1 .\" $OpenBSD: ssh-keygen.1,v 1.130 2016/02/17 07:38:19 jmc Exp $
3 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 .\" All rights reserved
7 .\" As far as I am concerned, the code I have written for this software
8 .\" can be used freely for any purpose. Any derived versions of this
9 .\" software must be clearly marked as such, and if the derived work is
10 .\" incompatible with the protocol description in the RFC file, it must be
11 .\" called by a name other than "ssh" or "Secure Shell".
14 .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
15 .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
16 .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
18 .\" Redistribution and use in source and binary forms, with or without
19 .\" modification, are permitted provided that the following conditions
21 .\" 1. Redistributions of source code must retain the above copyright
22 .\" notice, this list of conditions and the following disclaimer.
23 .\" 2. Redistributions in binary form must reproduce the above copyright
24 .\" notice, this list of conditions and the following disclaimer in the
25 .\" documentation and/or other materials provided with the distribution.
27 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28 .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29 .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30 .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31 .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32 .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33 .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34 .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 .Dd $Mdocdate: February 17 2016 $
43 .Nd authentication key generation, management and conversion
49 .Op Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1
50 .Op Fl N Ar new_passphrase
52 .Op Fl f Ar output_keyfile
55 .Op Fl P Ar old_passphrase
56 .Op Fl N Ar new_passphrase
60 .Op Fl m Ar key_format
61 .Op Fl f Ar input_keyfile
64 .Op Fl m Ar key_format
65 .Op Fl f Ar input_keyfile
68 .Op Fl f Ar input_keyfile
71 .Op Fl P Ar passphrase
77 .Op Fl E Ar fingerprint_hash
78 .Op Fl f Ar input_keyfile
81 .Op Fl f Ar input_keyfile
86 .Op Fl f Ar known_hosts_file
90 .Op Fl f Ar known_hosts_file
93 .Op Fl f Ar known_hosts_file
96 .Op Fl f Ar input_keyfile
103 .Op Fl S Ar start_point
109 .Op Fl J Ar num_lines
110 .Op Fl j Ar start_line
112 .Op Fl W Ar generator
115 .Fl I Ar certificate_identity
117 .Op Fl n Ar principals
119 .Op Fl V Ar validity_interval
120 .Op Fl z Ar serial_number
124 .Op Fl f Ar input_keyfile
131 .Op Fl s Ar ca_public
132 .Op Fl z Ar version_number
141 generates, manages and converts authentication keys for
144 can create keys for use by SSH protocol versions 1 and 2.
145 Protocol 1 should not be used
146 and is only offered to support legacy devices.
147 It suffers from a number of cryptographic weaknesses
148 and doesn't support many of the advanced features available for protocol 2.
150 The type of key to be generated is specified with the
153 If invoked without any arguments,
155 will generate an RSA key for use in SSH protocol 2 connections.
158 is also used to generate groups for use in Diffie-Hellman group
161 .Sx MODULI GENERATION
166 can be used to generate and update Key Revocation Lists, and to test whether
167 given keys have been revoked by one.
169 .Sx KEY REVOCATION LISTS
172 Normally each user wishing to use SSH
173 with public key authentication runs this once to create the authentication
175 .Pa ~/.ssh/identity ,
177 .Pa ~/.ssh/id_ecdsa ,
178 .Pa ~/.ssh/id_ed25519
181 Additionally, the system administrator may use this to generate host keys,
185 Normally this program generates the key and asks for a file in which
186 to store the private key.
187 The public key is stored in a file with the same name but
190 The program also asks for a passphrase.
191 The passphrase may be empty to indicate no passphrase
192 (host keys must have an empty passphrase), or it may be a string of
194 A passphrase is similar to a password, except it can be a phrase with a
195 series of words, punctuation, numbers, whitespace, or any string of
197 Good passphrases are 10-30 characters long, are
198 not simple sentences or otherwise easily guessable (English
199 prose has only 1-2 bits of entropy per character, and provides very bad
200 passphrases), and contain a mix of upper and lowercase letters,
201 numbers, and non-alphanumeric characters.
