[openssh.git] / ssh-keygen.1

.\"  -*- nroff -*-
.\"
.\" ssh-keygen.1
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\"
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\"                    All rights reserved
.\"
.\" Created: Sat Apr 22 23:55:14 1995 ylo
.\"
.\" $Id$
.\"
.Dd September 25, 1999
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
.Nm ssh-keygen
.Nd authentication key generation
.Sh SYNOPSIS
.Nm ssh-keygen
.Op Fl dq
.Op Fl b Ar bits
.Op Fl N Ar new_passphrase
.Op Fl C Ar comment
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl p
.Op Fl P Ar old_passphrase
.Op Fl N Ar new_passphrase
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl x
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl X
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl y
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl c
.Op Fl P Ar passphrase
.Op Fl C Ar comment
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl l
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl R
.Sh DESCRIPTION
.Nm
generates and manages authentication keys for
.Xr ssh 1 .
.Nm
defaults to generating an RSA key for use by protocols 1.3 and 1.5;
specifying the
.Fl d
flag will create a DSA key instead for use by protocol 2.0.
.Pp
Normally each user wishing to use SSH
with RSA or DSA authentication runs this once to create the authentication
key in
.Pa $HOME/.ssh/identity
or
.Pa $HOME/.ssh/id_dsa .
Additionally, the system administrator may use this to generate host keys,
as seen in
.Pa /etc/rc .
.Pp
Normally this program generates the key and asks for a file in which
to store the private key.
The public key is stored in a file with the same name but
.Dq .pub
appended.
The program also asks for a passphrase.
The passphrase may be empty to indicate no passphrase
(host keys must have empty passphrase), or it may be a string of
arbitrary length.
Good passphrases are 10-30 characters long and are
not simple sentences or otherwise easily guessable (English
prose has only 1-2 bits of entropy per word, and provides very bad
passphrases).
The passphrase can be changed later by using the
.Fl p
option.
.Pp
There is no way to recover a lost passphrase.
If the passphrase is
lost or forgotten, you will have to generate a new key and copy the
corresponding public key to other machines.
.Pp
For RSA, there is also a comment field in the key file that is only for
convenience to the user to help identify the key.
The comment can tell what the key is for, or whatever is useful.
The comment is initialized to
.Dq user@host
when the key is created, but can be changed using the
.Fl c
option.
.Pp
After a key is generated, instructions below detail where the keys
should be placed to be activated.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl b Ar bits
Specifies the number of bits in the key to create.
Minimum is 512 bits.
Generally 1024 bits is considered sufficient, and key sizes
above that no longer improve security but make things slower.
The default is 1024 bits.
.It Fl c
Requests changing the comment in the private and public key files.
The program will prompt for the file containing the private keys, for
passphrase if the key has one, and for the new comment.
.It Fl f
Specifies the filename of the key file.
.It Fl l
Show fingerprint of specified private or public key file.
.It Fl p
Requests changing the passphrase of a private key file instead of
creating a new private key.
The program will prompt for the file
containing the private key, for the old passphrase, and twice for the
new passphrase.
.It Fl q
Silence
.Nm ssh-keygen .
Used by
.Pa /etc/rc
when creating a new key.
.It Fl C Ar comment
Provides the new comment.
.It Fl N Ar new_passphrase
Provides the new passphrase.
.It Fl P Ar passphrase
Provides the (old) passphrase.
.It Fl R
If RSA support is functional, immediately exits with code 0.  If RSA
support is not functional, exits with code 1.  This flag will be
removed once the RSA patent expires.
.It Fl x
This option will read a private
OpenSSH DSA format file and print a SSH2-compatible public key to stdout.
.It Fl X
This option will read a
SSH2-compatible public key file and print an OpenSSH DSA compatible public key to stdout.
.It Fl y
This option will read a private
OpenSSH DSA format file and print an OpenSSH DSA public key to stdout.
.El
.Sh FILES
.Bl -tag -width Ds
.It Pa $HOME/.ssh/identity
Contains the RSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
specify a passphrase when generating the key; that passphrase will be
used to encrypt the private part of this file using 3DES.
This file is not automatically accessed by
.Nm
but it is offered as the default file for the private key.
.Xr sshd 8
will read this file when a login attempt is made.
.It Pa $HOME/.ssh/identity.pub
Contains the public key for authentication.
The contents of this file should be added to
.Pa $HOME/.ssh/authorized_keys
on all machines
where you wish to log in using RSA authentication.
There is no need to keep the contents of this file secret.
.It Pa $HOME/.ssh/id_dsa
Contains the DSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
specify a passphrase when generating the key; that passphrase will be
used to encrypt the private part of this file using 3DES.
This file is not automatically accessed by
.Nm
but it is offered as the default file for the private key.
.Xr sshd 8
will read this file when a login attempt is made.
.It Pa $HOME/.ssh/id_dsa.pub
Contains the public key for authentication.
The contents of this file should be added to
.Pa $HOME/.ssh/authorized_keys2
on all machines
where you wish to log in using DSA authentication.
There is no need to keep the contents of this file secret.
