1.\" $NetBSD: ssh-keygen.1,v 1.6 2011/09/07 17:49:19 christos Exp $ 2.\" $OpenBSD: ssh-keygen.1,v 1.106 2011/04/13 04:09:37 djm Exp $ 3.\" 4.\" -*- nroff -*- 5.\" 6.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 7.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 8.\" All rights reserved 9.\" 10.\" As far as I am concerned, the code I have written for this software 11.\" can be used freely for any purpose. Any derived versions of this 12.\" software must be clearly marked as such, and if the derived work is 13.\" incompatible with the protocol description in the RFC file, it must be 14.\" called by a name other than "ssh" or "Secure Shell". 15.\" 16.\" 17.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 18.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 19.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 20.\" 21.\" Redistribution and use in source and binary forms, with or without 22.\" modification, are permitted provided that the following conditions 23.\" are met: 24.\" 1. Redistributions of source code must retain the above copyright 25.\" notice, this list of conditions and the following disclaimer. 26.\" 2. Redistributions in binary form must reproduce the above copyright 27.\" notice, this list of conditions and the following disclaimer in the 28.\" documentation and/or other materials provided with the distribution. 29.\" 30.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 31.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 32.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 33.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 34.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 35.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 36.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 37.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 38.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 39.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 40.\" 41.Dd April 13 2011 42.Dt SSH-KEYGEN 1 43.Os 44.Sh NAME 45.Nm ssh-keygen 46.Nd authentication key generation, management and conversion 47.Sh SYNOPSIS 48.Bk -words 49.Nm ssh-keygen 50.Op Fl q 51.Op Fl b Ar bits 52.Fl t Ar type 53.Op Fl N Ar new_passphrase 54.Op Fl C Ar comment 55.Op Fl f Ar output_keyfile 56.Nm ssh-keygen 57.Fl p 58.Op Fl P Ar old_passphrase 59.Op Fl N Ar new_passphrase 60.Op Fl f Ar keyfile 61.Nm ssh-keygen 62.Fl i 63.Op Fl m Ar key_format 64.Op Fl f Ar input_keyfile 65.Nm ssh-keygen 66.Fl e 67.Op Fl m Ar key_format 68.Op Fl f Ar input_keyfile 69.Nm ssh-keygen 70.Fl y 71.Op Fl f Ar input_keyfile 72.Nm ssh-keygen 73.Fl c 74.Op Fl P Ar passphrase 75.Op Fl C Ar comment 76.Op Fl f Ar keyfile 77.Nm ssh-keygen 78.Fl l 79.Op Fl f Ar input_keyfile 80.Nm ssh-keygen 81.Fl B 82.Op Fl f Ar input_keyfile 83.Nm ssh-keygen 84.Fl D Ar pkcs11 85.Nm ssh-keygen 86.Fl F Ar hostname 87.Op Fl f Ar known_hosts_file 88.Op Fl l 89.Nm ssh-keygen 90.Fl H 91.Op Fl f Ar known_hosts_file 92.Nm ssh-keygen 93.Fl R Ar hostname 94.Op Fl f Ar known_hosts_file 95.Nm ssh-keygen 96.Fl r Ar hostname 97.Op Fl f Ar input_keyfile 98.Op Fl g 99.Nm ssh-keygen 100.Fl G Ar output_file 101.Op Fl v 102.Op Fl b Ar bits 103.Op Fl M Ar memory 104.Op Fl S Ar start_point 105.Nm ssh-keygen 106.Fl T Ar output_file 107.Fl f Ar input_file 108.Op Fl v 109.Op Fl a Ar num_trials 110.Op Fl W Ar generator 111.Nm ssh-keygen 112.Fl s Ar ca_key 113.Fl I Ar certificate_identity 114.Op Fl h 115.Op Fl n Ar principals 116.Op Fl O Ar option 117.Op Fl V Ar validity_interval 118.Op Fl z Ar serial_number 119.Ar 120.Nm ssh-keygen 121.Fl L 122.Op Fl f Ar input_keyfile 123.Nm ssh-keygen 124.Fl A 125.Ek 126.Sh DESCRIPTION 127.Nm 128generates, manages and converts authentication keys for 129.Xr ssh 1 . 130.Nm 131can create RSA keys for use by SSH protocol version 1 and DSA, ECDSA or RSA 132keys for use by SSH protocol version 2. 133The type of key to be generated is specified with the 134.Fl t 135option. 136If invoked without any arguments, 137.Nm 138will generate an RSA key for use in SSH protocol 2 connections. 139.Pp 140.Nm 141is also used to generate groups for use in Diffie-Hellman group 142exchange (DH-GEX). 143See the 144.Sx MODULI GENERATION 145section for details. 146.Pp 147Normally each user wishing to use SSH 148with public key authentication runs this once to create the authentication 149key in 150.Pa ~/.ssh/identity , 151.Pa ~/.ssh/id_ecdsa , 152.Pa ~/.ssh/id_dsa 153or 154.Pa ~/.ssh/id_rsa . 155Additionally, the system administrator may use this to generate host keys, 156as seen in 157.Pa /etc/rc.d/sshd . 