202 The passphrase can be changed later by using the
206 There is no way to recover a lost passphrase.
207 If the passphrase is lost or forgotten, a new key must be generated
208 and the corresponding public key copied to other machines.
211 there is also a comment field in the key file that is only for
212 convenience to the user to help identify the key.
213 The comment can tell what the key is for, or whatever is useful.
214 The comment is initialized to
216 when the key is created, but can be changed using the
220 After a key is generated, instructions below detail where the keys
221 should be placed to be activated.
223 The options are as follows:
226 For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
228 do not exist, generate the host keys with the default key file path,
229 an empty passphrase, default bits for the key type, and default comment.
232 to generate new host keys.
234 When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
237 flag is set), this option specifies the number of KDF (key derivation function)
239 Higher numbers result in slower passphrase verification and increased
240 resistance to brute-force password cracking (should the keys be stolen).
242 When screening DH-GEX candidates (
246 This option specifies the number of primality tests to perform.
248 Show the bubblebabble digest of specified private or public key file.
250 Specifies the number of bits in the key to create.
251 For RSA keys, the minimum size is 1024 bits and the default is 2048 bits.
252 Generally, 2048 bits is considered sufficient.
253 DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
256 flag determines the key length by selecting from one of three elliptic
257 curve sizes: 256, 384 or 521 bits.
258 Attempting to use bit lengths other than these three values for ECDSA keys
260 Ed25519 keys have a fixed length and the
262 flag will be ignored.
264 Provides a new comment.
266 Requests changing the comment in the private and public key files.
267 This operation is only supported for RSA1 keys.
268 The program will prompt for the file containing the private keys, for
269 the passphrase if the key has one, and for the new comment.
271 Download the RSA public keys provided by the PKCS#11 shared library
273 When used in combination with
275 this option indicates that a CA key resides in a PKCS#11 token (see the
277 section for details).
278 .It Fl E Ar fingerprint_hash
279 Specifies the hash algorithm used when displaying key fingerprints.
287 This option will read a private or public OpenSSH key file and
288 print to stdout the key in one of the formats specified by the
291 The default export format is
293 This option allows exporting OpenSSH keys for use by other programs, including
294 several commercial SSH implementations.
296 Search for the specified
300 file, listing any occurrences found.
301 This option is useful to find hashed host names or addresses and may also be
302 used in conjunction with the
304 option to print found keys in a hashed format.
306 Specifies the filename of the key file.
307 .It Fl G Ar output_file
308 Generate candidate primes for DH-GEX.
309 These primes must be screened for
314 Use generic DNS format when printing fingerprint resource records using the
321 This replaces all hostnames and addresses with hashed representations
322 within the specified file; the original content is moved to a file with
324 These hashes may be used normally by
328 but they do not reveal identifying information should the file's contents
330 This option will not modify existing hashed hostnames and is therefore safe
331 to use on files that mix hashed and non-hashed names.
333 When signing a key, create a host certificate instead of a user
338 .It Fl I Ar certificate_identity
339 Specify the key identity when signing a public key.
344 This option will read an unencrypted private (or public) key file
345 in the format specified by the
347 option and print an OpenSSH compatible private
348 (or public) key to stdout.
349 This option allows importing keys from other software, including several
350 commercial SSH implementations.
351 The default import format is
353 .It Fl J Ar num_lines
354 Exit after screening the specified number of lines
355 while performing DH candidate screening using the
358 .It Fl j Ar start_line
359 Start screening at the specified line number
360 while performing DH candidate screening using the
364 Write the last line processed to the file
366 while performing DH candidate screening using the
369 This will be used to skip lines in the input file that have already been
370 processed if the job is restarted.
375 will generate a KRL file at the location specified via the
377 flag that revokes every key or certificate presented on the command line.
