[openssh.git] / ssh-keygen.1

.\"  -*- nroff -*-
.\"
.\" ssh-keygen.1
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\"
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\"                    All rights reserved
.\"
.\" Created: Sat Apr 22 23:55:14 1995 ylo
.\"
.\" $Id$
.\"
.Dd September 25, 1999
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
.Nm ssh-keygen
.Nd authentication key generation
.Sh SYNOPSIS
.Nm ssh-keygen
.Op Fl q
.Op Fl b Ar bits
.Op Fl N Ar new_passphrase
.Op Fl C Ar comment
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl p
.Op Fl P Ar old_passphrase
.Op Fl N Ar new_passphrase
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl c
.Op Fl P Ar passphrase
.Op Fl C Ar comment
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl l
.Op Fl f Ar keyfile
.Nm ssh-keygen
.Fl R
.Sh DESCRIPTION
.Nm
generates and manages authentication keys for
.Xr ssh 1 .
Normally each user wishing to use SSH
with RSA authentication runs this once to create the authentication
key in
.Pa $HOME/.ssh/identity .
Additionally, the system administrator may use this to generate host keys.
.Pp
Normally this program generates the key and asks for a file in which
to store the private key.
The public key is stored in a file with the same name but
.Dq .pub
appended.
The program also asks for a passphrase.
The passphrase may be empty to indicate no passphrase
(host keys must have empty passphrase), or it may be a string of
arbitrary length.
Good passphrases are 10-30 characters long and are
not simple sentences or otherwise easily guessable (English
prose has only 1-2 bits of entropy per word, and provides very bad
passphrases).
The passphrase can be changed later by using the
.Fl p
option.
.Pp
There is no way to recover a lost passphrase.
If the passphrase is
lost or forgotten, you will have to generate a new key and copy the
corresponding public key to other machines.
.Pp
There is also a comment field in the key file that is only for
convenience to the user to help identify the key.
The comment can tell what the key is for, or whatever is useful.
The comment is initialized to
.Dq user@host
when the key is created, but can be changed using the
.Fl c
option.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl b Ar bits
Specifies the number of bits in the key to create.
Minimum is 512 bits.
Generally 1024 bits is considered sufficient, and key sizes
above that no longer improve security but make things slower.
The default is 1024 bits.
.It Fl c
Requests changing the comment in the private and public key files.
The program will prompt for the file containing the private keys, for
passphrase if the key has one, and for the new comment.
.It Fl f
Specifies the filename of the key file.
.It Fl l
Show fingerprint of specified private or public key file.
.It Fl p
Requests changing the passphrase of a private key file instead of
creating a new private key.
The program will prompt for the file
containing the private key, for the old passphrase, and twice for the
new passphrase.
.It Fl q
Silence
.Nm ssh-keygen .
Used by
.Pa /etc/rc
when creating a new key.
.It Fl C Ar comment
Provides the new comment.
.It Fl N Ar new_passphrase
Provides the new passphrase.
.It Fl P Ar passphrase
Provides the (old) passphrase.
.It Fl R
If RSA support is functional, immediately exits with code 0.  If RSA
support is not functional, exits with code 1.  This flag will be
removed once the RSA patent expires.
.El
.Sh FILES
.Bl -tag -width Ds
.It Pa $HOME/.ssh/identity
Contains the RSA authentication identity of the user.
This file should not be readable by anyone but the user.
It is possible to
specify a passphrase when generating the key; that passphrase will be
used to encrypt the private part of this file using 3DES.
This file is not automatically accessed by
.Nm
but it is offered as the default file for the private key.
.It Pa $HOME/.ssh/identity.pub
Contains the public key for authentication.
The contents of this file should be added to
.Pa $HOME/.ssh/authorized_keys
on all machines
where you wish to log in using RSA authentication.
There is no need to keep the contents of this file secret.
.Sh AUTHOR
Tatu Ylonen <ylo@cs.hut.fi>
.Pp
OpenSSH
is a derivative of the original (free) ssh 1.2.12 release, but with bugs
removed and newer features re-added.
Rapidly after the 1.2.12 release,
newer versions bore successively more restrictive licenses.
This version of OpenSSH
.Bl -bullet
.It
has all components of a restrictive nature (i.e., patents)
directly removed from the source code; any licensed or patented components
are chosen from
external libraries.
.It
has been updated to support ssh protocol 1.5.
.It
contains added support for
.Xr kerberos 8
authentication and ticket passing.
.It
supports one-time password authentication with
.Xr skey 1 .
.El
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr sshd 8 ,
Commit	Line	Data
bf740959	1	.\" -- nroff --
	2	.\"
	3	.\" ssh-keygen.1
	4	.\"
	5	.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
	6	.\"
	7	.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
	8	.\" All rights reserved
	9	.\"
	10	.\" Created: Sat Apr 22 23:55:14 1995 ylo
	11	.\"
	12	.\" $Id$
	13	.\"
	14	.Dd September 25, 1999
	15	.Dt SSH-KEYGEN 1
	16	.Os
	17	.Sh NAME
	18	.Nm ssh-keygen
	19	.Nd authentication key generation
	20	.Sh SYNOPSIS
	21	.Nm ssh-keygen
	22	.Op Fl q
	23	.Op Fl b Ar bits
	24	.Op Fl N Ar new_passphrase
	25	.Op Fl C Ar comment
f095fcc7	26	.Op Fl f Ar keyfile
bf740959	27	.Nm ssh-keygen
	28	.Fl p
	29	.Op Fl P Ar old_passphrase
	30	.Op Fl N Ar new_passphrase
f095fcc7	31	.Op Fl f Ar keyfile
bf740959	32	.Nm ssh-keygen
	33	.Fl c
	34	.Op Fl P Ar passphrase
	35	.Op Fl C Ar comment
f095fcc7	36	.Op Fl f Ar keyfile
	37	.Nm ssh-keygen
	38	.Fl l
	39	.Op Fl f Ar keyfile
a306f2dd	40	.Nm ssh-keygen
a306f2dd	41	.Fl R
f54651ce	42	.Sh DESCRIPTION
bf740959	43	.Nm
f54651ce	44	generates and manages authentication keys for
bf740959	45	.Xr ssh 1 .
	46	Normally each user wishing to use SSH
	47	with RSA authentication runs this once to create the authentication
	48	key in
	49	.Pa $HOME/.ssh/identity .
	50	Additionally, the system administrator may use this to generate host keys.
	51	.Pp
	52	Normally this program generates the key and asks for a file in which
4fe2af09	53	to store the private key.
4fe2af09	54	The public key is stored in a file with the same name but
bf740959	55	.Dq .pub
4fe2af09	56	appended.
	57	The program also asks for a passphrase.
	58	The passphrase may be empty to indicate no passphrase
bf740959	59	(host keys must have empty passphrase), or it may be a string of
4fe2af09	60	arbitrary length.
4fe2af09	61	Good passphrases are 10-30 characters long and are
bf740959	62	not simple sentences or otherwise easily guessable (English
bf740959	63	prose has only 1-2 bits of entropy per word, and provides very bad
4fe2af09	64	passphrases).
4fe2af09	65	The passphrase can be changed later by using the
bf740959	66	.Fl p
	67	option.
	68	.Pp
4fe2af09	69	There is no way to recover a lost passphrase.
4fe2af09	70	If the passphrase is
bf740959	71	lost or forgotten, you will have to generate a new key and copy the
	72	corresponding public key to other machines.
	73	.Pp
	74	There is also a comment field in the key file that is only for
4fe2af09	75	convenience to the user to help identify the key.
