1 .\" $OpenBSD: ssh-keygen.1,v 1.50 2001/10/25 21:14:32 markus Exp $
5 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
6 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 .\" All rights reserved
9 .\" As far as I am concerned, the code I have written for this software
10 .\" can be used freely for any purpose. Any derived versions of this
11 .\" software must be clearly marked as such, and if the derived work is
12 .\" incompatible with the protocol description in the RFC file, it must be
13 .\" called by a name other than "ssh" or "Secure Shell".
16 .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
17 .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
18 .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
20 .\" Redistribution and use in source and binary forms, with or without
21 .\" modification, are permitted provided that the following conditions
23 .\" 1. Redistributions of source code must retain the above copyright
24 .\" notice, this list of conditions and the following disclaimer.
25 .\" 2. Redistributions in binary form must reproduce the above copyright
26 .\" notice, this list of conditions and the following disclaimer in the
27 .\" documentation and/or other materials provided with the distribution.
29 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
30 .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
31 .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
32 .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
33 .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
34 .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
35 .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
36 .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
37 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
40 .Dd September 25, 1999
45 .Nd authentication key generation, management and conversion
51 .Op Fl N Ar new_passphrase
53 .Op Fl f Ar output_keyfile
56 .Op Fl P Ar old_passphrase
57 .Op Fl N Ar new_passphrase
61 .Op Fl f Ar input_keyfile
64 .Op Fl f Ar input_keyfile
67 .Op Fl f Ar input_keyfile
70 .Op Fl P Ar passphrase
75 .Op Fl f Ar input_keyfile
78 .Op Fl f Ar input_keyfile
83 .Op Fl f Ar input_keyfile
86 generates, manages and converts authentication keys for
89 defaults to generating a RSA1 key for use by SSH protocol version 1.
92 option instead creates a key for use by SSH protocol version 2.
94 Normally each user wishing to use SSH
95 with RSA or DSA authentication runs this once to create the authentication
97 .Pa $HOME/.ssh/identity ,
100 .Pa $HOME/.ssh/id_rsa .
101 Additionally, the system administrator may use this to generate host keys,
105 Normally this program generates the key and asks for a file in which
106 to store the private key.
107 The public key is stored in a file with the same name but
110 The program also asks for a passphrase.
111 The passphrase may be empty to indicate no passphrase
112 (host keys must have an empty passphrase), or it may be a string of
114 Good passphrases are 10-30 characters long and are
115 not simple sentences or otherwise easily guessable (English
116 prose has only 1-2 bits of entropy per character, and provides very bad
118 The passphrase can be changed later by using the
122 There is no way to recover a lost passphrase.
124 lost or forgotten, a new key must be generated and copied to the
125 corresponding public key to other machines.
128 there is also a comment field in the key file that is only for
129 convenience to the user to help identify the key.
130 The comment can tell what the key is for, or whatever is useful.
131 The comment is initialized to
133 when the key is created, but can be changed using the
137 After a key is generated, instructions below detail where the keys
138 should be placed to be activated.
140 The options are as follows:
143 Specifies the number of bits in the key to create.
145 Generally 1024 bits is considered sufficient, and key sizes
146 above that no longer improve security but make things slower.
147 The default is 1024 bits.
149 Requests changing the comment in the private and public key files.
150 This operation is only supported for RSA1 keys.
151 The program will prompt for the file containing the private keys, for
152 the passphrase if the key has one, and for the new comment.
154 This option will read a private or public OpenSSH key file and
156 .Sq SECSH Public Key File Format
158 This option allows exporting keys for use by several commercial
161 Specifies the filename of the key file.
163 This option will read an unencrypted private (or public) key file
164 in SSH2-compatible format and print an OpenSSH compatible private
165 (or public) key to stdout.
168 .Sq SECSH Public Key File Format .
169 This option allows importing keys from several commercial
172 Show fingerprint of specified public key file.
173 Private RSA1 keys are also supported.
176 tries to find the matching public key file and prints its fingerprint.
178 Requests changing the passphrase of a private key file instead of
179 creating a new private key.
180 The program will prompt for the file
181 containing the private key, for the old passphrase, and twice for the
188 when creating a new key.
190 This option will read a private
191 OpenSSH format file and print an OpenSSH public key to stdout.
193 Specifies the type of the key to create.
194 The possible values are
196 for protocol version 1 and
200 for protocol version 2.
204 Show the bubblebabble digest of specified private or public key file.
206 Provides the new comment.
208 Download the RSA public key stored in the smartcard in
210 .It Fl N Ar new_passphrase
211 Provides the new passphrase.
212 .It Fl P Ar passphrase
213 Provides the (old) passphrase.
215 Upload an existing RSA private key into the smartcard in
220 .It Pa $HOME/.ssh/identity
221 Contains the protocol version 1 RSA authentication identity of the user.
222 This file should not be readable by anyone but the user.
224 specify a passphrase when generating the key; that passphrase will be
225 used to encrypt the private part of this file using 3DES.
226 This file is not automatically accessed by
228 but it is offered as the default file for the private key.
230 will read this file when a login attempt is made.
231 .It Pa $HOME/.ssh/identity.pub
232 Contains the protocol version 1 RSA public key for authentication.
233 The contents of this file should be added to
234 .Pa $HOME/.ssh/authorized_keys
236 where the user wishes to log in using RSA authentication.
237 There is no need to keep the contents of this file secret.
238 .It Pa $HOME/.ssh/id_dsa
239 Contains the protocol version 2 DSA authentication identity of the user.
240 This file should not be readable by anyone but the user.
242 specify a passphrase when generating the key; that passphrase will be
243 used to encrypt the private part of this file using 3DES.
244 This file is not automatically accessed by
246 but it is offered as the default file for the private key.
248 will read this file when a login attempt is made.
249 .It Pa $HOME/.ssh/id_dsa.pub
250 Contains the protocol version 2 DSA public key for authentication.
251 The contents of this file should be added to
252 .Pa $HOME/.ssh/authorized_keys
254 where the user wishes to log in using public key authentication.
255 There is no need to keep the contents of this file secret.
256 .It Pa $HOME/.ssh/id_rsa
257 Contains the protocol version 2 RSA authentication identity of the user.
258 This file should not be readable by anyone but the user.
260 specify a passphrase when generating the key; that passphrase will be
261 used to encrypt the private part of this file using 3DES.
262 This file is not automatically accessed by
264 but it is offered as the default file for the private key.
266 will read this file when a login attempt is made.
267 .It Pa $HOME/.ssh/id_rsa.pub
268 Contains the protocol version 2 RSA public key for authentication.
269 The contents of this file should be added to
270 .Pa $HOME/.ssh/authorized_keys
272 where the user wishes to log in using public key authentication.
273 There is no need to keep the contents of this file secret.
276 OpenSSH is a derivative of the original and free
277 ssh 1.2.12 release by Tatu Ylonen.
278 Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
279 Theo de Raadt and Dug Song
280 removed many bugs, re-added newer features and
282 Markus Friedl contributed the support for SSH
283 protocol versions 1.5 and 2.0.
292 .%T "SECSH Public Key File Format"
293 .%N draft-ietf-secsh-publickeyfile-01.txt
295 .%O work in progress material