blob: f0e76aab15e6c94cbba0e63e45a26f3000f71aec [file] [log] [blame]
jmc@openbsd.org072f3b82020-02-03 08:15:37 +00001.\" $OpenBSD: ssh-keygen.1,v 1.199 2020/02/03 08:15:37 jmc Exp $
Damien Miller32aa1441999-10-29 09:15:49 +10002.\"
Damien Miller32aa1441999-10-29 09:15:49 +10003.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
Damien Miller32aa1441999-10-29 09:15:49 +10004.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
Damien Millere4340be2000-09-16 13:29:08 +11007.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this
9.\" software must be clearly marked as such, and if the derived work is
10.\" incompatible with the protocol description in the RFC file, it must be
11.\" called by a name other than "ssh" or "Secure Shell".
Damien Miller32aa1441999-10-29 09:15:49 +100012.\"
Damien Millere4340be2000-09-16 13:29:08 +110013.\"
Ben Lindstrom92a2e382001-03-05 06:59:27 +000014.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
15.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
16.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
Damien Millere4340be2000-09-16 13:29:08 +110017.\"
18.\" Redistribution and use in source and binary forms, with or without
19.\" modification, are permitted provided that the following conditions
20.\" are met:
21.\" 1. Redistributions of source code must retain the above copyright
22.\" notice, this list of conditions and the following disclaimer.
23.\" 2. Redistributions in binary form must reproduce the above copyright
24.\" notice, this list of conditions and the following disclaimer in the
25.\" documentation and/or other materials provided with the distribution.
26.\"
27.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Damien Miller32aa1441999-10-29 09:15:49 +100037.\"
jmc@openbsd.org072f3b82020-02-03 08:15:37 +000038.Dd $Mdocdate: February 3 2020 $
Damien Miller32aa1441999-10-29 09:15:49 +100039.Dt SSH-KEYGEN 1
40.Os
41.Sh NAME
42.Nm ssh-keygen
jmc@openbsd.org483cc722019-11-30 07:07:59 +000043.Nd OpenSSH authentication key utility
Damien Miller32aa1441999-10-29 09:15:49 +100044.Sh SYNOPSIS
Damien Millerbad5e032010-07-16 13:59:59 +100045.Nm ssh-keygen
Damien Miller0bc1bd82000-11-13 22:57:25 +110046.Op Fl q
Damien Miller32aa1441999-10-29 09:15:49 +100047.Op Fl b Ar bits
Damien Miller32aa1441999-10-29 09:15:49 +100048.Op Fl C Ar comment
Damien Miller1a425f32000-09-02 10:08:09 +110049.Op Fl f Ar output_keyfile
djm@openbsd.orgecd2f332019-01-22 11:40:42 +000050.Op Fl m Ar format
djm@openbsd.org97dc5d12019-11-18 04:50:45 +000051.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
jmc@openbsd.org69189742019-10-03 17:07:50 +000052.Op Fl N Ar new_passphrase
naddy@openbsd.org0d005d62020-01-14 15:07:30 +000053.Op Fl O Ar option
naddy@openbsd.orgaa4c6402019-11-07 08:38:38 +000054.Op Fl w Ar provider
Damien Miller32aa1441999-10-29 09:15:49 +100055.Nm ssh-keygen
56.Fl p
Damien Miller10f6f6b1999-11-17 17:29:08 +110057.Op Fl f Ar keyfile
djm@openbsd.orgecd2f332019-01-22 11:40:42 +000058.Op Fl m Ar format
jmc@openbsd.org69189742019-10-03 17:07:50 +000059.Op Fl N Ar new_passphrase
60.Op Fl P Ar old_passphrase
Damien Miller32aa1441999-10-29 09:15:49 +100061.Nm ssh-keygen
Ben Lindstrom5a707822001-04-22 17:15:46 +000062.Fl i
Damien Miller1a425f32000-09-02 10:08:09 +110063.Op Fl f Ar input_keyfile
jmc@openbsd.org69189742019-10-03 17:07:50 +000064.Op Fl m Ar key_format
Damien Millere247cc42000-05-07 12:03:14 +100065.Nm ssh-keygen
Ben Lindstrom5a707822001-04-22 17:15:46 +000066.Fl e
Damien Miller1a425f32000-09-02 10:08:09 +110067.Op Fl f Ar input_keyfile
jmc@openbsd.org69189742019-10-03 17:07:50 +000068.Op Fl m Ar key_format
Damien Millere247cc42000-05-07 12:03:14 +100069.Nm ssh-keygen
70.Fl y
Damien Miller1a425f32000-09-02 10:08:09 +110071.Op Fl f Ar input_keyfile
Damien Millere247cc42000-05-07 12:03:14 +100072.Nm ssh-keygen
Damien Miller32aa1441999-10-29 09:15:49 +100073.Fl c
Damien Miller32aa1441999-10-29 09:15:49 +100074.Op Fl C Ar comment
Damien Miller10f6f6b1999-11-17 17:29:08 +110075.Op Fl f Ar keyfile
jmc@openbsd.org69189742019-10-03 17:07:50 +000076.Op Fl P Ar passphrase
Damien Miller10f6f6b1999-11-17 17:29:08 +110077.Nm ssh-keygen
78.Fl l
naddy@openbsd.org6288e3a2015-02-24 15:24:05 +000079.Op Fl v
djm@openbsd.org56d1c832014-12-21 22:27:55 +000080.Op Fl E Ar fingerprint_hash
Ben Lindstrom8fd372b2001-03-12 03:02:17 +000081.Op Fl f Ar input_keyfile
82.Nm ssh-keygen
83.Fl B
Damien Miller1a425f32000-09-02 10:08:09 +110084.Op Fl f Ar input_keyfile
Ben Lindstroma1ec4a92001-08-06 21:51:34 +000085.Nm ssh-keygen
Damien Miller048dc932010-02-12 09:22:04 +110086.Fl D Ar pkcs11
Ben Lindstroma1ec4a92001-08-06 21:51:34 +000087.Nm ssh-keygen
Damien Miller4b42d7f2005-03-01 21:48:35 +110088.Fl F Ar hostname
jmc@openbsd.org6c91d422019-09-29 16:31:57 +000089.Op Fl lv
Damien Miller4b42d7f2005-03-01 21:48:35 +110090.Op Fl f Ar known_hosts_file
91.Nm ssh-keygen
92.Fl H
93.Op Fl f Ar known_hosts_file
94.Nm ssh-keygen
djm@openbsd.org90399712020-01-02 22:40:09 +000095.Fl K
96.Op Fl w Ar provider
97.Nm ssh-keygen
Damien Miller4b42d7f2005-03-01 21:48:35 +110098.Fl R Ar hostname
99.Op Fl f Ar known_hosts_file
100.Nm ssh-keygen
Damien Miller37876e92003-05-15 10:19:46 +1000101.Fl r Ar hostname
Damien Miller37876e92003-05-15 10:19:46 +1000102.Op Fl g
jmc@openbsd.org6c91d422019-09-29 16:31:57 +0000103.Op Fl f Ar input_keyfile
Darren Tucker019cefe2003-08-02 22:40:07 +1000104.Nm ssh-keygen
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000105.Fl M Cm generate
106.Op Fl O Ar option
naddy@openbsd.org0d005d62020-01-14 15:07:30 +0000107.Ar output_file
Darren Tucker019cefe2003-08-02 22:40:07 +1000108.Nm ssh-keygen
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000109.Fl M Cm screen
naddy@openbsd.org0d005d62020-01-14 15:07:30 +0000110.Op Fl f Ar input_file
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000111.Op Fl O Ar option
naddy@openbsd.org0d005d62020-01-14 15:07:30 +0000112.Ar output_file
Damien Miller0a80ca12010-02-27 07:55:05 +1100113.Nm ssh-keygen
Damien Miller0a80ca12010-02-27 07:55:05 +1100114.Fl I Ar certificate_identity
jmc@openbsd.org69189742019-10-03 17:07:50 +0000115.Fl s Ar ca_key
jmc@openbsd.org6c91d422019-09-29 16:31:57 +0000116.Op Fl hU
djm@openbsd.orga98339e2017-06-28 01:09:22 +0000117.Op Fl D Ar pkcs11_provider
Damien Miller0a80ca12010-02-27 07:55:05 +1100118.Op Fl n Ar principals
Damien Miller4e270b02010-04-16 15:56:21 +1000119.Op Fl O Ar option
Damien Miller0a80ca12010-02-27 07:55:05 +1100120.Op Fl V Ar validity_interval
