1.\" $OpenBSD: ssh-keygen.1,v 1.101 2010/10/28 18:33:28 jmc Exp $ 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this 9.\" software must be clearly marked as such, and if the derived work is 10.\" incompatible with the protocol description in the RFC file, it must be 11.\" called by a name other than "ssh" or "Secure Shell". 12.\" 13.\" 14.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 15.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 16.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 17.\" 18.\" Redistribution and use in source and binary forms, with or without 19.\" modification, are permitted provided that the following conditions 20.\" are met: 21.\" 1. Redistributions of source code must retain the above copyright 22.\" notice, this list of conditions and the following disclaimer. 23.\" 2. Redistributions in binary form must reproduce the above copyright 24.\" notice, this list of conditions and the following disclaimer in the 25.\" documentation and/or other materials provided with the distribution. 26.\" 27.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 28.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 29.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 37.\" 38.Dd $Mdocdate: October 28 2010 $ 39.Dt SSH-KEYGEN 1 40.Os 41.Sh NAME 42.Nm ssh-keygen 43.Nd authentication key generation, management and conversion 44.Sh SYNOPSIS 45.Bk -words 46.Nm ssh-keygen 47.Op Fl q 48.Op Fl b Ar bits 49.Fl t Ar type 50.Op Fl N Ar new_passphrase 51.Op Fl C Ar comment 52.Op Fl f Ar output_keyfile 53.Nm ssh-keygen 54.Fl p 55.Op Fl P Ar old_passphrase 56.Op Fl N Ar new_passphrase 57.Op Fl f Ar keyfile 58.Nm ssh-keygen 59.Fl i 60.Op Fl m Ar key_format 61.Op Fl f Ar input_keyfile 62.Nm ssh-keygen 63.Fl e 64.Op Fl m Ar key_format 65.Op Fl f Ar input_keyfile 66.Nm ssh-keygen 67.Fl y 68.Op Fl f Ar input_keyfile 69.Nm ssh-keygen 70.Fl c 71.Op Fl P Ar passphrase 72.Op Fl C Ar comment 73.Op Fl f Ar keyfile 74.Nm ssh-keygen 75.Fl l 76.Op Fl f Ar input_keyfile 77.Nm ssh-keygen 78.Fl B 79.Op Fl f Ar input_keyfile 80.Nm ssh-keygen 81.Fl D Ar pkcs11 82.Nm ssh-keygen 83.Fl F Ar hostname 84.Op Fl f Ar known_hosts_file 85.Op Fl l 86.Nm ssh-keygen 87.Fl H 88.Op Fl f Ar known_hosts_file 89.Nm ssh-keygen 90.Fl R Ar hostname 91.Op Fl f Ar known_hosts_file 92.Nm ssh-keygen 93.Fl r Ar hostname 94.Op Fl f Ar input_keyfile 95.Op Fl g 96.Nm ssh-keygen 97.Fl G Ar output_file 98.Op Fl v 99.Op Fl b Ar bits 100.Op Fl M Ar memory 101.Op Fl S Ar start_point 102.Nm ssh-keygen 103.Fl T Ar output_file 104.Fl f Ar input_file 105.Op Fl v 106.Op Fl a Ar num_trials 107.Op Fl W Ar generator 108.Nm ssh-keygen 109.Fl s Ar ca_key 110.Fl I Ar certificate_identity 111.Op Fl h 112.Op Fl n Ar principals 113.Op Fl O Ar option 114.Op Fl V Ar validity_interval 115.Op Fl z Ar serial_number 116.Ar 117.Nm ssh-keygen 118.Fl L 119.Op Fl f Ar input_keyfile 120.Ek 121.Sh DESCRIPTION 122.Nm 123generates, manages and converts authentication keys for 124.Xr ssh 1 . 125.Nm 126can create RSA keys for use by SSH protocol version 1 and DSA, ECDSA or RSA 127keys for use by SSH protocol version 2. 128The type of key to be generated is specified with the 129.Fl t 130option. 131If invoked without any arguments, 132.Nm 133will generate an RSA key for use in SSH protocol 2 connections. 134.Pp 135.Nm 136is also used to generate groups for use in Diffie-Hellman group 137exchange (DH-GEX). 138See the 139.Sx MODULI GENERATION 140section for details. 141.Pp 142Normally each user wishing to use SSH 143with public key authentication runs this once to create the authentication 144key in 145.Pa ~/.ssh/identity , 146.Pa ~/.ssh/id_ecdsa , 147.Pa ~/.ssh/id_dsa 148or 149.Pa ~/.ssh/id_rsa . 150Additionally, the system administrator may use this to generate host keys, 151as seen in 152.Pa /etc/rc . 153.Pp 154Normally this program generates the key and asks for a file in which 155to store the private key. 156The public key is stored in a file with the same name but 157.Dq .pub 158appended. 159The program also asks for a passphrase. 160The passphrase may be empty to indicate no passphrase 161(host keys must have an empty passphrase), or it may be a string of 162arbitrary length. 