Annotation of src/usr.bin/ssh/ssh-keygen.1, Revision 1.18
1.1 deraadt 1: .\" -*- nroff -*-
2: .\"
3: .\" ssh-keygen.1
4: .\"
5: .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
6: .\"
7: .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: .\" All rights reserved
9: .\"
10: .\" Created: Sat Apr 22 23:55:14 1995 ylo
11: .\"
1.18 ! hugh 12: .\" $Id: ssh-keygen.1,v 1.17 2000/05/03 08:37:27 markus Exp $
1.1 deraadt 13: .\"
1.2 deraadt 14: .Dd September 25, 1999
15: .Dt SSH-KEYGEN 1
16: .Os
17: .Sh NAME
18: .Nm ssh-keygen
19: .Nd authentication key generation
20: .Sh SYNOPSIS
21: .Nm ssh-keygen
1.15 deraadt 22: .Op Fl dq
1.2 deraadt 23: .Op Fl b Ar bits
24: .Op Fl N Ar new_passphrase
25: .Op Fl C Ar comment
1.9 markus 26: .Op Fl f Ar keyfile
1.2 deraadt 27: .Nm ssh-keygen
28: .Fl p
29: .Op Fl P Ar old_passphrase
30: .Op Fl N Ar new_passphrase
1.9 markus 31: .Op Fl f Ar keyfile
1.2 deraadt 32: .Nm ssh-keygen
1.16 deraadt 33: .Fl x
34: .Op Fl f Ar keyfile
35: .Nm ssh-keygen
36: .Fl X
37: .Op Fl f Ar keyfile
38: .Nm ssh-keygen
1.17 markus 39: .Fl y
40: .Op Fl f Ar keyfile
41: .Nm ssh-keygen
1.2 deraadt 42: .Fl c
43: .Op Fl P Ar passphrase
44: .Op Fl C Ar comment
1.9 markus 45: .Op Fl f Ar keyfile
46: .Nm ssh-keygen
47: .Fl l
48: .Op Fl f Ar keyfile
1.14 deraadt 49: .Nm ssh-keygen
50: .Fl R
1.13 aaron 51: .Sh DESCRIPTION
1.2 deraadt 52: .Nm
1.13 aaron 53: generates and manages authentication keys for
1.2 deraadt 54: .Xr ssh 1 .
1.15 deraadt 55: .Nm
56: defaults to generating an RSA key for use by protocols 1.3 and 1.5;
57: specifying the
58: .Fl d
59: flag will create a DSA key instead for use by protocol 2.0.
60: .Pp
1.2 deraadt 61: Normally each user wishing to use SSH
1.15 deraadt 62: with RSA or DSA authentication runs this once to create the authentication
1.1 deraadt 63: key in
1.15 deraadt 64: .Pa $HOME/.ssh/identity
65: or
66: .Pa $HOME/.ssh/id_dsa .
67: Additionally, the system administrator may use this to generate host keys,
68: as seen in
69: .Pa /etc/rc .
1.2 deraadt 70: .Pp
1.1 deraadt 71: Normally this program generates the key and asks for a file in which
1.12 aaron 72: to store the private key.
73: The public key is stored in a file with the same name but
1.2 deraadt 74: .Dq .pub
1.12 aaron 75: appended.
76: The program also asks for a passphrase.
77: The passphrase may be empty to indicate no passphrase
1.1 deraadt 78: (host keys must have empty passphrase), or it may be a string of
1.12 aaron 79: arbitrary length.
80: Good passphrases are 10-30 characters long and are
1.1 deraadt 81: not simple sentences or otherwise easily guessable (English
82: prose has only 1-2 bits of entropy per word, and provides very bad
1.12 aaron 83: passphrases).
84: The passphrase can be changed later by using the
1.2 deraadt 85: .Fl p
1.1 deraadt 86: option.
1.2 deraadt 87: .Pp
1.12 aaron 88: There is no way to recover a lost passphrase.
89: If the passphrase is
1.1 deraadt 90: lost or forgotten, you will have to generate a new key and copy the
91: corresponding public key to other machines.
1.2 deraadt 92: .Pp
1.15 deraadt 93: For RSA, there is also a comment field in the key file that is only for
1.12 aaron 94: convenience to the user to help identify the key.
95: The comment can tell what the key is for, or whatever is useful.
96: The comment is initialized to
1.2 deraadt 97: .Dq user@host
98: when the key is created, but can be changed using the
99: .Fl c
1.1 deraadt 100: option.
1.2 deraadt 101: .Pp
1.15 deraadt 102: After a key is generated, instructions below detail where the keys
103: should be placed to be activated.
104: .Pp
1.2 deraadt 105: The options are as follows:
106: .Bl -tag -width Ds
107: .It Fl b Ar bits
1.12 aaron 108: Specifies the number of bits in the key to create.
109: Minimum is 512 bits.
110: Generally 1024 bits is considered sufficient, and key sizes
111: above that no longer improve security but make things slower.
112: The default is 1024 bits.
1.2 deraadt 113: .It Fl c
1.1 deraadt 114: Requests changing the comment in the private and public key files.
