[openssh.git] / ssh-keygen.1

.\"  -*- nroff -*-
.\"
.\" ssh-keygen.1
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\"
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\"                    All rights reserved
.\"
.\" Created: Sat Apr 22 23:55:14 1995 ylo
.\"
.\" $Id$
.\"
.Dd September 25, 1999
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
.Nm ssh-keygen
.Nd authentication key generation
.Sh SYNOPSIS
.Nm ssh-keygen
.Op Fl q
.Op Fl b Ar bits
.Op Fl N Ar new_passphrase
.Op Fl C Ar comment
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl p
.Op Fl P Ar old_passphrase
.Op Fl N Ar new_passphrase
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl c
.Op Fl P Ar passphrase
.Op Fl C Ar comment
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl l
.Op Fl f Ar keyfile
.Sh DESCRIPTION 
.Nm
generates and manages authentication keys for 
.Xr ssh 1 .
Normally each user wishing to use SSH
with RSA authentication runs this once to create the authentication
key in
.Pa $HOME/.ssh/identity .
Additionally, the system administrator may use this to generate host keys.
.Pp
Normally this program generates the key and asks for a file in which
to store the private key.  The public key is stored in a file with the
same name but
.Dq .pub
appended.  The program also asks for a
passphrase.  The passphrase may be empty to indicate no passphrase
(host keys must have empty passphrase), or it may be a string of
arbitrary length.  Good passphrases are 10-30 characters long and are
not simple sentences or otherwise easily guessable (English
prose has only 1-2 bits of entropy per word, and provides very bad
passphrases).  The passphrase can be changed later by using the
.Fl p
option.
.Pp
There is no way to recover a lost passphrase.  If the passphrase is
lost or forgotten, you will have to generate a new key and copy the
corresponding public key to other machines.
.Pp
There is also a comment field in the key file that is only for
convenience to the user to help identify the key.  The comment can
tell what the key is for, or whatever is useful.  The comment is
initialized to
.Dq user@host
when the key is created, but can be changed using the
.Fl c
option.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl b Ar bits
Specifies the number of bits in the key to create.  Minimum is 512
bits.  Generally 1024 bits is considered sufficient, and key sizes
above that no longer improve security but make things slower.  The
default is 1024 bits.
.It Fl c
Requests changing the comment in the private and public key files.
The program will prompt for the file containing the private keys, for
passphrase if the key has one, and for the new comment.
.It Fl f
Specifies the filename of the key file.
.It Fl l
Show fingerprint of specified private or public key file.
.It Fl p
Requests changing the passphrase of a private key file instead of
creating a new private key.  The program will prompt for the file
containing the private key, for the old passphrase, and twice for the
new passphrase.
.It Fl q
Silence
.Nm ssh-keygen .
Used by
.Pa /etc/rc
when creating a new key.
.It Fl C Ar comment
Provides the new comment.
.It Fl N Ar new_passphrase
Provides the new passphrase.
.It Fl P Ar passphrase
Provides the (old) passphrase.
.El
.Sh FILES
.Bl -tag -width Ds
.It Pa $HOME/.ssh/random_seed
Used for seeding the random number generator.  This file should not be
readable by anyone but the user.  This file is created the first time
the program is run, and is updated every time.
.It Pa $HOME/.ssh/identity
Contains the RSA authentication identity of the user.  This file
should not be readable by anyone but the user.  It is possible to
specify a passphrase when generating the key; that passphrase will be
used to encrypt the private part of this file using 3DES.  This file
is not automatically accessed by
.Nm
but it is offered as the default file for the private key.
.It Pa $HOME/.ssh/identity.pub
Contains the public key for authentication.  The contents of this file
should be added to
.Pa $HOME/.ssh/authorized_keys
on all machines
where you wish to log in using RSA authentication.  There is no
need to keep the contents of this file secret.
.Sh AUTHOR
Tatu Ylonen <ylo@cs.hut.fi>
.Pp
OpenSSH
is a derivative of the original (free) ssh 1.2.12 release, but with bugs
removed and newer features re-added.   Rapidly after the 1.2.12 release,
newer versions bore successively more restrictive licenses.  This version
of OpenSSH
.Bl -bullet
.It
has all components of a restrictive nature (ie. patents, see
.Xr ssl 8 )
directly removed from the source code; any licensed or patented components
are chosen from
external libraries.
.It
has been updated to support ssh protocol 1.5.
.It
contains added support for 
.Xr kerberos 8
authentication and ticket passing.
.It
supports one-time password authentication with
.Xr skey 1 .
.El
.Pp
The libraries described in
.Xr ssl 8
are required for proper operation.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr sshd 8 ,
.Xr ssl 8
Commit	Line	Data
bf740959	1	.\" -- nroff --
	2	.\"
	3	.\" ssh-keygen.1
	4	.\"
	5	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
	6	.\"
	7	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
	8	.\" All rights reserved
	9	.\"
	10	.\" Created: Sat Apr 22 23:55:14 1995 ylo
	11	.\"
	12	.\" $Id$
	13	.\"
	14	.Dd September 25, 1999
	15	.Dt SSH-KEYGEN 1
	16	.Os
	17	.Sh NAME
	18	.Nm ssh-keygen
	19	.Nd authentication key generation
	20	.Sh SYNOPSIS
	21	.Nm ssh-keygen
	22	.Op Fl q
	23	.Op Fl b Ar bits
	24	.Op Fl N Ar new_passphrase
	25	.Op Fl C Ar comment
f095fcc7	26	.Op Fl f Ar keyfile
bf740959	27	.Nm ssh-keygen
	28	.Fl p
	29	.Op Fl P Ar old_passphrase
	30	.Op Fl N Ar new_passphrase
f095fcc7	31	.Op Fl f Ar keyfile
bf740959	32	.Nm ssh-keygen
	33	.Fl c
	34	.Op Fl P Ar passphrase
	35	.Op Fl C Ar comment
f095fcc7	36	.Op Fl f Ar keyfile
	37	.Nm ssh-keygen
	38	.Fl l
	39	.Op Fl f Ar keyfile
bf740959	40	.Sh DESCRIPTION
	41	.Nm
	42	generates and manages authentication keys for
	43	.Xr ssh 1 .