163A passphrase is similar to a password, except it can be a phrase with a 164series of words, punctuation, numbers, whitespace, or any string of 165characters you want. 166Good passphrases are 10-30 characters long, are 167not simple sentences or otherwise easily guessable (English 168prose has only 1-2 bits of entropy per character, and provides very bad 169passphrases), and contain a mix of upper and lowercase letters, 170numbers, and non-alphanumeric characters. 171The passphrase can be changed later by using the 172.Fl p 173option. 174.Pp 175There is no way to recover a lost passphrase. 176If the passphrase is 177lost or forgotten, a new key must be generated and copied to the 178corresponding public key to other machines. 179.Pp 180For RSA1 keys, 181there is also a comment field in the key file that is only for 182convenience to the user to help identify the key. 183The comment can tell what the key is for, or whatever is useful. 184The comment is initialized to 185.Dq user@host 186when the key is created, but can be changed using the 187.Fl c 188option. 189.Pp 190After a key is generated, instructions below detail where the keys 191should be placed to be activated. 192.Pp 193The options are as follows: 194.Bl -tag -width Ds 195.It Fl a Ar trials 196Specifies the number of primality tests to perform when screening DH-GEX 197candidates using the 198.Fl T 199command. 200.It Fl B 201Show the bubblebabble digest of specified private or public key file. 202.It Fl b Ar bits 203Specifies the number of bits in the key to create. 204For RSA keys, the minimum size is 768 bits and the default is 2048 bits. 205Generally, 2048 bits is considered sufficient. 206DSA keys must be exactly 1024 bits as specified by FIPS 186-2. 207.It Fl C Ar comment 208Provides a new comment. 209.It Fl c 210Requests changing the comment in the private and public key files. 211This operation is only supported for RSA1 keys. 212The program will prompt for the file containing the private keys, for 213the passphrase if the key has one, and for the new comment. 214.It Fl D Ar pkcs11 215Download the RSA public keys provided by the PKCS#11 shared library 216.Ar pkcs11 . 217When used in combination with 218.Fl s , 219this option indicates that a CA key resides in a PKCS#11 token (see the 220.Sx CERTIFICATES 221section for details). 222.It Fl e 223This option will read a private or public OpenSSH key file and 224print to stdout the key in one of the formats specified by the 225.Fl m 226option. 227The default export format is 228.Dq RFC4716 . 229This option allows exporting OpenSSH keys for use by other programs, including 230several commercial SSH implementations. 231.It Fl F Ar hostname 232Search for the specified 233.Ar hostname 234in a 235.Pa known_hosts 236file, listing any occurrences found. 237This option is useful to find hashed host names or addresses and may also be 238used in conjunction with the 239.Fl H 240option to print found keys in a hashed format. 241.It Fl f Ar filename 242Specifies the filename of the key file. 243.It Fl G Ar output_file 244Generate candidate primes for DH-GEX. 245These primes must be screened for 246safety (using the 247.Fl T 248option) before use. 249.It Fl g 250Use generic DNS format when printing fingerprint resource records using the 251.Fl r 252command. 253.It Fl H 254Hash a 255.Pa known_hosts 256file. 257This replaces all hostnames and addresses with hashed representations 258within the specified file; the original content is moved to a file with 259a .old suffix. 260These hashes may be used normally by 261.Nm ssh 262and 263.Nm sshd , 264but they do not reveal identifying information should the file's contents 265be disclosed. 266This option will not modify existing hashed hostnames and is therefore safe 267to use on files that mix hashed and non-hashed names. 268.It Fl h 269When signing a key, create a host certificate instead of a user 270certificate. 271Please see the 272.Sx CERTIFICATES 273section for details. 274.It Fl I Ar certificate_identity 275Specify the key identity when signing a public key. 276Please see the 277.Sx CERTIFICATES 278section for details. 279.It Fl i 280This option will read an unencrypted private (or public) key file 281in the format specified by the 282.Fl m 283option and print an OpenSSH compatible private 284(or public) key to stdout. 285This option allows importing keys from other software, including several 286commercial SSH implementations. 