378 Keys/certificates to be revoked may be specified by public key file or
379 using the format described in the
380 .Sx KEY REVOCATION LISTS
383 Prints the contents of one or more certificates.
385 Show fingerprint of specified public key file.
386 Private RSA1 keys are also supported.
389 tries to find the matching public key file and prints its fingerprint.
392 an ASCII art representation of the key is supplied with the fingerprint.
394 Specify the amount of memory to use (in megabytes) when generating
395 candidate moduli for DH-GEX.
396 .It Fl m Ar key_format
397 Specify a key format for the
401 (export) conversion options.
402 The supported key formats are:
404 (RFC 4716/SSH2 public or private key),
406 (PEM PKCS8 public key)
410 The default conversion format is
412 .It Fl N Ar new_passphrase
413 Provides the new passphrase.
414 .It Fl n Ar principals
415 Specify one or more principals (user or host names) to be included in
416 a certificate when signing a key.
417 Multiple principals may be specified, separated by commas.
422 Specify a certificate option when signing a key.
423 This option may be specified multiple times.
427 The options that are valid for user certificates are:
430 Clear all enabled permissions.
431 This is useful for clearing the default set of permissions so permissions may
432 be added individually.
433 .It Ic force-command Ns = Ns Ar command
434 Forces the execution of
436 instead of any shell or command specified by the user when
437 the certificate is used for authentication.
438 .It Ic no-agent-forwarding
441 forwarding (permitted by default).
442 .It Ic no-port-forwarding
443 Disable port forwarding (permitted by default).
445 Disable PTY allocation (permitted by default).
451 (permitted by default).
452 .It Ic no-x11-forwarding
453 Disable X11 forwarding (permitted by default).
454 .It Ic permit-agent-forwarding
458 .It Ic permit-port-forwarding
459 Allows port forwarding.
461 Allows PTY allocation.
462 .It Ic permit-user-rc
467 .It Ic permit-x11-forwarding
468 Allows X11 forwarding.
469 .It Ic source-address Ns = Ns Ar address_list
470 Restrict the source addresses from which the certificate is considered valid.
473 is a comma-separated list of one or more address/netmask pairs in CIDR
477 At present, no options are valid for host keys.
481 to save private keys using the new OpenSSH format rather than
482 the more compatible PEM format.
483 The new format has increased resistance to brute-force password cracking
484 but is not supported by versions of OpenSSH prior to 6.5.
485 Ed25519 keys always use the new private key format.
486 .It Fl P Ar passphrase
487 Provides the (old) passphrase.
489 Requests changing the passphrase of a private key file instead of
490 creating a new private key.
491 The program will prompt for the file
492 containing the private key, for the old passphrase, and twice for the
495 Test whether keys have been revoked in a KRL.
500 Removes all keys belonging to
505 This option is useful to delete hashed hosts (see the
509 Print the SSHFP fingerprint resource record named
511 for the specified public key file.
513 Specify start point (in hex) when generating candidate moduli for DH-GEX.
515 Certify (sign) a public key using the specified CA key.
520 When generating a KRL,
522 specifies a path to a CA public key file used to revoke certificates directly
523 by key ID or serial number.
525 .Sx KEY REVOCATION LISTS
527 .It Fl T Ar output_file
528 Test DH group exchange candidate primes (generated using the
531 .It Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1
532 Specifies the type of key to create.
533 The possible values are
535 for protocol version 1 and
541 for protocol version 2.
546 keys listed via the command line are added to the existing KRL rather than
547 a new KRL being created.
548 .It Fl V Ar validity_interval
549 Specify a validity interval when signing a certificate.
550 A validity interval may consist of a single time, indicating that the
551 certificate is valid beginning now and expiring at that time, or may consist
552 of two times separated by a colon to indicate an explicit time interval.
553 The start time may be specified as a date in YYYYMMDD format, a time
554 in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
555 of a minus sign followed by a relative time in the format described in the
556 TIME FORMATS section of
558 The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
559 a relative time starting with a plus character.
