1 .\" $OpenBSD: ssh-keygen.1,v 1.109 2012/07/06 00:41:59 dtucker Exp $
4 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
5 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 .\" All rights reserved
8 .\" As far as I am concerned, the code I have written for this software
9 .\" can be used freely for any purpose. Any derived versions of this
10 .\" software must be clearly marked as such, and if the derived work is
11 .\" incompatible with the protocol description in the RFC file, it must be
12 .\" called by a name other than "ssh" or "Secure Shell".
15 .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
16 .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
17 .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
19 .\" Redistribution and use in source and binary forms, with or without
20 .\" modification, are permitted provided that the following conditions
22 .\" 1. Redistributions of source code must retain the above copyright
23 .\" notice, this list of conditions and the following disclaimer.
24 .\" 2. Redistributions in binary form must reproduce the above copyright
25 .\" notice, this list of conditions and the following disclaimer in the
26 .\" documentation and/or other materials provided with the distribution.
28 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
29 .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
30 .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
31 .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
32 .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
33 .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
34 .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
35 .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
36 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
44 .Nd authentication key generation, management and conversion
51 .Op Fl N Ar new_passphrase
53 .Op Fl f Ar output_keyfile
56 .Op Fl P Ar old_passphrase
57 .Op Fl N Ar new_passphrase
61 .Op Fl m Ar key_format
62 .Op Fl f Ar input_keyfile
65 .Op Fl m Ar key_format
66 .Op Fl f Ar input_keyfile
69 .Op Fl f Ar input_keyfile
72 .Op Fl P Ar passphrase
77 .Op Fl f Ar input_keyfile
80 .Op Fl f Ar input_keyfile
85 .Op Fl f Ar known_hosts_file
89 .Op Fl f Ar known_hosts_file
92 .Op Fl f Ar known_hosts_file
95 .Op Fl f Ar input_keyfile
102 .Op Fl S Ar start_point
107 .Op Fl a Ar num_trials
108 .Op Fl J Ar num_lines
109 .Op Fl j Ar start_line
111 .Op Fl W Ar generator
114 .Fl I Ar certificate_identity
116 .Op Fl n Ar principals
118 .Op Fl V Ar validity_interval
119 .Op Fl z Ar serial_number
123 .Op Fl f Ar input_keyfile
129 generates, manages and converts authentication keys for
132 can create RSA keys for use by SSH protocol version 1 and DSA, ECDSA or RSA
133 keys for use by SSH protocol version 2.
134 The type of key to be generated is specified with the
137 If invoked without any arguments,
139 will generate an RSA key for use in SSH protocol 2 connections.
142 is also used to generate groups for use in Diffie-Hellman group
145 .Sx MODULI GENERATION
148 Normally each user wishing to use SSH
149 with public key authentication runs this once to create the authentication
151 .Pa ~/.ssh/identity ,
152 .Pa ~/.ssh/id_ecdsa ,
156 Additionally, the system administrator may use this to generate host keys,
160 Normally this program generates the key and asks for a file in which
161 to store the private key.
162 The public key is stored in a file with the same name but
165 The program also asks for a passphrase.
166 The passphrase may be empty to indicate no passphrase
167 (host keys must have an empty passphrase), or it may be a string of
169 A passphrase is similar to a password, except it can be a phrase with a
170 series of words, punctuation, numbers, whitespace, or any string of
172 Good passphrases are 10-30 characters long, are
173 not simple sentences or otherwise easily guessable (English
174 prose has only 1-2 bits of entropy per character, and provides very bad
175 passphrases), and contain a mix of upper and lowercase letters,
176 numbers, and non-alphanumeric characters.
177 The passphrase can be changed later by using the
181 There is no way to recover a lost passphrase.
182 If the passphrase is lost or forgotten, a new key must be generated
183 and the corresponding public key copied to other machines.
186 there is also a comment field in the key file that is only for
187 convenience to the user to help identify the key.
