1 .\" $OpenBSD: ssh-keygen.1,v 1.148 2018/08/08 01:16:01 djm Exp $
3 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 .\" All rights reserved
7 .\" As far as I am concerned, the code I have written for this software
8 .\" can be used freely for any purpose. Any derived versions of this
9 .\" software must be clearly marked as such, and if the derived work is
10 .\" incompatible with the protocol description in the RFC file, it must be
11 .\" called by a name other than "ssh" or "Secure Shell".
14 .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
15 .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
16 .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
18 .\" Redistribution and use in source and binary forms, with or without
19 .\" modification, are permitted provided that the following conditions
21 .\" 1. Redistributions of source code must retain the above copyright
22 .\" notice, this list of conditions and the following disclaimer.
23 .\" 2. Redistributions in binary form must reproduce the above copyright
24 .\" notice, this list of conditions and the following disclaimer in the
25 .\" documentation and/or other materials provided with the distribution.
27 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28 .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29 .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30 .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31 .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32 .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33 .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34 .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 .Dd $Mdocdate: August 8 2018 $
43 .Nd authentication key generation, management and conversion
49 .Op Fl t Cm dsa | ecdsa | ed25519 | rsa
50 .Op Fl N Ar new_passphrase
52 .Op Fl f Ar output_keyfile
55 .Op Fl P Ar old_passphrase
56 .Op Fl N Ar new_passphrase
60 .Op Fl m Ar key_format
61 .Op Fl f Ar input_keyfile
64 .Op Fl m Ar key_format
65 .Op Fl f Ar input_keyfile
68 .Op Fl f Ar input_keyfile
71 .Op Fl P Ar passphrase
77 .Op Fl E Ar fingerprint_hash
78 .Op Fl f Ar input_keyfile
81 .Op Fl f Ar input_keyfile
86 .Op Fl f Ar known_hosts_file
90 .Op Fl f Ar known_hosts_file
93 .Op Fl f Ar known_hosts_file
96 .Op Fl f Ar input_keyfile
103 .Op Fl S Ar start_point
109 .Op Fl J Ar num_lines
110 .Op Fl j Ar start_line
112 .Op Fl W Ar generator
115 .Fl I Ar certificate_identity
118 .Op Fl D Ar pkcs11_provider
119 .Op Fl n Ar principals
121 .Op Fl V Ar validity_interval
122 .Op Fl z Ar serial_number
126 .Op Fl f Ar input_keyfile
129 .Op Fl f Ar prefix_path
134 .Op Fl s Ar ca_public
135 .Op Fl z Ar version_number
144 generates, manages and converts authentication keys for
147 can create keys for use by SSH protocol version 2.
149 The type of key to be generated is specified with the
152 If invoked without any arguments,
154 will generate an RSA key.
157 is also used to generate groups for use in Diffie-Hellman group
160 .Sx MODULI GENERATION
165 can be used to generate and update Key Revocation Lists, and to test whether
166 given keys have been revoked by one.
168 .Sx KEY REVOCATION LISTS
171 Normally each user wishing to use SSH
172 with public key authentication runs this once to create the authentication
175 .Pa ~/.ssh/id_ecdsa ,
176 .Pa ~/.ssh/id_ed25519
179 Additionally, the system administrator may use this to generate host keys,
183 Normally this program generates the key and asks for a file in which
184 to store the private key.
185 The public key is stored in a file with the same name but
188 The program also asks for a passphrase.
189 The passphrase may be empty to indicate no passphrase
190 (host keys must have an empty passphrase), or it may be a string of
192 A passphrase is similar to a password, except it can be a phrase with a
193 series of words, punctuation, numbers, whitespace, or any string of
195 Good passphrases are 10-30 characters long, are
196 not simple sentences or otherwise easily guessable (English
197 prose has only 1-2 bits of entropy per character, and provides very bad
198 passphrases), and contain a mix of upper and lowercase letters,
199 numbers, and non-alphanumeric characters.