563 (valid from now to 52 weeks and one day from now),
565 (valid from four weeks ago to four weeks from now),
566 .Dq 20100101123000:20110101123000
567 (valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
569 (valid from yesterday to midnight, January 1st, 2011).
574 to print debugging messages about its progress.
575 This is helpful for debugging moduli generation.
578 options increase the verbosity.
580 .It Fl W Ar generator
581 Specify desired generator when testing candidate moduli for DH-GEX.
583 This option will read a private
584 OpenSSH format file and print an OpenSSH public key to stdout.
585 .It Fl z Ar serial_number
586 Specifies a serial number to be embedded in the certificate to distinguish
587 this certificate from others from the same CA.
588 The default serial number is zero.
590 When generating a KRL, the
592 flag is used to specify a KRL version number.
594 .Sh MODULI GENERATION
596 may be used to generate groups for the Diffie-Hellman Group Exchange
598 Generating these groups is a two-step process: first, candidate
599 primes are generated using a fast, but memory intensive process.
600 These candidate primes are then tested for suitability (a CPU-intensive
603 Generation of primes is performed using the
606 The desired length of the primes may be specified by the
611 .Dl # ssh-keygen -G moduli-2048.candidates -b 2048
613 By default, the search for primes begins at a random point in the
614 desired length range.
615 This may be overridden using the
617 option, which specifies a different start point (in hex).
619 Once a set of candidates have been generated, they must be screened for
621 This may be performed using the
626 will read candidates from standard input (or a file specified using the
631 .Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
633 By default, each candidate will be subjected to 100 primality tests.
634 This may be overridden using the
637 The DH generator value will be chosen automatically for the
638 prime under consideration.
639 If a specific generator is desired, it may be requested using the
642 Valid generator values are 2, 3, and 5.
644 Screened DH groups may be installed in
646 It is important that this file contains moduli of a range of bit lengths and
647 that both ends of a connection share common moduli.
650 supports signing of keys to produce certificates that may be used for
651 user or host authentication.
652 Certificates consist of a public key, some identity information, zero or
653 more principal (user or host) names and a set of options that
654 are signed by a Certification Authority (CA) key.
655 Clients or servers may then trust only the CA key and verify its signature
656 on a certificate rather than trusting many user/host keys.
657 Note that OpenSSH certificates are a different, and much simpler, format to
658 the X.509 certificates used in
662 supports two types of certificates: user and host.
663 User certificates authenticate users to servers, whereas host certificates
664 authenticate server hosts to users.
665 To generate a user certificate:
667 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
669 The resultant certificate will be placed in
670 .Pa /path/to/user_key-cert.pub .
671 A host certificate requires the
675 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
677 The host certificate will be output to
678 .Pa /path/to/host_key-cert.pub .
680 It is possible to sign using a CA key stored in a PKCS#11 token by
681 providing the token library using
683 and identifying the CA key by providing its public half as an argument
687 .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
691 is a "key identifier" that is logged by the server when the certificate
692 is used for authentication.
694 Certificates may be limited to be valid for a set of principal (user/host)
696 By default, generated certificates are valid for all users or hosts.
697 To generate a certificate for a specified set of principals:
699 .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
700 .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub"
702 Additional limitations on the validity and use of user certificates may
703 be specified through certificate options.
704 A certificate option may disable features of the SSH session, may be
705 valid only when presented from particular source addresses or may
706 force the use of a specific command.
707 For a list of valid certificate options, see the documentation for the
711 Finally, certificates may be defined with a validity lifetime.
714 option allows specification of certificate start and end times.
715 A certificate that is presented at a time outside this range will not be
717 By default, certificates are valid from
719 Epoch to the distant future.
721 For certificates to be used for user or host authentication, the CA
722 public key must be trusted by
726 Please refer to those manual pages for details.
727 .Sh KEY REVOCATION LISTS
729 is able to manage OpenSSH format Key Revocation Lists (KRLs).
