| .\" -*- nroff -*- |
| .\" |
| .\" ssh-keygen.1 |
| .\" |
| .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
| .\" |
| .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| .\" All rights reserved |
| .\" |
| .\" Created: Sat Apr 22 23:55:14 1995 ylo |
| .\" |
| .\" $Id: ssh-keygen.1,v 1.16 2000/07/11 07:31:38 djm Exp $ |
| .\" |
| .Dd September 25, 1999 |
| .Dt SSH-KEYGEN 1 |
| .Os |
| .Sh NAME |
| .Nm ssh-keygen |
| .Nd authentication key generation |
| .Sh SYNOPSIS |
| .Nm ssh-keygen |
| .Op Fl dq |
| .Op Fl b Ar bits |
| .Op Fl N Ar new_passphrase |
| .Op Fl C Ar comment |
| .Op Fl f Ar keyfile |
| .Nm ssh-keygen |
| .Fl p |
| .Op Fl P Ar old_passphrase |
| .Op Fl N Ar new_passphrase |
| .Op Fl f Ar keyfile |
| .Nm ssh-keygen |
| .Fl x |
| .Op Fl f Ar keyfile |
| .Nm ssh-keygen |
| .Fl X |
| .Op Fl f Ar keyfile |
| .Nm ssh-keygen |
| .Fl y |
| .Op Fl f Ar keyfile |
| .Nm ssh-keygen |
| .Fl c |
| .Op Fl P Ar passphrase |
| .Op Fl C Ar comment |
| .Op Fl f Ar keyfile |
| .Nm ssh-keygen |
| .Fl l |
| .Op Fl f Ar keyfile |
| .Nm ssh-keygen |
| .Fl R |
| .Sh DESCRIPTION |
| .Nm |
| generates and manages authentication keys for |
| .Xr ssh 1 . |
| .Nm |
| defaults to generating an RSA key for use by protocols 1.3 and 1.5; |
| specifying the |
| .Fl d |
| flag will create a DSA key instead for use by protocol 2.0. |
| .Pp |
| Normally each user wishing to use SSH |
| with RSA or DSA authentication runs this once to create the authentication |
| key in |
| .Pa $HOME/.ssh/identity |
| or |
| .Pa $HOME/.ssh/id_dsa . |
| Additionally, the system administrator may use this to generate host keys, |
| as seen in |
| .Pa /etc/rc . |
| .Pp |
| Normally this program generates the key and asks for a file in which |
| to store the private key. |
| The public key is stored in a file with the same name but |
| .Dq .pub |
| appended. |
| The program also asks for a passphrase. |
| The passphrase may be empty to indicate no passphrase |
| (host keys must have empty passphrase), or it may be a string of |
| arbitrary length. |
| Good passphrases are 10-30 characters long and are |
| not simple sentences or otherwise easily guessable (English |
| prose has only 1-2 bits of entropy per word, and provides very bad |
| passphrases). |
| The passphrase can be changed later by using the |
| .Fl p |
| option. |
| .Pp |
| There is no way to recover a lost passphrase. |
| If the passphrase is |
| lost or forgotten, you will have to generate a new key and copy the |
| corresponding public key to other machines. |
| .Pp |
| For RSA, there is also a comment field in the key file that is only for |
| convenience to the user to help identify the key. |
| The comment can tell what the key is for, or whatever is useful. |
| The comment is initialized to |
| .Dq user@host |
| when the key is created, but can be changed using the |
| .Fl c |
| option. |
| .Pp |
| After a key is generated, instructions below detail where the keys |
| should be placed to be activated. |
| .Pp |
| The options are as follows: |
| .Bl -tag -width Ds |
| .It Fl b Ar bits |
| Specifies the number of bits in the key to create. |
| Minimum is 512 bits. |
| Generally 1024 bits is considered sufficient, and key sizes |
| above that no longer improve security but make things slower. |
| The default is 1024 bits. |
| .It Fl c |
| Requests changing the comment in the private and public key files. |
| The program will prompt for the file containing the private keys, for |
| passphrase if the key has one, and for the new comment. |
| .It Fl f |
| Specifies the filename of the key file. |
| .It Fl l |
| Show fingerprint of specified private or public key file. |
