Annotation of src/usr.bin/ssh/ssh-keygen.1, Revision 1.8
1.1 deraadt 1: .\" -*- nroff -*-
2: .\"
3: .\" ssh-keygen.1
4: .\"
5: .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
6: .\"
7: .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: .\" All rights reserved
9: .\"
10: .\" Created: Sat Apr 22 23:55:14 1995 ylo
11: .\"
1.8 ! ericj 12: .\" $Id: ssh-keygen.1,v 1.7 1999/10/17 20:35:46 aaron Exp $
1.1 deraadt 13: .\"
1.2 deraadt 14: .Dd September 25, 1999
15: .Dt SSH-KEYGEN 1
16: .Os
17: .Sh NAME
18: .Nm ssh-keygen
19: .Nd authentication key generation
20: .Sh SYNOPSIS
21: .Nm ssh-keygen
1.5 aaron 22: .Op Fl q
1.2 deraadt 23: .Op Fl b Ar bits
24: .Op Fl N Ar new_passphrase
25: .Op Fl C Ar comment
26: .Nm ssh-keygen
27: .Fl p
28: .Op Fl P Ar old_passphrase
29: .Op Fl N Ar new_passphrase
30: .Nm ssh-keygen
31: .Fl c
32: .Op Fl P Ar passphrase
33: .Op Fl C Ar comment
34: .Sh DESCRIPTION
35: .Nm
1.1 deraadt 36: generates and manages authentication keys for
1.2 deraadt 37: .Xr ssh 1 .
38: Normally each user wishing to use SSH
1.1 deraadt 39: with RSA authentication runs this once to create the authentication
40: key in
1.2 deraadt 41: .Pa $HOME/.ssh/identity .
1.1 deraadt 42: Additionally, the system administrator may use this to generate host keys.
1.2 deraadt 43: .Pp
1.1 deraadt 44: Normally this program generates the key and asks for a file in which
45: to store the private key. The public key is stored in a file with the
1.2 deraadt 46: same name but
47: .Dq .pub
48: appended. The program also asks for a
1.1 deraadt 49: passphrase. The passphrase may be empty to indicate no passphrase
50: (host keys must have empty passphrase), or it may be a string of
51: arbitrary length. Good passphrases are 10-30 characters long and are
52: not simple sentences or otherwise easily guessable (English
53: prose has only 1-2 bits of entropy per word, and provides very bad
54: passphrases). The passphrase can be changed later by using the
1.2 deraadt 55: .Fl p
1.1 deraadt 56: option.
1.2 deraadt 57: .Pp
1.1 deraadt 58: There is no way to recover a lost passphrase. If the passphrase is
59: lost or forgotten, you will have to generate a new key and copy the
60: corresponding public key to other machines.
1.2 deraadt 61: .Pp
1.1 deraadt 62: There is also a comment field in the key file that is only for
63: convenience to the user to help identify the key. The comment can
64: tell what the key is for, or whatever is useful. The comment is
1.2 deraadt 65: initialized to
66: .Dq user@host
67: when the key is created, but can be changed using the
68: .Fl c
1.1 deraadt 69: option.
1.2 deraadt 70: .Pp
71: The options are as follows:
72: .Bl -tag -width Ds
73: .It Fl b Ar bits
1.1 deraadt 74: Specifies the number of bits in the key to create. Minimum is 512
75: bits. Generally 1024 bits is considered sufficient, and key sizes
76: above that no longer improve security but make things slower. The
77: default is 1024 bits.
1.2 deraadt 78: .It Fl c
1.1 deraadt 79: Requests changing the comment in the private and public key files.
80: The program will prompt for the file containing the private keys, for
81: passphrase if the key has one, and for the new comment.
1.2 deraadt 82: .It Fl p
1.1 deraadt 83: Requests changing the passphrase of a private key file instead of
84: creating a new private key. The program will prompt for the file
85: containing the private key, for the old passphrase, and twice for the
86: new passphrase.
1.5 aaron 87: .It Fl q
88: Silence
89: .Nm ssh-keygen .
90: Used by
91: .Pa /etc/rc
92: when creating a new key.
1.2 deraadt 93: .It Fl C Ar comment
1.1 deraadt 94: Provides the new comment.
1.2 deraadt 95: .It Fl N Ar new_passphrase
1.1 deraadt 96: Provides the new passphrase.
1.2 deraadt 97: .It Fl P Ar passphrase
1.1 deraadt 98: Provides the (old) passphrase.
1.2 deraadt 99: .El
100: .Sh FILES
101: .Bl -tag -width Ds
102: .It Pa $HOME/.ssh/random_seed
1.1 deraadt 103: Used for seeding the random number generator. This file should not be
104: readable by anyone but the user. This file is created the first time
105: the program is run, and is updated every time.
1.2 deraadt 106: .It Pa $HOME/.ssh/identity
1.1 deraadt 107: Contains the RSA authentication identity of the user. This file
108: should not be readable by anyone but the user. It is possible to
109: specify a passphrase when generating the key; that passphrase will be
1.3 deraadt 110: used to encrypt the private part of this file using 3DES. This file
1.1 deraadt 111: is not automatically accessed by
1.2 deraadt 112: .Nm
1.1 deraadt 113: but it is offered as the default file for the private key.
1.2 deraadt 114: .It Pa $HOME/.ssh/identity.pub
1.1 deraadt 115: Contains the public key for authentication. The contents of this file
1.2 deraadt 116: should be added to
117: .Pa $HOME/.ssh/authorized_keys
118: on all machines
1.1 deraadt 119: where you wish to log in using RSA authentication. There is no
120: need to keep the contents of this file secret.
1.2 deraadt 121: .Sh AUTHOR
1.1 deraadt 122: Tatu Ylonen <ylo@cs.hut.fi>
1.4 deraadt 123: .Pp
1.6 deraadt 124: OpenSSH
125: is a derivative of the original (free) ssh 1.2.12 release, but with bugs
126: removed and newer features re-added. Rapidly after the 1.2.12 release,
127: newer versions bore successively more restrictive licenses. This version
128: of OpenSSH
129: .Bl -bullet
130: .It
131: has all components of a restrictive nature (ie. patents, see
132: .Xr ssl 8 )
133: directly removed from the source code; any licensed or patented components
134: are chosen from
135: external libraries.
136: .It
137: has been updated to support ssh protocol 1.5.
138: .It
139: contains added support for
140: .Xr kerberos 8
141: authentication and ticket passing.
142: .It
143: supports one-time password authentication with
144: .Xr skey 1 .
145: .El
146: .Pp
147: The libraries described in
1.4 deraadt 148: .Xr ssl 8
149: are required for proper operation.
1.2 deraadt 150: .Sh SEE ALSO
151: .Xr ssh 1 ,
152: .Xr ssh-add 1 ,
1.8 ! ericj 153: .Xr ssh-agent 1 ,
1.4 deraadt 154: .Xr sshd 8 ,
155: .Xr ssl 8