158.Pp 159Normally this program generates the key and asks for a file in which 160to store the private key. 161The public key is stored in a file with the same name but 162.Dq .pub 163appended. 164The program also asks for a passphrase. 165The passphrase may be empty to indicate no passphrase 166(host keys must have an empty passphrase), or it may be a string of 167arbitrary length. 168A passphrase is similar to a password, except it can be a phrase with a 169series of words, punctuation, numbers, whitespace, or any string of 170characters you want. 171Good passphrases are 10-30 characters long, are 172not simple sentences or otherwise easily guessable (English 173prose has only 1-2 bits of entropy per character, and provides very bad 174passphrases), and contain a mix of upper and lowercase letters, 175numbers, and non-alphanumeric characters. 176The passphrase can be changed later by using the 177.Fl p 178option. 179.Pp 180There is no way to recover a lost passphrase. 181If the passphrase is lost or forgotten, a new key must be generated 182and the corresponding public key copied to other machines. 183.Pp 184For RSA1 keys, 185there is also a comment field in the key file that is only for 186convenience to the user to help identify the key. 187The comment can tell what the key is for, or whatever is useful. 188The comment is initialized to 189.Dq user@host 190when the key is created, but can be changed using the 191.Fl c 192option. 193.Pp 194After a key is generated, instructions below detail where the keys 195should be placed to be activated. 196.Pp 197The options are as follows: 198.Bl -tag -width Ds 199.It Fl A 200For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys 201do not exist, generate the host keys with the default key file path, 202an empty passphrase, default bits for the key type, and default comment. 203This is used by 204.Pa /etc/rc 205to generate new host keys. 206.It Fl a Ar trials 207Specifies the number of primality tests to perform when screening DH-GEX 208candidates using the 209.Fl T 210command. 211.It Fl B 212Show the bubblebabble digest of specified private or public key file. 213.It Fl b Ar bits 214Specifies the number of bits in the key to create. 215For RSA keys, the minimum size is 768 bits and the default is 2048 bits. 216Generally, 2048 bits is considered sufficient. 217DSA keys must be exactly 1024 bits as specified by FIPS 186-2. 218For ECDSA keys, the 219.Fl b 220flag determines they key length by selecting from one of three elliptic 221curve sizes: 256, 384 or 521 bits. 222Attempting to use bit lengths other than these three values for ECDSA keys 223will fail. 224.It Fl C Ar comment 225Provides a new comment. 226.It Fl c 227Requests changing the comment in the private and public key files. 228This operation is only supported for RSA1 keys. 229The program will prompt for the file containing the private keys, for 230the passphrase if the key has one, and for the new comment. 231.It Fl D Ar pkcs11 232Download the RSA public keys provided by the PKCS#11 shared library 233.Ar pkcs11 . 234When used in combination with 235.Fl s , 236this option indicates that a CA key resides in a PKCS#11 token (see the 237.Sx CERTIFICATES 238section for details). 239.It Fl e 240This option will read a private or public OpenSSH key file and 241print to stdout the key in one of the formats specified by the 242.Fl m 243option. 244The default export format is 245.Dq RFC4716 . 246This option allows exporting OpenSSH keys for use by other programs, including 247several commercial SSH implementations. 248.It Fl F Ar hostname 249Search for the specified 250.Ar hostname 251in a 252.Pa known_hosts 253file, listing any occurrences found. 254This option is useful to find hashed host names or addresses and may also be 255used in conjunction with the 256.Fl H 257option to print found keys in a hashed format. 258.It Fl f Ar filename 259Specifies the filename of the key file. 260.It Fl G Ar output_file 261Generate candidate primes for DH-GEX. 262These primes must be screened for 263safety (using the 264.Fl T 265option) before use. 266.It Fl g 267Use generic DNS format when printing fingerprint resource records using the 268.Fl r 269command. 270.It Fl H 271Hash a 272.Pa known_hosts 273file. 274This replaces all hostnames and addresses with hashed representations 275within the specified file; the original content is moved to a file with 276a .old suffix. 277These hashes may be used normally by 278.Nm ssh 279and 280.Nm sshd , 281but they do not reveal identifying information should the file's contents 282be disclosed. 