| .It Fl p |
| Requests changing the passphrase of a private key file instead of |
| creating a new private key. |
| The program will prompt for the file |
| containing the private key, for the old passphrase, and twice for the |
| new passphrase. |
| .It Fl q |
| Silence |
| .Nm ssh-keygen . |
| Used by |
| .Pa /etc/rc |
| when creating a new key. |
| .It Fl C Ar comment |
| Provides the new comment. |
| .It Fl N Ar new_passphrase |
| Provides the new passphrase. |
| .It Fl P Ar passphrase |
| Provides the (old) passphrase. |
| .It Fl R |
| If RSA support is functional, immediately exits with code 0. If RSA |
| support is not functional, exits with code 1. This flag will be |
| removed once the RSA patent expires. |
| .It Fl x |
| This option will read a private |
| OpenSSH DSA format file and print a SSH2-compatible public key to stdout. |
| .It Fl X |
| This option will read a |
| SSH2-compatible public key file and print an OpenSSH DSA compatible public key to stdout. |
| .It Fl y |
| This option will read a private |
| OpenSSH DSA format file and print an OpenSSH DSA public key to stdout. |
| .El |
| .Sh FILES |
| .Bl -tag -width Ds |
| .It Pa $HOME/.ssh/identity |
| Contains the RSA authentication identity of the user. |
| This file should not be readable by anyone but the user. |
| It is possible to |
| specify a passphrase when generating the key; that passphrase will be |
| used to encrypt the private part of this file using 3DES. |
| This file is not automatically accessed by |
| .Nm |
| but it is offered as the default file for the private key. |
| .Xr sshd 8 |
| will read this file when a login attempt is made. |
| .It Pa $HOME/.ssh/identity.pub |
| Contains the public key for authentication. |
| The contents of this file should be added to |
| .Pa $HOME/.ssh/authorized_keys |
| on all machines |
| where you wish to log in using RSA authentication. |
| There is no need to keep the contents of this file secret. |
| .It Pa $HOME/.ssh/id_dsa |
| Contains the DSA authentication identity of the user. |
| This file should not be readable by anyone but the user. |
| It is possible to |
| specify a passphrase when generating the key; that passphrase will be |
| used to encrypt the private part of this file using 3DES. |
| This file is not automatically accessed by |
| .Nm |
| but it is offered as the default file for the private key. |
| .Xr sshd 8 |
| will read this file when a login attempt is made. |
| .It Pa $HOME/.ssh/id_dsa.pub |
| Contains the public key for authentication. |
| The contents of this file should be added to |
| .Pa $HOME/.ssh/authorized_keys2 |
| on all machines |
| where you wish to log in using DSA authentication. |
| There is no need to keep the contents of this file secret. |
| .El |
| .Sh AUTHOR |
| Tatu Ylonen <ylo@cs.hut.fi> |
| .Pp |
| OpenSSH |
| is a derivative of the original (free) ssh 1.2.12 release, but with bugs |
| removed and newer features re-added. |
| Rapidly after the 1.2.12 release, |
| newer versions bore successively more restrictive licenses. |
| This version of OpenSSH |
| .Bl -bullet |
| .It |
| has all components of a restrictive nature (i.e., patents) |
| directly removed from the source code; any licensed or patented components |
| are chosen from |
| external libraries. |
| .It |
| has been updated to support ssh protocol 1.5. |
| .It |
| contains added support for |
| .Xr kerberos 8 |
| authentication and ticket passing. |
| .It |
| supports one-time password authentication with |
| .Xr skey 1 . |
| .El |
| .Sh SEE ALSO |
| .Xr ssh 1 , |
| .Xr ssh-add 1 , |
| .Xr ssh-agent 1 , |
| .Xr sshd 8 , |