.Sh AUTHOR
Tatu Ylonen <ylo@cs.hut.fi>
.Pp
OpenSSH
is a derivative of the original (free) ssh 1.2.12 release, but with bugs
removed and newer features re-added.
Rapidly after the 1.2.12 release,
newer versions bore successively more restrictive licenses.
This version of OpenSSH
.Bl -bullet
.It
has all components of a restrictive nature (i.e., patents)
directly removed from the source code; any licensed or patented components
are chosen from
external libraries.
.It
has been updated to support ssh protocol 1.5.
.It
contains added support for
.Xr kerberos 8
authentication and ticket passing.
.It
supports one-time password authentication with
.Xr skey 1 .
.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr sshd 8 ,
Commit	Line	Data
bf740959	1	.\" -- nroff --
	2	.\"
	3	.\" ssh-keygen.1
	4	.\"
	5	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
	6	.\"
	7	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
	8	.\" All rights reserved
	9	.\"
	10	.\" Created: Sat Apr 22 23:55:14 1995 ylo
	11	.\"
	12	.\" $Id$
	13	.\"
	14	.Dd September 25, 1999
	15	.Dt SSH-KEYGEN 1
	16	.Os
	17	.Sh NAME
	18	.Nm ssh-keygen
	19	.Nd authentication key generation
	20	.Sh SYNOPSIS
	21	.Nm ssh-keygen
1d1ffb87	22	.Op Fl dq
bf740959	23	.Op Fl b Ar bits
	24	.Op Fl N Ar new_passphrase
	25	.Op Fl C Ar comment
f095fcc7	26	.Op Fl f Ar keyfile
bf740959	27	.Nm ssh-keygen
	28	.Fl p
	29	.Op Fl P Ar old_passphrase
	30	.Op Fl N Ar new_passphrase
f095fcc7	31	.Op Fl f Ar keyfile
bf740959	32	.Nm ssh-keygen
1d1ffb87	33	.Fl x
	34	.Op Fl f Ar keyfile
	35	.Nm ssh-keygen
	36	.Fl X
	37	.Op Fl f Ar keyfile
	38	.Nm ssh-keygen
	39	.Fl y
	40	.Op Fl f Ar keyfile
	41	.Nm ssh-keygen
bf740959	42	.Fl c
	43	.Op Fl P Ar passphrase
	44	.Op Fl C Ar comment
f095fcc7	45	.Op Fl f Ar keyfile
	46	.Nm ssh-keygen
	47	.Fl l
	48	.Op Fl f Ar keyfile
a306f2dd	49	.Nm ssh-keygen
a306f2dd	50	.Fl R
f54651ce	51	.Sh DESCRIPTION
bf740959	52	.Nm
f54651ce	53	generates and manages authentication keys for
bf740959	54	.Xr ssh 1 .
1d1ffb87	55	.Nm
	56	defaults to generating an RSA key for use by protocols 1.3 and 1.5;
	57	specifying the
	58	.Fl d
	59	flag will create a DSA key instead for use by protocol 2.0.
	60	.Pp
bf740959	61	Normally each user wishing to use SSH
1d1ffb87	62	with RSA or DSA authentication runs this once to create the authentication
bf740959	63	key in
1d1ffb87	64	.Pa $HOME/.ssh/identity
	65	or
	66	.Pa $HOME/.ssh/id_dsa .
	67	Additionally, the system administrator may use this to generate host keys,
	68	as seen in
	69	.Pa /etc/rc .
bf740959	70	.Pp
bf740959	71	Normally this program generates the key and asks for a file in which
4fe2af09	72	to store the private key.
4fe2af09	73	The public key is stored in a file with the same name but
bf740959	74	.Dq .pub
4fe2af09	75	appended.
	76	The program also asks for a passphrase.
	77	The passphrase may be empty to indicate no passphrase
bf740959	78	(host keys must have empty passphrase), or it may be a string of
4fe2af09	79	arbitrary length.
4fe2af09	80	Good passphrases are 10-30 characters long and are
bf740959	81	not simple sentences or otherwise easily guessable (English
bf740959	82	prose has only 1-2 bits of entropy per word, and provides very bad
4fe2af09	83	passphrases).
4fe2af09	84	The passphrase can be changed later by using the
bf740959	85	.Fl p
	86	option.
	87	.Pp
4fe2af09	88	There is no way to recover a lost passphrase.
4fe2af09	89	If the passphrase is
bf740959	90	lost or forgotten, you will have to generate a new key and copy the
	91	corresponding public key to other machines.
	92	.Pp
1d1ffb87	93	For RSA, there is also a comment field in the key file that is only for
4fe2af09	94	convenience to the user to help identify the key.
	95	The comment can tell what the key is for, or whatever is useful.
	96	The comment is initialized to
bf740959	97	.Dq user@host
	98	when the key is created, but can be changed using the
	99	.Fl c
	100	option.
	101	.Pp
1d1ffb87	102	After a key is generated, instructions below detail where the keys
	103	should be placed to be activated.
	104	.Pp
bf740959	105	The options are as follows:
	106	.Bl -tag -width Ds
	107	.It Fl b Ar bits
4fe2af09	108	Specifies the number of bits in the key to create.