	76	The comment can tell what the key is for, or whatever is useful.
	77	The comment is initialized to
bf740959	78	.Dq user@host
	79	when the key is created, but can be changed using the
	80	.Fl c
	81	option.
	82	.Pp
	83	The options are as follows:
	84	.Bl -tag -width Ds
	85	.It Fl b Ar bits
4fe2af09	86	Specifies the number of bits in the key to create.
	87	Minimum is 512 bits.
	88	Generally 1024 bits is considered sufficient, and key sizes
	89	above that no longer improve security but make things slower.
	90	The default is 1024 bits.
bf740959	91	.It Fl c
	92	Requests changing the comment in the private and public key files.
	93	The program will prompt for the file containing the private keys, for
	94	passphrase if the key has one, and for the new comment.
f095fcc7	95	.It Fl f
	96	Specifies the filename of the key file.
	97	.It Fl l
	98	Show fingerprint of specified private or public key file.
bf740959	99	.It Fl p
bf740959	100	Requests changing the passphrase of a private key file instead of
4fe2af09	101	creating a new private key.
4fe2af09	102	The program will prompt for the file
bf740959	103	containing the private key, for the old passphrase, and twice for the
	104	new passphrase.
	105	.It Fl q
	106	Silence
	107	.Nm ssh-keygen .
	108	Used by
	109	.Pa /etc/rc
	110	when creating a new key.
	111	.It Fl C Ar comment
	112	Provides the new comment.
	113	.It Fl N Ar new_passphrase
	114	Provides the new passphrase.
	115	.It Fl P Ar passphrase
	116	Provides the (old) passphrase.
a306f2dd	117	.It Fl R
	118	If RSA support is functional, immediately exits with code 0. If RSA
	119	support is not functional, exits with code 1. This flag will be
	120	removed once the RSA patent expires.
bf740959	121	.El
	122	.Sh FILES
	123	.Bl -tag -width Ds
bf740959	124	.It Pa $HOME/.ssh/identity
4fe2af09	125	Contains the RSA authentication identity of the user.
	126	This file should not be readable by anyone but the user.
	127	It is possible to
bf740959	128	specify a passphrase when generating the key; that passphrase will be
4fe2af09	129	used to encrypt the private part of this file using 3DES.
4fe2af09	130	This file is not automatically accessed by
bf740959	131	.Nm
	132	but it is offered as the default file for the private key.
	133	.It Pa $HOME/.ssh/identity.pub
4fe2af09	134	Contains the public key for authentication.
4fe2af09	135	The contents of this file should be added to
bf740959	136	.Pa $HOME/.ssh/authorized_keys
bf740959	137	on all machines
4fe2af09	138	where you wish to log in using RSA authentication.
4fe2af09	139	There is no need to keep the contents of this file secret.
bf740959	140	.Sh AUTHOR
	141	Tatu Ylonen <ylo@cs.hut.fi>
	142	.Pp
	143	OpenSSH
	144	is a derivative of the original (free) ssh 1.2.12 release, but with bugs
4fe2af09	145	removed and newer features re-added.
	146	Rapidly after the 1.2.12 release,
	147	newer versions bore successively more restrictive licenses.
	148	This version of OpenSSH
bf740959	149	.Bl -bullet
bf740959	150	.It
371ecff9	151	has all components of a restrictive nature (i.e., patents)
bf740959	152	directly removed from the source code; any licensed or patented components
	153	are chosen from
	154	external libraries.
	155	.It
	156	has been updated to support ssh protocol 1.5.
	157	.It
f54651ce	158	contains added support for
bf740959	159	.Xr kerberos 8
	160	authentication and ticket passing.
	161	.It
	162	supports one-time password authentication with
	163	.Xr skey 1 .
	164	.El
bf740959	165	.Sh SEE ALSO
	166	.Xr ssh 1 ,
	167	.Xr ssh-add 1 ,
0c372277	168	.Xr ssh-agent 1 ,
bf740959	169	.Xr sshd 8 ,