1 .\" $OpenBSD: ssh-keygen.1,v 1.109 2012/07/06 00:41:59 dtucker Exp $
3 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 .\" All rights reserved
7 .\" As far as I am concerned, the code I have written for this software
8 .\" can be used freely for any purpose. Any derived versions of this
9 .\" software must be clearly marked as such, and if the derived work is
10 .\" incompatible with the protocol description in the RFC file, it must be
11 .\" called by a name other than "ssh" or "Secure Shell".
14 .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
15 .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
16 .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
18 .\" Redistribution and use in source and binary forms, with or without
19 .\" modification, are permitted provided that the following conditions
21 .\" 1. Redistributions of source code must retain the above copyright
22 .\" notice, this list of conditions and the following disclaimer.
23 .\" 2. Redistributions in binary form must reproduce the above copyright
24 .\" notice, this list of conditions and the following disclaimer in the
25 .\" documentation and/or other materials provided with the distribution.
27 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28 .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29 .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30 .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31 .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32 .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33 .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34 .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 .Dd $Mdocdate: July 6 2012 $
43 .Nd authentication key generation, management and conversion
50 .Op Fl N Ar new_passphrase
52 .Op Fl f Ar output_keyfile
55 .Op Fl P Ar old_passphrase
56 .Op Fl N Ar new_passphrase
60 .Op Fl m Ar key_format
61 .Op Fl f Ar input_keyfile
64 .Op Fl m Ar key_format
65 .Op Fl f Ar input_keyfile
68 .Op Fl f Ar input_keyfile
71 .Op Fl P Ar passphrase
76 .Op Fl f Ar input_keyfile
79 .Op Fl f Ar input_keyfile
84 .Op Fl f Ar known_hosts_file
88 .Op Fl f Ar known_hosts_file
91 .Op Fl f Ar known_hosts_file
94 .Op Fl f Ar input_keyfile
101 .Op Fl S Ar start_point
106 .Op Fl a Ar num_trials
107 .Op Fl J Ar num_lines
108 .Op Fl j Ar start_line
110 .Op Fl W Ar generator
113 .Fl I Ar certificate_identity
115 .Op Fl n Ar principals
117 .Op Fl V Ar validity_interval
118 .Op Fl z Ar serial_number
122 .Op Fl f Ar input_keyfile
128 generates, manages and converts authentication keys for
131 can create RSA keys for use by SSH protocol version 1 and DSA, ECDSA or RSA
132 keys for use by SSH protocol version 2.
133 The type of key to be generated is specified with the
136 If invoked without any arguments,
138 will generate an RSA key for use in SSH protocol 2 connections.
141 is also used to generate groups for use in Diffie-Hellman group
144 .Sx MODULI GENERATION
147 Normally each user wishing to use SSH
148 with public key authentication runs this once to create the authentication
150 .Pa ~/.ssh/identity ,
151 .Pa ~/.ssh/id_ecdsa ,
155 Additionally, the system administrator may use this to generate host keys,
159 Normally this program generates the key and asks for a file in which
160 to store the private key.
161 The public key is stored in a file with the same name but
164 The program also asks for a passphrase.
165 The passphrase may be empty to indicate no passphrase
166 (host keys must have an empty passphrase), or it may be a string of
168 A passphrase is similar to a password, except it can be a phrase with a
169 series of words, punctuation, numbers, whitespace, or any string of
171 Good passphrases are 10-30 characters long, are
172 not simple sentences or otherwise easily guessable (English
173 prose has only 1-2 bits of entropy per character, and provides very bad
174 passphrases), and contain a mix of upper and lowercase letters,
175 numbers, and non-alphanumeric characters.
176 The passphrase can be changed later by using the
180 There is no way to recover a lost passphrase.
181 If the passphrase is lost or forgotten, a new key must be generated
182 and the corresponding public key copied to other machines.
185 there is also a comment field in the key file that is only for
186 convenience to the user to help identify the key.
