| version 1.63.2.3, 2005/09/02 03:45:01 |
version 1.64, 2005/03/01 10:42:49 |
|
|
| Normally each user wishing to use SSH |
Normally each user wishing to use SSH |
| with RSA or DSA authentication runs this once to create the authentication |
with RSA or DSA authentication runs this once to create the authentication |
| key in |
key in |
| .Pa ~/.ssh/identity , |
.Pa $HOME/.ssh/identity , |
| .Pa ~/.ssh/id_dsa |
.Pa $HOME/.ssh/id_dsa |
| or |
or |
| .Pa ~/.ssh/id_rsa . |
.Pa $HOME/.ssh/id_rsa . |
| Additionally, the system administrator may use this to generate host keys, |
Additionally, the system administrator may use this to generate host keys, |
| as seen in |
as seen in |
| .Pa /etc/rc . |
.Pa /etc/rc . |
|
|
| candidates using the |
candidates using the |
| .Fl T |
.Fl T |
| command. |
command. |
| .It Fl B |
|
| Show the bubblebabble digest of specified private or public key file. |
|
| .It Fl b Ar bits |
.It Fl b Ar bits |
| Specifies the number of bits in the key to create. |
Specifies the number of bits in the key to create. |
| Minimum is 512 bits. |
Minimum is 512 bits. |
| Generally, 2048 bits is considered sufficient. |
Generally, 1024 bits is considered sufficient. |
| The default is 2048 bits. |
The default is 1024 bits. |
| .It Fl C Ar comment |
|
| Provides a new comment. |
|
| .It Fl c |
.It Fl c |
| Requests changing the comment in the private and public key files. |
Requests changing the comment in the private and public key files. |
| This operation is only supported for RSA1 keys. |
This operation is only supported for RSA1 keys. |
| The program will prompt for the file containing the private keys, for |
The program will prompt for the file containing the private keys, for |
| the passphrase if the key has one, and for the new comment. |
the passphrase if the key has one, and for the new comment. |
| .It Fl D Ar reader |
|
| Download the RSA public key stored in the smartcard in |
|
| .Ar reader . |
|
| .It Fl e |
.It Fl e |
| This option will read a private or public OpenSSH key file and |
This option will read a private or public OpenSSH key file and |
| print the key in a |
print the key in a |
|
|
| to stdout. |
to stdout. |
| This option allows exporting keys for use by several commercial |
This option allows exporting keys for use by several commercial |
| SSH implementations. |
SSH implementations. |
| .It Fl F Ar hostname |
|
| Search for the specified |
|
| .Ar hostname |
|
| in a |
|
| .Pa known_hosts |
|
| file, listing any occurrences found. |
|
| This option is useful to find hashed host names or addresses and may also be |
|
| used in conjunction with the |
|
| .Fl H |
|
| option to print found keys in a hashed format. |
|
| .It Fl f Ar filename |
|
| Specifies the filename of the key file. |
|
| .It Fl G Ar output_file |
|
| Generate candidate primes for DH-GEX. |
|
| These primes must be screened for |
|
| safety (using the |
|
| .Fl T |
|
| option) before use. |
|
| .It Fl g |
.It Fl g |
| Use generic DNS format when printing fingerprint resource records using the |
Use generic DNS format when printing fingerprint resource records using the |
| .Fl r |
.Fl r |
| command. |
command. |
| .It Fl H |
.It Fl f Ar filename |
| Hash a |
Specifies the filename of the key file. |
| .Pa known_hosts |
|
| file. |
|
| This replaces all hostnames and addresses with hashed representations |
|
| within the specified file; the original content is moved to a file with |
|
| a .old suffix. |
|
| These hashes may be used normally by |
|
| .Nm ssh |
|
| and |
|
| .Nm sshd , |
|
| but they do not reveal identifying information should the file's contents |
|
| be disclosed. |
|
| This option will not modify existing hashed hostnames and is therefore safe |
|
| to use on files that mix hashed and non-hashed names. |
|
| .It Fl i |
.It Fl i |
| This option will read an unencrypted private (or public) key file |
This option will read an unencrypted private (or public) key file |
| in SSH2-compatible format and print an OpenSSH compatible private |
in SSH2-compatible format and print an OpenSSH compatible private |
|
|
| For RSA and DSA keys |
For RSA and DSA keys |
| .Nm |
.Nm |
| tries to find the matching public key file and prints its fingerprint. |
tries to find the matching public key file and prints its fingerprint. |
| .It Fl M Ar memory |
|
| Specify the amount of memory to use (in megabytes) when generating |
|
| candidate moduli for DH-GEX. |
|
| .It Fl N Ar new_passphrase |
|
| Provides the new passphrase. |
|
| .It Fl P Ar passphrase |
|
| Provides the (old) passphrase. |
|
| .It Fl p |
.It Fl p |
| Requests changing the passphrase of a private key file instead of |
Requests changing the passphrase of a private key file instead of |
