1 .\" $OpenBSD: ssh-keygen.1,v 1.106 2011/04/13 04:09:37 djm Exp $
3 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 .\" All rights reserved
7 .\" As far as I am concerned, the code I have written for this software
8 .\" can be used freely for any purpose. Any derived versions of this
9 .\" software must be clearly marked as such, and if the derived work is
10 .\" incompatible with the protocol description in the RFC file, it must be
11 .\" called by a name other than "ssh" or "Secure Shell".
14 .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
15 .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
16 .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
18 .\" Redistribution and use in source and binary forms, with or without
19 .\" modification, are permitted provided that the following conditions
21 .\" 1. Redistributions of source code must retain the above copyright
22 .\" notice, this list of conditions and the following disclaimer.
23 .\" 2. Redistributions in binary form must reproduce the above copyright
24 .\" notice, this list of conditions and the following disclaimer in the
25 .\" documentation and/or other materials provided with the distribution.
27 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28 .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29 .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30 .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31 .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32 .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33 .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34 .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 .Dd $Mdocdate: April 13 2011 $
43 .Nd authentication key generation, management and conversion
50 .Op Fl N Ar new_passphrase
52 .Op Fl f Ar output_keyfile
55 .Op Fl P Ar old_passphrase
56 .Op Fl N Ar new_passphrase
60 .Op Fl m Ar key_format
61 .Op Fl f Ar input_keyfile
64 .Op Fl m Ar key_format
65 .Op Fl f Ar input_keyfile
68 .Op Fl f Ar input_keyfile
71 .Op Fl P Ar passphrase
76 .Op Fl f Ar input_keyfile
79 .Op Fl f Ar input_keyfile
84 .Op Fl f Ar known_hosts_file
88 .Op Fl f Ar known_hosts_file
91 .Op Fl f Ar known_hosts_file
94 .Op Fl f Ar input_keyfile
101 .Op Fl S Ar start_point
106 .Op Fl a Ar num_trials
107 .Op Fl W Ar generator
110 .Fl I Ar certificate_identity
112 .Op Fl n Ar principals
114 .Op Fl V Ar validity_interval
115 .Op Fl z Ar serial_number
119 .Op Fl f Ar input_keyfile
125 generates, manages and converts authentication keys for
128 can create RSA keys for use by SSH protocol version 1 and DSA, ECDSA or RSA
129 keys for use by SSH protocol version 2.
130 The type of key to be generated is specified with the
133 If invoked without any arguments,
135 will generate an RSA key for use in SSH protocol 2 connections.
138 is also used to generate groups for use in Diffie-Hellman group
141 .Sx MODULI GENERATION
144 Normally each user wishing to use SSH
145 with public key authentication runs this once to create the authentication
147 .Pa ~/.ssh/identity ,
148 .Pa ~/.ssh/id_ecdsa ,
152 Additionally, the system administrator may use this to generate host keys,
156 Normally this program generates the key and asks for a file in which
157 to store the private key.
158 The public key is stored in a file with the same name but
161 The program also asks for a passphrase.
162 The passphrase may be empty to indicate no passphrase
163 (host keys must have an empty passphrase), or it may be a string of
165 A passphrase is similar to a password, except it can be a phrase with a
166 series of words, punctuation, numbers, whitespace, or any string of
168 Good passphrases are 10-30 characters long, are
169 not simple sentences or otherwise easily guessable (English
170 prose has only 1-2 bits of entropy per character, and provides very bad
171 passphrases), and contain a mix of upper and lowercase letters,
172 numbers, and non-alphanumeric characters.
173 The passphrase can be changed later by using the
177 There is no way to recover a lost passphrase.
178 If the passphrase is lost or forgotten, a new key must be generated
179 and the corresponding public key copied to other machines.
182 there is also a comment field in the key file that is only for
183 convenience to the user to help identify the key.
184 The comment can tell what the key is for, or whatever is useful.
185 The comment is initialized to
187 when the key is created, but can be changed using the
191 After a key is generated, instructions below detail where the keys
192 should be placed to be activated.
194 The options are as follows:
197 For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
198 do not exist, generate the host keys with the default key file path,
199 an empty passphrase, default bits for the key type, and default comment.
202 to generate new host keys.
204 Specifies the number of primality tests to perform when screening DH-GEX
209 Show the bubblebabble digest of specified private or public key file.
211 Specifies the number of bits in the key to create.
212 For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
213 Generally, 2048 bits is considered sufficient.
214 DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
217 flag determines they key length by selecting from one of three elliptic
218 curve sizes: 256, 384 or 521 bits.
219 Attempting to use bit lengths other than these three values for ECDSA keys
222 Provides a new comment.
224 Requests changing the comment in the private and public key files.
225 This operation is only supported for RSA1 keys.
226 The program will prompt for the file containing the private keys, for
227 the passphrase if the key has one, and for the new comment.
229 Download the RSA public keys provided by the PKCS#11 shared library
231 When used in combination with
233 this option indicates that a CA key resides in a PKCS#11 token (see the
235 section for details).