Damien Miller4e270b02010-04-16 15:56:21 +1000121.Op Fl z Ar serial_number
Damien Miller0a80ca12010-02-27 07:55:05 +1100122.Ar
Damien Millerf2b70ca2010-03-05 07:39:35 +1100123.Nm ssh-keygen
Damien Millerf2b70ca2010-03-05 07:39:35 +1100124.Fl L
125.Op Fl f Ar input_keyfile
Damien Miller58f1baf2011-05-05 14:06:15 +1000126.Nm ssh-keygen
127.Fl A
djm@openbsd.org853edbe2017-07-07 03:53:12 +0000128.Op Fl f Ar prefix_path
Damien Millerf3747bf2013-01-18 11:44:04 +1100129.Nm ssh-keygen
130.Fl k
131.Fl f Ar krl_file
132.Op Fl u
Damien Millerac5542b2013-01-20 22:33:02 +1100133.Op Fl s Ar ca_public
134.Op Fl z Ar version_number
Damien Millerf3747bf2013-01-18 11:44:04 +1100135.Ar
136.Nm ssh-keygen
137.Fl Q
138.Fl f Ar krl_file
139.Ar
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +0000140.Nm ssh-keygen
djm@openbsd.org72a8bea2020-01-23 23:31:52 +0000141.Fl Y Cm find-principals
djm@openbsd.org56cffcc2020-01-23 02:43:48 +0000142.Fl s Ar signature_file
143.Fl f Ar allowed_signers_file
144.Nm ssh-keygen
jmc@openbsd.org69189742019-10-03 17:07:50 +0000145.Fl Y Cm check-novalidate
146.Fl n Ar namespace
147.Fl s Ar signature_file
148.Nm ssh-keygen
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +0000149.Fl Y Cm sign
150.Fl f Ar key_file
151.Fl n Ar namespace
152.Ar
153.Nm ssh-keygen
154.Fl Y Cm verify
djm@openbsd.org8aa2aa32019-09-16 03:23:02 +0000155.Fl f Ar allowed_signers_file
jmc@openbsd.org69189742019-10-03 17:07:50 +0000156.Fl I Ar signer_identity
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +0000157.Fl n Ar namespace
158.Fl s Ar signature_file
159.Op Fl r Ar revocation_file
Damien Miller22c77262000-04-13 12:26:34 +1000160.Sh DESCRIPTION
Damien Miller32aa1441999-10-29 09:15:49 +1000161.Nm
Ben Lindstrom5a707822001-04-22 17:15:46 +0000162generates, manages and converts authentication keys for
Damien Miller32aa1441999-10-29 09:15:49 +1000163.Xr ssh 1 .
Damien Millere247cc42000-05-07 12:03:14 +1000164.Nm
jmc@openbsd.org2b6f7992017-05-03 06:32:02 +0000165can create keys for use by SSH protocol version 2.
jmc@openbsd.orga685ae82016-02-17 07:38:19 +0000166.Pp
Damien Millerfbf486b2003-05-23 18:44:23 +1000167The type of key to be generated is specified with the
Damien Miller0bc1bd82000-11-13 22:57:25 +1100168.Fl t
Damien Millera41c8b12002-01-22 23:05:08 +1100169option.
Damien Millerf14be5c2005-11-05 15:15:49 +1100170If invoked without any arguments,
171.Nm
naddy@openbsd.org2e9c3242017-05-05 10:41:58 +0000172will generate an RSA key.
Damien Millere247cc42000-05-07 12:03:14 +1000173.Pp
Darren Tucker019cefe2003-08-02 22:40:07 +1000174.Nm
175is also used to generate groups for use in Diffie-Hellman group
176exchange (DH-GEX).
177See the
178.Sx MODULI GENERATION
179section for details.
180.Pp
Damien Millerf3747bf2013-01-18 11:44:04 +1100181Finally,
182.Nm
183can be used to generate and update Key Revocation Lists, and to test whether
Damien Millerac5542b2013-01-20 22:33:02 +1100184given keys have been revoked by one.
185See the
Damien Millerf3747bf2013-01-18 11:44:04 +1100186.Sx KEY REVOCATION LISTS
187section for details.
188.Pp
Damien Miller32aa1441999-10-29 09:15:49 +1000189Normally each user wishing to use SSH
Damien Millereb8b60e2010-08-31 22:41:14 +1000190with public key authentication runs this once to create the authentication
Damien Miller32aa1441999-10-29 09:15:49 +1000191key in
Damien Miller8ba0ead2013-12-18 17:46:27 +1100192.Pa ~/.ssh/id_dsa ,
Damien Millereb8b60e2010-08-31 22:41:14 +1000193.Pa ~/.ssh/id_ecdsa ,
naddy@openbsd.orgaa4c6402019-11-07 08:38:38 +0000194.Pa ~/.ssh/id_ecdsa_sk ,
naddy@openbsd.orgf0edda82019-11-18 23:16:49 +0000195.Pa ~/.ssh/id_ed25519 ,
196.Pa ~/.ssh/id_ed25519_sk
Damien Millere247cc42000-05-07 12:03:14 +1000197or
Damien Miller167ea5d2005-05-26 12:04:02 +1000198.Pa ~/.ssh/id_rsa .
Damien Millere247cc42000-05-07 12:03:14 +1000199Additionally, the system administrator may use this to generate host keys,
200as seen in
201.Pa /etc/rc .
Damien Miller32aa1441999-10-29 09:15:49 +1000202.Pp
203Normally this program generates the key and asks for a file in which
Damien Miller450a7a12000-03-26 13:04:51 +1000204to store the private key.
205The public key is stored in a file with the same name but
Damien Miller32aa1441999-10-29 09:15:49 +1000206.Dq .pub
Damien Miller450a7a12000-03-26 13:04:51 +1000207appended.
208The program also asks for a passphrase.
209The passphrase may be empty to indicate no passphrase
Ben Lindstrombf555ba2001-01-18 02:04:35 +0000210(host keys must have an empty passphrase), or it may be a string of
Damien Miller450a7a12000-03-26 13:04:51 +1000211arbitrary length.
Ben Lindstrom4e366d52001-12-06 16:43:21 +0000212A passphrase is similar to a password, except it can be a phrase with a
213series of words, punctuation, numbers, whitespace, or any string of
214characters you want.
215Good passphrases are 10-30 characters long, are
Damien Miller32aa1441999-10-29 09:15:49 +1000216not simple sentences or otherwise easily guessable (English
Ben Lindstrom2a097a42001-06-09 01:13:40 +0000217prose has only 1-2 bits of entropy per character, and provides very bad
Ben Lindstrom4e366d52001-12-06 16:43:21 +0000218passphrases), and contain a mix of upper and lowercase letters,
219numbers, and non-alphanumeric characters.
Damien Miller450a7a12000-03-26 13:04:51 +1000220The passphrase can be changed later by using the
Damien Miller32aa1441999-10-29 09:15:49 +1000221.Fl p
222option.
223.Pp
Damien Miller450a7a12000-03-26 13:04:51 +1000224There is no way to recover a lost passphrase.
Damien Miller085c90f2011-05-05 14:15:33 +1000225If the passphrase is lost or forgotten, a new key must be generated
226and the corresponding public key copied to other machines.
Damien Miller32aa1441999-10-29 09:15:49 +1000227.Pp
djm@openbsd.orgc45616a2019-01-22 11:00:15 +0000228.Nm
229will by default write keys in an OpenSSH-specific format.
230This format is preferred as it offers better protection for
231keys at rest as well as allowing storage of key comments within
232the private key file itself.
233The key comment may be useful to help identify the key.
Damien Miller450a7a12000-03-26 13:04:51 +1000234The comment is initialized to
Damien Miller32aa1441999-10-29 09:15:49 +1000235.Dq user@host
236when the key is created, but can be changed using the
237.Fl c
238option.
239.Pp
djm@openbsd.orgc45616a2019-01-22 11:00:15 +0000240It is still possible for
241.Nm
242to write the previously-used PEM format private keys using the
243.Fl m
244flag.