200 The passphrase can be changed later by using the
204 There is no way to recover a lost passphrase.
205 If the passphrase is lost or forgotten, a new key must be generated
206 and the corresponding public key copied to other machines.
208 For keys stored in the newer OpenSSH format,
209 there is also a comment field in the key file that is only for
210 convenience to the user to help identify the key.
211 The comment can tell what the key is for, or whatever is useful.
212 The comment is initialized to
214 when the key is created, but can be changed using the
218 After a key is generated, instructions below detail where the keys
219 should be placed to be activated.
221 The options are as follows:
224 For each of the key types (rsa, dsa, ecdsa and ed25519)
226 do not exist, generate the host keys with the default key file path,
227 an empty passphrase, default bits for the key type, and default comment.
230 has also been specified, its argument is used as a prefix to the
231 default path for the resulting host key files.
234 to generate new host keys.
236 When saving a private key this option specifies the number of KDF
237 (key derivation function) rounds used.
238 Higher numbers result in slower passphrase verification and increased
239 resistance to brute-force password cracking (should the keys be stolen).
241 When screening DH-GEX candidates (using the
244 This option specifies the number of primality tests to perform.
246 Show the bubblebabble digest of specified private or public key file.
248 Specifies the number of bits in the key to create.
249 For RSA keys, the minimum size is 1024 bits and the default is 2048 bits.
250 Generally, 2048 bits is considered sufficient.
251 DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
254 flag determines the key length by selecting from one of three elliptic
255 curve sizes: 256, 384 or 521 bits.
256 Attempting to use bit lengths other than these three values for ECDSA keys
258 Ed25519 keys have a fixed length and the
260 flag will be ignored.
262 Provides a new comment.
264 Requests changing the comment in the private and public key files.
265 The program will prompt for the file containing the private keys, for
266 the passphrase if the key has one, and for the new comment.
268 Download the RSA public keys provided by the PKCS#11 shared library
270 When used in combination with
272 this option indicates that a CA key resides in a PKCS#11 token (see the
274 section for details).
275 .It Fl E Ar fingerprint_hash
276 Specifies the hash algorithm used when displaying key fingerprints.
284 This option will read a private or public OpenSSH key file and
285 print to stdout the key in one of the formats specified by the
288 The default export format is
290 This option allows exporting OpenSSH keys for use by other programs, including
291 several commercial SSH implementations.
293 Search for the specified
297 file, listing any occurrences found.
298 This option is useful to find hashed host names or addresses and may also be
299 used in conjunction with the
301 option to print found keys in a hashed format.
303 Specifies the filename of the key file.
304 .It Fl G Ar output_file
305 Generate candidate primes for DH-GEX.
306 These primes must be screened for
311 Use generic DNS format when printing fingerprint resource records using the
318 This replaces all hostnames and addresses with hashed representations
319 within the specified file; the original content is moved to a file with
321 These hashes may be used normally by
325 but they do not reveal identifying information should the file's contents
327 This option will not modify existing hashed hostnames and is therefore safe
328 to use on files that mix hashed and non-hashed names.
330 When signing a key, create a host certificate instead of a user
335 .It Fl I Ar certificate_identity
336 Specify the key identity when signing a public key.
341 This option will read an unencrypted private (or public) key file
342 in the format specified by the
344 option and print an OpenSSH compatible private
345 (or public) key to stdout.
346 This option allows importing keys from other software, including several
347 commercial SSH implementations.
348 The default import format is
350 .It Fl J Ar num_lines
351 Exit after screening the specified number of lines
352 while performing DH candidate screening using the
355 .It Fl j Ar start_line
356 Start screening at the specified line number
357 while performing DH candidate screening using the
361 Write the last line processed to the file
363 while performing DH candidate screening using the
366 This will be used to skip lines in the input file that have already been
367 processed if the job is restarted.
372 will generate a KRL file at the location specified via the
374 flag that revokes every key or certificate presented on the command line.