115: The program will prompt for the file containing the private keys, for
116: passphrase if the key has one, and for the new comment.
1.9 markus 117: .It Fl f
118: Specifies the filename of the key file.
119: .It Fl l
120: Show fingerprint of specified private or public key file.
1.2 deraadt 121: .It Fl p
1.1 deraadt 122: Requests changing the passphrase of a private key file instead of
1.12 aaron 123: creating a new private key.
124: The program will prompt for the file
1.1 deraadt 125: containing the private key, for the old passphrase, and twice for the
126: new passphrase.
1.5 aaron 127: .It Fl q
128: Silence
129: .Nm ssh-keygen .
130: Used by
131: .Pa /etc/rc
132: when creating a new key.
1.2 deraadt 133: .It Fl C Ar comment
1.1 deraadt 134: Provides the new comment.
1.2 deraadt 135: .It Fl N Ar new_passphrase
1.1 deraadt 136: Provides the new passphrase.
1.2 deraadt 137: .It Fl P Ar passphrase
1.1 deraadt 138: Provides the (old) passphrase.
1.14 deraadt 139: .It Fl R
140: If RSA support is functional, immediately exits with code 0. If RSA
141: support is not functional, exits with code 1. This flag will be
142: removed once the RSA patent expires.
1.16 deraadt 143: .It Fl x
1.17 markus 144: This option will read a private
1.18 ! hugh 145: OpenSSH DSA format file and print a SSH2-compatible public key to stdout.
1.16 deraadt 146: .It Fl X
147: This option will read a
1.18 ! hugh 148: SSH2-compatible public key file and print an OpenSSH DSA compatible public key to stdout.
1.17 markus 149: .It Fl y
150: This option will read a private
1.18 ! hugh 151: OpenSSH DSA format file and print an OpenSSH DSA public key to stdout.
1.2 deraadt 152: .El
153: .Sh FILES
154: .Bl -tag -width Ds
155: .It Pa $HOME/.ssh/identity
1.12 aaron 156: Contains the RSA authentication identity of the user.
157: This file should not be readable by anyone but the user.
158: It is possible to
1.1 deraadt 159: specify a passphrase when generating the key; that passphrase will be
1.12 aaron 160: used to encrypt the private part of this file using 3DES.
161: This file is not automatically accessed by
1.2 deraadt 162: .Nm
1.1 deraadt 163: but it is offered as the default file for the private key.
1.15 deraadt 164: .Xr sshd 8
165: will read this file when a login attempt is made.
1.2 deraadt 166: .It Pa $HOME/.ssh/identity.pub
1.12 aaron 167: Contains the public key for authentication.
168: The contents of this file should be added to
1.2 deraadt 169: .Pa $HOME/.ssh/authorized_keys
170: on all machines
1.12 aaron 171: where you wish to log in using RSA authentication.
1.15 deraadt 172: There is no need to keep the contents of this file secret.
173: .It Pa $HOME/.ssh/id_dsa
174: Contains the DSA authentication identity of the user.
175: This file should not be readable by anyone but the user.
176: It is possible to
177: specify a passphrase when generating the key; that passphrase will be
178: used to encrypt the private part of this file using 3DES.
179: This file is not automatically accessed by
180: .Nm
181: but it is offered as the default file for the private key.
182: .Xr sshd 8
183: will read this file when a login attempt is made.
184: .It Pa $HOME/.ssh/id_dsa.pub
185: Contains the public key for authentication.
186: The contents of this file should be added to
187: .Pa $HOME/.ssh/authorized_keys2
188: on all machines
189: where you wish to log in using DSA authentication.
1.12 aaron 190: There is no need to keep the contents of this file secret.
1.2 deraadt 191: .Sh AUTHOR
1.1 deraadt 192: Tatu Ylonen <ylo@cs.hut.fi>
1.4 deraadt 193: .Pp
1.6 deraadt 194: OpenSSH
195: is a derivative of the original (free) ssh 1.2.12 release, but with bugs
1.12 aaron 196: removed and newer features re-added.
197: Rapidly after the 1.2.12 release,
198: newer versions bore successively more restrictive licenses.
199: This version of OpenSSH
1.6 deraadt 200: .Bl -bullet
201: .It
1.11 aaron 202: has all components of a restrictive nature (i.e., patents, see
1.6 deraadt 203: .Xr ssl 8 )
204: directly removed from the source code; any licensed or patented components
205: are chosen from
206: external libraries.
207: .It
208: has been updated to support ssh protocol 1.5.
209: .It
1.13 aaron 210: contains added support for
1.6 deraadt 211: .Xr kerberos 8
212: authentication and ticket passing.
213: .It
214: supports one-time password authentication with
215: .Xr skey 1 .
216: .El
217: .Pp
218: The libraries described in
1.4 deraadt 219: .Xr ssl 8
220: are required for proper operation.
1.2 deraadt 221: .Sh SEE ALSO
222: .Xr ssh 1 ,
223: .Xr ssh-add 1 ,
1.8 ericj 224: .Xr ssh-agent 1 ,
1.4 deraadt 225: .Xr sshd 8 ,
226: .Xr ssl 8