245This may be used when generating new keys, and existing new-format
246keys may be converted using this option in conjunction with the
247.Fl p
248(change passphrase) flag.
249.Pp
Damien Millere247cc42000-05-07 12:03:14 +1000250After a key is generated, instructions below detail where the keys
251should be placed to be activated.
252.Pp
Damien Miller32aa1441999-10-29 09:15:49 +1000253The options are as follows:
254.Bl -tag -width Ds
Damien Miller58f1baf2011-05-05 14:06:15 +1000255.It Fl A
djm@openbsd.org97dc5d12019-11-18 04:50:45 +0000256For each of the key types (rsa, dsa, ecdsa and ed25519)
Damien Miller8ba0ead2013-12-18 17:46:27 +1100257for which host keys
Damien Miller58f1baf2011-05-05 14:06:15 +1000258do not exist, generate the host keys with the default key file path,
259an empty passphrase, default bits for the key type, and default comment.
jmc@openbsd.orgdc44dd32017-07-08 18:32:54 +0000260If
djm@openbsd.org853edbe2017-07-07 03:53:12 +0000261.Fl f
jmc@openbsd.orgdc44dd32017-07-08 18:32:54 +0000262has also been specified, its argument is used as a prefix to the
djm@openbsd.org853edbe2017-07-07 03:53:12 +0000263default path for the resulting host key files.
Damien Miller3ca1eb32011-05-05 14:13:50 +1000264This is used by
Damien Miller58f1baf2011-05-05 14:06:15 +1000265.Pa /etc/rc
266to generate new host keys.
Damien Miller4f752cf2013-12-18 17:45:35 +1100267.It Fl a Ar rounds
jmc@openbsd.org3b44bf32019-09-27 20:03:24 +0000268When saving a private key, this option specifies the number of KDF
djm@openbsd.orged7bd5d2018-08-08 01:16:01 +0000269(key derivation function) rounds used.
Damien Miller4f752cf2013-12-18 17:45:35 +1100270Higher numbers result in slower passphrase verification and increased
271resistance to brute-force password cracking (should the keys be stolen).
Damien Miller265d3092005-03-02 12:05:06 +1100272.It Fl B
273Show the bubblebabble digest of specified private or public key file.
Damien Miller32aa1441999-10-29 09:15:49 +1000274.It Fl b Ar bits
Damien Miller450a7a12000-03-26 13:04:51 +1000275Specifies the number of bits in the key to create.
dtucker@openbsd.orgd7c6e382019-04-19 05:47:44 +0000276For RSA keys, the minimum size is 1024 bits and the default is 3072 bits.
277Generally, 3072 bits is considered sufficient.
Darren Tucker9f647332005-11-28 16:41:46 +1100278DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
Damien Millerad210322011-05-05 14:15:54 +1000279For ECDSA keys, the
280.Fl b
Damien Miller6232a162011-09-22 21:36:00 +1000281flag determines the key length by selecting from one of three elliptic
Damien Millerad210322011-05-05 14:15:54 +1000282curve sizes: 256, 384 or 521 bits.
283Attempting to use bit lengths other than these three values for ECDSA keys
284will fail.
naddy@openbsd.orgf0edda82019-11-18 23:16:49 +0000285ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the
Damien Miller8ba0ead2013-12-18 17:46:27 +1100286.Fl b
287flag will be ignored.
Damien Miller265d3092005-03-02 12:05:06 +1100288.It Fl C Ar comment
289Provides a new comment.
Damien Miller32aa1441999-10-29 09:15:49 +1000290.It Fl c
291Requests changing the comment in the private and public key files.
292The program will prompt for the file containing the private keys, for
Ben Lindstromaafff9c2001-05-06 03:01:02 +0000293the passphrase if the key has one, and for the new comment.
Damien Miller7ea845e2010-02-12 09:21:02 +1100294.It Fl D Ar pkcs11
naddy@openbsd.orgc13b7452019-03-05 16:17:12 +0000295Download the public keys provided by the PKCS#11 shared library
Damien Millera7618442010-02-12 09:26:02 +1100296.Ar pkcs11 .
Damien Miller757f34e2010-08-05 13:05:31 +1000297When used in combination with
298.Fl s ,
299this option indicates that a CA key resides in a PKCS#11 token (see the
300.Sx CERTIFICATES
301section for details).
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000302.It Fl E Ar fingerprint_hash
303Specifies the hash algorithm used when displaying key fingerprints.
304Valid options are:
305.Dq md5
306and
307.Dq sha256 .
308The default is
309.Dq sha256 .
Ben Lindstrom5a707822001-04-22 17:15:46 +0000310.It Fl e
Ben Lindstrom46c264f2001-04-24 16:56:58 +0000311This option will read a private or public OpenSSH key file and
djm@openbsd.org180b5202019-01-22 11:19:42 +0000312print to stdout a public key in one of the formats specified by the
Damien Miller44b25042010-07-02 13:35:01 +1000313.Fl m
314option.
315The default export format is
316.Dq RFC4716 .
Damien Millerea727282010-07-02 13:35:34 +1000317This option allows exporting OpenSSH keys for use by other programs, including
Damien Miller44b25042010-07-02 13:35:01 +1000318several commercial SSH implementations.
djm@openbsd.org737e4ed2018-12-07 03:32:26 +0000319.It Fl F Ar hostname | [hostname]:port
Damien Miller265d3092005-03-02 12:05:06 +1100320Search for the specified
321.Ar hostname
djm@openbsd.org737e4ed2018-12-07 03:32:26 +0000322(with optional port number)
Damien Miller265d3092005-03-02 12:05:06 +1100323in a
324.Pa known_hosts
325file, listing any occurrences found.
326This option is useful to find hashed host names or addresses and may also be
327used in conjunction with the
328.Fl H
329option to print found keys in a hashed format.
330.It Fl f Ar filename
331Specifies the filename of the key file.
Damien Miller37876e92003-05-15 10:19:46 +1000332.It Fl g
Darren Tucker0b42e6d2004-08-13 21:22:40 +1000333Use generic DNS format when printing fingerprint resource records using the
Darren Tucker6e370372004-08-13 21:23:25 +1000334.Fl r
Darren Tucker0b42e6d2004-08-13 21:22:40 +1000335command.
Damien Miller265d3092005-03-02 12:05:06 +1100336.It Fl H
337Hash a
338.Pa known_hosts
Darren Tuckerda1adbc2005-03-14 23:15:58 +1100339file.
340This replaces all hostnames and addresses with hashed representations
341within the specified file; the original content is moved to a file with
342a .old suffix.
Damien Miller265d3092005-03-02 12:05:06 +1100343These hashes may be used normally by
344.Nm ssh
345and
346.Nm sshd ,
347but they do not reveal identifying information should the file's contents
348be disclosed.
349This option will not modify existing hashed hostnames and is therefore safe
350to use on files that mix hashed and non-hashed names.
Damien Miller0a80ca12010-02-27 07:55:05 +1100351.It Fl h
352When signing a key, create a host certificate instead of a user
353certificate.
354Please see the
355.Sx CERTIFICATES
356section for details.
Damien Miller15f5b562010-03-03 10:25:21 +1100357.It Fl I Ar certificate_identity
Damien Miller0a80ca12010-02-27 07:55:05 +1100358Specify the key identity when signing a public key.
359Please see the
360.Sx CERTIFICATES
361section for details.
Ben Lindstrom5a707822001-04-22 17:15:46 +0000362.It Fl i
363This option will read an unencrypted private (or public) key file
Damien Miller44b25042010-07-02 13:35:01 +1000364in the format specified by the
365.Fl m
366option and print an OpenSSH compatible private
Ben Lindstrom5a707822001-04-22 17:15:46 +0000367(or public) key to stdout.
Damien Miller43b156c2014-04-20 13:23:03 +1000368This option allows importing keys from other software, including several
369commercial SSH implementations.
370The default import format is
371.Dq RFC4716 .
jmc@openbsd.orgc593cc52020-01-03 07:33:33 +0000372.It Fl K
djm@openbsd.org90399712020-01-02 22:40:09 +0000373Download resident keys from a FIDO authenticator.
374Public and private key files will be written to the current directory for
375each downloaded key.
376.It Fl k
Damien Millerf3747bf2013-01-18 11:44:04 +1100377Generate a KRL file.