287The default import format is 288.Dq RFC4716 . 289.It Fl L 290Prints the contents of a certificate. 291.It Fl l 292Show fingerprint of specified public key file. 293Private RSA1 keys are also supported. 294For RSA and DSA keys 295.Nm 296tries to find the matching public key file and prints its fingerprint. 297If combined with 298.Fl v , 299an ASCII art representation of the key is supplied with the fingerprint. 300.It Fl M Ar memory 301Specify the amount of memory to use (in megabytes) when generating 302candidate moduli for DH-GEX. 303.It Fl m Ar key_format 304Specify a key format for the 305.Fl i 306(import) or 307.Fl e 308(export) conversion options. 309The supported key formats are: 310.Dq RFC4716 311(RFC 4716/SSH2 public or private key), 312.Dq PKCS8 313(PEM PKCS8 public key) 314or 315.Dq PEM 316(PEM public key). 317The default conversion format is 318.Dq RFC4716 . 319.It Fl N Ar new_passphrase 320Provides the new passphrase. 321.It Fl n Ar principals 322Specify one or more principals (user or host names) to be included in 323a certificate when signing a key. 324Multiple principals may be specified, separated by commas. 325Please see the 326.Sx CERTIFICATES 327section for details. 328.It Fl O Ar option 329Specify a certificate option when signing a key. 330This option may be specified multiple times. 331Please see the 332.Sx CERTIFICATES 333section for details. 334The options that are valid for user certificates are: 335.Bl -tag -width Ds 336.It Ic clear 337Clear all enabled permissions. 338This is useful for clearing the default set of permissions so permissions may 339be added individually. 340.It Ic force-command Ns = Ns Ar command 341Forces the execution of 342.Ar command 343instead of any shell or command specified by the user when 344the certificate is used for authentication. 345.It Ic no-agent-forwarding 346Disable 347.Xr ssh-agent 1 348forwarding (permitted by default). 349.It Ic no-port-forwarding 350Disable port forwarding (permitted by default). 351.It Ic no-pty 352Disable PTY allocation (permitted by default). 353.It Ic no-user-rc 354Disable execution of 355.Pa ~/.ssh/rc 356by 357.Xr sshd 8 358(permitted by default). 359.It Ic no-x11-forwarding 360Disable X11 forwarding (permitted by default). 361.It Ic permit-agent-forwarding 362Allows 363.Xr ssh-agent 1 364forwarding. 365.It Ic permit-port-forwarding 366Allows port forwarding. 367.It Ic permit-pty 368Allows PTY allocation. 369.It Ic permit-user-rc 370Allows execution of 371.Pa ~/.ssh/rc 372by 373.Xr sshd 8 . 374.It Ic permit-x11-forwarding 375Allows X11 forwarding. 376.It Ic source-address Ns = Ns Ar address_list 377Restrict the source addresses from which the certificate is considered valid. 378The 379.Ar address_list 380is a comma-separated list of one or more address/netmask pairs in CIDR 381format. 382.El 383.Pp 384At present, no options are valid for host keys. 385.It Fl P Ar passphrase 386Provides the (old) passphrase. 387.It Fl p 388Requests changing the passphrase of a private key file instead of 389creating a new private key. 390The program will prompt for the file 391containing the private key, for the old passphrase, and twice for the 392new passphrase. 393.It Fl q 394Silence 395.Nm ssh-keygen . 396Used by 397.Pa /etc/rc 398when creating a new key. 399.It Fl R Ar hostname 400Removes all keys belonging to 401.Ar hostname 402from a 403.Pa known_hosts 404file. 405This option is useful to delete hashed hosts (see the 406.Fl H 407option above). 408.It Fl r Ar hostname 409Print the SSHFP fingerprint resource record named 410.Ar hostname 411for the specified public key file. 412.It Fl S Ar start 413Specify start point (in hex) when generating candidate moduli for DH-GEX. 414.It Fl s Ar ca_key 415Certify (sign) a public key using the specified CA key. 416Please see the 417.Sx CERTIFICATES 418section for details. 419.It Fl T Ar output_file 420Test DH group exchange candidate primes (generated using the 421.Fl G 422option) for safety. 423.It Fl t Ar type 424Specifies the type of key to create. 425The possible values are 426.Dq rsa1 427for protocol version 1 and 428.Dq dsa , 429.Dq ecdsa 430or 431.Dq rsa 432for protocol version 2. 433.It Fl V Ar validity_interval 434Specify a validity interval when signing a certificate. 