version 1.59, 2003/06/10 09:12:11
version 1.60, 2003/07/28 09:49:56
|
|
.Fl r Ar hostname
.Op Fl f Ar input_keyfile
.Op Fl g
.Nm ssh-keygen
.Fl G Ar output_file
.Op Fl b Ar bits
.Op Fl M Ar memory
.Op Fl S Ar start_point
.Nm ssh-keygen
.Fl T Ar output_file
.Fl f Ar input_file
.Op Fl a Ar num_trials
.Op Fl W Ar generator
.Sh DESCRIPTION
.Nm
generates, manages and converts authentication keys for
|
|
.Fl t
option.
.Pp
.Nm
is also used to generate groups for use in Diffie-Hellman group
exchange (DH-GEX).
See the
.Sx MODULI GENERATION
section for details.
.Pp
Normally each user wishing to use SSH
with RSA or DSA authentication runs this once to create the authentication
key in
|
|
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl a Ar num_trials
Specifies the number of primality tests to perform when screening DH-GEX
candidates using the
.Fl T
option.
.It Fl b Ar bits
Specifies the number of bits in the key to create.
Minimum is 512 bits.
|
|
.It Fl D Ar reader
Download the RSA public key stored in the smartcard in
.Ar reader .
.It Fl G Ar output_file
Generate candidate primes for DH-GEX.
These primes must be screened for
safety (using the
.Fl T
option) before use.
.It Fl M Ar memory
Specify the amount of memory to use (in megabytes) when generating
candidate moduli for DH-GEX.
.It Fl N Ar new_passphrase
Provides the new passphrase.
.It Fl P Ar passphrase
Provides the (old) passphrase.
.It Fl S Ar start_point
Specify start point (in hex) when generating candidate moduli for DH-GEX.
.It Fl T Ar output_file
Test DH group exchange candidate primes (generated using the
.Fl G
option) for safety.
.It Fl W Ar generator
Specify desired generator when testing candidate moduli for DH-GEX.
.It Fl U Ar reader
Upload an existing RSA private key into the smartcard in
.Ar reader .
|
|
Print DNS resource record with the specified
.Ar hostname .
.El
.Sh MODULI GENERATION
.Nm
may be used to generate groups for the Diffie-Hellman Group Exchange
(DH-GEX) protocol.
Generating these groups is a two-step process: first, candidate
primes are generated using a fast, but memory-intensive process.
These candidate primes are then tested for suitability (a CPU-intensive
process).
.Pp
Generation of primes is performed using the
.Fl G
option.
The desired length of the primes may be specified by the
.Fl b
option.
For example:
.Pp
.Dl ssh-keygen -G moduli-2048.candidates -b 2048
.Pp
By default, the search for primes begins at a random point in the
desired length range.
This may be overridden using the
.Fl S
option, which specifies a different start point (in hex).
.Pp
Once a set of candidates has been generated, they must be tested for
suitability.
This may be performed using the
.Fl T
option.
In this mode
.Nm
will read candidates from standard input (or a file specified using the
.Fl f
option).
For example:
.Pp
.Dl ssh-keygen -T moduli-2048 -f moduli-2048.candidates
.Pp
By default, each candidate will be subjected to 100 primality tests.
This may be overridden using the
.Fl a
option.
The DH generator value will be chosen automatically for the
prime under consideration.
If a specific generator is desired, it may be requested using the
.Fl W
option.
Valid generator values are 2, 3 and 5.
.Pp
Screened DH groups may be installed in
.Pa /etc/moduli .
It is important that this file contains moduli of a range of bit lengths and
that both ends of a connection share common moduli.
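The screening step that the -T, -a and -W option descriptions and this section describe can be reproduced independently, which is useful when auditing a moduli file you did not generate yourself. The following is an added example written for this page; it is not OpenSSH's own moduli.c. It checks each candidate with the stated number of Miller-Rabin trials, accepts only safe primes (p = 2q + 1 with q prime), and then picks a generator from {2, 3, 5}. The generator criterion is this example's assumption, not something the page states: g is accepted when it generates the whole group mod p, i.e. g^2 != 1 and g^q != 1 (mod p). The candidate list is constructed from small numbers so the result can be checked by hand; the moduli(5) file format is not written out.

```python
"""Screen DH-GEX candidate primes and choose a generator (added example,
not OpenSSH's moduli.c).  The primitive-root criterion below is this
example's assumption, not the page's statement."""
import secrets
from typing import Iterable, List, Optional, Tuple

GENERATORS = (2, 3, 5)  # the values the man page accepts for -W


def is_probable_prime(n: int, trials: int = 100) -> bool:
    """Miller-Rabin with `trials` random bases (the -a count; default 100)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):  # cheap trial division first
        if n % small == 0:
            return n == small
    d, r = n - 1, 0  # write n - 1 = 2**r * d with d odd
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(trials):
        a = 2 + secrets.randbelow(n - 3)  # random base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # base a witnesses that n is composite
    return True


def is_safe_prime(p: int, trials: int = 100) -> bool:
    """A candidate is safe when both p and q = (p - 1) / 2 are prime."""
    return (p > 5 and p % 2 == 1
            and is_probable_prime(p, trials)
            and is_probable_prime((p - 1) // 2, trials))


def choose_generator(p: int, wanted: Optional[int] = None) -> Optional[int]:
    """Generator to record for safe prime p, or None if none qualifies.

    With `wanted` unset (the automatic choice) the smallest of 2, 3, 5
    that is a primitive root mod p is taken; with `wanted` set (the -W
    option) only that value is tried.  Assumption: for a safe prime,
    g is a primitive root iff g^2 != 1 and g^q != 1 (mod p).
    """
    q = (p - 1) // 2
    for g in GENERATORS if wanted is None else (wanted,):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    return None


def screen(candidates: Iterable[int], trials: int = 100,
           wanted: Optional[int] = None) -> List[Tuple[int, int]]:
    """Keep the candidates -T would keep: safe primes with a usable generator."""
    if wanted is not None and wanted not in GENERATORS:
        raise ValueError("generator must be 2, 3 or 5")
    accepted = []
    for p in candidates:
        if not is_safe_prime(p, trials):
            continue
        g = choose_generator(p, wanted)
        if g is not None:
            accepted.append((p, g))
    return accepted


# Constructed candidate list for illustration (real -G output is 1024 bits and up):
# safe primes 23, 47, 59, 83, 107, 1019; composite 25; primes 31, 109, 1427 whose
# q = (p - 1) / 2 is composite; 109 has an even q.
CANDIDATES = [23, 25, 31, 47, 59, 83, 107, 109, 1019, 1427]

if __name__ == "__main__":
    for p, g in screen(CANDIDATES):
        print(f"{p.bit_length()}-bit safe prime p={p} generator={g}")
```

Note that 1427 is prime but is still rejected, because 713 = 23 * 31 is not; only the q test catches that, which is why the screening pass costs far more CPU than the sieve that produced the candidates. One consequence of the primitive-root criterion used here: every safe prime larger than 7 is congruent to 11 (mod 12), which makes 3 a quadratic residue, so -W 3 accepts nothing under this criterion, and the automatic choice settles on 2 or 5.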
.Sh FILES
.Bl -tag -width Ds
.It Pa $HOME/.ssh/identity
|
|
on all machines
where the user wishes to log in using public key authentication.
There is no need to keep the contents of this file secret.
.It Pa /etc/moduli
Contains Diffie-Hellman groups used for DH-GEX.
The file format is described in
.Xr moduli 5 .
.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr moduli 5 ,
.Xr sshd 8
.Rs
.%A J. Galbraith