378In this mode,
379.Nm
380will generate a KRL file at the location specified via the
381.Fl f
Damien Miller881a7a22013-01-20 22:34:46 +1100382flag that revokes every key or certificate presented on the command line.
Damien Millerf3747bf2013-01-18 11:44:04 +1100383Keys/certificates to be revoked may be specified by public key file or
384using the format described in the
385.Sx KEY REVOCATION LISTS
386section.
Damien Millerf2b70ca2010-03-05 07:39:35 +1100387.It Fl L
djm@openbsd.org94bc0b72015-11-13 04:34:15 +0000388Prints the contents of one or more certificates.
Damien Miller10f6f6b1999-11-17 17:29:08 +1100389.It Fl l
Darren Tucker35c45532008-06-13 04:43:15 +1000390Show fingerprint of specified public key file.
Damien Millereb5fec62001-11-12 10:52:44 +1100391For RSA and DSA keys
392.Nm
Darren Tuckerf09e8252008-06-13 05:18:03 +1000393tries to find the matching public key file and prints its fingerprint.
394If combined with
395.Fl v ,
jmc@openbsd.org92838842016-05-03 18:38:12 +0000396a visual ASCII art representation of the key is supplied with the
djm@openbsd.orgcdcd9412016-05-03 14:54:08 +0000397fingerprint.
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000398.It Fl M Cm generate
399Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parameters for
400eventual use by the
401.Sq diffie-hellman-group-exchange-*
402key exchange methods.
403The numbers generated by this operation must be further screened before
404use.
405See the
406.Sx MODULI GENERATION
407section for more information.
408.It Fl M Cm screen
409Screen candidate parameters for Diffie-Hellman Group Exchange.
410This will accept a list of candidate numbers and test that they are
411safe (Sophie Germain) primes with acceptable group generators.
412The results of this operation may be added to the
413.Pa /etc/moduli
414file.
415See the
416.Sx MODULI GENERATION
417section for more information.
Damien Miller44b25042010-07-02 13:35:01 +1000418.It Fl m Ar key_format
djm@openbsd.orgecd2f332019-01-22 11:40:42 +0000419Specify a key format for key generation, the
Damien Miller44b25042010-07-02 13:35:01 +1000420.Fl i
djm@openbsd.orgecd2f332019-01-22 11:40:42 +0000421(import),
Damien Miller44b25042010-07-02 13:35:01 +1000422.Fl e
djm@openbsd.orgecd2f332019-01-22 11:40:42 +0000423(export) conversion options, and the
424.Fl p
425change passphrase operation.
426The latter may be used to convert between OpenSSH private key and PEM
427private key formats.
Damien Miller44b25042010-07-02 13:35:01 +1000428The supported key formats are:
429.Dq RFC4716
Damien Millerea727282010-07-02 13:35:34 +1000430(RFC 4716/SSH2 public or private key),
Damien Miller44b25042010-07-02 13:35:01 +1000431.Dq PKCS8
djm@openbsd.orgeb0d8e72019-07-15 13:16:29 +0000432(PKCS8 public or private key)
Damien Miller44b25042010-07-02 13:35:01 +1000433or
434.Dq PEM
435(PEM public key).
djm@openbsd.orgeb0d8e72019-07-15 13:16:29 +0000436By default OpenSSH will write newly-generated private keys in its own
437format, but when converting public keys for export the default format is
Damien Miller44b25042010-07-02 13:35:01 +1000438.Dq RFC4716 .
djm@openbsd.orged7bd5d2018-08-08 01:16:01 +0000439Setting a format of
440.Dq PEM
441when generating or updating a supported private key type will cause the
442key to be stored in the legacy PEM private key format.
Damien Miller265d3092005-03-02 12:05:06 +1100443.It Fl N Ar new_passphrase
444Provides the new passphrase.
Damien Miller0a80ca12010-02-27 07:55:05 +1100445.It Fl n Ar principals
446Specify one or more principals (user or host names) to be included in
447a certificate when signing a key.
448Multiple principals may be specified, separated by commas.
449Please see the
450.Sx CERTIFICATES
451section for details.
Damien Miller4e270b02010-04-16 15:56:21 +1000452.It Fl O Ar option
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000453Specify a key/value option.
454These are specific to the operation that
455.Nm
456has been requested to perform.
457.Pp
458When signing certificates, one of the options listed in the
Damien Miller0a80ca12010-02-27 07:55:05 +1100459.Sx CERTIFICATES
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000460section may be specified here.
461.Pp
462When performing moduli generation or screening, one of the options
463listed in the
464.Sx MODULI GENERATION
465section may be specified.
466.Pp
jmc@openbsd.orgcd534762020-01-06 07:43:28 +0000467When generating a key that will be hosted on a FIDO authenticator,
468this flag may be used to specify key-specific options.
469Those supported at present are:
470.Bl -tag -width Ds
471.It Cm application
472Override the default FIDO application/origin string of
djm@openbsd.orgc312ca02020-01-06 02:00:46 +0000473.Dq ssh: .
jmc@openbsd.orgcd534762020-01-06 07:43:28 +0000474This may be useful when generating host or domain-specific resident keys.
jmc@openbsd.org072f3b82020-02-03 08:15:37 +0000475.It Cm challenge Ns = Ns Ar path
jmc@openbsd.org0facae72020-02-02 07:36:50 +0000476Specifies a path to a challenge string that will be passed to the
477FIDO token during key generation.
jmc@openbsd.org072f3b82020-02-03 08:15:37 +0000478The challenge string may be used as part of an out-of-band
479protocol for key enrollment
480(a random challenge is used by default).
jmc@openbsd.orgcd534762020-01-06 07:43:28 +0000481.It Cm device
482Explicitly specify a
djm@openbsd.orgc312ca02020-01-06 02:00:46 +0000483.Xr fido 4
484device to use, rather than letting the token middleware select one.
jmc@openbsd.orgcd534762020-01-06 07:43:28 +0000485.It Cm no-touch-required
486Indicate that the generated private key should not require touch
djm@openbsd.org3093d122019-12-30 09:49:52 +0000487events (user presence) when making signatures.
488Note that
489.Xr sshd 8
490will refuse such signatures by default, unless overridden via
491an authorized_keys option.
jmc@openbsd.orgcd534762020-01-06 07:43:28 +0000492.It Cm resident
493Indicate that the key should be stored on the FIDO authenticator itself.
djm@openbsd.org3093d122019-12-30 09:49:52 +0000494Resident keys may be supported on FIDO2 tokens and typically require that
495a PIN be set on the token prior to generation.
496Resident keys may be loaded off the token using
497.Xr ssh-add 1 .
jmc@openbsd.orgcd534762020-01-06 07:43:28 +0000498.It Cm user
499A username to be associated with a resident key,
djm@openbsd.orgc312ca02020-01-06 02:00:46 +0000500overriding the empty default username.
501Specifying a username may be useful when generating multiple resident keys
502for the same application name.
jmc@openbsd.org072f3b82020-02-03 08:15:37 +0000503.It Cm write-attestation Ns = Ns Ar path
djm@openbsd.org24c0f752020-01-28 08:01:34 +0000504May be used at key generation time to record the attestation certificate
505returned from FIDO tokens during key generation.
506By default this information is discarded.
jmc@openbsd.orgcd534762020-01-06 07:43:28 +0000507.El
djm@openbsd.org3093d122019-12-30 09:49:52 +0000508.Pp
509The
510.Fl O
511option may be specified multiple times.
Damien Miller265d3092005-03-02 12:05:06 +1100512.It Fl P Ar passphrase
513Provides the (old) passphrase.
Damien Miller32aa1441999-10-29 09:15:49 +1000514.It Fl p
515Requests changing the passphrase of a private key file instead of
Damien Miller450a7a12000-03-26 13:04:51 +1000516creating a new private key.
517The program will prompt for the file
Damien Miller32aa1441999-10-29 09:15:49 +1000518containing the private key, for the old passphrase, and twice for the
519new passphrase.
Damien Miller072fdcd2013-01-20 22:34:04 +1100520.It Fl Q
521Test whether keys have been revoked in a KRL.