	109	Minimum is 512 bits.
	110	Generally 1024 bits is considered sufficient, and key sizes
	111	above that no longer improve security but make things slower.
	112	The default is 1024 bits.
bf740959	113	.It Fl c
	114	Requests changing the comment in the private and public key files.
	115	The program will prompt for the file containing the private keys, for
	116	passphrase if the key has one, and for the new comment.
f095fcc7	117	.It Fl f
	118	Specifies the filename of the key file.
	119	.It Fl l
	120	Show fingerprint of specified private or public key file.
bf740959	121	.It Fl p
bf740959	122	Requests changing the passphrase of a private key file instead of
4fe2af09	123	creating a new private key.
4fe2af09	124	The program will prompt for the file
bf740959	125	containing the private key, for the old passphrase, and twice for the
	126	new passphrase.
	127	.It Fl q
	128	Silence
	129	.Nm ssh-keygen .
	130	Used by
	131	.Pa /etc/rc
	132	when creating a new key.
	133	.It Fl C Ar comment
	134	Provides the new comment.
	135	.It Fl N Ar new_passphrase
	136	Provides the new passphrase.
	137	.It Fl P Ar passphrase
	138	Provides the (old) passphrase.
a306f2dd	139	.It Fl R
	140	If RSA support is functional, immediately exits with code 0. If RSA
	141	support is not functional, exits with code 1. This flag will be
	142	removed once the RSA patent expires.
1d1ffb87	143	.It Fl x
1d1ffb87	144	This option will read a private
d0c832f3	145	OpenSSH DSA format file and print a SSH2-compatible public key to stdout.
1d1ffb87	146	.It Fl X
1d1ffb87	147	This option will read a
d0c832f3	148	SSH2-compatible public key file and print an OpenSSH DSA compatible public key to stdout.
1d1ffb87	149	.It Fl y
1d1ffb87	150	This option will read a private
d0c832f3	151	OpenSSH DSA format file and print an OpenSSH DSA public key to stdout.
bf740959	152	.El
	153	.Sh FILES
	154	.Bl -tag -width Ds
bf740959	155	.It Pa $HOME/.ssh/identity
4fe2af09	156	Contains the RSA authentication identity of the user.
	157	This file should not be readable by anyone but the user.
	158	It is possible to
bf740959	159	specify a passphrase when generating the key; that passphrase will be
4fe2af09	160	used to encrypt the private part of this file using 3DES.
4fe2af09	161	This file is not automatically accessed by
bf740959	162	.Nm
bf740959	163	but it is offered as the default file for the private key.
1d1ffb87	164	.Xr sshd 8
1d1ffb87	165	will read this file when a login attempt is made.
bf740959	166	.It Pa $HOME/.ssh/identity.pub
4fe2af09	167	Contains the public key for authentication.
4fe2af09	168	The contents of this file should be added to
bf740959	169	.Pa $HOME/.ssh/authorized_keys
bf740959	170	on all machines
4fe2af09	171	where you wish to log in using RSA authentication.
4fe2af09	172	There is no need to keep the contents of this file secret.
1d1ffb87	173	.It Pa $HOME/.ssh/id_dsa
	174	Contains the DSA authentication identity of the user.
	175	This file should not be readable by anyone but the user.
	176	It is possible to
	177	specify a passphrase when generating the key; that passphrase will be
	178	used to encrypt the private part of this file using 3DES.
	179	This file is not automatically accessed by
	180	.Nm
	181	but it is offered as the default file for the private key.
	182	.Xr sshd 8
	183	will read this file when a login attempt is made.
	184	.It Pa $HOME/.ssh/id_dsa.pub
	185	Contains the public key for authentication.
	186	The contents of this file should be added to
	187	.Pa $HOME/.ssh/authorized_keys2
	188	on all machines
	189	where you wish to log in using DSA authentication.
	190	There is no need to keep the contents of this file secret.
bf740959	191	.Sh AUTHOR
	192	Tatu Ylonen <ylo@cs.hut.fi>
	193	.Pp
	194	OpenSSH
	195	is a derivative of the original (free) ssh 1.2.12 release, but with bugs
4fe2af09	196	removed and newer features re-added.
	197	Rapidly after the 1.2.12 release,
	198	newer versions bore successively more restrictive licenses.
	199	This version of OpenSSH
bf740959	200	.Bl -bullet
bf740959	201	.It
371ecff9	202	has all components of a restrictive nature (i.e., patents)
bf740959	203	directly removed from the source code; any licensed or patented components
	204	are chosen from
	205	external libraries.
	206	.It
	207	has been updated to support ssh protocol 1.5.
	208	.It
f54651ce	209	contains added support for
bf740959	210	.Xr kerberos 8
	211	authentication and ticket passing.
	212	.It
	213	supports one-time password authentication with
	214	.Xr skey 1 .
	215	.El
bf740959	216	.Sh SEE ALSO
	217	.Xr ssh 1 ,
	218	.Xr ssh-add 1 ,
0c372277	219	.Xr ssh-agent 1 ,
bf740959	220	.Xr sshd 8 ,