188 The comment can tell what the key is for, or whatever is useful.
189 The comment is initialized to
191 when the key is created, but can be changed using the
195 After a key is generated, instructions below detail where the keys
196 should be placed to be activated.
198 The options are as follows:
201 For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
202 do not exist, generate the host keys with the default key file path,
203 an empty passphrase, default bits for the key type, and default comment.
206 to generate new host keys.
208 Specifies the number of primality tests to perform when screening DH-GEX
213 Show the bubblebabble digest of specified private or public key file.
215 Specifies the number of bits in the key to create.
216 For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
217 Generally, 2048 bits is considered sufficient.
218 DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
221 flag determines the key length by selecting from one of three elliptic
222 curve sizes: 256, 384 or 521 bits.
223 Attempting to use bit lengths other than these three values for ECDSA keys
226 Provides a new comment.
228 Requests changing the comment in the private and public key files.
229 This operation is only supported for RSA1 keys.
230 The program will prompt for the file containing the private keys, for
231 the passphrase if the key has one, and for the new comment.
233 Download the RSA public keys provided by the PKCS#11 shared library
235 When used in combination with
237 this option indicates that a CA key resides in a PKCS#11 token (see the
239 section for details).
241 This option will read a private or public OpenSSH key file and
242 print to stdout the key in one of the formats specified by the
245 The default export format is
247 This option allows exporting OpenSSH keys for use by other programs, including
248 several commercial SSH implementations.
250 Search for the specified
254 file, listing any occurrences found.
255 This option is useful to find hashed host names or addresses and may also be
256 used in conjunction with the
258 option to print found keys in a hashed format.
260 Specifies the filename of the key file.
261 .It Fl G Ar output_file
262 Generate candidate primes for DH-GEX.
263 These primes must be screened for
268 Use generic DNS format when printing fingerprint resource records using the
275 This replaces all hostnames and addresses with hashed representations
276 within the specified file; the original content is moved to a file with
278 These hashes may be used normally by
282 but they do not reveal identifying information should the file's contents
284 This option will not modify existing hashed hostnames and is therefore safe
285 to use on files that mix hashed and non-hashed names.
287 When signing a key, create a host certificate instead of a user
292 .It Fl I Ar certificate_identity
293 Specify the key identity when signing a public key.
298 This option will read an unencrypted private (or public) key file
299 in the format specified by the
301 option and print an OpenSSH compatible private
302 (or public) key to stdout.
303 .It Fl J Ar num_lines
304 Exit after screening the specified number of lines
305 while performing DH candidate screening using the
308 .It Fl j Ar start_line
309 Start screening at the specified line number
310 while performing DH candidate screening using the
314 Write the last line processed to the file
316 while performing DH candidate screening using the
319 This will be used to skip lines in the input file that have already been
320 processed if the job is restarted.
321 This option allows importing keys from other software, including several
322 commercial SSH implementations.
323 The default import format is
326 Prints the contents of a certificate.
328 Show fingerprint of specified public key file.
329 Private RSA1 keys are also supported.
332 tries to find the matching public key file and prints its fingerprint.
335 an ASCII art representation of the key is supplied with the fingerprint.
337 Specify the amount of memory to use (in megabytes) when generating
338 candidate moduli for DH-GEX.
339 .It Fl m Ar key_format
340 Specify a key format for the
344 (export) conversion options.
345 The supported key formats are:
347 (RFC 4716/SSH2 public or private key),
349 (PEM PKCS8 public key)
353 The default conversion format is
355 .It Fl N Ar new_passphrase
356 Provides the new passphrase.
357 .It Fl n Ar principals
358 Specify one or more principals (user or host names) to be included in
359 a certificate when signing a key.
360 Multiple principals may be specified, separated by commas.
365 Specify a certificate option when signing a key.
366 This option may be specified multiple times.
370 The options that are valid for user certificates are:
373 Clear all enabled permissions.
374 This is useful for clearing the default set of permissions so permissions may
375 be added individually.