237 This option will read a private or public OpenSSH key file and
238 print to stdout the key in one of the formats specified by the
241 The default export format is
243 This option allows exporting OpenSSH keys for use by other programs, including
244 several commercial SSH implementations.
246 Search for the specified
250 file, listing any occurrences found.
251 This option is useful to find hashed host names or addresses and may also be
252 used in conjunction with the
254 option to print found keys in a hashed format.
256 Specifies the filename of the key file.
257 .It Fl G Ar output_file
258 Generate candidate primes for DH-GEX.
259 These primes must be screened for
264 Use generic DNS format when printing fingerprint resource records using the
271 This replaces all hostnames and addresses with hashed representations
272 within the specified file; the original content is moved to a file with
274 These hashes may be used normally by
278 but they do not reveal identifying information should the file's contents
280 This option will not modify existing hashed hostnames and is therefore safe
281 to use on files that mix hashed and non-hashed names.
283 When signing a key, create a host certificate instead of a user
288 .It Fl I Ar certificate_identity
289 Specify the key identity when signing a public key.
294 This option will read an unencrypted private (or public) key file
295 in the format specified by the
297 option and print an OpenSSH compatible private
298 (or public) key to stdout.
299 This option allows importing keys from other software, including several
300 commercial SSH implementations.
301 The default import format is
304 Prints the contents of a certificate.
306 Show fingerprint of specified public key file.
307 Private RSA1 keys are also supported.
310 tries to find the matching public key file and prints its fingerprint.
313 an ASCII art representation of the key is supplied with the fingerprint.
315 Specify the amount of memory to use (in megabytes) when generating
316 candidate moduli for DH-GEX.
317 .It Fl m Ar key_format
318 Specify a key format for the
322 (export) conversion options.
323 The supported key formats are:
325 (RFC 4716/SSH2 public or private key),
327 (PEM PKCS8 public key)
331 The default conversion format is
333 .It Fl N Ar new_passphrase
334 Provides the new passphrase.
335 .It Fl n Ar principals
336 Specify one or more principals (user or host names) to be included in
337 a certificate when signing a key.
338 Multiple principals may be specified, separated by commas.
343 Specify a certificate option when signing a key.
344 This option may be specified multiple times.
348 The options that are valid for user certificates are:
351 Clear all enabled permissions.
352 This is useful for clearing the default set of permissions so permissions may
353 be added individually.
354 .It Ic force-command Ns = Ns Ar command
355 Forces the execution of
357 instead of any shell or command specified by the user when
358 the certificate is used for authentication.
359 .It Ic no-agent-forwarding
362 forwarding (permitted by default).
363 .It Ic no-port-forwarding
364 Disable port forwarding (permitted by default).
366 Disable PTY allocation (permitted by default).
372 (permitted by default).
373 .It Ic no-x11-forwarding
374 Disable X11 forwarding (permitted by default).
375 .It Ic permit-agent-forwarding
379 .It Ic permit-port-forwarding
380 Allows port forwarding.
382 Allows PTY allocation.
383 .It Ic permit-user-rc
388 .It Ic permit-x11-forwarding
389 Allows X11 forwarding.
390 .It Ic source-address Ns = Ns Ar address_list
391 Restrict the source addresses from which the certificate is considered valid.
394 is a comma-separated list of one or more address/netmask pairs in CIDR
398 At present, no options are valid for host keys.
399 .It Fl P Ar passphrase
400 Provides the (old) passphrase.
402 Requests changing the passphrase of a private key file instead of
403 creating a new private key.
404 The program will prompt for the file
405 containing the private key, for the old passphrase, and twice for the
411 Removes all keys belonging to
416 This option is useful to delete hashed hosts (see the
420 Print the SSHFP fingerprint resource record named
422 for the specified public key file.
424 Specify start point (in hex) when generating candidate moduli for DH-GEX.
426 Certify (sign) a public key using the specified CA key.
430 .It Fl T Ar output_file
431 Test DH group exchange candidate primes (generated using the
435 Specifies the type of key to create.
436 The possible values are
438 for protocol version 1 and
443 for protocol version 2.
444 .It Fl V Ar validity_interval
445 Specify a validity interval when signing a certificate.
446 A validity interval may consist of a single time, indicating that the
447 certificate is valid beginning now and expiring at that time, or may consist
448 of two times separated by a colon to indicate an explicit time interval.
449 The start time may be specified as a date in YYYYMMDD format, a time
450 in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
451 of a minus sign followed by a relative time in the format described in the
455 The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
456 a relative time starting with a plus character.
460 (valid from now to 52 weeks and one day from now),
462 (valid from four weeks ago to four weeks from now),
463 .Dq 20100101123000:20110101123000
464 (valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
466 (valid from yesterday to midnight, January 1st, 2011).
471 to print debugging messages about its progress.
472 This is helpful for debugging moduli generation.
475 options increase the verbosity.
477 .It Fl W Ar generator
478 Specify desired generator when testing candidate moduli for DH-GEX.
480 This option will read a private
481 OpenSSH format file and print an OpenSSH public key to stdout.
482 .It Fl z Ar serial_number
483 Specifies a serial number to be embedded in the certificate to distinguish
484 this certificate from others from the same CA.