Damien Miller32aa1441999-10-29 09:15:49 +1000522.It Fl q
523Silence
524.Nm ssh-keygen .
djm@openbsd.org63bba572018-12-07 03:33:18 +0000525.It Fl R Ar hostname | [hostname]:port
djm@openbsd.org737e4ed2018-12-07 03:32:26 +0000526Removes all keys belonging to the specified
Damien Miller4b42d7f2005-03-01 21:48:35 +1100527.Ar hostname
djm@openbsd.org737e4ed2018-12-07 03:32:26 +0000528(with optional port number)
Damien Miller4c9c6fd2005-03-02 12:03:43 +1100529from a
Damien Miller4b42d7f2005-03-01 21:48:35 +1100530.Pa known_hosts
531file.
Damien Miller4c9c6fd2005-03-02 12:03:43 +1100532This option is useful to delete hashed hosts (see the
Damien Miller4b42d7f2005-03-01 21:48:35 +1100533.Fl H
534option above).
Damien Miller265d3092005-03-02 12:05:06 +1100535.It Fl r Ar hostname
536Print the SSHFP fingerprint resource record named
537.Ar hostname
538for the specified public key file.
Damien Miller0a80ca12010-02-27 07:55:05 +1100539.It Fl s Ar ca_key
540Certify (sign) a public key using the specified CA key.
541Please see the
542.Sx CERTIFICATES
543section for details.
Damien Millerf3747bf2013-01-18 11:44:04 +1100544.Pp
545When generating a KRL,
546.Fl s
Damien Millerac5542b2013-01-20 22:33:02 +1100547specifies a path to a CA public key file used to revoke certificates directly
Damien Millerf3747bf2013-01-18 11:44:04 +1100548by key ID or serial number.
549See the
550.Sx KEY REVOCATION LISTS
551section for details.
djm@openbsd.org97dc5d12019-11-18 04:50:45 +0000552.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
Damien Miller265d3092005-03-02 12:05:06 +1100553Specifies the type of key to create.
554The possible values are
Damien Miller6186bbc2010-09-24 22:00:54 +1000555.Dq dsa ,
Damien Miller8ba0ead2013-12-18 17:46:27 +1100556.Dq ecdsa ,
naddy@openbsd.orgaa4c6402019-11-07 08:38:38 +0000557.Dq ecdsa-sk ,
Damien Miller8ba0ead2013-12-18 17:46:27 +1100558.Dq ed25519 ,
djm@openbsd.org97dc5d12019-11-18 04:50:45 +0000559.Dq ed25519-sk ,
Damien Miller265d3092005-03-02 12:05:06 +1100560or
jmc@openbsd.orgf10c0d32017-05-02 17:04:09 +0000561.Dq rsa .
djm@openbsd.org476e3552019-05-20 00:20:35 +0000562.Pp
563This flag may also be used to specify the desired signature type when
jmc@openbsd.org85ceb0e2019-05-20 06:01:59 +0000564signing certificates using an RSA CA key.
djm@openbsd.org476e3552019-05-20 00:20:35 +0000565The available RSA signature variants are
566.Dq ssh-rsa
567(SHA1 signatures, not recommended),
jmc@openbsd.org85ceb0e2019-05-20 06:01:59 +0000568.Dq rsa-sha2-256 ,
569and
djm@openbsd.org476e3552019-05-20 00:20:35 +0000570.Dq rsa-sha2-512
571(the default).
djm@openbsd.orga98339e2017-06-28 01:09:22 +0000572.It Fl U
573When used in combination with
574.Fl s ,
575this option indicates that a CA key resides in a
576.Xr ssh-agent 1 .
577See the
578.Sx CERTIFICATES
579section for more information.
Damien Millerac5542b2013-01-20 22:33:02 +1100580.It Fl u
581Update a KRL.
582When specified with
583.Fl k ,
Damien Miller881a7a22013-01-20 22:34:46 +1100584keys listed via the command line are added to the existing KRL rather than
Damien Millerac5542b2013-01-20 22:33:02 +1100585a new KRL being created.
Damien Miller0a80ca12010-02-27 07:55:05 +1100586.It Fl V Ar validity_interval
587Specify a validity interval when signing a certificate.
588A validity interval may consist of a single time, indicating that the
589certificate is valid beginning now and expiring at that time, or may consist
590of two times separated by a colon to indicate an explicit time interval.
djm@openbsd.org@openbsd.orgd52131a2017-11-03 05:14:04 +0000591.Pp
592The start time may be specified as the string
593.Dq always
594to indicate the certificate has no specified start time,
djm@openbsd.orgbf0fbf22018-03-12 00:52:01 +0000595a date in YYYYMMDD format, a time in YYYYMMDDHHMM[SS] format,
djm@openbsd.org@openbsd.orgd52131a2017-11-03 05:14:04 +0000596a relative time (to the current time) consisting of a minus sign followed by
597an interval in the format described in the
Damien Millerfecfd112013-07-18 16:11:50 +1000598TIME FORMATS section of
Damien Miller77497e12010-03-22 05:50:51 +1100599.Xr sshd_config 5 .
djm@openbsd.org@openbsd.orgd52131a2017-11-03 05:14:04 +0000600.Pp
djm@openbsd.orgbf0fbf22018-03-12 00:52:01 +0000601The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMM[SS] time,
djm@openbsd.org@openbsd.orgd52131a2017-11-03 05:14:04 +0000602a relative time starting with a plus character or the string
603.Dq forever
604to indicate that the certificate has no expirty date.
Damien Miller0a80ca12010-02-27 07:55:05 +1100605.Pp
606For example:
607.Dq +52w1d
608(valid from now to 52 weeks and one day from now),
609.Dq -4w:+4w
610(valid from four weeks ago to four weeks from now),
611.Dq 20100101123000:20110101123000
612(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
613.Dq -1d:20110101
614(valid from yesterday to midnight, January 1st, 2011).
djm@openbsd.org@openbsd.orgd52131a2017-11-03 05:14:04 +0000615.Dq -1m:forever
616(valid from one minute ago and never expiring).
Darren Tucker06930c72003-12-31 11:34:51 +1100617.It Fl v
618Verbose mode.
619Causes
620.Nm
621to print debugging messages about its progress.
622This is helpful for debugging moduli generation.
623Multiple
624.Fl v
625options increase the verbosity.
626The maximum is 3.
naddy@openbsd.orgaa4c6402019-11-07 08:38:38 +0000627.It Fl w Ar provider
naddy@openbsd.org141df482019-12-21 20:22:34 +0000628Specifies a path to a library that will be used when creating
629FIDO authenticator-hosted keys, overriding the default of using
630the internal USB HID support.
djm@openbsd.org72a8bea2020-01-23 23:31:52 +0000631.It Fl Y Cm find-principals
632Find the principal(s) associated with the public key of a signature,
djm@openbsd.org56cffcc2020-01-23 02:43:48 +0000633provided using the
634.Fl s
635flag in an authorized signers file provided using the
636.Fl f
637flag.
638The format of the allowed signers file is documented in the
639.Sx ALLOWED SIGNERS
jmc@openbsd.org5533c2f2020-01-23 07:16:38 +0000640section below.
djm@openbsd.org72a8bea2020-01-23 23:31:52 +0000641If one or more matching principals are found, they are returned on
642standard output.
jmc@openbsd.org20ccd852019-12-27 08:28:44 +0000643.It Fl Y Cm check-novalidate
644Checks that a signature generated using
645.Nm
646.Fl Y Cm sign
647has a valid structure.
648This does not validate if a signature comes from an authorized signer.
649When testing a signature,
650.Nm
651accepts a message on standard input and a signature namespace using
652.Fl n .
653A file containing the corresponding signature must also be supplied using the
654.Fl s
655flag.
656Successful testing of the signature is signalled by
657.Nm
658returning a zero exit status.
jmc@openbsd.orgf23d91f2019-09-05 05:47:23 +0000659.It Fl Y Cm sign
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +0000660Cryptographically sign a file or some data using a SSH key.
661When signing,
662.Nm
663accepts zero or more files to sign on the command-line - if no files
664are specified then
665.Nm
666will sign data presented on standard input.
667Signatures are written to the path of the input file with
668.Dq .sig
669appended, or to standard output if the message to be signed was read from
670standard input.
671.Pp
672The key used for signing is specified using the
673.Fl f
674option and may refer to either a private key, or a public key with the private
675half available via
676.Xr ssh-agent 1 .
677An additional signature namespace, used to prevent signature confusion across
678different domains of use (e.g. file signing vs email signing) must be provided
679via the
680.Fl n
681flag.