730 These binary files specify keys or certificates to be revoked using a
731 compact format, taking as little as one bit per certificate if they are being
732 revoked by serial number.
734 KRLs may be generated using the
737 This option reads one or more files from the command line and generates a new
739 The files may either contain a KRL specification (see below) or public keys,
741 Plain public keys are revoked by listing their hash or contents in the KRL and
742 certificates revoked by serial number or key ID (if the serial is zero or
745 Revoking keys using a KRL specification offers explicit control over the
746 types of record used to revoke keys and may be used to directly revoke
747 certificates by serial number or key ID without having the complete original
749 A KRL specification consists of lines containing one of the following directives
750 followed by a colon and some directive-specific information.
752 .It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
753 Revokes a certificate with the specified serial number.
754 Serial numbers are 64-bit values, not including zero and may be expressed
755 in decimal, hex or octal.
756 If two serial numbers are specified separated by a hyphen, then the range
757 of serial numbers including and between each is revoked.
758 The CA key must have been specified on the
760 command line using the
763 .It Cm id : Ar key_id
764 Revokes a certificate with the specified key ID string.
765 The CA key must have been specified on the
767 command line using the
770 .It Cm key : Ar public_key
771 Revokes the specified key.
772 If a certificate is listed, then it is revoked as a plain public key.
773 .It Cm sha1 : Ar public_key
774 Revokes the specified key by its SHA1 hash.
777 KRLs may be updated using the
781 When this option is specified, keys listed via the command line are merged into
782 the KRL, adding to those already there.
784 It is also possible, given a KRL, to test whether it revokes a particular key
788 flag will query an existing KRL, testing each key specified on the command line.
789 If any key listed on the command line has been revoked (or an error encountered)
792 will exit with a non-zero exit status.
793 A zero exit status will only be returned if no key was revoked.
795 .Bl -tag -width Ds -compact
796 .It Pa ~/.ssh/identity
797 Contains the protocol version 1 RSA authentication identity of the user.
798 This file should not be readable by anyone but the user.
800 specify a passphrase when generating the key; that passphrase will be
801 used to encrypt the private part of this file using 3DES.
802 This file is not automatically accessed by
804 but it is offered as the default file for the private key.
806 will read this file when a login attempt is made.
808 .It Pa ~/.ssh/identity.pub
809 Contains the protocol version 1 RSA public key for authentication.
810 The contents of this file should be added to
811 .Pa ~/.ssh/authorized_keys
813 where the user wishes to log in using RSA authentication.
814 There is no need to keep the contents of this file secret.
817 .It Pa ~/.ssh/id_ecdsa
818 .It Pa ~/.ssh/id_ed25519
820 Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
821 authentication identity of the user.
822 This file should not be readable by anyone but the user.
824 specify a passphrase when generating the key; that passphrase will be
825 used to encrypt the private part of this file using 128-bit AES.
826 This file is not automatically accessed by
828 but it is offered as the default file for the private key.
830 will read this file when a login attempt is made.
832 .It Pa ~/.ssh/id_dsa.pub
833 .It Pa ~/.ssh/id_ecdsa.pub
834 .It Pa ~/.ssh/id_ed25519.pub
835 .It Pa ~/.ssh/id_rsa.pub
836 Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
837 public key for authentication.
838 The contents of this file should be added to
839 .Pa ~/.ssh/authorized_keys
841 where the user wishes to log in using public key authentication.
842 There is no need to keep the contents of this file secret.
845 Contains Diffie-Hellman groups used for DH-GEX.
846 The file format is described in
857 .%T "The Secure Shell (SSH) Public Key File Format"
861 OpenSSH is a derivative of the original and free
862 ssh 1.2.12 release by Tatu Ylonen.
863 Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
864 Theo de Raadt and Dug Song
865 removed many bugs, re-added newer features and
867 Markus Friedl contributed the support for SSH
868 protocol versions 1.5 and 2.0.