375 Keys/certificates to be revoked may be specified by public key file or
376 using the format described in the
377 .Sx KEY REVOCATION LISTS
380 Prints the contents of one or more certificates.
382 Show fingerprint of specified public key file.
385 tries to find the matching public key file and prints its fingerprint.
388 a visual ASCII art representation of the key is supplied with the
391 Specify the amount of memory to use (in megabytes) when generating
392 candidate moduli for DH-GEX.
393 .It Fl m Ar key_format
394 Specify a key format for the
398 (export) conversion options.
399 The supported key formats are:
401 (RFC 4716/SSH2 public or private key),
403 (PEM PKCS8 public key)
407 The default conversion format is
411 when generating or updating a supported private key type will cause the
412 key to be stored in the legacy PEM private key format.
413 .It Fl N Ar new_passphrase
414 Provides the new passphrase.
415 .It Fl n Ar principals
416 Specify one or more principals (user or host names) to be included in
417 a certificate when signing a key.
418 Multiple principals may be specified, separated by commas.
423 Specify a certificate option when signing a key.
424 This option may be specified multiple times.
427 section for further details.
429 At present, no standard options are valid for host keys.
430 The options that are valid for user certificates are:
432 .Bl -tag -width Ds -compact
434 Clear all enabled permissions.
435 This is useful for clearing the default set of permissions so permissions may
436 be added individually.
438 .It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
439 .It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
440 Includes an arbitrary certificate critical option or extension.
443 should include a domain suffix, e.g.\&
444 .Dq name@example.com .
447 is specified then it is included as the contents of the extension/option
448 encoded as a string, otherwise the extension/option is created with no
449 contents (usually indicating a flag).
450 Extensions may be ignored by a client or server that does not recognise them,
451 whereas unknown critical options will cause the certificate to be refused.
453 .It Ic force-command Ns = Ns Ar command
454 Forces the execution of
456 instead of any shell or command specified by the user when
457 the certificate is used for authentication.
459 .It Ic no-agent-forwarding
462 forwarding (permitted by default).
464 .It Ic no-port-forwarding
465 Disable port forwarding (permitted by default).
468 Disable PTY allocation (permitted by default).
475 (permitted by default).
477 .It Ic no-x11-forwarding
478 Disable X11 forwarding (permitted by default).
480 .It Ic permit-agent-forwarding
485 .It Ic permit-port-forwarding
486 Allows port forwarding.
489 Allows PTY allocation.
491 .It Ic permit-user-rc
497 .It Ic permit-X11-forwarding
498 Allows X11 forwarding.
500 .It Ic source-address Ns = Ns Ar address_list
501 Restrict the source addresses from which the certificate is considered valid.
504 is a comma-separated list of one or more address/netmask pairs in CIDR
507 .It Fl P Ar passphrase
508 Provides the (old) passphrase.
510 Requests changing the passphrase of a private key file instead of
511 creating a new private key.
512 The program will prompt for the file
513 containing the private key, for the old passphrase, and twice for the
516 Test whether keys have been revoked in a KRL.
521 Removes all keys belonging to
526 This option is useful to delete hashed hosts (see the
530 Print the SSHFP fingerprint resource record named
532 for the specified public key file.
534 Specify start point (in hex) when generating candidate moduli for DH-GEX.
536 Certify (sign) a public key using the specified CA key.
541 When generating a KRL,
543 specifies a path to a CA public key file used to revoke certificates directly
544 by key ID or serial number.
546 .Sx KEY REVOCATION LISTS
548 .It Fl T Ar output_file
549 Test DH group exchange candidate primes (generated using the
552 .It Fl t Cm dsa | ecdsa | ed25519 | rsa
553 Specifies the type of key to create.
554 The possible values are
561 When used in combination with
563 this option indicates that a CA key resides in a
567 section for more information.
572 keys listed via the command line are added to the existing KRL rather than
573 a new KRL being created.
574 .It Fl V Ar validity_interval
575 Specify a validity interval when signing a certificate.
576 A validity interval may consist of a single time, indicating that the
577 certificate is valid beginning now and expiring at that time, or may consist
578 of two times separated by a colon to indicate an explicit time interval.