283This option will not modify existing hashed hostnames and is therefore safe 284to use on files that mix hashed and non-hashed names. 285.It Fl h 286When signing a key, create a host certificate instead of a user 287certificate. 288Please see the 289.Sx CERTIFICATES 290section for details. 291.It Fl I Ar certificate_identity 292Specify the key identity when signing a public key. 293Please see the 294.Sx CERTIFICATES 295section for details. 296.It Fl i 297This option will read an unencrypted private (or public) key file 298in the format specified by the 299.Fl m 300option and print an OpenSSH compatible private 301(or public) key to stdout. 302This option allows importing keys from other software, including several 303commercial SSH implementations. 304The default import format is 305.Dq RFC4716 . 306.It Fl L 307Prints the contents of a certificate. 308.It Fl l 309Show fingerprint of specified public key file. 310Private RSA1 keys are also supported. 311For RSA and DSA keys 312.Nm 313tries to find the matching public key file and prints its fingerprint. 314If combined with 315.Fl v , 316an ASCII art representation of the key is supplied with the fingerprint. 317.It Fl M Ar memory 318Specify the amount of memory to use (in megabytes) when generating 319candidate moduli for DH-GEX. 320.It Fl m Ar key_format 321Specify a key format for the 322.Fl i 323(import) or 324.Fl e 325(export) conversion options. 326The supported key formats are: 327.Dq RFC4716 328(RFC 4716/SSH2 public or private key), 329.Dq PKCS8 330(PEM PKCS8 public key) 331or 332.Dq PEM 333(PEM public key). 334The default conversion format is 335.Dq RFC4716 . 336.It Fl N Ar new_passphrase 337Provides the new passphrase. 338.It Fl n Ar principals 339Specify one or more principals (user or host names) to be included in 340a certificate when signing a key. 341Multiple principals may be specified, separated by commas. 342Please see the 343.Sx CERTIFICATES 344section for details. 345.It Fl O Ar option 346Specify a certificate option when signing a key. 347This option may be specified multiple times. 348Please see the 349.Sx CERTIFICATES 350section for details. 351The options that are valid for user certificates are: 352.Bl -tag -width Ds 353.It Ic clear 354Clear all enabled permissions. 355This is useful for clearing the default set of permissions so permissions may 356be added individually. 357.It Ic force-command Ns = Ns Ar command 358Forces the execution of 359.Ar command 360instead of any shell or command specified by the user when 361the certificate is used for authentication. 362.It Ic no-agent-forwarding 363Disable 364.Xr ssh-agent 1 365forwarding (permitted by default). 366.It Ic no-port-forwarding 367Disable port forwarding (permitted by default). 368.It Ic no-pty 369Disable PTY allocation (permitted by default). 370.It Ic no-user-rc 371Disable execution of 372.Pa ~/.ssh/rc 373by 374.Xr sshd 8 375(permitted by default). 376.It Ic no-x11-forwarding 377Disable X11 forwarding (permitted by default). 378.It Ic permit-agent-forwarding 379Allows 380.Xr ssh-agent 1 381forwarding. 382.It Ic permit-port-forwarding 383Allows port forwarding. 384.It Ic permit-pty 385Allows PTY allocation. 386.It Ic permit-user-rc 387Allows execution of 388.Pa ~/.ssh/rc 389by 390.Xr sshd 8 . 391.It Ic permit-x11-forwarding 392Allows X11 forwarding. 393.It Ic source-address Ns = Ns Ar address_list 394Restrict the source addresses from which the certificate is considered valid. 395The 396.Ar address_list 397is a comma-separated list of one or more address/netmask pairs in CIDR 398format. 399.El 400.Pp 401At present, no options are valid for host keys. 402.It Fl P Ar passphrase 403Provides the (old) passphrase. 404.It Fl p 405Requests changing the passphrase of a private key file instead of 406creating a new private key. 407The program will prompt for the file 408containing the private key, for the old passphrase, and twice for the 409new passphrase. 410.It Fl q 411Silence 412.Nm ssh-keygen . 413<<<<<<< ssh-keygen.1 414Used by 415.Pa /etc/rc.d/sshd 416when creating a new key. 417======= 418>>>>>>> 1.1.1.4 419.It Fl R Ar hostname 420Removes all keys belonging to 421.Ar hostname 422from a 423.Pa known_hosts 424file. 425This option is useful to delete hashed hosts (see the 426.Fl H 427option above). 428.It Fl r Ar hostname 429Print the SSHFP fingerprint resource record named 430.Ar hostname 431for the specified public key file. 432.It Fl S Ar start 433Specify start point (in hex) when generating candidate moduli for DH-GEX. 434.It Fl s Ar ca_key 435Certify (sign) a public key using the specified CA key. 436Please see the 437.Sx CERTIFICATES 438section for details. 