485 The default serial number is zero.
487 .Sh MODULI GENERATION
489 may be used to generate groups for the Diffie-Hellman Group Exchange
491 Generating these groups is a two-step process: first, candidate
492 primes are generated using a fast, but memory intensive process.
493 These candidate primes are then tested for suitability (a CPU-intensive
496 Generation of primes is performed using the
499 The desired length of the primes may be specified by the
504 .Dl # ssh-keygen -G moduli-2048.candidates -b 2048
506 By default, the search for primes begins at a random point in the
507 desired length range.
508 This may be overridden using the
510 option, which specifies a different start point (in hex).
512 Once a set of candidates have been generated, they must be tested for
514 This may be performed using the
519 will read candidates from standard input (or a file specified using the
524 .Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
526 By default, each candidate will be subjected to 100 primality tests.
527 This may be overridden using the
530 The DH generator value will be chosen automatically for the
531 prime under consideration.
532 If a specific generator is desired, it may be requested using the
535 Valid generator values are 2, 3, and 5.
537 Screened DH groups may be installed in
539 It is important that this file contains moduli of a range of bit lengths and
540 that both ends of a connection share common moduli.
543 supports signing of keys to produce certificates that may be used for
544 user or host authentication.
545 Certificates consist of a public key, some identity information, zero or
546 more principal (user or host) names and a set of options that
547 are signed by a Certification Authority (CA) key.
548 Clients or servers may then trust only the CA key and verify its signature
549 on a certificate rather than trusting many user/host keys.
550 Note that OpenSSH certificates are a different, and much simpler, format to
551 the X.509 certificates used in
555 supports two types of certificates: user and host.
556 User certificates authenticate users to servers, whereas host certificates
557 authenticate server hosts to users.
558 To generate a user certificate:
560 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
562 The resultant certificate will be placed in
563 .Pa /path/to/user_key-cert.pub .
564 A host certificate requires the
568 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
570 The host certificate will be output to
571 .Pa /path/to/host_key-cert.pub .
573 It is possible to sign using a CA key stored in a PKCS#11 token by
574 providing the token library using
576 and identifying the CA key by providing its public half as an argument
580 .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub
584 is a "key identifier" that is logged by the server when the certificate
585 is used for authentication.
587 Certificates may be limited to be valid for a set of principal (user/host)
589 By default, generated certificates are valid for all users or hosts.
590 To generate a certificate for a specified set of principals:
592 .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
593 .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
595 Additional limitations on the validity and use of user certificates may
596 be specified through certificate options.
597 A certificate option may disable features of the SSH session, may be
598 valid only when presented from particular source addresses or may
599 force the use of a specific command.
600 For a list of valid certificate options, see the documentation for the
604 Finally, certificates may be defined with a validity lifetime.
607 option allows specification of certificate start and end times.
608 A certificate that is presented at a time outside this range will not be
610 By default, certificates have a maximum validity interval.
612 For certificates to be used for user or host authentication, the CA
613 public key must be trusted by
617 Please refer to those manual pages for details.
619 .Bl -tag -width Ds -compact
620 .It Pa ~/.ssh/identity
621 Contains the protocol version 1 RSA authentication identity of the user.
622 This file should not be readable by anyone but the user.
624 specify a passphrase when generating the key; that passphrase will be
625 used to encrypt the private part of this file using 3DES.
626 This file is not automatically accessed by
628 but it is offered as the default file for the private key.
630 will read this file when a login attempt is made.
632 .It Pa ~/.ssh/identity.pub
633 Contains the protocol version 1 RSA public key for authentication.
634 The contents of this file should be added to
635 .Pa ~/.ssh/authorized_keys
637 where the user wishes to log in using RSA authentication.
638 There is no need to keep the contents of this file secret.
641 .It Pa ~/.ssh/id_ecdsa
643 Contains the protocol version 2 DSA, ECDSA or RSA authentication identity of the user.
644 This file should not be readable by anyone but the user.
646 specify a passphrase when generating the key; that passphrase will be
647 used to encrypt the private part of this file using 128-bit AES.
648 This file is not automatically accessed by
650 but it is offered as the default file for the private key.
652 will read this file when a login attempt is made.
654 .It Pa ~/.ssh/id_dsa.pub
655 .It Pa ~/.ssh/id_ecdsa.pub
656 .It Pa ~/.ssh/id_rsa.pub
657 Contains the protocol version 2 DSA, ECDSA or RSA public key for authentication.
658 The contents of this file should be added to
659 .Pa ~/.ssh/authorized_keys
661 where the user wishes to log in using public key authentication.
662 There is no need to keep the contents of this file secret.
665 Contains Diffie-Hellman groups used for DH-GEX.
666 The file format is described in
677 .%T "The Secure Shell (SSH) Public Key File Format"
681 OpenSSH is a derivative of the original and free
682 ssh 1.2.12 release by Tatu Ylonen.
683 Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
684 Theo de Raadt and Dug Song
685 removed many bugs, re-added newer features and
687 Markus Friedl contributed the support for SSH
688 protocol versions 1.5 and 2.0.