580 The start time may be specified as the string
582 to indicate the certificate has no specified start time,
583 a date in YYYYMMDD format, a time in YYYYMMDDHHMM[SS] format,
584 a relative time (to the current time) consisting of a minus sign followed by
585 an interval in the format described in the
586 TIME FORMATS section of
589 The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMM[SS] time,
590 a relative time starting with a plus character or the string
592 to indicate that the certificate has no expirty date.
596 (valid from now to 52 weeks and one day from now),
598 (valid from four weeks ago to four weeks from now),
599 .Dq 20100101123000:20110101123000
600 (valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
602 (valid from yesterday to midnight, January 1st, 2011).
604 (valid from one minute ago and never expiring).
609 to print debugging messages about its progress.
610 This is helpful for debugging moduli generation.
613 options increase the verbosity.
615 .It Fl W Ar generator
616 Specify desired generator when testing candidate moduli for DH-GEX.
618 This option will read a private
619 OpenSSH format file and print an OpenSSH public key to stdout.
620 .It Fl z Ar serial_number
621 Specifies a serial number to be embedded in the certificate to distinguish
622 this certificate from others from the same CA.
623 The default serial number is zero.
625 When generating a KRL, the
627 flag is used to specify a KRL version number.
629 .Sh MODULI GENERATION
631 may be used to generate groups for the Diffie-Hellman Group Exchange
633 Generating these groups is a two-step process: first, candidate
634 primes are generated using a fast, but memory intensive process.
635 These candidate primes are then tested for suitability (a CPU-intensive
638 Generation of primes is performed using the
641 The desired length of the primes may be specified by the
646 .Dl # ssh-keygen -G moduli-2048.candidates -b 2048
648 By default, the search for primes begins at a random point in the
649 desired length range.
650 This may be overridden using the
652 option, which specifies a different start point (in hex).
654 Once a set of candidates have been generated, they must be screened for
656 This may be performed using the
661 will read candidates from standard input (or a file specified using the
666 .Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
668 By default, each candidate will be subjected to 100 primality tests.
669 This may be overridden using the
672 The DH generator value will be chosen automatically for the
673 prime under consideration.
674 If a specific generator is desired, it may be requested using the
677 Valid generator values are 2, 3, and 5.
679 Screened DH groups may be installed in
681 It is important that this file contains moduli of a range of bit lengths and
682 that both ends of a connection share common moduli.
685 supports signing of keys to produce certificates that may be used for
686 user or host authentication.
687 Certificates consist of a public key, some identity information, zero or
688 more principal (user or host) names and a set of options that
689 are signed by a Certification Authority (CA) key.
690 Clients or servers may then trust only the CA key and verify its signature
691 on a certificate rather than trusting many user/host keys.
692 Note that OpenSSH certificates are a different, and much simpler, format to
693 the X.509 certificates used in
697 supports two types of certificates: user and host.
698 User certificates authenticate users to servers, whereas host certificates
699 authenticate server hosts to users.
700 To generate a user certificate:
702 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
704 The resultant certificate will be placed in
705 .Pa /path/to/user_key-cert.pub .
706 A host certificate requires the
710 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
712 The host certificate will be output to
713 .Pa /path/to/host_key-cert.pub .
715 It is possible to sign using a CA key stored in a PKCS#11 token by
716 providing the token library using
718 and identifying the CA key by providing its public half as an argument
722 .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
724 Similarly, it is possible for the CA key to be hosted in a
726 This is indicated by the
728 flag and, again, the CA key must be identified by its public half.
730 .Dl $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub
734 is a "key identifier" that is logged by the server when the certificate
735 is used for authentication.
737 Certificates may be limited to be valid for a set of principal (user/host)
739 By default, generated certificates are valid for all users or hosts.
740 To generate a certificate for a specified set of principals:
742 .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
743 .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub"
745 Additional limitations on the validity and use of user certificates may
746 be specified through certificate options.