439.It Fl T Ar output_file 440Test DH group exchange candidate primes (generated using the 441.Fl G 442option) for safety. 443.It Fl t Ar type 444Specifies the type of key to create. 445The possible values are 446.Dq rsa1 447for protocol version 1 and 448.Dq dsa , 449.Dq ecdsa 450or 451.Dq rsa 452for protocol version 2. 453.It Fl V Ar validity_interval 454Specify a validity interval when signing a certificate. 455A validity interval may consist of a single time, indicating that the 456certificate is valid beginning now and expiring at that time, or may consist 457of two times separated by a colon to indicate an explicit time interval. 458The start time may be specified as a date in YYYYMMDD format, a time 459in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting 460of a minus sign followed by a relative time in the format described in the 461.Sx TIME FORMATS 462section of 463.Xr sshd_config 5 . 464The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or 465a relative time starting with a plus character. 466.Pp 467For example: 468.Dq +52w1d 469(valid from now to 52 weeks and one day from now), 470.Dq -4w:+4w 471(valid from four weeks ago to four weeks from now), 472.Dq 20100101123000:20110101123000 473(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), 474.Dq -1d:20110101 475(valid from yesterday to midnight, January 1st, 2011). 476.It Fl v 477Verbose mode. 478Causes 479.Nm 480to print debugging messages about its progress. 481This is helpful for debugging moduli generation. 482Multiple 483.Fl v 484options increase the verbosity. 485The maximum is 3. 486.It Fl W Ar generator 487Specify desired generator when testing candidate moduli for DH-GEX. 488.It Fl y 489This option will read a private 490OpenSSH format file and print an OpenSSH public key to stdout. 491.It Fl z Ar serial_number 492Specifies a serial number to be embedded in the certificate to distinguish 493this certificate from others from the same CA. 494The default serial number is zero. 495.El 496.Sh MODULI GENERATION 497.Nm 498may be used to generate groups for the Diffie-Hellman Group Exchange 499(DH-GEX) protocol. 500Generating these groups is a two-step process: first, candidate 501primes are generated using a fast, but memory intensive process. 502These candidate primes are then tested for suitability (a CPU-intensive 503process). 504.Pp 505Generation of primes is performed using the 506.Fl G 507option. 508The desired length of the primes may be specified by the 509.Fl b 510option. 511For example: 512.Pp 513.Dl # ssh-keygen -G moduli-2048.candidates -b 2048 514.Pp 515By default, the search for primes begins at a random point in the 516desired length range. 517This may be overridden using the 518.Fl S 519option, which specifies a different start point (in hex). 520.Pp 521Once a set of candidates have been generated, they must be tested for 522suitability. 523This may be performed using the 524.Fl T 525option. 526In this mode 527.Nm 528will read candidates from standard input (or a file specified using the 529.Fl f 530option). 531For example: 532.Pp 533.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates 534.Pp 535By default, each candidate will be subjected to 100 primality tests. 536This may be overridden using the 537.Fl a 538option. 539The DH generator value will be chosen automatically for the 540prime under consideration. 541If a specific generator is desired, it may be requested using the 542.Fl W 543option. 544Valid generator values are 2, 3, and 5. 545.Pp 546Screened DH groups may be installed in 547.Pa /etc/moduli . 548It is important that this file contains moduli of a range of bit lengths and 549that both ends of a connection share common moduli. 550.Sh CERTIFICATES 551.Nm 552supports signing of keys to produce certificates that may be used for 553user or host authentication. 554Certificates consist of a public key, some identity information, zero or 555more principal (user or host) names and a set of options that 556are signed by a Certification Authority (CA) key. 557Clients or servers may then trust only the CA key and verify its signature 558on a certificate rather than trusting many user/host keys. 559Note that OpenSSH certificates are a different, and much simpler, format to 560the X.509 certificates used in 561.Xr ssl 8 . 562.Pp 563.Nm 564supports two types of certificates: user and host. 565User certificates authenticate users to servers, whereas host certificates 566authenticate server hosts to users. 567To generate a user certificate: 568.Pp 569.