435A validity interval may consist of a single time, indicating that the 436certificate is valid beginning now and expiring at that time, or may consist 437of two times separated by a colon to indicate an explicit time interval. 438The start time may be specified as a date in YYYYMMDD format, a time 439in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting 440of a minus sign followed by a relative time in the format described in the 441.Sx TIME FORMATS 442section of 443.Xr sshd_config 5 . 444The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or 445a relative time starting with a plus character. 446.Pp 447For example: 448.Dq +52w1d 449(valid from now to 52 weeks and one day from now), 450.Dq -4w:+4w 451(valid from four weeks ago to four weeks from now), 452.Dq 20100101123000:20110101123000 453(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), 454.Dq -1d:20110101 455(valid from yesterday to midnight, January 1st, 2011). 456.It Fl v 457Verbose mode. 458Causes 459.Nm 460to print debugging messages about its progress. 461This is helpful for debugging moduli generation. 462Multiple 463.Fl v 464options increase the verbosity. 465The maximum is 3. 466.It Fl W Ar generator 467Specify desired generator when testing candidate moduli for DH-GEX. 468.It Fl y 469This option will read a private 470OpenSSH format file and print an OpenSSH public key to stdout. 471.It Fl z Ar serial_number 472Specifies a serial number to be embedded in the certificate to distinguish 473this certificate from others from the same CA. 474The default serial number is zero. 475.El 476.Sh MODULI GENERATION 477.Nm 478may be used to generate groups for the Diffie-Hellman Group Exchange 479(DH-GEX) protocol. 480Generating these groups is a two-step process: first, candidate 481primes are generated using a fast, but memory intensive process. 482These candidate primes are then tested for suitability (a CPU-intensive 483process). 484.Pp 485Generation of primes is performed using the 486.Fl G 487option. 488The desired length of the primes may be specified by the 489.Fl b 490option. 491For example: 492.Pp 493.Dl # ssh-keygen -G moduli-2048.candidates -b 2048 494.Pp 495By default, the search for primes begins at a random point in the 496desired length range. 497This may be overridden using the 498.Fl S 499option, which specifies a different start point (in hex). 500.Pp 501Once a set of candidates have been generated, they must be tested for 502suitability. 503This may be performed using the 504.Fl T 505option. 506In this mode 507.Nm 508will read candidates from standard input (or a file specified using the 509.Fl f 510option). 511For example: 512.Pp 513.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates 514.Pp 515By default, each candidate will be subjected to 100 primality tests. 516This may be overridden using the 517.Fl a 518option. 519The DH generator value will be chosen automatically for the 520prime under consideration. 521If a specific generator is desired, it may be requested using the 522.Fl W 523option. 524Valid generator values are 2, 3, and 5. 525.Pp 526Screened DH groups may be installed in 527.Pa /etc/moduli . 528It is important that this file contains moduli of a range of bit lengths and 529that both ends of a connection share common moduli. 530.Sh CERTIFICATES 531.Nm 532supports signing of keys to produce certificates that may be used for 533user or host authentication. 534Certificates consist of a public key, some identity information, zero or 535more principal (user or host) names and a set of options that 536are signed by a Certification Authority (CA) key. 537Clients or servers may then trust only the CA key and verify its signature 538on a certificate rather than trusting many user/host keys. 539Note that OpenSSH certificates are a different, and much simpler, format to 540the X.509 certificates used in 541.Xr ssl 8 . 542.Pp 543.Nm 544supports two types of certificates: user and host. 545User certificates authenticate users to servers, whereas host certificates 546authenticate server hosts to users. 547To generate a user certificate: 548.Pp 549.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub 550.Pp 551The resultant certificate will be placed in 552.Pa /path/to/user_key-cert.pub . 553A host certificate requires the 554.Fl h 555option: 556.Pp 557.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub 558.Pp 559The host certificate will be output to 560.Pa /path/to/host_key-cert.pub . 561.Pp 562It is possible to sign using a CA key stored in a PKCS#11 token by 563providing the token library using 564.Fl D 565and identifying the CA key by providing its public half as an argument 566to 567.Fl s : 568.Pp 569.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub 570.Pp 571In all cases, 572.Ar key_id 573is a "key identifier" that is logged by the server when the certificate 574is used for authentication. 575.Pp 576Certificates may be limited to be valid for a set of principal (user/host) 577names. 578By default, generated certificates are valid for all users or hosts. 579To generate a certificate for a specified set of principals: 580.Pp 581.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub 582.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" 583.Pp 584Additional limitations on the validity and use of user certificates may 585be specified through certificate options. 586A certificate option may disable features of the SSH session, may be 587valid only when presented from particular source addresses or may 588force the use of a specific command. 589For a list of valid certificate options, see the documentation for the 590.Fl O 591option above. 592.Pp 593Finally, certificates may be defined with a validity lifetime. 594The 595.Fl V 596option allows specification of certificate start and end times. 597A certificate that is presented at a time outside this range will not be 598considered valid. 599By default, certificates have a maximum validity interval. 600.Pp 601For certificates to be used for user or host authentication, the CA 602public key must be trusted by 603.Xr sshd 8 604or 605.Xr ssh 1 . 606Please refer to those manual pages for details. 607.Sh FILES 608.Bl -tag -width Ds -compact 609.It Pa ~/.ssh/identity 610Contains the protocol version 1 RSA authentication identity of the user. 611This file should not be readable by anyone but the user. 612It is possible to 613specify a passphrase when generating the key; that passphrase will be 614used to encrypt the private part of this file using 3DES. 615This file is not automatically accessed by 616.Nm 617but it is offered as the default file for the private key. 618.Xr ssh 1 619will read this file when a login attempt is made. 620.Pp 621.It Pa ~/.ssh/identity.pub 622Contains the protocol version 1 RSA public key for authentication. 623The contents of this file should be added to 624.Pa ~/.ssh/authorized_keys 625on all machines 626where the user wishes to log in using RSA authentication. 627There is no need to keep the contents of this file secret. 628.Pp 629.It Pa ~/.ssh/id_dsa 630.It Pa ~/.ssh/id_ecdsa 631.It Pa ~/.ssh/id_rsa 632Contains the protocol version 2 DSA, ECDSA or RSA authentication identity of the user. 633This file should not be readable by anyone but the user. 634It is possible to 635specify a passphrase when generating the key; that passphrase will be 636used to encrypt the private part of this file using 128-bit AES. 637This file is not automatically accessed by 638.Nm 639but it is offered as the default file for the private key. 640.Xr ssh 1 641will read this file when a login attempt is made. 642.Pp 643.It Pa ~/.ssh/id_dsa.pub 644.It Pa ~/.ssh/id_ecdsa.pub 645.It Pa ~/.ssh/id_rsa.pub 646Contains the protocol version 2 DSA, ECDSA or RSA public key for authentication. 647The contents of this file should be added to 648.Pa ~/.ssh/authorized_keys 649on all machines 650where the user wishes to log in using public key authentication. 651There is no need to keep the contents of this file secret. 652.Pp 653.It Pa /etc/moduli 654Contains Diffie-Hellman groups used for DH-GEX. 655The file format is described in 656.Xr moduli 5 . 657.El 658.Sh SEE ALSO 659.Xr ssh 1 , 660.Xr ssh-add 1 , 661.Xr ssh-agent 1 , 662.Xr moduli 5 , 663.Xr sshd 8 664.Rs 665.%R RFC 4716 666.%T "The Secure Shell (SSH) Public Key File Format" 667.%D 2006 668.Re 669.Sh AUTHORS 670OpenSSH is a derivative of the original and free 671ssh 1.2.12 release by Tatu Ylonen. 672Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 673Theo de Raadt and Dug Song 674removed many bugs, re-added newer features and 675created OpenSSH. 676Markus Friedl contributed the support for SSH 677protocol versions 1.5 and 2.0. 678