682Namespaces are arbitrary strings, and may include:
683.Dq file
684for file signing,
685.Dq email
686for email signing.
687For custom uses, it is recommended to use names following a
688NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces.
jmc@openbsd.orgf23d91f2019-09-05 05:47:23 +0000689.It Fl Y Cm verify
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +0000690Request to verify a signature generated using
691.Nm
jmc@openbsd.orgf23d91f2019-09-05 05:47:23 +0000692.Fl Y Cm sign
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +0000693as described above.
694When verifying a signature,
695.Nm
696accepts a message on standard input and a signature namespace using
697.Fl n .
698A file containing the corresponding signature must also be supplied using the
699.Fl s
700flag, along with the identity of the signer using
701.Fl I
702and a list of allowed signers via the
703.Fl f
704flag.
705The format of the allowed signers file is documented in the
706.Sx ALLOWED SIGNERS
707section below.
708A file containing revoked keys can be passed using the
709.Fl r
jmc@openbsd.orgdb1e6f62019-09-04 05:56:54 +0000710flag.
711The revocation file may be a KRL or a one-per-line list of public keys.
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +0000712Successful verification by an authorized signer is signalled by
713.Nm
jmc@openbsd.org70fc9a62019-10-22 08:50:35 +0000714returning a zero exit status.
jmc@openbsd.org5b6c9542019-12-27 08:25:07 +0000715.It Fl y
716This option will read a private
717OpenSSH format file and print an OpenSSH public key to stdout.
Damien Miller4e270b02010-04-16 15:56:21 +1000718.It Fl z Ar serial_number
719Specifies a serial number to be embedded in the certificate to distinguish
720this certificate from others from the same CA.
djm@openbsd.orgbe063942019-01-23 04:51:02 +0000721If the
722.Ar serial_number
723is prefixed with a
724.Sq +
725character, then the serial number will be incremented for each certificate
726signed on a single command-line.
Damien Miller4e270b02010-04-16 15:56:21 +1000727The default serial number is zero.
Damien Millerf3747bf2013-01-18 11:44:04 +1100728.Pp
729When generating a KRL, the
730.Fl z
731flag is used to specify a KRL version number.
Damien Miller32aa1441999-10-29 09:15:49 +1000732.El
Darren Tucker019cefe2003-08-02 22:40:07 +1000733.Sh MODULI GENERATION
734.Nm
735may be used to generate groups for the Diffie-Hellman Group Exchange
736(DH-GEX) protocol.
737Generating these groups is a two-step process: first, candidate
738primes are generated using a fast, but memory intensive process.
739These candidate primes are then tested for suitability (a CPU-intensive
740process).
741.Pp
742Generation of primes is performed using the
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000743.Fl M Cm generate
Darren Tucker019cefe2003-08-02 22:40:07 +1000744option.
745The desired length of the primes may be specified by the
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000746.Fl O Cm bits
Darren Tucker019cefe2003-08-02 22:40:07 +1000747option.
748For example:
749.Pp
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000750.Dl # ssh-keygen -M generate -O bits=2048 moduli-2048.candidates
Darren Tucker019cefe2003-08-02 22:40:07 +1000751.Pp
752By default, the search for primes begins at a random point in the
753desired length range.
754This may be overridden using the
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000755.Fl O Cm start
Darren Tucker019cefe2003-08-02 22:40:07 +1000756option, which specifies a different start point (in hex).
757.Pp
Damien Millerdfceafe2012-07-06 13:44:19 +1000758Once a set of candidates have been generated, they must be screened for
Darren Tucker019cefe2003-08-02 22:40:07 +1000759suitability.
760This may be performed using the
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000761.Fl M Cm screen
Darren Tucker019cefe2003-08-02 22:40:07 +1000762option.
763In this mode
764.Nm
765will read candidates from standard input (or a file specified using the
766.Fl f
767option).
768For example:
769.Pp
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000770.Dl # ssh-keygen -M screen -f moduli-2048.candidates moduli-2048
Darren Tucker019cefe2003-08-02 22:40:07 +1000771.Pp
772By default, each candidate will be subjected to 100 primality tests.
773This may be overridden using the
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000774.Fl O Cm prime-tests
Darren Tucker019cefe2003-08-02 22:40:07 +1000775option.
776The DH generator value will be chosen automatically for the
777prime under consideration.
778If a specific generator is desired, it may be requested using the
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000779.Fl O Cm generator
Darren Tucker019cefe2003-08-02 22:40:07 +1000780option.
Damien Miller265d3092005-03-02 12:05:06 +1100781Valid generator values are 2, 3, and 5.
Darren Tucker019cefe2003-08-02 22:40:07 +1000782.Pp
783Screened DH groups may be installed in
784.Pa /etc/moduli .
785It is important that this file contains moduli of a range of bit lengths and
786that both ends of a connection share common moduli.
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000787.Pp
788A number of options are available for moduli generation and screening via the
789.Fl O
790flag:
jmc@openbsd.org3b1382f2019-12-30 16:10:00 +0000791.Bl -tag -width Ds
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000792.It Ic lines Ns = Ns Ar number
793Exit after screening the specified number of lines while performing DH
794candidate screening.
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000795.It Ic start-line Ns = Ns Ar line-number
796Start screening at the specified line number while performing DH candidate
797screening.
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000798.It Ic checkpoint Ns = Ns Ar filename
799Write the last line processed to the specified file while performing DH
800candidate screening.
801This will be used to skip lines in the input file that have already been
802processed if the job is restarted.
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000803.It Ic memory Ns = Ns Ar mbytes
804Specify the amount of memory to use (in megabytes) when generating
805candidate moduli for DH-GEX.
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000806.It Ic start Ns = Ns Ar hex-value
807Specify start point (in hex) when generating candidate moduli for DH-GEX.
djm@openbsd.org3e60d182019-12-30 03:30:09 +0000808.It Ic generator Ns = Ns Ar value
809Specify desired generator (in decimal) when testing candidate moduli for DH-GEX.
810.El
Damien Miller0a80ca12010-02-27 07:55:05 +1100811.Sh CERTIFICATES
812.Nm
813supports signing of keys to produce certificates that may be used for
814user or host authentication.
815Certificates consist of a public key, some identity information, zero or
Damien Miller1f181422010-04-18 08:08:03 +1000816more principal (user or host) names and a set of options that
Damien Miller0a80ca12010-02-27 07:55:05 +1100817are signed by a Certification Authority (CA) key.
818Clients or servers may then trust only the CA key and verify its signature
819on a certificate rather than trusting many user/host keys.
820Note that OpenSSH certificates are a different, and much simpler, format to
821the X.509 certificates used in
822.Xr ssl 8 .
823.Pp
824.Nm
825supports two types of certificates: user and host.
826User certificates authenticate users to servers, whereas host certificates
Damien Miller15f5b562010-03-03 10:25:21 +1100827authenticate server hosts to users.
828To generate a user certificate:
Damien Miller0a80ca12010-02-27 07:55:05 +1100829.Pp
830.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
831.Pp
832The resultant certificate will be placed in
Damien Miller1b61a282010-03-22 05:55:06 +1100833.Pa /path/to/user_key-cert.pub .
Damien Miller0a80ca12010-02-27 07:55:05 +1100834A host certificate requires the
835.Fl h
836option:
837.Pp
838.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
839.Pp
840The host certificate will be output to
Damien Miller1b61a282010-03-22 05:55:06 +1100841.Pa /path/to/host_key-cert.pub .
Damien Miller757f34e2010-08-05 13:05:31 +1000842.Pp
843It is possible to sign using a CA key stored in a PKCS#11 token by
844providing the token library using
845.Fl D
846and identifying the CA key by providing its public half as an argument
847to
848.Fl s :
849.Pp
naddy@openbsd.org05291e52015-08-20 19:20:06 +0000850.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
Damien Miller757f34e2010-08-05 13:05:31 +1000851.Pp
djm@openbsd.orga98339e2017-06-28 01:09:22 +0000852Similarly, it is possible for the CA key to be hosted in a
853.Xr ssh-agent 1 .
854This is indicated by the
855.Fl U
856flag and, again, the CA key must be identified by its public half.
857.Pp
858.Dl $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub
859.Pp
Damien Miller757f34e2010-08-05 13:05:31 +1000860In all cases,
Damien Miller0a80ca12010-02-27 07:55:05 +1100861.Ar key_id
862is a "key identifier" that is logged by the server when the certificate
863is used for authentication.
