[openssh.git] / ssh-keygen.1

.\"  -*- nroff -*-
.\"
.\" ssh-keygen.1
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\"
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\"                    All rights reserved
.\"
.\" Created: Sat Apr 22 23:55:14 1995 ylo
.\"
.\" $Id$
.\"
.Dd September 25, 1999
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
.Nm ssh-keygen
.Nd authentication key generation
.Sh SYNOPSIS
.Nm ssh-keygen
.Op Fl q
.Op Fl b Ar bits
.Op Fl N Ar new_passphrase
.Op Fl C Ar comment
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl p
.Op Fl P Ar old_passphrase
.Op Fl N Ar new_passphrase
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl c
.Op Fl P Ar passphrase
.Op Fl C Ar comment
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl l
.Op Fl f Ar keyfile
.Sh DESCRIPTION
.Nm
generates and manages authentication keys for
.Xr ssh 1 .
Normally each user wishing to use SSH
with RSA authentication runs this once to create the authentication
key in
.Pa $HOME/.ssh/identity .
Additionally, the system administrator may use this to generate host keys.
.Pp
Normally this program generates the key and asks for a file in which
to store the private key.
The public key is stored in a file with the same name but
.Dq .pub
appended.
The program also asks for a passphrase.
The passphrase may be empty to indicate no passphrase
(host keys must have empty passphrase), or it may be a string of
arbitrary length.
Good passphrases are 10-30 characters long and are
not simple sentences or otherwise easily guessable (English
prose has only 1-2 bits of entropy per word, and provides very bad
passphrases).
The passphrase can be changed later by using the
.Fl p
option.
.Pp
There is no way to recover a lost passphrase.
If the passphrase is
lost or forgotten, you will have to generate a new key and copy the
corresponding public key to other machines.
.Pp
There is also a comment field in the key file that is only for
convenience to the user to help identify the key.
The comment can tell what the key is for, or whatever is useful.
The comment is initialized to
.Dq user@host
when the key is created, but can be changed using the
.Fl c
option.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl b Ar bits
Specifies the number of bits in the key to create.
Minimum is 512 bits.
Generally 1024 bits is considered sufficient, and key sizes
above that no longer improve security but make things slower.
The default is 1024 bits.
.It Fl c
Requests changing the comment in the private and public key files.
The program will prompt for the file containing the private keys, for
passphrase if the key has one, and for the new comment.
.It Fl f
Specifies the filename of the key file.
.It Fl l
Show fingerprint of specified private or public key file.
.It Fl p
Requests changing the passphrase of a private key file instead of
creating a new private key.
The program will prompt for the file
containing the private key, for the old passphrase, and twice for the
new passphrase.
.It Fl q
Silence
.Nm ssh-keygen .
Used by
.Pa /etc/rc
when creating a new key.
.It Fl C Ar comment
Provides the new comment.
.It Fl N Ar new_passphrase
Provides the new passphrase.
.It Fl P Ar passphrase
Provides the (old) passphrase.
.El
.Sh FILES
.Bl -tag -width Ds
.It Pa $HOME/.ssh/identity
Contains the RSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
specify a passphrase when generating the key; that passphrase will be
used to encrypt the private part of this file using 3DES.
This file is not automatically accessed by
.Nm
but it is offered as the default file for the private key.
.It Pa $HOME/.ssh/identity.pub
Contains the public key for authentication.
The contents of this file should be added to
.Pa $HOME/.ssh/authorized_keys
on all machines
where you wish to log in using RSA authentication.
There is no need to keep the contents of this file secret.
.Sh AUTHOR
Tatu Ylonen <ylo@cs.hut.fi>
.Pp
OpenSSH
is a derivative of the original (free) ssh 1.2.12 release, but with bugs
removed and newer features re-added.
Rapidly after the 1.2.12 release,
newer versions bore successively more restrictive licenses.
This version of OpenSSH
.Bl -bullet
.It
has all components of a restrictive nature (i.e., patents)
directly removed from the source code; any licensed or patented components
are chosen from
external libraries.
.It
has been updated to support ssh protocol 1.5.
.It
contains added support for
.Xr kerberos 8
authentication and ticket passing.
.It
supports one-time password authentication with
.Xr skey 1 .
.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr sshd 8 ,
Commit	Line	Data
bf740959	1	.\" -- nroff --
	2	.\"
	3	.\" ssh-keygen.1
	4	.\"
	5	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
	6	.\"
	7	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
	8	.\" All rights reserved
	9	.\"
	10	.\" Created: Sat Apr 22 23:55:14 1995 ylo
	11	.\"
	12	.\" $Id$
	13	.\"
	14	.Dd September 25, 1999
	15	.Dt SSH-KEYGEN 1
	16	.Os
	17	.Sh NAME
	18	.Nm ssh-keygen
	19	.Nd authentication key generation
	20	.Sh SYNOPSIS
	21	.Nm ssh-keygen
	22	.Op Fl q
	23	.Op Fl b Ar bits
	24	.Op Fl N Ar new_passphrase
	25	.Op Fl C Ar comment
f095fcc7	26	.Op Fl f Ar keyfile
bf740959	27	.Nm ssh-keygen
	28	.Fl p
	29	.Op Fl P Ar old_passphrase
	30	.Op Fl N Ar new_passphrase
f095fcc7	31	.Op Fl f Ar keyfile
bf740959	32	.Nm ssh-keygen
	33	.Fl c
	34	.Op Fl P Ar passphrase
	35	.Op Fl C Ar comment
f095fcc7	36	.Op Fl f Ar keyfile
	37	.Nm ssh-keygen
	38	.Fl l
	39	.Op Fl f Ar keyfile
f54651ce	40	.Sh DESCRIPTION
bf740959	41	.Nm
f54651ce	42	generates and manages authentication keys for
bf740959	43	.Xr ssh 1 .
