| version 1.59, 2003/06/10 09:12:11 |
version 1.60, 2003/07/28 09:49:56 |
|
|
| .Fl r Ar hostname |
.Fl r Ar hostname |
| .Op Fl f Ar input_keyfile |
.Op Fl f Ar input_keyfile |
| .Op Fl g |
.Op Fl g |
| |
.Nm ssh-keygen |
| |
.Fl G Ar output_file |
| |
.Op Fl b Ar bits |
| |
.Op Fl M Ar memory |
| |
.Op Fl S Ar start_point |
| |
.Nm ssh-keygen |
| |
.Fl T Ar output_file |
| |
.Fl f Ar input_file |
| |
.Op Fl a Ar num_trials |
| |
.Op Fl W Ar generator |
| .Sh DESCRIPTION |
.Sh DESCRIPTION |
| .Nm |
.Nm |
| generates, manages and converts authentication keys for |
generates, manages and converts authentication keys for |
|
|
| .Fl t |
.Fl t |
| option. |
option. |
| .Pp |
.Pp |
| |
.Nm |
| |
is also used to generate groups for use in Diffie-Hellman group |
| |
exchange (DH-GEX). |
| |
See the |
| |
.Sx MODULI GENERATION |
| |
section for details. |
| |
.Pp |
| Normally each user wishing to use SSH |
Normally each user wishing to use SSH |
| with RSA or DSA authentication runs this once to create the authentication |
with RSA or DSA authentication runs this once to create the authentication |
| key in |
key in |
|
|
| .Pp |
.Pp |
| The options are as follows: |
The options are as follows: |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| |
.It Fl a Ar trials |
| |
Specifies the number of primality tests to perform when screening DH-GEX |
| |
candidates using the |
| |
.Fl T |
| |
command. |
| .It Fl b Ar bits |
.It Fl b Ar bits |
| Specifies the number of bits in the key to create. |
Specifies the number of bits in the key to create. |
| Minimum is 512 bits. |
Minimum is 512 bits. |
|
|
| .It Fl D Ar reader |
.It Fl D Ar reader |
| Download the RSA public key stored in the smartcard in |
Download the RSA public key stored in the smartcard in |
| .Ar reader . |
.Ar reader . |
| |
.It Fl G Ar output_file |
| |
Generate candidate primes for DH-GEX. |
| |
These primes must be screened for |
| |
safety (using the |
| |
.Fl T |
| |
option) before use. |
| |
.It Fl M Ar memory |
| |
Specify the amount of memory to use (in megabytes) when generating |
| |
candidate moduli for DH-GEX. |
| .It Fl N Ar new_passphrase |
.It Fl N Ar new_passphrase |
| Provides the new passphrase. |
Provides the new passphrase. |
| .It Fl P Ar passphrase |
.It Fl P Ar passphrase |
| Provides the (old) passphrase. |
Provides the (old) passphrase. |
| |
.It Fl S Ar start |
| |
Specify start point (in hex) when generating candidate moduli for DH-GEX. |
| |
.It Fl T Ar output_file |
| |
Test DH group exchange candidate primes (generated using the |
| |
.Fl G |
| |
option) for safety. |
| |
.It Fl W Ar generator |
| |
Specify desired generator when testing candidate moduli for DH-GEX. |
| .It Fl U Ar reader |
.It Fl U Ar reader |
| Upload an existing RSA private key into the smartcard in |
Upload an existing RSA private key into the smartcard in |
| .Ar reader . |
.Ar reader . |
|
|
| Print DNS resource record with the specified |
Print DNS resource record with the specified |
| .Ar hostname . |
.Ar hostname . |
| .El |
.El |
| |
.Sh MODULI GENERATION |
| |
.Nm |
| |
may be used to generate groups for the Diffie-Hellman Group Exchange |
| |
(DH-GEX) protocol. |
| |
Generating these groups is a two-step process: first, candidate |
| |
primes are generated using a fast, but memory intensive process. |
| |
These candidate primes are then tested for suitability (a CPU-intensive |
| |
process). |
| |
.Pp |
| |
Generation of primes is performed using the |
| |
.Fl G |
| |
option. |
| |
The desired length of the primes may be specified by the |
| |
.Fl b |
| |
option. |
| |
For example: |
| |
.Pp |
| |
.Dl ssh-keygen -G moduli-2048.candidates -b 2048 |
| |
.Pp |
| |
By default, the search for primes begins at a random point in the |
| |
desired length range. |
| |
This may be overridden using the |
| |
.Fl S |
| |
option, which specifies a different start point (in hex). |
| |
.Pp |
| |
Once a set of candidates have been generated, they must be tested for |
| |
suitability. |
| |
This may be performed using the |
| |
.Fl T |
| |
option. |
| |
In this mode |
| |
.Nm |
| |
will read candidates from standard input (or a file specified using the |
| |
.Fl f |
| |
option). |
| |
For example: |
| |
.Pp |
| |
.Dl ssh-keygen -T moduli-2048 -f moduli-2048.candidates |
| |
.Pp |
| |
By default, each candidate will be subjected to 100 primality tests. |
| |
This may be overridden using the |
| |
.Fl a |
| |
option. |
| |
The DH generator value will be chosen automatically for the |
| |
prime under consideration. |
| |
If a specific generator is desired, it may be requested using the |
| |
.Fl W |
| |
option. |
| |
Valid generator values are 2, 3 and 5. |
| |
.Pp |
| |
Screened DH groups may be installed in |
| |
.Pa /etc/moduli . |
| |
It is important that this file contains moduli of a range of bit lengths and |
| |
that both ends of a connection share common moduli. |
| .Sh FILES |
.Sh FILES |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Pa $HOME/.ssh/identity |
.It Pa $HOME/.ssh/identity |
|
|
| on all machines |
on all machines |
| where the user wishes to log in using public key authentication. |
where the user wishes to log in using public key authentication. |
| There is no need to keep the contents of this file secret. |
There is no need to keep the contents of this file secret. |
| |
.It Pa /etc/moduli |
| |
Contains Diffie-Hellman groups used for DH-GEX. |
| |
The file format is described in |
| |
.Xr moduli 5 . |
| .El |
.El |
| .Sh SEE ALSO |
.Sh SEE ALSO |
| .Xr ssh 1 , |
.Xr ssh 1 , |
| .Xr ssh-add 1 , |
.Xr ssh-add 1 , |
| .Xr ssh-agent 1 , |
.Xr ssh-agent 1 , |
| |
.Xr moduli 5 , |
| .Xr sshd 8 |
.Xr sshd 8 |
| .Rs |
.Rs |
| .%A J. Galbraith |
.%A J. Galbraith |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-keygen.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh