1 .\" $OpenBSD: ssh-keygen.1,v 1.58 2003/05/20 12:09:31 jmc Exp $
5 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
6 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 .\" All rights reserved
9 .\" As far as I am concerned, the code I have written for this software
10 .\" can be used freely for any purpose. Any derived versions of this
11 .\" software must be clearly marked as such, and if the derived work is
12 .\" incompatible with the protocol description in the RFC file, it must be
13 .\" called by a name other than "ssh" or "Secure Shell".
16 .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
17 .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
18 .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
20 .\" Redistribution and use in source and binary forms, with or without
21 .\" modification, are permitted provided that the following conditions
23 .\" 1. Redistributions of source code must retain the above copyright
24 .\" notice, this list of conditions and the following disclaimer.
25 .\" 2. Redistributions in binary form must reproduce the above copyright
26 .\" notice, this list of conditions and the following disclaimer in the
27 .\" documentation and/or other materials provided with the distribution.
29 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
30 .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
31 .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
32 .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
33 .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
34 .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
35 .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
36 .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
37 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
40 .Dd September 25, 1999
45 .Nd authentication key generation, management and conversion
52 .Op Fl N Ar new_passphrase
54 .Op Fl f Ar output_keyfile
58 .Op Fl P Ar old_passphrase
59 .Op Fl N Ar new_passphrase
63 .Op Fl f Ar input_keyfile
66 .Op Fl f Ar input_keyfile
69 .Op Fl f Ar input_keyfile
72 .Op Fl P Ar passphrase
77 .Op Fl f Ar input_keyfile
80 .Op Fl f Ar input_keyfile
85 .Op Fl f Ar input_keyfile
88 .Op Fl f Ar input_keyfile
92 generates, manages and converts authentication keys for
95 can create RSA keys for use by SSH protocol version 1 and RSA or DSA
96 keys for use by SSH protocol version 2.
97 The type of key to be generated is specified with the
101 Normally each user wishing to use SSH
102 with RSA or DSA authentication runs this once to create the authentication
104 .Pa $HOME/.ssh/identity ,
105 .Pa $HOME/.ssh/id_dsa
107 .Pa $HOME/.ssh/id_rsa .
108 Additionally, the system administrator may use this to generate host keys,
112 Normally this program generates the key and asks for a file in which
113 to store the private key.
114 The public key is stored in a file with the same name but
117 The program also asks for a passphrase.
118 The passphrase may be empty to indicate no passphrase
119 (host keys must have an empty passphrase), or it may be a string of
121 A passphrase is similar to a password, except it can be a phrase with a
122 series of words, punctuation, numbers, whitespace, or any string of
124 Good passphrases are 10-30 characters long, are
125 not simple sentences or otherwise easily guessable (English
126 prose has only 1-2 bits of entropy per character, and provides very bad
127 passphrases), and contain a mix of upper and lowercase letters,
128 numbers, and non-alphanumeric characters.
129 The passphrase can be changed later by using the
133 There is no way to recover a lost passphrase.
135 lost or forgotten, a new key must be generated and copied to the
136 corresponding public key to other machines.
139 there is also a comment field in the key file that is only for
140 convenience to the user to help identify the key.
141 The comment can tell what the key is for, or whatever is useful.
142 The comment is initialized to
144 when the key is created, but can be changed using the
148 After a key is generated, instructions below detail where the keys
149 should be placed to be activated.
151 The options are as follows:
154 Specifies the number of bits in the key to create.
156 Generally, 1024 bits is considered sufficient.
157 The default is 1024 bits.
159 Requests changing the comment in the private and public key files.
160 This operation is only supported for RSA1 keys.
161 The program will prompt for the file containing the private keys, for
162 the passphrase if the key has one, and for the new comment.
164 This option will read a private or public OpenSSH key file and
166 .Sq SECSH Public Key File Format
168 This option allows exporting keys for use by several commercial
171 Use generic DNS resource record format.
173 Specifies the filename of the key file.
175 This option will read an unencrypted private (or public) key file
176 in SSH2-compatible format and print an OpenSSH compatible private
177 (or public) key to stdout.
180 .Sq SECSH Public Key File Format .
181 This option allows importing keys from several commercial
184 Show fingerprint of specified public key file.
185 Private RSA1 keys are also supported.
188 tries to find the matching public key file and prints its fingerprint.
190 Requests changing the passphrase of a private key file instead of
191 creating a new private key.
192 The program will prompt for the file
193 containing the private key, for the old passphrase, and twice for the
200 when creating a new key.
202 This option will read a private
203 OpenSSH format file and print an OpenSSH public key to stdout.
205 Specifies the type of the key to create.
206 The possible values are
208 for protocol version 1 and
212 for protocol version 2.
214 Show the bubblebabble digest of specified private or public key file.
216 Provides the new comment.
218 Download the RSA public key stored in the smartcard in
220 .It Fl N Ar new_passphrase
221 Provides the new passphrase.
222 .It Fl P Ar passphrase
223 Provides the (old) passphrase.
225 Upload an existing RSA private key into the smartcard in
228 Print DNS resource record with the specified
233 .It Pa $HOME/.ssh/identity
234 Contains the protocol version 1 RSA authentication identity of the user.
235 This file should not be readable by anyone but the user.
237 specify a passphrase when generating the key; that passphrase will be
238 used to encrypt the private part of this file using 3DES.
239 This file is not automatically accessed by
241 but it is offered as the default file for the private key.
243 will read this file when a login attempt is made.
244 .It Pa $HOME/.ssh/identity.pub
245 Contains the protocol version 1 RSA public key for authentication.
246 The contents of this file should be added to
247 .Pa $HOME/.ssh/authorized_keys
249 where the user wishes to log in using RSA authentication.
250 There is no need to keep the contents of this file secret.
251 .It Pa $HOME/.ssh/id_dsa
252 Contains the protocol version 2 DSA authentication identity of the user.
253 This file should not be readable by anyone but the user.
255 specify a passphrase when generating the key; that passphrase will be
256 used to encrypt the private part of this file using 3DES.
257 This file is not automatically accessed by
259 but it is offered as the default file for the private key.
261 will read this file when a login attempt is made.
262 .It Pa $HOME/.ssh/id_dsa.pub
263 Contains the protocol version 2 DSA public key for authentication.
264 The contents of this file should be added to
265 .Pa $HOME/.ssh/authorized_keys
267 where the user wishes to log in using public key authentication.
268 There is no need to keep the contents of this file secret.
269 .It Pa $HOME/.ssh/id_rsa
270 Contains the protocol version 2 RSA authentication identity of the user.
271 This file should not be readable by anyone but the user.
273 specify a passphrase when generating the key; that passphrase will be
274 used to encrypt the private part of this file using 3DES.
275 This file is not automatically accessed by
277 but it is offered as the default file for the private key.
279 will read this file when a login attempt is made.
280 .It Pa $HOME/.ssh/id_rsa.pub
281 Contains the protocol version 2 RSA public key for authentication.
282 The contents of this file should be added to
283 .Pa $HOME/.ssh/authorized_keys
285 where the user wishes to log in using public key authentication.
286 There is no need to keep the contents of this file secret.
289 OpenSSH is a derivative of the original and free
290 ssh 1.2.12 release by Tatu Ylonen.
291 Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
292 Theo de Raadt and Dug Song
293 removed many bugs, re-added newer features and
295 Markus Friedl contributed the support for SSH
296 protocol versions 1.5 and 2.0.
305 .%T "SECSH Public Key File Format"
306 .%N draft-ietf-secsh-publickeyfile-01.txt
308 .%O work in progress material