| creating a new private key. |
creating a new private key. |
|
|
| Used by |
Used by |
| .Pa /etc/rc |
.Pa /etc/rc |
| when creating a new key. |
when creating a new key. |
| |
.It Fl y |
| |
This option will read a private |
| |
OpenSSH format file and print an OpenSSH public key to stdout. |
| |
.It Fl t Ar type |
| |
Specifies the type of the key to create. |
| |
The possible values are |
| |
.Dq rsa1 |
| |
for protocol version 1 and |
| |
.Dq rsa |
| |
or |
| |
.Dq dsa |
| |
for protocol version 2. |
| |
.It Fl B |
| |
Show the bubblebabble digest of specified private or public key file. |
| |
.It Fl C Ar comment |
| |
Provides the new comment. |
| |
.It Fl D Ar reader |
| |
Download the RSA public key stored in the smartcard in |
| |
.Ar reader . |
| |
.It Fl F Ar hostname |
| |
Search for the specified |
| |
.Ar hostname |
| |
in a |
| |
.Pa known_hosts |
| |
file, listing any occurances found. |
| |
This option is useful to find hashed host names or addresses and may also be |
| |
used in conjunction with the |
| |
.Fl H |
| |
option to print found keys in a hashed format. |
| |
.It Fl H |
| |
Hash a |
| |
.Pa known_hosts |
| |
file, printing the result to standard output. |
| |
This replaces all hostnames and addresses with hashed representations. |
| |
These hashes may be used normally by |
| |
.Nm ssh |
| |
and |
| |
.Nm sshd , |
| |
but they do not reveal identifying information should the file's contents |
| |
be disclosed. |
| |
This option will not modify existing hashed hostnames and is therefore safe |
| |
to use on files that mix hashed and non-hashed names. |
| .It Fl R Ar hostname |
.It Fl R Ar hostname |
| Removes all keys belonging to |
Removes all keys belonging to |
| .Ar hostname |
.Ar hostname |
| from a |
from a |
| .Pa known_hosts |
.Pa known_hosts |
| file. |
file. |
| This option is useful to delete hashed hosts (see the |
This option is useful to delete hashed hosts (see the |
| .Fl H |
.Fl H |
| option above). |
option above). |
| .It Fl r Ar hostname |
.It Fl G Ar output_file |
| Print the SSHFP fingerprint resource record named |
Generate candidate primes for DH-GEX. |
| .Ar hostname |
These primes must be screened for |
| for the specified public key file. |
safety (using the |
| |
.Fl T |
| |
option) before use. |
| |
.It Fl M Ar memory |
| |
Specify the amount of memory to use (in megabytes) when generating |
| |
candidate moduli for DH-GEX. |
| |
.It Fl N Ar new_passphrase |
| |
Provides the new passphrase. |
| |
.It Fl P Ar passphrase |
| |
Provides the (old) passphrase. |
| .It Fl S Ar start |
.It Fl S Ar start |
| Specify start point (in hex) when generating candidate moduli for DH-GEX. |
Specify start point (in hex) when generating candidate moduli for DH-GEX. |
| .It Fl T Ar output_file |
.It Fl T Ar output_file |
| Test DH group exchange candidate primes (generated using the |
Test DH group exchange candidate primes (generated using the |
| .Fl G |
.Fl G |
| option) for safety. |
option) for safety. |
| .It Fl t Ar type |
.It Fl W Ar generator |
| Specifies the type of key to create. |
Specify desired generator when testing candidate moduli for DH-GEX. |
| The possible values are |
|
| .Dq rsa1 |
|
| for protocol version 1 and |
|
| .Dq rsa |
|
| or |
|
| .Dq dsa |
|
| for protocol version 2. |
|
| .It Fl U Ar reader |
.It Fl U Ar reader |
| Upload an existing RSA private key into the smartcard in |
Upload an existing RSA private key into the smartcard in |
| .Ar reader . |
.Ar reader . |
|
|
| .Fl v |
.Fl v |
| options increase the verbosity. |
options increase the verbosity. |
| The maximum is 3. |
The maximum is 3. |
| .It Fl W Ar generator |
.It Fl r Ar hostname |
| Specify desired generator when testing candidate moduli for DH-GEX. |
Print the SSHFP fingerprint resource record named |
| .It Fl y |
.Ar hostname |
| This option will read a private |
for the specified public key file. |
| OpenSSH format file and print an OpenSSH public key to stdout. |
|
| .El |
.El |
| .Sh MODULI GENERATION |
.Sh MODULI GENERATION |
| .Nm |
.Nm |
|
|
| option. |
option. |
| For example: |
For example: |
| .Pp |
.Pp |
| .Dl # ssh-keygen -G moduli-2048.candidates -b 2048 |
.Dl ssh-keygen -G moduli-2048.candidates -b 2048 |
| .Pp |
.Pp |
| By default, the search for primes begins at a random point in the |
By default, the search for primes begins at a random point in the |
| desired length range. |
desired length range. |
|
|
| option). |
option). |
| For example: |
For example: |
| .Pp |
.Pp |
| .Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates |
.Dl ssh-keygen -T moduli-2048 -f moduli-2048.candidates |
| .Pp |
.Pp |
| By default, each candidate will be subjected to 100 primality tests. |