747 A certificate option may disable features of the SSH session, may be
748 valid only when presented from particular source addresses or may
749 force the use of a specific command.
750 For a list of valid certificate options, see the documentation for the
754 Finally, certificates may be defined with a validity lifetime.
757 option allows specification of certificate start and end times.
758 A certificate that is presented at a time outside this range will not be
760 By default, certificates are valid from
762 Epoch to the distant future.
764 For certificates to be used for user or host authentication, the CA
765 public key must be trusted by
769 Please refer to those manual pages for details.
770 .Sh KEY REVOCATION LISTS
772 is able to manage OpenSSH format Key Revocation Lists (KRLs).
773 These binary files specify keys or certificates to be revoked using a
774 compact format, taking as little as one bit per certificate if they are being
775 revoked by serial number.
777 KRLs may be generated using the
780 This option reads one or more files from the command line and generates a new
782 The files may either contain a KRL specification (see below) or public keys,
784 Plain public keys are revoked by listing their hash or contents in the KRL and
785 certificates revoked by serial number or key ID (if the serial is zero or
788 Revoking keys using a KRL specification offers explicit control over the
789 types of record used to revoke keys and may be used to directly revoke
790 certificates by serial number or key ID without having the complete original
792 A KRL specification consists of lines containing one of the following directives
793 followed by a colon and some directive-specific information.
795 .It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
796 Revokes a certificate with the specified serial number.
797 Serial numbers are 64-bit values, not including zero and may be expressed
798 in decimal, hex or octal.
799 If two serial numbers are specified separated by a hyphen, then the range
800 of serial numbers including and between each is revoked.
801 The CA key must have been specified on the
803 command line using the
806 .It Cm id : Ar key_id
807 Revokes a certificate with the specified key ID string.
808 The CA key must have been specified on the
810 command line using the
813 .It Cm key : Ar public_key
814 Revokes the specified key.
815 If a certificate is listed, then it is revoked as a plain public key.
816 .It Cm sha1 : Ar public_key
817 Revokes the specified key by its SHA1 hash.
820 KRLs may be updated using the
824 When this option is specified, keys listed via the command line are merged into
825 the KRL, adding to those already there.
827 It is also possible, given a KRL, to test whether it revokes a particular key
831 flag will query an existing KRL, testing each key specified on the command line.
832 If any key listed on the command line has been revoked (or an error encountered)
835 will exit with a non-zero exit status.
836 A zero exit status will only be returned if no key was revoked.
838 .Bl -tag -width Ds -compact
840 .It Pa ~/.ssh/id_ecdsa
841 .It Pa ~/.ssh/id_ed25519
843 Contains the DSA, ECDSA, Ed25519 or RSA
844 authentication identity of the user.
845 This file should not be readable by anyone but the user.
847 specify a passphrase when generating the key; that passphrase will be
848 used to encrypt the private part of this file using 128-bit AES.
849 This file is not automatically accessed by
851 but it is offered as the default file for the private key.
853 will read this file when a login attempt is made.
855 .It Pa ~/.ssh/id_dsa.pub
856 .It Pa ~/.ssh/id_ecdsa.pub
857 .It Pa ~/.ssh/id_ed25519.pub
858 .It Pa ~/.ssh/id_rsa.pub
859 Contains the DSA, ECDSA, Ed25519 or RSA
860 public key for authentication.
861 The contents of this file should be added to
862 .Pa ~/.ssh/authorized_keys
864 where the user wishes to log in using public key authentication.
865 There is no need to keep the contents of this file secret.
868 Contains Diffie-Hellman groups used for DH-GEX.
869 The file format is described in
880 .%T "The Secure Shell (SSH) Public Key File Format"
884 OpenSSH is a derivative of the original and free
885 ssh 1.2.12 release by Tatu Ylonen.
886 Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
887 Theo de Raadt and Dug Song
888 removed many bugs, re-added newer features and
890 Markus Friedl contributed the support for SSH
891 protocol versions 1.5 and 2.0.