	44	Normally each user wishing to use SSH
	45	with RSA authentication runs this once to create the authentication
	46	key in
	47	.Pa $HOME/.ssh/identity .
	48	Additionally, the system administrator may use this to generate host keys.
	49	.Pp
	50	Normally this program generates the key and asks for a file in which
4fe2af09	51	to store the private key.
4fe2af09	52	The public key is stored in a file with the same name but
bf740959	53	.Dq .pub
4fe2af09	54	appended.
	55	The program also asks for a passphrase.
	56	The passphrase may be empty to indicate no passphrase
bf740959	57	(host keys must have empty passphrase), or it may be a string of
4fe2af09	58	arbitrary length.
4fe2af09	59	Good passphrases are 10-30 characters long and are
bf740959	60	not simple sentences or otherwise easily guessable (English
bf740959	61	prose has only 1-2 bits of entropy per word, and provides very bad
4fe2af09	62	passphrases).
4fe2af09	63	The passphrase can be changed later by using the
bf740959	64	.Fl p
	65	option.
	66	.Pp
4fe2af09	67	There is no way to recover a lost passphrase.
4fe2af09	68	If the passphrase is
bf740959	69	lost or forgotten, you will have to generate a new key and copy the
	70	corresponding public key to other machines.
	71	.Pp
	72	There is also a comment field in the key file that is only for
4fe2af09	73	convenience to the user to help identify the key.
	74	The comment can tell what the key is for, or whatever is useful.
	75	The comment is initialized to
bf740959	76	.Dq user@host
	77	when the key is created, but can be changed using the
	78	.Fl c
	79	option.
	80	.Pp
	81	The options are as follows:
	82	.Bl -tag -width Ds
	83	.It Fl b Ar bits
4fe2af09	84	Specifies the number of bits in the key to create.
	85	Minimum is 512 bits.
	86	Generally 1024 bits is considered sufficient, and key sizes
	87	above that no longer improve security but make things slower.
	88	The default is 1024 bits.
bf740959	89	.It Fl c
	90	Requests changing the comment in the private and public key files.
	91	The program will prompt for the file containing the private keys, for
	92	passphrase if the key has one, and for the new comment.
f095fcc7	93	.It Fl f
	94	Specifies the filename of the key file.
	95	.It Fl l
	96	Show fingerprint of specified private or public key file.
bf740959	97	.It Fl p
bf740959	98	Requests changing the passphrase of a private key file instead of
4fe2af09	99	creating a new private key.
4fe2af09	100	The program will prompt for the file
bf740959	101	containing the private key, for the old passphrase, and twice for the
	102	new passphrase.
	103	.It Fl q
	104	Silence
	105	.Nm ssh-keygen .
	106	Used by
	107	.Pa /etc/rc
	108	when creating a new key.
	109	.It Fl C Ar comment
	110	Provides the new comment.
	111	.It Fl N Ar new_passphrase
	112	Provides the new passphrase.
	113	.It Fl P Ar passphrase
	114	Provides the (old) passphrase.
	115	.El
	116	.Sh FILES
	117	.Bl -tag -width Ds
bf740959	118	.It Pa $HOME/.ssh/identity
4fe2af09	119	Contains the RSA authentication identity of the user.
	120	This file should not be readable by anyone but the user.
	121	It is possible to
bf740959	122	specify a passphrase when generating the key; that passphrase will be
4fe2af09	123	used to encrypt the private part of this file using 3DES.
4fe2af09	124	This file is not automatically accessed by
bf740959	125	.Nm
	126	but it is offered as the default file for the private key.
	127	.It Pa $HOME/.ssh/identity.pub
4fe2af09	128	Contains the public key for authentication.
4fe2af09	129	The contents of this file should be added to
bf740959	130	.Pa $HOME/.ssh/authorized_keys
bf740959	131	on all machines
4fe2af09	132	where you wish to log in using RSA authentication.
4fe2af09	133	There is no need to keep the contents of this file secret.
bf740959	134	.Sh AUTHOR
	135	Tatu Ylonen <ylo@cs.hut.fi>
	136	.Pp
	137	OpenSSH
	138	is a derivative of the original (free) ssh 1.2.12 release, but with bugs
4fe2af09	139	removed and newer features re-added.
	140	Rapidly after the 1.2.12 release,
	141	newer versions bore successively more restrictive licenses.
	142	This version of OpenSSH
bf740959	143	.Bl -bullet
bf740959	144	.It
371ecff9	145	has all components of a restrictive nature (i.e., patents)
bf740959	146	directly removed from the source code; any licensed or patented components
	147	are chosen from
	148	external libraries.
	149	.It
	150	has been updated to support ssh protocol 1.5.
	151	.It
f54651ce	152	contains added support for
bf740959	153	.Xr kerberos 8
	154	authentication and ticket passing.
	155	.It
	156	supports one-time password authentication with
	157	.Xr skey 1 .
	158	.El
bf740959	159	.Sh SEE ALSO
	160	.Xr ssh 1 ,
	161	.Xr ssh-add 1 ,
0c372277	162	.Xr ssh-agent 1 ,
bf740959	163	.Xr sshd 8 ,