Annotation of src/usr.bin/ssh/ssh-keygen.1, Revision 1.2
1.1 deraadt 1: .\" -*- nroff -*-
2: .\"
3: .\" ssh-keygen.1
4: .\"
5: .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
6: .\"
7: .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: .\" All rights reserved
9: .\"
10: .\" Created: Sat Apr 22 23:55:14 1995 ylo
11: .\"
12: .\" $Id: ssh-keygen.1,v 1.2 1999/05/04 11:59:16 bg Exp $
13: .\"
1.2 ! deraadt 14: .Dd September 25, 1999
! 15: .Dt SSH-KEYGEN 1
! 16: .Os
! 17: .Sh NAME
! 18: .Nm ssh-keygen
! 19: .Nd authentication key generation
! 20: .Sh SYNOPSIS
! 21: .Nm ssh-keygen
! 22: .Op Fl b Ar bits
! 23: .Op Fl N Ar new_passphrase
! 24: .Op Fl C Ar comment
! 25: .Nm ssh-keygen
! 26: .Fl p
! 27: .Op Fl P Ar old_passphrase
! 28: .Op Fl N Ar new_passphrase
! 29: .Nm ssh-keygen
! 30: .Fl c
! 31: .Op Fl P Ar passphrase
! 32: .Op Fl C Ar comment
! 33: .Sh DESCRIPTION
! 34: .Nm
1.1 deraadt 35: generates and manages authentication keys for
1.2 ! deraadt 36: .Xr ssh 1 .
! 37: Normally each user wishing to use SSH
1.1 deraadt 38: with RSA authentication runs this once to create the authentication
39: key in
1.2 ! deraadt 40: .Pa $HOME/.ssh/identity .
1.1 deraadt 41: Additionally, the system administrator may use this to generate host keys.
1.2 ! deraadt 42: .Pp
1.1 deraadt 43: Normally this program generates the key and asks for a file in which
44: to store the private key. The public key is stored in a file with the
1.2 ! deraadt 45: same name but
! 46: .Dq .pub
! 47: appended. The program also asks for a
1.1 deraadt 48: passphrase. The passphrase may be empty to indicate no passphrase
49: (host keys must have empty passphrase), or it may be a string of
50: arbitrary length. Good passphrases are 10-30 characters long and are
51: not simple sentences or otherwise easily guessable (English
52: prose has only 1-2 bits of entropy per word, and provides very bad
53: passphrases). The passphrase can be changed later by using the
1.2 ! deraadt 54: .Fl p
1.1 deraadt 55: option.
1.2 ! deraadt 56: .Pp
1.1 deraadt 57: There is no way to recover a lost passphrase. If the passphrase is
58: lost or forgotten, you will have to generate a new key and copy the
59: corresponding public key to other machines.
1.2 ! deraadt 60: .Pp
1.1 deraadt 61: There is also a comment field in the key file that is only for
62: convenience to the user to help identify the key. The comment can
63: tell what the key is for, or whatever is useful. The comment is
1.2 ! deraadt 64: initialized to
! 65: .Dq user@host
! 66: when the key is created, but can be changed using the
! 67: .Fl c
1.1 deraadt 68: option.
1.2 ! deraadt 69: .Pp
! 70: The options are as follows:
! 71: .Pp
! 72: .Bl -tag -width Ds
! 73: .It Fl b Ar bits
1.1 deraadt 74: Specifies the number of bits in the key to create. Minimum is 512
75: bits. Generally 1024 bits is considered sufficient, and key sizes
76: above that no longer improve security but make things slower. The
77: default is 1024 bits.
1.2 ! deraadt 78: .It Fl c
1.1 deraadt 79: Requests changing the comment in the private and public key files.
80: The program will prompt for the file containing the private keys, for
81: passphrase if the key has one, and for the new comment.
1.2 ! deraadt 82: .It Fl p
1.1 deraadt 83: Requests changing the passphrase of a private key file instead of
84: creating a new private key. The program will prompt for the file
85: containing the private key, for the old passphrase, and twice for the
86: new passphrase.
1.2 ! deraadt 87: .It Fl C Ar comment
1.1 deraadt 88: Provides the new comment.
1.2 ! deraadt 89: .It Fl N Ar new_passphrase
1.1 deraadt 90: Provides the new passphrase.
1.2 ! deraadt 91: .It Fl P Ar passphrase
1.1 deraadt 92: Provides the (old) passphrase.
1.2 ! deraadt 93: .El
! 94: .Sh FILES
! 95: .Bl -tag -width Ds
! 96: .It Pa $HOME/.ssh/random_seed
1.1 deraadt 97: Used for seeding the random number generator. This file should not be
98: readable by anyone but the user. This file is created the first time
99: the program is run, and is updated every time.
1.2 ! deraadt 100: .It Pa $HOME/.ssh/identity
1.1 deraadt 101: Contains the RSA authentication identity of the user. This file
102: should not be readable by anyone but the user. It is possible to
103: specify a passphrase when generating the key; that passphrase will be
104: used to encrypt the private part of this file using IDEA. This file
105: is not automatically accessed by
1.2 ! deraadt 106: .Nm
1.1 deraadt 107: but it is offered as the default file for the private key.
1.2 ! deraadt 108: .It Pa $HOME/.ssh/identity.pub
1.1 deraadt 109: Contains the public key for authentication. The contents of this file
1.2 ! deraadt 110: should be added to
! 111: .Pa $HOME/.ssh/authorized_keys
! 112: on all machines
1.1 deraadt 113: where you wish to log in using RSA authentication. There is no
114: need to keep the contents of this file secret.
1.2 ! deraadt 115: .Sh AUTHOR
1.1 deraadt 116: Tatu Ylonen <ylo@cs.hut.fi>
1.2 ! deraadt 117: .Sh SEE ALSO
! 118: .Xr ssh 1 ,
! 119: .Xr ssh-add 1 ,
! 120: .Xr ssh-agent 1,
! 121: .Xr sshd 8