376 .It Ic force-command Ns = Ns Ar command
377 Forces the execution of
379 instead of any shell or command specified by the user when
380 the certificate is used for authentication.
381 .It Ic no-agent-forwarding
384 forwarding (permitted by default).
385 .It Ic no-port-forwarding
386 Disable port forwarding (permitted by default).
388 Disable PTY allocation (permitted by default).
394 (permitted by default).
395 .It Ic no-x11-forwarding
396 Disable X11 forwarding (permitted by default).
397 .It Ic permit-agent-forwarding
401 .It Ic permit-port-forwarding
402 Allows port forwarding.
404 Allows PTY allocation.
405 .It Ic permit-user-rc
410 .It Ic permit-x11-forwarding
411 Allows X11 forwarding.
412 .It Ic source-address Ns = Ns Ar address_list
413 Restrict the source addresses from which the certificate is considered valid.
416 is a comma-separated list of one or more address/netmask pairs in CIDR
420 At present, no options are valid for host keys.
421 .It Fl P Ar passphrase
422 Provides the (old) passphrase.
424 Requests changing the passphrase of a private key file instead of
425 creating a new private key.
426 The program will prompt for the file
427 containing the private key, for the old passphrase, and twice for the
433 Removes all keys belonging to
438 This option is useful to delete hashed hosts (see the
442 Print the SSHFP fingerprint resource record named
444 for the specified public key file.
446 Specify start point (in hex) when generating candidate moduli for DH-GEX.
448 Certify (sign) a public key using the specified CA key.
452 .It Fl T Ar output_file
453 Test DH group exchange candidate primes (generated using the
457 Specifies the type of key to create.
458 The possible values are
460 for protocol version 1 and
465 for protocol version 2.
466 .It Fl V Ar validity_interval
467 Specify a validity interval when signing a certificate.
468 A validity interval may consist of a single time, indicating that the
469 certificate is valid beginning now and expiring at that time, or may consist
470 of two times separated by a colon to indicate an explicit time interval.
471 The start time may be specified as a date in YYYYMMDD format, a time
472 in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
473 of a minus sign followed by a relative time in the format described in the
477 The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
478 a relative time starting with a plus character.
482 (valid from now to 52 weeks and one day from now),
484 (valid from four weeks ago to four weeks from now),
485 .Dq 20100101123000:20110101123000
486 (valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
488 (valid from yesterday to midnight, January 1st, 2011).
493 to print debugging messages about its progress.
494 This is helpful for debugging moduli generation.
497 options increase the verbosity.
499 .It Fl W Ar generator
500 Specify desired generator when testing candidate moduli for DH-GEX.
502 This option will read a private
503 OpenSSH format file and print an OpenSSH public key to stdout.
504 .It Fl z Ar serial_number
505 Specifies a serial number to be embedded in the certificate to distinguish
506 this certificate from others from the same CA.
507 The default serial number is zero.
509 .Sh MODULI GENERATION
511 may be used to generate groups for the Diffie-Hellman Group Exchange
513 Generating these groups is a two-step process: first, candidate
514 primes are generated using a fast, but memory intensive process.
515 These candidate primes are then tested for suitability (a CPU-intensive
518 Generation of primes is performed using the
521 The desired length of the primes may be specified by the
526 .Dl # ssh-keygen -G moduli-2048.candidates -b 2048
528 By default, the search for primes begins at a random point in the
529 desired length range.
530 This may be overridden using the
532 option, which specifies a different start point (in hex).
534 Once a set of candidates have been generated, they must be screened for
536 This may be performed using the
541 will read candidates from standard input (or a file specified using the
546 .Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
548 By default, each candidate will be subjected to 100 primality tests.
549 This may be overridden using the
552 The DH generator value will be chosen automatically for the
553 prime under consideration.
554 If a specific generator is desired, it may be requested using the
557 Valid generator values are 2, 3, and 5.
559 Screened DH groups may be installed in
561 It is important that this file contains moduli of a range of bit lengths and
562 that both ends of a connection share common moduli.
