1 .\" $OpenBSD: ssh-keygen.1,v 1.35 2001/03/11 22:33:23 markus Exp $
5 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
6 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
7 .\" All rights reserved
9 .\" As far as I am concerned, the code I have written for this software
10 .\" can be used freely for any purpose. Any derived versions of this
11 .\" software must be clearly marked as such, and if the derived work is
12 .\" incompatible with the protocol description in the RFC file, it must be
13 .\" called by a name other than "ssh" or "Secure Shell".
16 .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
17 .\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
18 .\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
20 .\" Redistribution and use in source and binary forms, with or without
21 .\" modification, are permitted provided that the following conditions
23 .\" 1. Redistributions of source code must retain the above copyright
24 .\" notice, this list of conditions and the following disclaimer.
25 .\" 2. Redistributions in binary form must reproduce the above copyright
26 .\" notice, this list of conditions and the following disclaimer in the
27 .\" documentation and/or other materials provided with the distribution.
29 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
30 .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
31 .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
32 .\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
33 .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
34 .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
35 .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
36 .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
37 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
40 .Dd September 25, 1999
45 .Nd authentication key generation
51 .Op Fl N Ar new_passphrase
53 .Op Fl f Ar output_keyfile
56 .Op Fl P Ar old_passphrase
57 .Op Fl N Ar new_passphrase
61 .Op Fl f Ar input_keyfile
64 .Op Fl f Ar input_keyfile
67 .Op Fl f Ar input_keyfile
70 .Op Fl P Ar passphrase
75 .Op Fl f Ar input_keyfile
78 .Op Fl f Ar input_keyfile
81 generates and manages authentication keys for
84 defaults to generating an RSA key for use by protocols 1.3 and 1.5;
87 option allows you to create a key for use by protocol 2.0.
89 Normally each user wishing to use SSH
90 with RSA or DSA authentication runs this once to create the authentication
92 .Pa $HOME/.ssh/identity
94 .Pa $HOME/.ssh/id_dsa .
95 Additionally, the system administrator may use this to generate host keys,
99 Normally this program generates the key and asks for a file in which
100 to store the private key.
101 The public key is stored in a file with the same name but
104 The program also asks for a passphrase.
105 The passphrase may be empty to indicate no passphrase
106 (host keys must have an empty passphrase), or it may be a string of
108 Good passphrases are 10-30 characters long and are
109 not simple sentences or otherwise easily guessable (English
110 prose has only 1-2 bits of entropy per word, and provides very bad
112 The passphrase can be changed later by using the
116 There is no way to recover a lost passphrase.
118 lost or forgotten, you will have to generate a new key and copy the
119 corresponding public key to other machines.
121 For RSA, there is also a comment field in the key file that is only for
122 convenience to the user to help identify the key.
123 The comment can tell what the key is for, or whatever is useful.
124 The comment is initialized to
126 when the key is created, but can be changed using the
130 After a key is generated, instructions below detail where the keys
131 should be placed to be activated.
133 The options are as follows:
136 Specifies the number of bits in the key to create.
138 Generally 1024 bits is considered sufficient, and key sizes
139 above that no longer improve security but make things slower.
140 The default is 1024 bits.
142 Requests changing the comment in the private and public key files.
143 The program will prompt for the file containing the private keys, for
144 passphrase if the key has one, and for the new comment.
146 Specifies the filename of the key file.
148 Show fingerprint of specified private or public key file.
150 Requests changing the passphrase of a private key file instead of
151 creating a new private key.
152 The program will prompt for the file
153 containing the private key, for the old passphrase, and twice for the
160 when creating a new key.
162 Specifies the type of the key to create.
163 The possible values are
165 for protocol version 1 and
169 for protocol version 2.
173 Show the bubblebabble digest of specified private or public key file.
175 Provides the new comment.
176 .It Fl N Ar new_passphrase
177 Provides the new passphrase.
178 .It Fl P Ar passphrase
179 Provides the (old) passphrase.
181 This option will read a private
182 OpenSSH DSA format file and print a SSH2-compatible public key to stdout.
184 This option will read a unencrypted
185 SSH2-compatible private (or public) key file and
186 print an OpenSSH compatible private (or public) key to stdout.
188 This option will read a private
189 OpenSSH format file and print an OpenSSH public key to stdout.
193 .It Pa $HOME/.ssh/identity
194 Contains the RSA authentication identity of the user.
195 This file should not be readable by anyone but the user.
197 specify a passphrase when generating the key; that passphrase will be
198 used to encrypt the private part of this file using 3DES.
199 This file is not automatically accessed by
201 but it is offered as the default file for the private key.
203 will read this file when a login attempt is made.
204 .It Pa $HOME/.ssh/identity.pub
205 Contains the public key for authentication.
206 The contents of this file should be added to
207 .Pa $HOME/.ssh/authorized_keys
209 where you wish to log in using RSA authentication.
210 There is no need to keep the contents of this file secret.
211 .It Pa $HOME/.ssh/id_dsa
212 Contains the DSA authentication identity of the user.
213 This file should not be readable by anyone but the user.
215 specify a passphrase when generating the key; that passphrase will be
216 used to encrypt the private part of this file using 3DES.
217 This file is not automatically accessed by
219 but it is offered as the default file for the private key.
221 will read this file when a login attempt is made.
222 .It Pa $HOME/.ssh/id_dsa.pub
223 Contains the public key for authentication.
224 The contents of this file should be added to
225 .Pa $HOME/.ssh/authorized_keys2
227 where you wish to log in using public key authentication.
228 There is no need to keep the contents of this file secret.
231 OpenSSH is a derivative of the original and free
232 ssh 1.2.12 release by Tatu Ylonen.
233 Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
234 Theo de Raadt and Dug Song
235 removed many bugs, re-added newer features and
237 Markus Friedl contributed the support for SSH
238 protocol versions 1.5 and 2.0.