187 The comment can tell what the key is for, or whatever is useful.
188 The comment is initialized to
190 when the key is created, but can be changed using the
194 After a key is generated, instructions below detail where the keys
195 should be placed to be activated.
197 The options are as follows:
200 For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
201 do not exist, generate the host keys with the default key file path,
202 an empty passphrase, default bits for the key type, and default comment.
205 to generate new host keys.
207 Specifies the number of primality tests to perform when screening DH-GEX
212 Show the bubblebabble digest of specified private or public key file.
214 Specifies the number of bits in the key to create.
215 For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
216 Generally, 2048 bits is considered sufficient.
217 DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
220 flag determines the key length by selecting from one of three elliptic
221 curve sizes: 256, 384 or 521 bits.
222 Attempting to use bit lengths other than these three values for ECDSA keys
225 Provides a new comment.
227 Requests changing the comment in the private and public key files.
228 This operation is only supported for RSA1 keys.
229 The program will prompt for the file containing the private keys, for
230 the passphrase if the key has one, and for the new comment.
232 Download the RSA public keys provided by the PKCS#11 shared library
234 When used in combination with
236 this option indicates that a CA key resides in a PKCS#11 token (see the
238 section for details).
240 This option will read a private or public OpenSSH key file and
241 print to stdout the key in one of the formats specified by the
244 The default export format is
246 This option allows exporting OpenSSH keys for use by other programs, including
247 several commercial SSH implementations.
249 Search for the specified
253 file, listing any occurrences found.
254 This option is useful to find hashed host names or addresses and may also be
255 used in conjunction with the
257 option to print found keys in a hashed format.
259 Specifies the filename of the key file.
260 .It Fl G Ar output_file
261 Generate candidate primes for DH-GEX.
262 These primes must be screened for
267 Use generic DNS format when printing fingerprint resource records using the
274 This replaces all hostnames and addresses with hashed representations
275 within the specified file; the original content is moved to a file with
277 These hashes may be used normally by
281 but they do not reveal identifying information should the file's contents
283 This option will not modify existing hashed hostnames and is therefore safe
284 to use on files that mix hashed and non-hashed names.
286 When signing a key, create a host certificate instead of a user
291 .It Fl I Ar certificate_identity
292 Specify the key identity when signing a public key.
297 This option will read an unencrypted private (or public) key file
298 in the format specified by the
300 option and print an OpenSSH compatible private
301 (or public) key to stdout.
302 .It Fl J Ar num_lines
303 Exit after screening the specified number of lines
304 while performing DH candidate screening using the
307 .It Fl j Ar start_line
308 Start screening at the specified line number
309 while performing DH candidate screening using the
313 Write the last line processed to the file
315 while performing DH candidate screening using the
318 This will be used to skip lines in the input file that have already been
319 processed if the job is restarted.
320 This option allows importing keys from other software, including several
321 commercial SSH implementations.
322 The default import format is
325 Prints the contents of a certificate.
327 Show fingerprint of specified public key file.
328 Private RSA1 keys are also supported.
331 tries to find the matching public key file and prints its fingerprint.
334 an ASCII art representation of the key is supplied with the fingerprint.
336 Specify the amount of memory to use (in megabytes) when generating
337 candidate moduli for DH-GEX.
338 .It Fl m Ar key_format
339 Specify a key format for the
343 (export) conversion options.
344 The supported key formats are:
346 (RFC 4716/SSH2 public or private key),
348 (PEM PKCS8 public key)
352 The default conversion format is
354 .It Fl N Ar new_passphrase
355 Provides the new passphrase.
356 .It Fl n Ar principals
357 Specify one or more principals (user or host names) to be included in
358 a certificate when signing a key.
359 Multiple principals may be specified, separated by commas.
364 Specify a certificate option when signing a key.
365 This option may be specified multiple times.
369 The options that are valid for user certificates are:
372 Clear all enabled permissions.
373 This is useful for clearing the default set of permissions so permissions may
374 be added individually.