	44	Normally each user wishing to use SSH
	45	with RSA authentication runs this once to create the authentication
	46	key in
	47	.Pa $HOME/.ssh/identity .
	48	Additionally, the system administrator may use this to generate host keys.
	49	.Pp
	50	Normally this program generates the key and asks for a file in which
	51	to store the private key. The public key is stored in a file with the
	52	same name but
	53	.Dq .pub
	54	appended. The program also asks for a
	55	passphrase. The passphrase may be empty to indicate no passphrase
	56	(host keys must have empty passphrase), or it may be a string of
	57	arbitrary length. Good passphrases are 10-30 characters long and are
	58	not simple sentences or otherwise easily guessable (English
	59	prose has only 1-2 bits of entropy per word, and provides very bad
	60	passphrases). The passphrase can be changed later by using the
	61	.Fl p
	62	option.
	63	.Pp
	64	There is no way to recover a lost passphrase. If the passphrase is
	65	lost or forgotten, you will have to generate a new key and copy the
	66	corresponding public key to other machines.
	67	.Pp
	68	There is also a comment field in the key file that is only for
	69	convenience to the user to help identify the key. The comment can
	70	tell what the key is for, or whatever is useful. The comment is
	71	initialized to
	72	.Dq user@host
	73	when the key is created, but can be changed using the
	74	.Fl c
	75	option.
	76	.Pp
	77	The options are as follows:
	78	.Bl -tag -width Ds
	79	.It Fl b Ar bits
	80	Specifies the number of bits in the key to create. Minimum is 512
	81	bits. Generally 1024 bits is considered sufficient, and key sizes
	82	above that no longer improve security but make things slower. The
	83	default is 1024 bits.
	84	.It Fl c
	85	Requests changing the comment in the private and public key files.
	86	The program will prompt for the file containing the private keys, for
	87	passphrase if the key has one, and for the new comment.
f095fcc7	88	.It Fl f
	89	Specifies the filename of the key file.
	90	.It Fl l
	91	Show fingerprint of specified private or public key file.
bf740959	92	.It Fl p
	93	Requests changing the passphrase of a private key file instead of
	94	creating a new private key. The program will prompt for the file
	95	containing the private key, for the old passphrase, and twice for the
	96	new passphrase.
	97	.It Fl q
	98	Silence
	99	.Nm ssh-keygen .
	100	Used by
	101	.Pa /etc/rc
	102	when creating a new key.
	103	.It Fl C Ar comment
	104	Provides the new comment.
	105	.It Fl N Ar new_passphrase
	106	Provides the new passphrase.
	107	.It Fl P Ar passphrase
	108	Provides the (old) passphrase.
	109	.El
	110	.Sh FILES
	111	.Bl -tag -width Ds
	112	.It Pa $HOME/.ssh/random_seed
	113	Used for seeding the random number generator. This file should not be
	114	readable by anyone but the user. This file is created the first time
	115	the program is run, and is updated every time.
	116	.It Pa $HOME/.ssh/identity
	117	Contains the RSA authentication identity of the user. This file
	118	should not be readable by anyone but the user. It is possible to
	119	specify a passphrase when generating the key; that passphrase will be
	120	used to encrypt the private part of this file using 3DES. This file
	121	is not automatically accessed by
	122	.Nm
	123	but it is offered as the default file for the private key.
	124	.It Pa $HOME/.ssh/identity.pub
	125	Contains the public key for authentication. The contents of this file
	126	should be added to
	127	.Pa $HOME/.ssh/authorized_keys
	128	on all machines
	129	where you wish to log in using RSA authentication. There is no
	130	need to keep the contents of this file secret.
	131	.Sh AUTHOR
	132	Tatu Ylonen <ylo@cs.hut.fi>
	133	.Pp
	134	OpenSSH
	135	is a derivative of the original (free) ssh 1.2.12 release, but with bugs
	136	removed and newer features re-added. Rapidly after the 1.2.12 release,
	137	newer versions bore successively more restrictive licenses. This version
	138	of OpenSSH
	139	.Bl -bullet
	140	.It
	141	has all components of a restrictive nature (ie. patents, see
	142	.Xr ssl 8 )
	143	directly removed from the source code; any licensed or patented components
	144	are chosen from
	145	external libraries.
	146	.It
	147	has been updated to support ssh protocol 1.5.
	148	.It
	149	contains added support for
	150	.Xr kerberos 8
	151	authentication and ticket passing.
	152	.It
	153	supports one-time password authentication with
	154	.Xr skey 1 .
	155	.El
156	.Pp
157	The libraries described in
158	.Xr ssl 8
159	are required for proper operation.
160	.Sh SEE ALSO
161	.Xr ssh 1 ,
162	.Xr ssh-add 1 ,
0c372277	163	.Xr ssh-agent 1 ,
bf740959	164	.Xr sshd 8 ,
bf740959	165	.Xr ssl 8