--- version 1.63, 2004/08/13 00:01:43
+++ version 1.63.2.3, 2005/09/02 03:45:01

 .Nm ssh-keygen
 .Fl D Ar reader
 .Nm ssh-keygen
+.Fl F Ar hostname
+.Op Fl f Ar known_hosts_file
+.Nm ssh-keygen
+.Fl H
+.Op Fl f Ar known_hosts_file
+.Nm ssh-keygen
+.Fl R Ar hostname
+.Op Fl f Ar known_hosts_file
+.Nm ssh-keygen
 .Fl U Ar reader
 .Op Fl f Ar input_keyfile
 .Nm ssh-keygen
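Review bot: the three new SYNOPSIS forms (-F hostname, -H, -R hostname) each take .Op Fl f Ar known_hosts_file, but the -f entry in the option list only says "Specifies the filename of the key file"; suggest extending that entry so it also covers the known_hosts file named by -f in these modes, for example "Specifies the filename of the key file, or of the known_hosts file when used with -F, -H or -R."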

 Normally each user wishing to use SSH
 with RSA or DSA authentication runs this once to create the authentication
 key in
-.Pa $HOME/.ssh/identity ,
-.Pa $HOME/.ssh/id_dsa
+.Pa ~/.ssh/identity ,
+.Pa ~/.ssh/id_dsa
 or
-.Pa $HOME/.ssh/id_rsa .
+.Pa ~/.ssh/id_rsa .
 Additionally, the system administrator may use this to generate host keys,
 as seen in
 .Pa /etc/rc .

 candidates using the
 .Fl T
 command.
+.It Fl B
+Show the bubblebabble digest of specified private or public key file.
 .It Fl b Ar bits
 Specifies the number of bits in the key to create.
 Minimum is 512 bits.
-Generally, 1024 bits is considered sufficient.
-The default is 1024 bits.
+Generally, 2048 bits is considered sufficient.
+The default is 2048 bits.
+.It Fl C Ar comment
+Provides a new comment.
 .It Fl c
 Requests changing the comment in the private and public key files.
 This operation is only supported for RSA1 keys.
 The program will prompt for the file containing the private keys, for
 the passphrase if the key has one, and for the new comment.
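Review bot: the -b entry now calls 2048 bits sufficient and makes it the default, yet the same entry still states "Minimum is 512 bits" without comment; suggest adding a sentence that sizes far below the new default are retained only for compatibility and should not be chosen for new keys, so the minimum is not read as a recommendation. The -B and -C entries added in this block are relocations from further down the option list; only the -b text is a substantive change here.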
+.It Fl D Ar reader
+Download the RSA public key stored in the smartcard in
+.Ar reader .
 .It Fl e
 This option will read a private or public OpenSSH key file and
 print the key in a

 to stdout.
 This option allows exporting keys for use by several commercial
 SSH implementations.
+.It Fl F Ar hostname
+Search for the specified
+.Ar hostname
+in a
+.Pa known_hosts
+file, listing any occurrences found.
+This option is useful to find hashed host names or addresses and may also be
+used in conjunction with the
+.Fl H
+option to print found keys in a hashed format.
+.It Fl f Ar filename
+Specifies the filename of the key file.
+.It Fl G Ar output_file
+Generate candidate primes for DH-GEX.
+These primes must be screened for
+safety (using the
+.Fl T
+option) before use.
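Review bot: the -F entry says it "may also be used in conjunction with the -H option to print found keys in a hashed format", while the -H entry describes an in-place rewrite of the file with a .old backup; the text should state whether -F combined with -H only prints the hashed lines to stdout or also rewrites the file, so a reader knows whether to expect a backup to appear. The -D, -f and -G entries in this block are relocations with unchanged wording.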
 .It Fl g
 Use generic DNS format when printing fingerprint resource records using the
 .Fl r
 command.
-.It Fl f Ar filename
-Specifies the filename of the key file.
+.It Fl H
+Hash a
+.Pa known_hosts
+file.
+This replaces all hostnames and addresses with hashed representations
+within the specified file; the original content is moved to a file with
+a .old suffix.
+These hashes may be used normally by
+.Nm ssh
+and
+.Nm sshd ,
+but they do not reveal identifying information should the file's contents
+be disclosed.
+This option will not modify existing hashed hostnames and is therefore safe
+to use on files that mix hashed and non-hashed names.
 .It Fl i
 This option will read an unencrypted private (or public) key file
 in SSH2-compatible format and print an OpenSSH compatible private

 For RSA and DSA keys
 .Nm
 tries to find the matching public key file and prints its fingerprint.
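Review bot: the -H entry says the original content is moved to a file with a .old suffix, but since the stated purpose of hashing is that a disclosed known_hosts "does not reveal identifying information", the text should tell the user that the .old file still holds every host name in the clear and should be removed once the hashed file has been checked (for example with -F); otherwise the hashing gains nothing for that directory. Suggest one sentence after "a .old suffix." to that effect.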
+.It Fl M Ar memory
+Specify the amount of memory to use (in megabytes) when generating
+candidate moduli for DH-GEX.
+.It Fl N Ar new_passphrase
+Provides the new passphrase.
+.It Fl P Ar passphrase
+Provides the (old) passphrase.
 .It Fl p
 Requests changing the passphrase of a private key file instead of
 creating a new private key.

 Used by
 .Pa /etc/rc
 when creating a new key.
-.It Fl y
-This option will read a private
-OpenSSH format file and print an OpenSSH public key to stdout.
+.It Fl R Ar hostname
+Removes all keys belonging to
+.Ar hostname
+from a
+.Pa known_hosts
+file.
+This option is useful to delete hashed hosts (see the
+.Fl H
+option above).
+.It Fl r Ar hostname
+Print the SSHFP fingerprint resource record named
+.Ar hostname
+for the specified public key file.
+.It Fl S Ar start
+Specify start point (in hex) when generating candidate moduli for DH-GEX.
+.It Fl T Ar output_file
+Test DH group exchange candidate primes (generated using the
+.Fl G
+option) for safety.
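Review bot: the new -R entry does not say whether the known_hosts file is rewritten in place or, as with -H, the original is kept with a .old suffix; suggest mirroring the wording of the -H entry so the two known_hosts editing modes are described consistently. For the relocated -N and -P entries, consider noting that a passphrase supplied as a command-line argument is visible to other users in the process list and may be recorded in shell history, so the interactive prompt is preferable outside scripts.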
 .It Fl t Ar type
-Specifies the type of the key to create.
+Specifies the type of key to create.
 The possible values are
 .Dq rsa1
 for protocol version 1 and

 or
 .Dq dsa
 for protocol version 2.
-.It Fl B
-Show the bubblebabble digest of specified private or public key file.
-.It Fl C Ar comment
-Provides the new comment.
-.It Fl D Ar reader
-Download the RSA public key stored in the smartcard in
-.Ar reader .
-.It Fl G Ar output_file
-Generate candidate primes for DH-GEX.
-These primes must be screened for
-safety (using the
-.Fl T
-option) before use.
-.It Fl M Ar memory
-Specify the amount of memory to use (in megabytes) when generating
-candidate moduli for DH-GEX.
-.It Fl N Ar new_passphrase
-Provides the new passphrase.
-.It Fl P Ar passphrase
-Provides the (old) passphrase.
-.It Fl S Ar start
-Specify start point (in hex) when generating candidate moduli for DH-GEX.
-.It Fl T Ar output_file
-Test DH group exchange candidate primes (generated using the
-.Fl G
-option) for safety.
-.It Fl W Ar generator
-Specify desired generator when testing candidate moduli for DH-GEX.
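Review bot: the removed -C entry here reads "Provides the new comment." while the copy inserted at its new alphabetical position reads "Provides a new comment.", so a wording change has slipped into what is otherwise a pure reordering; pick one form (the -N entry uses "Provides the new passphrase", which argues for "the") and keep the moved entries byte-identical so the diff stays reviewable.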
 .It Fl U Ar reader
 Upload an existing RSA private key into the smartcard in
 .Ar reader .

 .Fl v
 options increase the verbosity.
 The maximum is 3.
-.It Fl r Ar hostname
-Print the SSHFP fingerprint resource record named
-.Ar hostname
-for the specified public key file.
+.It Fl W Ar generator
+Specify desired generator when testing candidate moduli for DH-GEX.
+.It Fl y
+This option will read a private
+OpenSSH format file and print an OpenSSH public key to stdout.
 .El
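Review bot: the relocated -y entry says it reads "a private OpenSSH format file" but, unlike the -i entry, does not say whether that file may be passphrase-protected; since readers use -y to regenerate a lost .pub file, suggest stating whether a passphrase prompt is to be expected for an encrypted key.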
 .Sh MODULI GENERATION
 .Nm

 option.
 For example:
 .Pp
-.Dl ssh-keygen -G moduli-2048.candidates -b 2048
+.Dl # ssh-keygen -G moduli-2048.candidates -b 2048
 .Pp
 By default, the search for primes begins at a random point in the
 desired length range.

 option).
 For example:
 .Pp
-.Dl ssh-keygen -T moduli-2048 -f moduli-2048.candidates
+.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
 .Pp
 By default, each candidate will be subjected to 100 primality tests.
 This may be overridden using the

 If a specific generator is desired, it may be requested using the
 .Fl W
 option.
-Valid generator values are 2, 3 and 5.
+Valid generator values are 2, 3, and 5.
 .Pp
 Screened DH groups may be installed in
 .Pa /etc/moduli .

 that both ends of a connection share common moduli.
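Review bot: the two .Dl examples gained a "# " prompt prefix, which conventionally signals a root shell, but the -G and -T steps only read and write the files named on the command line and need no privilege; only the final installation into /etc/moduli does. Either drop the prefix or add a sentence making clear that root is required only for the install step, so administrators are not encouraged to run the lengthy generation and screening as root.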
 .Sh FILES
 .Bl -tag -width Ds
-.It Pa $HOME/.ssh/identity
+.It Pa ~/.ssh/identity
 Contains the protocol version 1 RSA authentication identity of the user.
 This file should not be readable by anyone but the user.
 It is possible to

 but it is offered as the default file for the private key.
 .Xr ssh 1
 will read this file when a login attempt is made.
-.It Pa $HOME/.ssh/identity.pub
+.It Pa ~/.ssh/identity.pub
 Contains the protocol version 1 RSA public key for authentication.
 The contents of this file should be added to
-.Pa $HOME/.ssh/authorized_keys
+.Pa ~/.ssh/authorized_keys
 on all machines
 where the user wishes to log in using RSA authentication.
 There is no need to keep the contents of this file secret.
-.It Pa $HOME/.ssh/id_dsa
+.It Pa ~/.ssh/id_dsa
 Contains the protocol version 2 DSA authentication identity of the user.
 This file should not be readable by anyone but the user.
 It is possible to

 but it is offered as the default file for the private key.
 .Xr ssh 1
 will read this file when a login attempt is made.
-.It Pa $HOME/.ssh/id_dsa.pub
+.It Pa ~/.ssh/id_dsa.pub
 Contains the protocol version 2 DSA public key for authentication.
 The contents of this file should be added to
-.Pa $HOME/.ssh/authorized_keys
+.Pa ~/.ssh/authorized_keys
 on all machines
 where the user wishes to log in using public key authentication.
 There is no need to keep the contents of this file secret.
-.It Pa $HOME/.ssh/id_rsa
+.It Pa ~/.ssh/id_rsa
 Contains the protocol version 2 RSA authentication identity of the user.
 This file should not be readable by anyone but the user.
 It is possible to

 but it is offered as the default file for the private key.
 .Xr ssh 1
 will read this file when a login attempt is made.
-.It Pa $HOME/.ssh/id_rsa.pub
+.It Pa ~/.ssh/id_rsa.pub
 Contains the protocol version 2 RSA public key for authentication.
 The contents of this file should be added to
-.Pa $HOME/.ssh/authorized_keys
+.Pa ~/.ssh/authorized_keys
 on all machines
 where the user wishes to log in using public key authentication.
 There is no need to keep the contents of this file secret.
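Review bot: the $HOME to ~ change is applied to every .It Pa and .Pa path in this section and matches the same change in the DESCRIPTION, so no stale $HOME form remains in the visible diff. The three private-key entries each repeat "This file should not be readable by anyone but the user" but never say what ssh does when the mode is wider; since that is the check users most often trip over, one sentence stating that ssh(1) refuses a private key with overly permissive modes would make the advice actionable.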