375 .It Ic force-command Ns = Ns Ar command
376 Forces the execution of
378 instead of any shell or command specified by the user when
379 the certificate is used for authentication.
380 .It Ic no-agent-forwarding
383 forwarding (permitted by default).
384 .It Ic no-port-forwarding
385 Disable port forwarding (permitted by default).
387 Disable PTY allocation (permitted by default).
393 (permitted by default).
394 .It Ic no-x11-forwarding
395 Disable X11 forwarding (permitted by default).
396 .It Ic permit-agent-forwarding
400 .It Ic permit-port-forwarding
401 Allows port forwarding.
403 Allows PTY allocation.
404 .It Ic permit-user-rc
409 .It Ic permit-x11-forwarding
410 Allows X11 forwarding.
411 .It Ic source-address Ns = Ns Ar address_list
412 Restrict the source addresses from which the certificate is considered valid.
415 is a comma-separated list of one or more address/netmask pairs in CIDR
419 At present, no options are valid for host keys.
420 .It Fl P Ar passphrase
421 Provides the (old) passphrase.
423 Requests changing the passphrase of a private key file instead of
424 creating a new private key.
425 The program will prompt for the file
426 containing the private key, for the old passphrase, and twice for the
432 Removes all keys belonging to
437 This option is useful to delete hashed hosts (see the
441 Print the SSHFP fingerprint resource record named
443 for the specified public key file.
445 Specify start point (in hex) when generating candidate moduli for DH-GEX.
447 Certify (sign) a public key using the specified CA key.
451 .It Fl T Ar output_file
452 Test DH group exchange candidate primes (generated using the
456 Specifies the type of key to create.
457 The possible values are
459 for protocol version 1 and
464 for protocol version 2.
465 .It Fl V Ar validity_interval
466 Specify a validity interval when signing a certificate.
467 A validity interval may consist of a single time, indicating that the
468 certificate is valid beginning now and expiring at that time, or may consist
469 of two times separated by a colon to indicate an explicit time interval.
470 The start time may be specified as a date in YYYYMMDD format, a time
471 in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
472 of a minus sign followed by a relative time in the format described in the
476 The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
477 a relative time starting with a plus character.
481 (valid from now to 52 weeks and one day from now),
483 (valid from four weeks ago to four weeks from now),
484 .Dq 20100101123000:20110101123000
485 (valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
487 (valid from yesterday to midnight, January 1st, 2011).
492 to print debugging messages about its progress.
493 This is helpful for debugging moduli generation.
496 options increase the verbosity.
498 .It Fl W Ar generator
499 Specify desired generator when testing candidate moduli for DH-GEX.
501 This option will read a private
502 OpenSSH format file and print an OpenSSH public key to stdout.
503 .It Fl z Ar serial_number
504 Specifies a serial number to be embedded in the certificate to distinguish
505 this certificate from others from the same CA.
506 The default serial number is zero.
508 .Sh MODULI GENERATION
510 may be used to generate groups for the Diffie-Hellman Group Exchange
512 Generating these groups is a two-step process: first, candidate
513 primes are generated using a fast, but memory intensive process.
514 These candidate primes are then tested for suitability (a CPU-intensive
517 Generation of primes is performed using the
520 The desired length of the primes may be specified by the
525 .Dl # ssh-keygen -G moduli-2048.candidates -b 2048
527 By default, the search for primes begins at a random point in the
528 desired length range.
529 This may be overridden using the
531 option, which specifies a different start point (in hex).
533 Once a set of candidates have been generated, they must be screened for
535 This may be performed using the
540 will read candidates from standard input (or a file specified using the
545 .Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
547 By default, each candidate will be subjected to 100 primality tests.
548 This may be overridden using the
551 The DH generator value will be chosen automatically for the
552 prime under consideration.
553 If a specific generator is desired, it may be requested using the
556 Valid generator values are 2, 3, and 5.
558 Screened DH groups may be installed in
560 It is important that this file contains moduli of a range of bit lengths and
561 that both ends of a connection share common moduli.