864.Pp
865Certificates may be limited to be valid for a set of principal (user/host)
866names.
867By default, generated certificates are valid for all users or hosts.
868To generate a certificate for a specified set of principals:
869.Pp
870.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
naddy@openbsd.org05291e52015-08-20 19:20:06 +0000871.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub"
Damien Miller0a80ca12010-02-27 07:55:05 +1100872.Pp
873Additional limitations on the validity and use of user certificates may
Damien Miller1f181422010-04-18 08:08:03 +1000874be specified through certificate options.
Damien Miller4e270b02010-04-16 15:56:21 +1000875A certificate option may disable features of the SSH session, may be
Damien Miller0a80ca12010-02-27 07:55:05 +1100876valid only when presented from particular source addresses or may
877force the use of a specific command.
djm@openbsd.org1e645fe2019-12-30 03:28:41 +0000878.Pp
879The options that are valid for user certificates are:
880.Pp
881.Bl -tag -width Ds -compact
882.It Ic clear
883Clear all enabled permissions.
884This is useful for clearing the default set of permissions so permissions may
885be added individually.
886.Pp
887.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
888.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
889Includes an arbitrary certificate critical option or extension.
890The specified
891.Ar name
892should include a domain suffix, e.g.\&
893.Dq name@example.com .
894If
895.Ar contents
896is specified then it is included as the contents of the extension/option
897encoded as a string, otherwise the extension/option is created with no
898contents (usually indicating a flag).
899Extensions may be ignored by a client or server that does not recognise them,
900whereas unknown critical options will cause the certificate to be refused.
901.Pp
902.It Ic force-command Ns = Ns Ar command
903Forces the execution of
904.Ar command
905instead of any shell or command specified by the user when
906the certificate is used for authentication.
907.Pp
908.It Ic no-agent-forwarding
909Disable
910.Xr ssh-agent 1
911forwarding (permitted by default).
912.Pp
913.It Ic no-port-forwarding
914Disable port forwarding (permitted by default).
915.Pp
916.It Ic no-pty
917Disable PTY allocation (permitted by default).
918.Pp
919.It Ic no-user-rc
920Disable execution of
921.Pa ~/.ssh/rc
922by
923.Xr sshd 8
924(permitted by default).
925.Pp
926.It Ic no-x11-forwarding
927Disable X11 forwarding (permitted by default).
928.Pp
929.It Ic permit-agent-forwarding
930Allows
931.Xr ssh-agent 1
932forwarding.
933.Pp
934.It Ic permit-port-forwarding
935Allows port forwarding.
936.Pp
937.It Ic permit-pty
938Allows PTY allocation.
939.Pp
940.It Ic permit-user-rc
941Allows execution of
942.Pa ~/.ssh/rc
943by
944.Xr sshd 8 .
945.Pp
946.It Ic permit-X11-forwarding
947Allows X11 forwarding.
948.Pp
949.It Ic no-touch-required
950Do not require signatures made using this key require demonstration
naddy@openbsd.orgb715fdc2020-01-18 21:16:43 +0000951of user presence (e.g. by having the user touch the authenticator).
naddy@openbsd.org84911da2020-01-18 15:45:41 +0000952This option only makes sense for the FIDO authenticator algorithms
djm@openbsd.org1e645fe2019-12-30 03:28:41 +0000953.Cm ecdsa-sk
954and
955.Cm ed25519-sk .
956.Pp
957.It Ic source-address Ns = Ns Ar address_list
958Restrict the source addresses from which the certificate is considered valid.
959The
960.Ar address_list
961is a comma-separated list of one or more address/netmask pairs in CIDR
962format.
963.El
964.Pp
965At present, no standard options are valid for host keys.
Damien Miller0a80ca12010-02-27 07:55:05 +1100966.Pp
967Finally, certificates may be defined with a validity lifetime.
968The
969.Fl V
970option allows specification of certificate start and end times.
971A certificate that is presented at a time outside this range will not be
972considered valid.
Darren Tucker3ee50c52012-09-06 21:18:11 +1000973By default, certificates are valid from
974.Ux
975Epoch to the distant future.
Damien Miller0a80ca12010-02-27 07:55:05 +1100976.Pp
977For certificates to be used for user or host authentication, the CA
978public key must be trusted by
979.Xr sshd 8
980or
981.Xr ssh 1 .
982Please refer to those manual pages for details.
Damien Millerf3747bf2013-01-18 11:44:04 +1100983.Sh KEY REVOCATION LISTS
984.Nm
985is able to manage OpenSSH format Key Revocation Lists (KRLs).
986These binary files specify keys or certificates to be revoked using a
Damien Miller13797712013-12-29 17:47:14 +1100987compact format, taking as little as one bit per certificate if they are being
Damien Millerf3747bf2013-01-18 11:44:04 +1100988revoked by serial number.
989.Pp
990KRLs may be generated using the
991.Fl k
992flag.
Damien Miller881a7a22013-01-20 22:34:46 +1100993This option reads one or more files from the command line and generates a new
Damien Millerf3747bf2013-01-18 11:44:04 +1100994KRL.
995The files may either contain a KRL specification (see below) or public keys,
996listed one per line.
997Plain public keys are revoked by listing their hash or contents in the KRL and
998certificates revoked by serial number or key ID (if the serial is zero or
999not available).
1000.Pp
1001Revoking keys using a KRL specification offers explicit control over the
1002types of record used to revoke keys and may be used to directly revoke
1003certificates by serial number or key ID without having the complete original
1004certificate on hand.
1005A KRL specification consists of lines containing one of the following directives
1006followed by a colon and some directive-specific information.
1007.Bl -tag -width Ds
Damien Millera0a7ee82013-01-20 22:35:06 +11001008.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
Damien Millerf3747bf2013-01-18 11:44:04 +11001009Revokes a certificate with the specified serial number.
Damien Millerac5542b2013-01-20 22:33:02 +11001010Serial numbers are 64-bit values, not including zero and may be expressed
Damien Millerf3747bf2013-01-18 11:44:04 +11001011in decimal, hex or octal.
1012If two serial numbers are specified separated by a hyphen, then the range
1013of serial numbers including and between each is revoked.
1014The CA key must have been specified on the
1015.Nm
Damien Miller881a7a22013-01-20 22:34:46 +11001016command line using the
Damien Millerf3747bf2013-01-18 11:44:04 +11001017.Fl s
1018option.
1019.It Cm id : Ar key_id
1020Revokes a certificate with the specified key ID string.
1021The CA key must have been specified on the
1022.Nm
Damien Miller881a7a22013-01-20 22:34:46 +11001023command line using the
Damien Millerf3747bf2013-01-18 11:44:04 +11001024.Fl s
1025option.
1026.It Cm key : Ar public_key
1027Revokes the specified key.
Damien Millerac5542b2013-01-20 22:33:02 +11001028If a certificate is listed, then it is revoked as a plain public key.
Damien Millerf3747bf2013-01-18 11:44:04 +11001029.It Cm sha1 : Ar public_key
djm@openbsd.org9405c622018-09-12 01:21:34 +00001030Revokes the specified key by including its SHA1 hash in the KRL.
1031.It Cm sha256 : Ar public_key
1032Revokes the specified key by including its SHA256 hash in the KRL.
1033KRLs that revoke keys by SHA256 hash are not supported by OpenSSH versions
1034prior to 7.9.
1035.It Cm hash : Ar fingerprint
djm@openbsd.orgf0fcd7e2018-09-12 06:18:59 +00001036Revokes a key using a fingerprint hash, as obtained from a
djm@openbsd.org9405c622018-09-12 01:21:34 +00001037.Xr sshd 8
1038authentication log message or the
1039.Nm
1040.Fl l
1041flag.
1042Only SHA256 fingerprints are supported here and resultant KRLs are
1043not supported by OpenSSH versions prior to 7.9.
Damien Millerf3747bf2013-01-18 11:44:04 +11001044.El
1045.Pp
1046KRLs may be updated using the
1047.Fl u
1048flag in addition to
1049.Fl k .
Damien Miller881a7a22013-01-20 22:34:46 +11001050When this option is specified, keys listed via the command line are merged into
Damien Millerf3747bf2013-01-18 11:44:04 +11001051the KRL, adding to those already there.
