Annotation of src/usr.bin/ssh/ssh-keygen.1, Revision 1.6
1.1 deraadt 1: .\" -*- nroff -*-
2: .\"
3: .\" ssh-keygen.1
4: .\"
5: .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
6: .\"
7: .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: .\" All rights reserved
9: .\"
10: .\" Created: Sat Apr 22 23:55:14 1995 ylo
11: .\"
1.6 ! deraadt 12: .\" $Id: ssh-keygen.1,v 1.5 1999/10/07 18:58:26 aaron Exp $
1.1 deraadt 13: .\"
1.2 deraadt 14: .Dd September 25, 1999
15: .Dt SSH-KEYGEN 1
16: .Os
17: .Sh NAME
18: .Nm ssh-keygen
19: .Nd authentication key generation
20: .Sh SYNOPSIS
21: .Nm ssh-keygen
1.5 aaron 22: .Op Fl q
1.2 deraadt 23: .Op Fl b Ar bits
24: .Op Fl N Ar new_passphrase
25: .Op Fl C Ar comment
26: .Nm ssh-keygen
27: .Fl p
28: .Op Fl P Ar old_passphrase
29: .Op Fl N Ar new_passphrase
30: .Nm ssh-keygen
31: .Fl c
32: .Op Fl P Ar passphrase
33: .Op Fl C Ar comment
34: .Sh DESCRIPTION
35: .Nm
1.1 deraadt 36: generates and manages authentication keys for
1.2 deraadt 37: .Xr ssh 1 .
38: Normally each user wishing to use SSH
1.1 deraadt 39: with RSA authentication runs this once to create the authentication
40: key in
1.2 deraadt 41: .Pa $HOME/.ssh/identity .
1.1 deraadt 42: Additionally, the system administrator may use this to generate host keys.
1.2 deraadt 43: .Pp
1.1 deraadt 44: Normally this program generates the key and asks for a file in which
45: to store the private key. The public key is stored in a file with the
1.2 deraadt 46: same name but
47: .Dq .pub
48: appended. The program also asks for a
1.1 deraadt 49: passphrase. The passphrase may be empty to indicate no passphrase
50: (host keys must have empty passphrase), or it may be a string of
51: arbitrary length. Good passphrases are 10-30 characters long and are
52: not simple sentences or otherwise easily guessable (English
53: prose has only 1-2 bits of entropy per word, and provides very bad
54: passphrases). The passphrase can be changed later by using the
1.2 deraadt 55: .Fl p
1.1 deraadt 56: option.
1.2 deraadt 57: .Pp
1.1 deraadt 58: There is no way to recover a lost passphrase. If the passphrase is
59: lost or forgotten, you will have to generate a new key and copy the
60: corresponding public key to other machines.
1.2 deraadt 61: .Pp
1.1 deraadt 62: There is also a comment field in the key file that is only for
63: convenience to the user to help identify the key. The comment can
64: tell what the key is for, or whatever is useful. The comment is
1.2 deraadt 65: initialized to
66: .Dq user@host
67: when the key is created, but can be changed using the
68: .Fl c
1.1 deraadt 69: option.
1.2 deraadt 70: .Pp
71: The options are as follows:
72: .Pp
73: .Bl -tag -width Ds
74: .It Fl b Ar bits
1.1 deraadt 75: Specifies the number of bits in the key to create. Minimum is 512
76: bits. Generally 1024 bits is considered sufficient, and key sizes
77: above that no longer improve security but make things slower. The
78: default is 1024 bits.
1.2 deraadt 79: .It Fl c
1.1 deraadt 80: Requests changing the comment in the private and public key files.
81: The program will prompt for the file containing the private keys, for
82: passphrase if the key has one, and for the new comment.
1.2 deraadt 83: .It Fl p
1.1 deraadt 84: Requests changing the passphrase of a private key file instead of
85: creating a new private key. The program will prompt for the file
86: containing the private key, for the old passphrase, and twice for the
87: new passphrase.
1.5 aaron 88: .It Fl q
89: Silence
90: .Nm ssh-keygen .
91: Used by
92: .Pa /etc/rc
93: when creating a new key.
1.2 deraadt 94: .It Fl C Ar comment
1.1 deraadt 95: Provides the new comment.
1.2 deraadt 96: .It Fl N Ar new_passphrase
1.1 deraadt 97: Provides the new passphrase.
1.2 deraadt 98: .It Fl P Ar passphrase
1.1 deraadt 99: Provides the (old) passphrase.
1.2 deraadt 100: .El
101: .Sh FILES
102: .Bl -tag -width Ds
103: .It Pa $HOME/.ssh/random_seed
1.1 deraadt 104: Used for seeding the random number generator. This file should not be
105: readable by anyone but the user. This file is created the first time
106: the program is run, and is updated every time.
1.2 deraadt 107: .It Pa $HOME/.ssh/identity
1.1 deraadt 108: Contains the RSA authentication identity of the user. This file
109: should not be readable by anyone but the user. It is possible to
110: specify a passphrase when generating the key; that passphrase will be
1.3 deraadt 111: used to encrypt the private part of this file using 3DES. This file
1.1 deraadt 112: is not automatically accessed by
1.2 deraadt 113: .Nm
1.1 deraadt 114: but it is offered as the default file for the private key.
1.2 deraadt 115: .It Pa $HOME/.ssh/identity.pub
1.1 deraadt 116: Contains the public key for authentication. The contents of this file
1.2 deraadt 117: should be added to
118: .Pa $HOME/.ssh/authorized_keys
119: on all machines
1.1 deraadt 120: where you wish to log in using RSA authentication. There is no
121: need to keep the contents of this file secret.
1.2 deraadt 122: .Sh AUTHOR
1.1 deraadt 123: Tatu Ylonen <ylo@cs.hut.fi>
1.4 deraadt 124: .Pp
1.6 ! deraadt 125: OpenSSH
! 126: is a derivative of the original (free) ssh 1.2.12 release, but with bugs
! 127: removed and newer features re-added. Rapidly after the 1.2.12 release,
! 128: newer versions bore successively more restrictive licenses. This version
! 129: of OpenSSH
! 130: .Bl -bullet
! 131: .It
! 132: has all components of a restrictive nature (ie. patents, see
! 133: .Xr ssl 8 )
! 134: directly removed from the source code; any licensed or patented components
! 135: are chosen from
! 136: external libraries.
! 137: .It
! 138: has been updated to support ssh protocol 1.5.
! 139: .It
! 140: contains added support for
! 141: .Xr kerberos 8
! 142: authentication and ticket passing.
! 143: .It
! 144: supports one-time password authentication with
! 145: .Xr skey 1 .
! 146: .El
! 147: .Pp
! 148: The libraries described in
1.4 deraadt 149: .Xr ssl 8
150: are required for proper operation.
1.2 deraadt 151: .Sh SEE ALSO
152: .Xr ssh 1 ,
153: .Xr ssh-add 1 ,
154: .Xr ssh-agent 1,
1.4 deraadt 155: .Xr sshd 8 ,
156: .Xr ssl 8