatible private (or public) key to stdout.  
 .It Fl y  
 This option will read a private  
 OpenSSH DSA format file and print an OpenSSH DSA public key to stdout.  
 .El  .El
 .Sh FILES  .Sh FILES
 .Bl -tag -width Ds  .Bl -tag -width Ds
 .It Pa $HOME/.ssh/identity  .It Pa $HOME/.ssh/identity
 Contains the RSA authentication identity of the user.  Contains the protocol version 1 RSA authentication identity of the user.
 This file should not be readable by anyone but the user.  This file should not be readable by anyone but the user.
 It is possible to  It is possible to
 specify a passphrase when generating the key; that passphrase will be  specify a passphrase when generating the key; that passphrase will be
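Review bot: The `-U` entry ("Upload an existing RSA private key into the smartcard in reader") does not say which file the key is read from, although the synopsis gives `-U reader [-f input_keyfile]`, and it does not say whether the private key file on disk is left in place after the upload. Both matter to anyone relying on the card to hold the only copy of the key. `-D` and `-U` also say "RSA" without stating whether that means `rsa1`, `rsa` or both, now that `-t` distinguishes them. As a style point, `.It Fl y` is added ahead of `.It Fl t Ar type`, which breaks the alphabetical order of the lowercase options.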
Line 186 
Line 226 
 This file is not automatically accessed by  This file is not automatically accessed by
 .Nm  .Nm
 but it is offered as the default file for the private key.  but it is offered as the default file for the private key.
 .Xr sshd 8  .Xr ssh 1
 will read this file when a login attempt is made.  will read this file when a login attempt is made.
 .It Pa $HOME/.ssh/identity.pub  .It Pa $HOME/.ssh/identity.pub
 Contains the public key for authentication.  Contains the protocol version 1 RSA public key for authentication.
 The contents of this file should be added to  The contents of this file should be added to
 .Pa $HOME/.ssh/authorized_keys  .Pa $HOME/.ssh/authorized_keys
 on all machines  on all machines
 where you wish to log in using RSA authentication.  where the user wishes to log in using RSA authentication.
 There is no need to keep the contents of this file secret.  There is no need to keep the contents of this file secret.
 .It Pa $HOME/.ssh/id_dsa  .It Pa $HOME/.ssh/id_dsa
 Contains the DSA authentication identity of the user.  Contains the protocol version 2 DSA authentication identity of the user.
 This file should not be readable by anyone but the user.  This file should not be readable by anyone but the user.
 It is possible to  It is possible to
 specify a passphrase when generating the key; that passphrase will be  specify a passphrase when generating the key; that passphrase will be
Line 204 
Line 244 
 This file is not automatically accessed by  This file is not automatically accessed by
 .Nm  .Nm
 but it is offered as the default file for the private key.  but it is offered as the default file for the private key.
 .Xr sshd 8  .Xr ssh 1
 will read this file when a login attempt is made.  will read this file when a login attempt is made.
 .It Pa $HOME/.ssh/id_dsa.pub  .It Pa $HOME/.ssh/id_dsa.pub
 Contains the public key for authentication.  Contains the protocol version 2 DSA public key for authentication.
 The contents of this file should be added to  The contents of this file should be added to
 .Pa $HOME/.ssh/authorized_keys2  .Pa $HOME/.ssh/authorized_keys
 on all machines  on all machines
 where you wish to log in using DSA authentication.  where the user wishes to log in using public key authentication.
 There is no need to keep the contents of this file secret.  There is no need to keep the contents of this file secret.
   .It Pa $HOME/.ssh/id_rsa
   Contains the protocol version 2 RSA authentication identity of the user.
   This file should not be readable by anyone but the user.
   It is possible to
   specify a passphrase when generating the key; that passphrase will be
   used to encrypt the private part of this file using 3DES.
   This file is not automatically accessed by
   .Nm
   but it is offered as the default file for the private key.
   .Xr ssh 1
   will read this file when a login attempt is made.
   .It Pa $HOME/.ssh/id_rsa.pub
   Contains the protocol version 2 RSA public key for authentication.
   The contents of this file should be added to
   .Pa $HOME/.ssh/authorized_keys
   on all machines
   where the user wishes to log in using public key authentication.
   There is no need to keep the contents of this file secret.
 .El  .El
 .Sh AUTHOR  .Sh AUTHORS
 Tatu Ylonen <ylo@cs.hut.fi>  OpenSSH is a derivative of the original and free
 .Pp  ssh 1.2.12 release by Tatu Ylonen.
 OpenSSH  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
 is a derivative of the original (free) ssh 1.2.12 release, but with bugs  Theo de Raadt and Dug Song
 removed and newer features re-added.  removed many bugs, re-added newer features and
 Rapidly after the 1.2.12 release,  created OpenSSH.
 newer versions bore successively more restrictive licenses.  Markus Friedl contributed the support for SSH
 This version of OpenSSH  protocol versions 1.5 and 2.0.
 .Bl -bullet  
 .It  
 has all components of a restrictive nature (i.e., patents, see  
 .Xr ssl 8 )  
 directly removed from the source code; any licensed or patented components  
 are chosen from  
 external libraries.  
 .It  
 has been updated to support ssh protocol 1.5.  
 .It  
 contains added support for  
 .Xr kerberos 8  
 authentication and ticket passing.  
 .It  
 supports one-time password authentication with  
 .Xr skey 1 .  
 .El  
 .Sh SEE ALSO  .Sh SEE ALSO
 .Xr ssh 1 ,  .Xr ssh 1 ,
 .Xr ssh-add 1 ,  .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,  .Xr ssh-agent 1 ,
 .Xr sshd 8 ,  .Xr sshd 8
 .Xr ssl 8  .Rs
   .%A J. Galbraith
   .%A R. Thayer
   .%T "SECSH Public Key File Format"
   .%N draft-ietf-secsh-publickeyfile-01.txt
   .%D March 2001
   .%O work in progress material
   .Re
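Review bot: The `id_dsa.pub` entry changes the target file from `$HOME/.ssh/authorized_keys2` to `$HOME/.ssh/authorized_keys`, and the new `id_rsa.pub` entry uses the same file, with no note for users whose protocol 2 keys already sit in `authorized_keys2`. A sentence saying whether the old file is still read, or that existing entries need to be moved, would prevent confusion on upgrade. In SEE ALSO, dropping the comma after `.Xr sshd 8` is correct now that it is the last cross-reference before the `.Rs` block.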