1052.Pp
1053It is also possible, given a KRL, to test whether it revokes a particular key
1054(or keys).
1055The
1056.Fl Q
jmc@openbsd.org8b290082015-11-05 09:48:05 +00001057flag will query an existing KRL, testing each key specified on the command line.
Damien Miller881a7a22013-01-20 22:34:46 +11001058If any key listed on the command line has been revoked (or an error encountered)
Damien Millerf3747bf2013-01-18 11:44:04 +11001059then
1060.Nm
1061will exit with a non-zero exit status.
1062A zero exit status will only be returned if no key was revoked.
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +00001063.Sh ALLOWED SIGNERS
1064When verifying signatures,
1065.Nm
1066uses a simple list of identities and keys to determine whether a signature
1067comes from an authorized source.
1068This "allowed signers" file uses a format patterned after the
1069AUTHORIZED_KEYS FILE FORMAT described in
jmc@openbsd.orgdb1e6f62019-09-04 05:56:54 +00001070.Xr sshd 8 .
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +00001071Each line of the file contains the following space-separated fields:
1072principals, options, keytype, base64-encoded key.
1073Empty lines and lines starting with a
1074.Ql #
1075are ignored as comments.
1076.Pp
1077The principals field is a pattern-list (See PATTERNS in
1078.Xr ssh_config 5 )
1079consisting of one or more comma-separated USER@DOMAIN identity patterns
1080that are accepted for signing.
1081When verifying, the identity presented via the
jmc@openbsd.org70fc9a62019-10-22 08:50:35 +00001082.Fl I
1083option must match a principals pattern in order for the corresponding key to be
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +00001084considered acceptable for verification.
1085.Pp
1086The options (if present) consist of comma-separated option specifications.
1087No spaces are permitted, except within double quotes.
1088The following option specifications are supported (note that option keywords
1089are case-insensitive):
1090.Bl -tag -width Ds
1091.It Cm cert-authority
1092Indicates that this key is accepted as a certificate authority (CA) and
1093that certificates signed by this CA may be accepted for verification.
1094.It Cm namespaces="namespace-list"
1095Specifies a pattern-list of namespaces that are accepted for this key.
djm@openbsd.orgd637c4a2019-09-03 08:35:27 +00001096If this option is present, the signature namespace embedded in the
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +00001097signature object and presented on the verification command-line must
1098match the specified list before the key will be considered acceptable.
1099.El
1100.Pp
1101When verifying signatures made by certificates, the expected principal
1102name must match both the principals pattern in the allowed signers file and
1103the principals embedded in the certificate itself.
1104.Pp
1105An example allowed signers file:
1106.Bd -literal -offset 3n
1107# Comments allowed at start of line
1108user1@example.com,user2@example.com ssh-rsa AAAAX1...
1109# A certificate authority, trusted for all principals in a domain.
1110*@example.com cert-authority ssh-ed25519 AAAB4...
1111# A key that is accepted only for file signing.
1112user2@example.com namespaces="file" ssh-ed25519 AAA41...
1113.Ed
naddy@openbsd.orgaa4c6402019-11-07 08:38:38 +00001114.Sh ENVIRONMENT
1115.Bl -tag -width Ds
1116.It Ev SSH_SK_PROVIDER
naddy@openbsd.org141df482019-12-21 20:22:34 +00001117Specifies the path to a library used to interact with FIDO authenticators.
naddy@openbsd.orgaa4c6402019-11-07 08:38:38 +00001118.El
Damien Miller32aa1441999-10-29 09:15:49 +10001119.Sh FILES
Damien Miller6186bbc2010-09-24 22:00:54 +10001120.Bl -tag -width Ds -compact
Damien Miller167ea5d2005-05-26 12:04:02 +10001121.It Pa ~/.ssh/id_dsa
Damien Miller6186bbc2010-09-24 22:00:54 +10001122.It Pa ~/.ssh/id_ecdsa
naddy@openbsd.orgaa4c6402019-11-07 08:38:38 +00001123.It Pa ~/.ssh/id_ecdsa_sk
Damien Miller8ba0ead2013-12-18 17:46:27 +11001124.It Pa ~/.ssh/id_ed25519
naddy@openbsd.orgf0edda82019-11-18 23:16:49 +00001125.It Pa ~/.ssh/id_ed25519_sk
Damien Miller167ea5d2005-05-26 12:04:02 +10001126.It Pa ~/.ssh/id_rsa
naddy@openbsd.org141df482019-12-21 20:22:34 +00001127Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
1128authenticator-hosted Ed25519 or RSA authentication identity of the user.
Ben Lindstrom18a82ac2001-04-11 15:59:35 +00001129This file should not be readable by anyone but the user.
1130It is possible to
1131specify a passphrase when generating the key; that passphrase will be
Darren Tucker199ee6f2009-10-24 11:50:17 +11001132used to encrypt the private part of this file using 128-bit AES.
Ben Lindstrom18a82ac2001-04-11 15:59:35 +00001133This file is not automatically accessed by
1134.Nm
1135but it is offered as the default file for the private key.
Ben Lindstrombda98b02001-07-04 03:35:24 +00001136.Xr ssh 1
Ben Lindstrom18a82ac2001-04-11 15:59:35 +00001137will read this file when a login attempt is made.
Damien Miller6186bbc2010-09-24 22:00:54 +10001138.Pp
1139.It Pa ~/.ssh/id_dsa.pub
1140.It Pa ~/.ssh/id_ecdsa.pub
naddy@openbsd.orgaa4c6402019-11-07 08:38:38 +00001141.It Pa ~/.ssh/id_ecdsa_sk.pub
Damien Miller8ba0ead2013-12-18 17:46:27 +11001142.It Pa ~/.ssh/id_ed25519.pub
naddy@openbsd.orgf0edda82019-11-18 23:16:49 +00001143.It Pa ~/.ssh/id_ed25519_sk.pub
Damien Miller167ea5d2005-05-26 12:04:02 +10001144.It Pa ~/.ssh/id_rsa.pub
naddy@openbsd.org141df482019-12-21 20:22:34 +00001145Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
1146authenticator-hosted Ed25519 or RSA public key for authentication.
Damien Millere247cc42000-05-07 12:03:14 +10001147The contents of this file should be added to
Damien Miller167ea5d2005-05-26 12:04:02 +10001148.Pa ~/.ssh/authorized_keys
Damien Millere247cc42000-05-07 12:03:14 +10001149on all machines
Ben Lindstrom594e2032001-09-12 18:35:30 +00001150where the user wishes to log in using public key authentication.
Damien Millere247cc42000-05-07 12:03:14 +10001151There is no need to keep the contents of this file secret.
Damien Miller6186bbc2010-09-24 22:00:54 +10001152.Pp
Darren Tucker019cefe2003-08-02 22:40:07 +10001153.It Pa /etc/moduli
1154Contains Diffie-Hellman groups used for DH-GEX.
1155The file format is described in
1156.Xr moduli 5 .
Damien Miller37023962000-07-11 17:31:38 +10001157.El
Damien Miller32aa1441999-10-29 09:15:49 +10001158.Sh SEE ALSO
1159.Xr ssh 1 ,
1160.Xr ssh-add 1 ,
Damien Miller2e8b1c81999-11-15 23:33:56 +11001161.Xr ssh-agent 1 ,
Darren Tucker019cefe2003-08-02 22:40:07 +10001162.Xr moduli 5 ,
Ben Lindstrom77788dc2001-02-10 23:10:33 +00001163.Xr sshd 8
Ben Lindstrom5a707822001-04-22 17:15:46 +00001164.Rs
Damien Millerc0367fb2007-01-05 16:25:46 +11001165.%R RFC 4716
1166.%T "The Secure Shell (SSH) Public Key File Format"
1167.%D 2006
Ben Lindstrom5a707822001-04-22 17:15:46 +00001168.Re
Damien Millerf1ce5052003-06-11 22:04:39 +10001169.Sh AUTHORS
1170OpenSSH is a derivative of the original and free
1171ssh 1.2.12 release by Tatu Ylonen.
1172Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1173Theo de Raadt and Dug Song
1174removed many bugs, re-added newer features and
1175created OpenSSH.
1176Markus Friedl contributed the support for SSH
1177protocol versions 1.5 and 2.0.