Annotation of src/usr.bin/ssh/ssh-keygen.1, Revision 1.5
1.1 deraadt 1: .\" -*- nroff -*-
2: .\"
3: .\" ssh-keygen.1
4: .\"
5: .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
6: .\"
7: .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: .\" All rights reserved
9: .\"
10: .\" Created: Sat Apr 22 23:55:14 1995 ylo
11: .\"
1.5 ! aaron 12: .\" $Id: ssh-keygen.1,v 1.4 1999/10/02 13:10:26 deraadt Exp $
1.1 deraadt 13: .\"
1.2 deraadt 14: .Dd September 25, 1999
15: .Dt SSH-KEYGEN 1
16: .Os
17: .Sh NAME
18: .Nm ssh-keygen
19: .Nd authentication key generation
20: .Sh SYNOPSIS
21: .Nm ssh-keygen
1.5 ! aaron 22: .Op Fl q
1.2 deraadt 23: .Op Fl b Ar bits
24: .Op Fl N Ar new_passphrase
25: .Op Fl C Ar comment
26: .Nm ssh-keygen
27: .Fl p
28: .Op Fl P Ar old_passphrase
29: .Op Fl N Ar new_passphrase
30: .Nm ssh-keygen
31: .Fl c
32: .Op Fl P Ar passphrase
33: .Op Fl C Ar comment
34: .Sh DESCRIPTION
35: .Nm
1.1 deraadt 36: generates and manages authentication keys for
1.2 deraadt 37: .Xr ssh 1 .
38: Normally each user wishing to use SSH
1.1 deraadt 39: with RSA authentication runs this once to create the authentication
40: key in
1.2 deraadt 41: .Pa $HOME/.ssh/identity .
1.1 deraadt 42: Additionally, the system administrator may use this to generate host keys.
1.2 deraadt 43: .Pp
1.1 deraadt 44: Normally this program generates the key and asks for a file in which
45: to store the private key. The public key is stored in a file with the
1.2 deraadt 46: same name but
47: .Dq .pub
48: appended. The program also asks for a
1.1 deraadt 49: passphrase. The passphrase may be empty to indicate no passphrase
50: (host keys must have empty passphrase), or it may be a string of
51: arbitrary length. Good passphrases are 10-30 characters long and are
52: not simple sentences or otherwise easily guessable (English
53: prose has only 1-2 bits of entropy per word, and provides very bad
54: passphrases). The passphrase can be changed later by using the
1.2 deraadt 55: .Fl p
1.1 deraadt 56: option.
1.2 deraadt 57: .Pp
1.1 deraadt 58: There is no way to recover a lost passphrase. If the passphrase is
59: lost or forgotten, you will have to generate a new key and copy the
60: corresponding public key to other machines.
1.2 deraadt 61: .Pp
1.1 deraadt 62: There is also a comment field in the key file that is only for
63: convenience to the user to help identify the key. The comment can
64: tell what the key is for, or whatever is useful. The comment is
1.2 deraadt 65: initialized to
66: .Dq user@host
67: when the key is created, but can be changed using the
68: .Fl c
1.1 deraadt 69: option.
1.2 deraadt 70: .Pp
71: The options are as follows:
72: .Pp
73: .Bl -tag -width Ds
74: .It Fl b Ar bits
1.1 deraadt 75: Specifies the number of bits in the key to create. Minimum is 512
76: bits. Generally 1024 bits is considered sufficient, and key sizes
77: above that no longer improve security but make things slower. The
78: default is 1024 bits.
1.2 deraadt 79: .It Fl c
1.1 deraadt 80: Requests changing the comment in the private and public key files.
81: The program will prompt for the file containing the private keys, for
82: passphrase if the key has one, and for the new comment.
1.2 deraadt 83: .It Fl p
1.1 deraadt 84: Requests changing the passphrase of a private key file instead of
85: creating a new private key. The program will prompt for the file
86: containing the private key, for the old passphrase, and twice for the
87: new passphrase.
1.5 ! aaron 88: .It Fl q
! 89: Silence
! 90: .Nm ssh-keygen .
! 91: Used by
! 92: .Pa /etc/rc
! 93: when creating a new key.
1.2 deraadt 94: .It Fl C Ar comment
1.1 deraadt 95: Provides the new comment.
1.2 deraadt 96: .It Fl N Ar new_passphrase
1.1 deraadt 97: Provides the new passphrase.
1.2 deraadt 98: .It Fl P Ar passphrase
1.1 deraadt 99: Provides the (old) passphrase.
1.2 deraadt 100: .El
101: .Sh FILES
102: .Bl -tag -width Ds
103: .It Pa $HOME/.ssh/random_seed
1.1 deraadt 104: Used for seeding the random number generator. This file should not be
105: readable by anyone but the user. This file is created the first time
106: the program is run, and is updated every time.
1.2 deraadt 107: .It Pa $HOME/.ssh/identity
1.1 deraadt 108: Contains the RSA authentication identity of the user. This file
109: should not be readable by anyone but the user. It is possible to
110: specify a passphrase when generating the key; that passphrase will be
1.3 deraadt 111: used to encrypt the private part of this file using 3DES. This file
1.1 deraadt 112: is not automatically accessed by
1.2 deraadt 113: .Nm
1.1 deraadt 114: but it is offered as the default file for the private key.
1.2 deraadt 115: .It Pa $HOME/.ssh/identity.pub
1.1 deraadt 116: Contains the public key for authentication. The contents of this file
1.2 deraadt 117: should be added to
118: .Pa $HOME/.ssh/authorized_keys
119: on all machines
1.1 deraadt 120: where you wish to log in using RSA authentication. There is no
121: need to keep the contents of this file secret.
1.2 deraadt 122: .Sh AUTHOR
1.1 deraadt 123: Tatu Ylonen <ylo@cs.hut.fi>
1.4 deraadt 124: .Pp
125: This version of
126: .Nm
127: is a derivative of the original 1.2.12 release, but with bugs removed and
128: newer features re-added. Rapidly after the 1.2.12 release, newer versions
129: bore successively more restrictive licenses. In this version, all components
130: of a restrictive nature (ie. patents) have been directly removed from the
131: source code; any licensed or patented components are chosen from external
132: libraries. The libraries described in
133: .Xr ssl 8
134: are required for proper operation.
1.2 deraadt 135: .Sh SEE ALSO
136: .Xr ssh 1 ,
137: .Xr ssh-add 1 ,
138: .Xr ssh-agent 1,
1.4 deraadt 139: .Xr sshd 8 ,
140: .Xr ssl 8