565 supports signing of keys to produce certificates that may be used for
566 user or host authentication.
567 Certificates consist of a public key, some identity information, zero or
568 more principal (user or host) names and a set of options that
569 are signed by a Certification Authority (CA) key.
570 Clients or servers may then trust only the CA key and verify its signature
571 on a certificate rather than trusting many user/host keys.
572 Note that OpenSSH certificates are a different, and much simpler, format to
573 the X.509 certificates used in
577 supports two types of certificates: user and host.
578 User certificates authenticate users to servers, whereas host certificates
579 authenticate server hosts to users.
580 To generate a user certificate:
582 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
584 The resultant certificate will be placed in
585 .Pa /path/to/user_key-cert.pub .
586 A host certificate requires the
590 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
592 The host certificate will be output to
593 .Pa /path/to/host_key-cert.pub .
595 It is possible to sign using a CA key stored in a PKCS#11 token by
596 providing the token library using
598 and identifying the CA key by providing its public half as an argument
602 .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub
606 is a "key identifier" that is logged by the server when the certificate
607 is used for authentication.
609 Certificates may be limited to be valid for a set of principal (user/host)
611 By default, generated certificates are valid for all users or hosts.
612 To generate a certificate for a specified set of principals:
614 .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
615 .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
617 Additional limitations on the validity and use of user certificates may
618 be specified through certificate options.
619 A certificate option may disable features of the SSH session, may be
620 valid only when presented from particular source addresses or may
621 force the use of a specific command.
622 For a list of valid certificate options, see the documentation for the
626 Finally, certificates may be defined with a validity lifetime.
629 option allows specification of certificate start and end times.
630 A certificate that is presented at a time outside this range will not be
632 By default, certificates have a maximum validity interval.
634 For certificates to be used for user or host authentication, the CA
635 public key must be trusted by
639 Please refer to those manual pages for details.
641 .Bl -tag -width Ds -compact
642 .It Pa ~/.ssh/identity
643 Contains the protocol version 1 RSA authentication identity of the user.
644 This file should not be readable by anyone but the user.
646 specify a passphrase when generating the key; that passphrase will be
647 used to encrypt the private part of this file using 3DES.
648 This file is not automatically accessed by
650 but it is offered as the default file for the private key.
652 will read this file when a login attempt is made.
654 .It Pa ~/.ssh/identity.pub
655 Contains the protocol version 1 RSA public key for authentication.
656 The contents of this file should be added to
657 .Pa ~/.ssh/authorized_keys
659 where the user wishes to log in using RSA authentication.
660 There is no need to keep the contents of this file secret.
663 .It Pa ~/.ssh/id_ecdsa
665 Contains the protocol version 2 DSA, ECDSA or RSA authentication identity of the user.
666 This file should not be readable by anyone but the user.
668 specify a passphrase when generating the key; that passphrase will be
669 used to encrypt the private part of this file using 128-bit AES.
670 This file is not automatically accessed by
672 but it is offered as the default file for the private key.
674 will read this file when a login attempt is made.
676 .It Pa ~/.ssh/id_dsa.pub
677 .It Pa ~/.ssh/id_ecdsa.pub
678 .It Pa ~/.ssh/id_rsa.pub
679 Contains the protocol version 2 DSA, ECDSA or RSA public key for authentication.
680 The contents of this file should be added to
681 .Pa ~/.ssh/authorized_keys
683 where the user wishes to log in using public key authentication.
684 There is no need to keep the contents of this file secret.
687 Contains Diffie-Hellman groups used for DH-GEX.
688 The file format is described in
699 .%T "The Secure Shell (SSH) Public Key File Format"
703 OpenSSH is a derivative of the original and free
704 ssh 1.2.12 release by Tatu Ylonen.
705 Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
706 Theo de Raadt and Dug Song
707 removed many bugs, re-added newer features and
709 Markus Friedl contributed the support for SSH
710 protocol versions 1.5 and 2.0.