By default, each candidate will be subjected to 100 primality tests. |
| This may be overridden using the |
This may be overridden using the |
|
|
| If a specific generator is desired, it may be requested using the |
If a specific generator is desired, it may be requested using the |
| .Fl W |
.Fl W |
| option. |
option. |
| Valid generator values are 2, 3, and 5. |
Valid generator values are 2, 3 and 5. |
| .Pp |
.Pp |
| Screened DH groups may be installed in |
Screened DH groups may be installed in |
| .Pa /etc/moduli . |
.Pa /etc/moduli . |
|
|
| that both ends of a connection share common moduli. |
that both ends of a connection share common moduli. |
| .Sh FILES |
.Sh FILES |
| .Bl -tag -width Ds |
.Bl -tag -width Ds |
| .It Pa ~/.ssh/identity |
.It Pa $HOME/.ssh/identity |
| Contains the protocol version 1 RSA authentication identity of the user. |
Contains the protocol version 1 RSA authentication identity of the user. |
| This file should not be readable by anyone but the user. |
This file should not be readable by anyone but the user. |
| It is possible to |
It is possible to |
|
|
| but it is offered as the default file for the private key. |
but it is offered as the default file for the private key. |
| .Xr ssh 1 |
.Xr ssh 1 |
| will read this file when a login attempt is made. |
will read this file when a login attempt is made. |
| .It Pa ~/.ssh/identity.pub |
.It Pa $HOME/.ssh/identity.pub |
| Contains the protocol version 1 RSA public key for authentication. |
Contains the protocol version 1 RSA public key for authentication. |
| The contents of this file should be added to |
The contents of this file should be added to |
| .Pa ~/.ssh/authorized_keys |
.Pa $HOME/.ssh/authorized_keys |
| on all machines |
on all machines |
| where the user wishes to log in using RSA authentication. |
where the user wishes to log in using RSA authentication. |
| There is no need to keep the contents of this file secret. |
There is no need to keep the contents of this file secret. |
| .It Pa ~/.ssh/id_dsa |
.It Pa $HOME/.ssh/id_dsa |
| Contains the protocol version 2 DSA authentication identity of the user. |
Contains the protocol version 2 DSA authentication identity of the user. |
| This file should not be readable by anyone but the user. |
This file should not be readable by anyone but the user. |
| It is possible to |
It is possible to |
|
|
| but it is offered as the default file for the private key. |
but it is offered as the default file for the private key. |
| .Xr ssh 1 |
.Xr ssh 1 |
| will read this file when a login attempt is made. |
will read this file when a login attempt is made. |
| .It Pa ~/.ssh/id_dsa.pub |
.It Pa $HOME/.ssh/id_dsa.pub |
| Contains the protocol version 2 DSA public key for authentication. |
Contains the protocol version 2 DSA public key for authentication. |
| The contents of this file should be added to |
The contents of this file should be added to |
| .Pa ~/.ssh/authorized_keys |
.Pa $HOME/.ssh/authorized_keys |
| on all machines |
on all machines |
| where the user wishes to log in using public key authentication. |
where the user wishes to log in using public key authentication. |
| There is no need to keep the contents of this file secret. |
There is no need to keep the contents of this file secret. |
| .It Pa ~/.ssh/id_rsa |
.It Pa $HOME/.ssh/id_rsa |
| Contains the protocol version 2 RSA authentication identity of the user. |
Contains the protocol version 2 RSA authentication identity of the user. |
| This file should not be readable by anyone but the user. |
This file should not be readable by anyone but the user. |
| It is possible to |
It is possible to |
|
|
| but it is offered as the default file for the private key. |
but it is offered as the default file for the private key. |
| .Xr ssh 1 |
.Xr ssh 1 |
| will read this file when a login attempt is made. |
will read this file when a login attempt is made. |
| .It Pa ~/.ssh/id_rsa.pub |
.It Pa $HOME/.ssh/id_rsa.pub |
| Contains the protocol version 2 RSA public key for authentication. |
Contains the protocol version 2 RSA public key for authentication. |
| The contents of this file should be added to |
The contents of this file should be added to |
| .Pa ~/.ssh/authorized_keys |
.Pa $HOME/.ssh/authorized_keys |
| on all machines |
on all machines |
| where the user wishes to log in using public key authentication. |
where the user wishes to log in using public key authentication. |
| There is no need to keep the contents of this file secret. |
There is no need to keep the contents of this file secret. |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-keygen.1 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh