Annotation of src/usr.bin/ssh/ssh-keygen.1, Revision 1.3
1.1 deraadt 1: .\" -*- nroff -*-
2: .\"
3: .\" ssh-keygen.1
4: .\"
5: .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
6: .\"
7: .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: .\" All rights reserved
9: .\"
10: .\" Created: Sat Apr 22 23:55:14 1995 ylo
11: .\"
1.3 ! deraadt 12: .\" $Id: ssh-keygen.1,v 1.2 1999/09/26 22:30:06 deraadt Exp $
1.1 deraadt 13: .\"
1.2 deraadt 14: .Dd September 25, 1999
15: .Dt SSH-KEYGEN 1
16: .Os
17: .Sh NAME
18: .Nm ssh-keygen
19: .Nd authentication key generation
20: .Sh SYNOPSIS
21: .Nm ssh-keygen
22: .Op Fl b Ar bits
23: .Op Fl N Ar new_passphrase
24: .Op Fl C Ar comment
25: .Nm ssh-keygen
26: .Fl p
27: .Op Fl P Ar old_passphrase
28: .Op Fl N Ar new_passphrase
29: .Nm ssh-keygen
30: .Fl c
31: .Op Fl P Ar passphrase
32: .Op Fl C Ar comment
33: .Sh DESCRIPTION
34: .Nm
1.1 deraadt 35: generates and manages authentication keys for
1.2 deraadt 36: .Xr ssh 1 .
37: Normally each user wishing to use SSH
1.1 deraadt 38: with RSA authentication runs this once to create the authentication
39: key in
1.2 deraadt 40: .Pa $HOME/.ssh/identity .
1.1 deraadt 41: Additionally, the system administrator may use this to generate host keys.
1.2 deraadt 42: .Pp
1.1 deraadt 43: Normally this program generates the key and asks for a file in which
44: to store the private key. The public key is stored in a file with the
1.2 deraadt 45: same name but
46: .Dq .pub
47: appended. The program also asks for a
1.1 deraadt 48: passphrase. The passphrase may be empty to indicate no passphrase
49: (host keys must have empty passphrase), or it may be a string of
50: arbitrary length. Good passphrases are 10-30 characters long and are
51: not simple sentences or otherwise easily guessable (English
52: prose has only 1-2 bits of entropy per word, and provides very bad
53: passphrases). The passphrase can be changed later by using the
1.2 deraadt 54: .Fl p
1.1 deraadt 55: option.
1.2 deraadt 56: .Pp
1.1 deraadt 57: There is no way to recover a lost passphrase. If the passphrase is
58: lost or forgotten, you will have to generate a new key and copy the
59: corresponding public key to other machines.
1.2 deraadt 60: .Pp
1.1 deraadt 61: There is also a comment field in the key file that is only for
62: convenience to the user to help identify the key. The comment can
63: tell what the key is for, or whatever is useful. The comment is
1.2 deraadt 64: initialized to
65: .Dq user@host
66: when the key is created, but can be changed using the
67: .Fl c
1.1 deraadt 68: option.
1.2 deraadt 69: .Pp
70: The options are as follows:
71: .Pp
72: .Bl -tag -width Ds
73: .It Fl b Ar bits
1.1 deraadt 74: Specifies the number of bits in the key to create. Minimum is 512
75: bits. Generally 1024 bits is considered sufficient, and key sizes
76: above that no longer improve security but make things slower. The
77: default is 1024 bits.
1.2 deraadt 78: .It Fl c
1.1 deraadt 79: Requests changing the comment in the private and public key files.
80: The program will prompt for the file containing the private keys, for
81: passphrase if the key has one, and for the new comment.
1.2 deraadt 82: .It Fl p
1.1 deraadt 83: Requests changing the passphrase of a private key file instead of
84: creating a new private key. The program will prompt for the file
85: containing the private key, for the old passphrase, and twice for the
86: new passphrase.
1.2 deraadt 87: .It Fl C Ar comment
1.1 deraadt 88: Provides the new comment.
1.2 deraadt 89: .It Fl N Ar new_passphrase
1.1 deraadt 90: Provides the new passphrase.
1.2 deraadt 91: .It Fl P Ar passphrase
1.1 deraadt 92: Provides the (old) passphrase.
1.2 deraadt 93: .El
94: .Sh FILES
95: .Bl -tag -width Ds
96: .It Pa $HOME/.ssh/random_seed
1.1 deraadt 97: Used for seeding the random number generator. This file should not be
98: readable by anyone but the user. This file is created the first time
99: the program is run, and is updated every time.
1.2 deraadt 100: .It Pa $HOME/.ssh/identity
1.1 deraadt 101: Contains the RSA authentication identity of the user. This file
102: should not be readable by anyone but the user. It is possible to
103: specify a passphrase when generating the key; that passphrase will be
1.3 ! deraadt 104: used to encrypt the private part of this file using 3DES. This file
1.1 deraadt 105: is not automatically accessed by
1.2 deraadt 106: .Nm
1.1 deraadt 107: but it is offered as the default file for the private key.
1.2 deraadt 108: .It Pa $HOME/.ssh/identity.pub
1.1 deraadt 109: Contains the public key for authentication. The contents of this file
1.2 deraadt 110: should be added to
111: .Pa $HOME/.ssh/authorized_keys
112: on all machines
1.1 deraadt 113: where you wish to log in using RSA authentication. There is no
114: need to keep the contents of this file secret.
1.2 deraadt 115: .Sh AUTHOR
1.1 deraadt 116: Tatu Ylonen <ylo@cs.hut.fi>
1.2 deraadt 117: .Sh SEE ALSO
118: .Xr ssh 1 ,
119: .Xr ssh-add 1 ,
120: .Xr ssh-agent 1,
121: .Xr sshd 8