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub 570.Pp 571The resultant certificate will be placed in 572.Pa /path/to/user_key-cert.pub . 573A host certificate requires the 574.Fl h 575option: 576.Pp 577.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub 578.Pp 579The host certificate will be output to 580.Pa /path/to/host_key-cert.pub . 581.Pp 582It is possible to sign using a CA key stored in a PKCS#11 token by 583providing the token library using 584.Fl D 585and identifying the CA key by providing its public half as an argument 586to 587.Fl s : 588.Pp 589.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub 590.Pp 591In all cases, 592.Ar key_id 593is a "key identifier" that is logged by the server when the certificate 594is used for authentication. 595.Pp 596Certificates may be limited to be valid for a set of principal (user/host) 597names. 598By default, generated certificates are valid for all users or hosts. 599To generate a certificate for a specified set of principals: 600.Pp 601.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub 602.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" 603.Pp 604Additional limitations on the validity and use of user certificates may 605be specified through certificate options. 606A certificate option may disable features of the SSH session, may be 607valid only when presented from particular source addresses or may 608force the use of a specific command. 609For a list of valid certificate options, see the documentation for the 610.Fl O 611option above. 612.Pp 613Finally, certificates may be defined with a validity lifetime. 614The 615.Fl V 616option allows specification of certificate start and end times. 617A certificate that is presented at a time outside this range will not be 618considered valid. 619By default, certificates have a maximum validity interval. 620.Pp 621For certificates to be used for user or host authentication, the CA 622public key must be trusted by 623.Xr sshd 8 624or 625.Xr ssh 1 . 626Please refer to those manual pages for details. 627.Sh FILES 628.Bl -tag -width Ds -compact 629.It Pa ~/.ssh/identity 630Contains the protocol version 1 RSA authentication identity of the user. 631This file should not be readable by anyone but the user. 632It is possible to 633specify a passphrase when generating the key; that passphrase will be 634used to encrypt the private part of this file using 3DES. 635This file is not automatically accessed by 636.Nm 637but it is offered as the default file for the private key. 638.Xr ssh 1 639will read this file when a login attempt is made. 640.Pp 641.It Pa ~/.ssh/identity.pub 642Contains the protocol version 1 RSA public key for authentication. 643The contents of this file should be added to 644.Pa ~/.ssh/authorized_keys 645on all machines 646where the user wishes to log in using RSA authentication. 647There is no need to keep the contents of this file secret. 648.Pp 649.It Pa ~/.ssh/id_dsa 650.It Pa ~/.ssh/id_ecdsa 651.It Pa ~/.ssh/id_rsa 652Contains the protocol version 2 DSA, ECDSA or RSA authentication identity of the user. 653This file should not be readable by anyone but the user. 654It is possible to 655specify a passphrase when generating the key; that passphrase will be 656used to encrypt the private part of this file using 128-bit AES. 657This file is not automatically accessed by 658.Nm 659but it is offered as the default file for the private key. 660.Xr ssh 1 661will read this file when a login attempt is made. 662.Pp 663.It Pa ~/.ssh/id_dsa.pub 664.It Pa ~/.ssh/id_ecdsa.pub 665.It Pa ~/.ssh/id_rsa.pub 666Contains the protocol version 2 DSA, ECDSA or RSA public key for authentication. 667The contents of this file should be added to 668.Pa ~/.ssh/authorized_keys 669on all machines 670where the user wishes to log in using public key authentication. 671There is no need to keep the contents of this file secret. 672.Pp 673.It Pa /etc/moduli 674Contains Diffie-Hellman groups used for DH-GEX. 675The file format is described in 676.Xr moduli 5 . 677.El 678.Sh SEE ALSO 679.Xr ssh 1 , 680.Xr ssh-add 1 , 681.Xr ssh-agent 1 , 682.Xr moduli 5 , 683.Xr sshd 8 684.Rs 685.%R RFC 4716 686.%T "The Secure Shell (SSH) Public Key File Format" 687.%D 2006 688.Re 689.Sh AUTHORS 690OpenSSH is a derivative of the original and free 691ssh 1.2.12 release by Tatu Ylonen. 692Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 693Theo de Raadt and Dug Song 694removed many bugs, re-added newer features and 695created OpenSSH. 696Markus Friedl contributed the support for SSH 697protocol versions 1.5 and 2.0. 698