564 supports signing of keys to produce certificates that may be used for
565 user or host authentication.
566 Certificates consist of a public key, some identity information, zero or
567 more principal (user or host) names and a set of options that
568 are signed by a Certification Authority (CA) key.
569 Clients or servers may then trust only the CA key and verify its signature
570 on a certificate rather than trusting many user/host keys.
571 Note that OpenSSH certificates are a different, and much simpler, format to
572 the X.509 certificates used in
576 supports two types of certificates: user and host.
577 User certificates authenticate users to servers, whereas host certificates
578 authenticate server hosts to users.
579 To generate a user certificate:
581 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
583 The resultant certificate will be placed in
584 .Pa /path/to/user_key-cert.pub .
585 A host certificate requires the
589 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
591 The host certificate will be output to
592 .Pa /path/to/host_key-cert.pub .
594 It is possible to sign using a CA key stored in a PKCS#11 token by
595 providing the token library using
597 and identifying the CA key by providing its public half as an argument
601 .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub
605 is a "key identifier" that is logged by the server when the certificate
606 is used for authentication.
608 Certificates may be limited to be valid for a set of principal (user/host)
610 By default, generated certificates are valid for all users or hosts.
611 To generate a certificate for a specified set of principals:
613 .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
614 .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
616 Additional limitations on the validity and use of user certificates may
617 be specified through certificate options.
618 A certificate option may disable features of the SSH session, may be
619 valid only when presented from particular source addresses or may
620 force the use of a specific command.
621 For a list of valid certificate options, see the documentation for the
625 Finally, certificates may be defined with a validity lifetime.
628 option allows specification of certificate start and end times.
629 A certificate that is presented at a time outside this range will not be
631 By default, certificates have a maximum validity interval.
633 For certificates to be used for user or host authentication, the CA
634 public key must be trusted by
638 Please refer to those manual pages for details.
640 .Bl -tag -width Ds -compact
641 .It Pa ~/.ssh/identity
642 Contains the protocol version 1 RSA authentication identity of the user.
643 This file should not be readable by anyone but the user.
645 specify a passphrase when generating the key; that passphrase will be
646 used to encrypt the private part of this file using 3DES.
647 This file is not automatically accessed by
649 but it is offered as the default file for the private key.
651 will read this file when a login attempt is made.
653 .It Pa ~/.ssh/identity.pub
654 Contains the protocol version 1 RSA public key for authentication.
655 The contents of this file should be added to
656 .Pa ~/.ssh/authorized_keys
658 where the user wishes to log in using RSA authentication.
659 There is no need to keep the contents of this file secret.
662 .It Pa ~/.ssh/id_ecdsa
664 Contains the protocol version 2 DSA, ECDSA or RSA authentication identity of the user.
665 This file should not be readable by anyone but the user.
667 specify a passphrase when generating the key; that passphrase will be
668 used to encrypt the private part of this file using 128-bit AES.
669 This file is not automatically accessed by
671 but it is offered as the default file for the private key.
673 will read this file when a login attempt is made.
675 .It Pa ~/.ssh/id_dsa.pub
676 .It Pa ~/.ssh/id_ecdsa.pub
677 .It Pa ~/.ssh/id_rsa.pub
678 Contains the protocol version 2 DSA, ECDSA or RSA public key for authentication.
679 The contents of this file should be added to
680 .Pa ~/.ssh/authorized_keys
682 where the user wishes to log in using public key authentication.
683 There is no need to keep the contents of this file secret.
686 Contains Diffie-Hellman groups used for DH-GEX.
687 The file format is described in
698 .%T "The Secure Shell (SSH) Public Key File Format"
702 OpenSSH is a derivative of the original and free
703 ssh 1.2.12 release by Tatu Ylonen.
704 Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
705 Theo de Raadt and Dug Song
706 removed many bugs, re-added newer features and
708 Markus Friedl contributed the support for SSH
709 protocol versions 1.5 and 2.0.