222 lines
7.5 KiB
Groff
222 lines
7.5 KiB
Groff
|
.\" -*- nroff -*-
|
||
|
.\"
|
||
|
.\" $NetBSD: ssh-keygen.1,v 1.1.1.1 2000/09/28 22:10:29 thorpej Exp $
|
||
|
.\"
|
||
|
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||
|
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||
|
.\" All rights reserved
|
||
|
.\"
|
||
|
.\" As far as I am concerned, the code I have written for this software
|
||
|
.\" can be used freely for any purpose. Any derived versions of this
|
||
|
.\" software must be clearly marked as such, and if the derived work is
|
||
|
.\" incompatible with the protocol description in the RFC file, it must be
|
||
|
.\" called by a name other than "ssh" or "Secure Shell".
|
||
|
.\"
|
||
|
.\"
|
||
|
.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
|
||
|
.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
|
||
|
.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
|
||
|
.\"
|
||
|
.\" Redistribution and use in source and binary forms, with or without
|
||
|
.\" modification, are permitted provided that the following conditions
|
||
|
.\" are met:
|
||
|
.\" 1. Redistributions of source code must retain the above copyright
|
||
|
.\" notice, this list of conditions and the following disclaimer.
|
||
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||
|
.\" notice, this list of conditions and the following disclaimer in the
|
||
|
.\" documentation and/or other materials provided with the distribution.
|
||
|
.\"
|
||
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||
|
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||
|
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||
|
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||
|
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||
|
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||
|
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||
|
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||
|
.\"
|
||
|
.Dd August 6, 2000
|
||
|
.Dt SSH-KEYGEN 1
|
||
|
.Os
|
||
|
.Sh NAME
|
||
|
.Nm ssh-keygen
|
||
|
.Nd generate Secure Shell authentication keys
|
||
|
.Sh SYNOPSIS
|
||
|
.Nm ssh-keygen
|
||
|
.Op Fl dq
|
||
|
.Op Fl b Ar bits
|
||
|
.Op Fl N Ar new_passphrase
|
||
|
.Op Fl C Ar comment
|
||
|
.Op Fl f Ar output_keyfile
|
||
|
.Nm ssh-keygen
|
||
|
.Fl p
|
||
|
.Op Fl P Ar old_passphrase
|
||
|
.Op Fl N Ar new_passphrase
|
||
|
.Op Fl f Ar keyfile
|
||
|
.Nm ssh-keygen
|
||
|
.Fl x
|
||
|
.Op Fl f Ar input_keyfile
|
||
|
.Nm ssh-keygen
|
||
|
.Fl X
|
||
|
.Op Fl f Ar input_keyfile
|
||
|
.Nm ssh-keygen
|
||
|
.Fl y
|
||
|
.Op Fl f Ar input_keyfile
|
||
|
.Nm ssh-keygen
|
||
|
.Fl c
|
||
|
.Op Fl P Ar passphrase
|
||
|
.Op Fl C Ar comment
|
||
|
.Op Fl f Ar keyfile
|
||
|
.Nm ssh-keygen
|
||
|
.Fl l
|
||
|
.Op Fl f Ar input_keyfile
|
||
|
.Nm ssh-keygen
|
||
|
.Fl R
|
||
|
.Sh DESCRIPTION
|
||
|
.Nm
|
||
|
generates and manages authentication keys for
|
||
|
.Xr ssh 1 .
|
||
|
.Nm
|
||
|
defaults to generating an RSA key for use by protocols 1.3 and 1.5;
|
||
|
specifying the
|
||
|
.Fl d
|
||
|
flag will create a DSA key for use by protocol 2.0.
|
||
|
.Pp
|
||
|
Normally each user wishing to use Secure Shell
|
||
|
with RSA or DSA authentication runs this once to create the
|
||
|
authentication key in
|
||
|
.Pa $HOME/.ssh/identity
|
||
|
or
|
||
|
.Pa $HOME/.ssh/id_dsa .
|
||
|
Additionally, the system administrator may use this to generate host keys;
|
||
|
An example of this can be found in the
|
||
|
.Xr sshd 8
|
||
|
startup script
|
||
|
.Pa /etc/rc.d/sshd .
|
||
|
.Pp
|
||
|
Normally this program generates the key and asks for a file in which
|
||
|
to store the private key.
|
||
|
The public key is stored in a file with the same name but
|
||
|
.Dq .pub
|
||
|
appended.
|
||
|
The program also asks for a passphrase.
|
||
|
The passphrase may be empty to indicate no passphrase
|
||
|
(host keys must have empty passphrase), or it may be a string of
|
||
|
arbitrary length.
|
||
|
Good passphrases are 10-30 characters long and are
|
||
|
not simple sentences or otherwise easily guessable (English
|
||
|
prose has only 1-2 bits of entropy per word, and makes very bad
|
||
|
passphrases).
|
||
|
The passphrase can be changed later by using the
|
||
|
.Fl p
|
||
|
option.
|
||
|
.Pp
|
||
|
There is no way to recover a lost passphrase. If the passphrase is
|
||
|
lost or forgotten, you will have to generate a new key and copy the
|
||
|
corresponding public key to other machines.
|
||
|
.Pp
|
||
|
For RSA, there is also a comment field in the key file that is only for
|
||
|
convenience to the user to help identify the key.
|
||
|
The comment can tell what the key is for, or whatever is useful.
|
||
|
The comment is initialized to
|
||
|
.Dq user@host
|
||
|
when the key is created, but can be changed using the
|
||
|
.Fl c
|
||
|
option.
|
||
|
.Pp
|
||
|
After a key is generated, instructions below detail where the keys
|
||
|
should be placed to be activated.
|
||
|
.Pp
|
||
|
The options are as follows:
|
||
|
.Bl -tag -width Ds
|
||
|
.It Fl b Ar bits
|
||
|
Specifies the number of bits in the key to create.
|
||
|
Minimum is 512 bits.
|
||
|
Generally 1024 bits is considered sufficient, and key sizes
|
||
|
above that no longer improve security but make things slower.
|
||
|
The default is 1024 bits.
|
||
|
.It Fl c
|
||
|
Requests changing the comment in the private and public key files.
|
||
|
The program will prompt for the file containing the private keys, for
|
||
|
passphrase if the key has one, and for the new comment.
|
||
|
.It Fl f
|
||
|
Specifies the filename of the key file.
|
||
|
.It Fl l
|
||
|
Show fingerprint of specified private or public key file.
|
||
|
.It Fl p
|
||
|
Requests changing the passphrase of a private key file instead of
|
||
|
creating a new private key.
|
||
|
The program will prompt for the file
|
||
|
containing the private key, for the old passphrase, and twice for the
|
||
|
new passphrase.
|
||
|
.It Fl q
|
||
|
Silence
|
||
|
.Nm ssh-keygen .
|
||
|
Used by
|
||
|
.Pa /etc/rc.d/sshd
|
||
|
when creating a new key.
|
||
|
.It Fl C Ar comment
|
||
|
Provides the new comment.
|
||
|
.It Fl N Ar new_passphrase
|
||
|
Provides the new passphrase.
|
||
|
.It Fl P Ar passphrase
|
||
|
Provides the (old) passphrase.
|
||
|
.It Fl R
|
||
|
If RSA support is functional, immediately exits with code 0. If RSA
|
||
|
support is not functional, exits with code 1. This flag will be
|
||
|
removed once the RSA patent expires.
|
||
|
.It Fl x
|
||
|
This option will read a private OpenSSH-compatible DSA format file and
|
||
|
print a SSH2-compatible public key to stdout.
|
||
|
.It Fl X
|
||
|
This option will read a SSH2-compatible public key file and print an
|
||
|
OpenSSH-compatible DSA public key to stdout.
|
||
|
.It Fl y
|
||
|
This option will read a private OpenSSH-compatible DSA format file and
|
||
|
print an OpenSSH-compatible DSA public key to stdout.
|
||
|
.El
|
||
|
.Sh FILES
|
||
|
.Bl -tag -width Ds
|
||
|
.It Pa $HOME/.ssh/identity
|
||
|
Contains the RSA authentication identity of the user.
|
||
|
This file should not be readable by anyone but the user.
|
||
|
It is possible to specify a passphrase when generating the key; that
|
||
|
passphrase will be used to encrypt the private part of this file using
|
||
|
3DES. This file is not automatically accessed by
|
||
|
.Nm
|
||
|
but it is offered as the default file for the private key.
|
||
|
.Xr sshd 8
|
||
|
will read this file when a login attempt is made.
|
||
|
.It Pa $HOME/.ssh/identity.pub
|
||
|
Contains the public key for authentication. The contents of this file
|
||
|
should be added to
|
||
|
.Pa $HOME/.ssh/authorized_keys
|
||
|
on all machines where you wish to log in using RSA authentication.
|
||
|
There is no need to keep the contents of this file secret.
|
||
|
.It Pa $HOME/.ssh/id_dsa
|
||
|
Contains the DSA authentication identity of the user. This file
|
||
|
should not be readable by anyone but the user. It is possible to
|
||
|
specify a passphrase when generating the key; that passphrase will be
|
||
|
used to encrypt the private part of this file using 3DES.
|
||
|
This file is not automatically accessed by
|
||
|
.Nm
|
||
|
but it is offered as the default file for the private key.
|
||
|
.Xr sshd 8
|
||
|
will read this file when a login attempt is made.
|
||
|
.It Pa $HOME/.ssh/id_dsa.pub
|
||
|
Contains the public key for authentication. The contents of this
|
||
|
file should be added to
|
||
|
.Pa $HOME/.ssh/authorized_keys2
|
||
|
on all machines where you wish to log in using DSA authentication.
|
||
|
There is no need to keep the contents of this file secret.
|
||
|
.El
|
||
|
.Sh AUTHOR
|
||
|
Tatu Ylonen <ylo@cs.hut.fi>
|
||
|
.Sh SEE ALSO
|
||
|
.Xr ssh 1 ,
|
||
|
.Xr ssh-add 1 ,
|
||
|
.Xr ssh-agent 1 ,
|
||
|
.Xr sshd 8
|