blob: 03f927edfcbfbabbe21ca677762019bbe37d48f3 [file] [log] [blame]
Damien Millerdfceafe2012-07-06 13:44:19 +10001.\" $OpenBSD: ssh-keygen.1,v 1.109 2012/07/06 00:41:59 dtucker Exp $
Damien Miller32aa1441999-10-29 09:15:49 +10002.\"
Damien Miller32aa1441999-10-29 09:15:49 +10003.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
Damien Miller32aa1441999-10-29 09:15:49 +10004.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
Damien Millere4340be2000-09-16 13:29:08 +11007.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this
9.\" software must be clearly marked as such, and if the derived work is
10.\" incompatible with the protocol description in the RFC file, it must be
11.\" called by a name other than "ssh" or "Secure Shell".
Damien Miller32aa1441999-10-29 09:15:49 +100012.\"
Damien Millere4340be2000-09-16 13:29:08 +110013.\"
Ben Lindstrom92a2e382001-03-05 06:59:27 +000014.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
15.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
16.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
Damien Millere4340be2000-09-16 13:29:08 +110017.\"
18.\" Redistribution and use in source and binary forms, with or without
19.\" modification, are permitted provided that the following conditions
20.\" are met:
21.\" 1. Redistributions of source code must retain the above copyright
22.\" notice, this list of conditions and the following disclaimer.
23.\" 2. Redistributions in binary form must reproduce the above copyright
24.\" notice, this list of conditions and the following disclaimer in the
25.\" documentation and/or other materials provided with the distribution.
26.\"
27.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Damien Miller32aa1441999-10-29 09:15:49 +100037.\"
Damien Millerdfceafe2012-07-06 13:44:19 +100038.Dd $Mdocdate: July 6 2012 $
Damien Miller32aa1441999-10-29 09:15:49 +100039.Dt SSH-KEYGEN 1
40.Os
41.Sh NAME
42.Nm ssh-keygen
Ben Lindstrom5a707822001-04-22 17:15:46 +000043.Nd authentication key generation, management and conversion
Damien Miller32aa1441999-10-29 09:15:49 +100044.Sh SYNOPSIS
Damien Miller495dca32003-04-01 21:42:14 +100045.Bk -words
Damien Millerbad5e032010-07-16 13:59:59 +100046.Nm ssh-keygen
Damien Miller0bc1bd82000-11-13 22:57:25 +110047.Op Fl q
Damien Miller32aa1441999-10-29 09:15:49 +100048.Op Fl b Ar bits
Damien Miller55fafa02002-02-19 15:22:07 +110049.Fl t Ar type
Damien Miller32aa1441999-10-29 09:15:49 +100050.Op Fl N Ar new_passphrase
51.Op Fl C Ar comment
Damien Miller1a425f32000-09-02 10:08:09 +110052.Op Fl f Ar output_keyfile
Damien Miller32aa1441999-10-29 09:15:49 +100053.Nm ssh-keygen
54.Fl p
55.Op Fl P Ar old_passphrase
56.Op Fl N Ar new_passphrase
Damien Miller10f6f6b1999-11-17 17:29:08 +110057.Op Fl f Ar keyfile
Damien Miller32aa1441999-10-29 09:15:49 +100058.Nm ssh-keygen
Ben Lindstrom5a707822001-04-22 17:15:46 +000059.Fl i
Damien Miller44b25042010-07-02 13:35:01 +100060.Op Fl m Ar key_format
Damien Miller1a425f32000-09-02 10:08:09 +110061.Op Fl f Ar input_keyfile
Damien Millere247cc42000-05-07 12:03:14 +100062.Nm ssh-keygen
Ben Lindstrom5a707822001-04-22 17:15:46 +000063.Fl e
Damien Miller44b25042010-07-02 13:35:01 +100064.Op Fl m Ar key_format
Damien Miller1a425f32000-09-02 10:08:09 +110065.Op Fl f Ar input_keyfile
Damien Millere247cc42000-05-07 12:03:14 +100066.Nm ssh-keygen
67.Fl y
Damien Miller1a425f32000-09-02 10:08:09 +110068.Op Fl f Ar input_keyfile
Damien Millere247cc42000-05-07 12:03:14 +100069.Nm ssh-keygen
Damien Miller32aa1441999-10-29 09:15:49 +100070.Fl c
71.Op Fl P Ar passphrase
72.Op Fl C Ar comment
Damien Miller10f6f6b1999-11-17 17:29:08 +110073.Op Fl f Ar keyfile
74.Nm ssh-keygen
75.Fl l
Ben Lindstrom8fd372b2001-03-12 03:02:17 +000076.Op Fl f Ar input_keyfile
77.Nm ssh-keygen
78.Fl B
Damien Miller1a425f32000-09-02 10:08:09 +110079.Op Fl f Ar input_keyfile
Ben Lindstroma1ec4a92001-08-06 21:51:34 +000080.Nm ssh-keygen
Damien Miller048dc932010-02-12 09:22:04 +110081.Fl D Ar pkcs11
Ben Lindstroma1ec4a92001-08-06 21:51:34 +000082.Nm ssh-keygen
Damien Miller4b42d7f2005-03-01 21:48:35 +110083.Fl F Ar hostname
84.Op Fl f Ar known_hosts_file
Damien Miller718ed502008-11-03 19:15:20 +110085.Op Fl l
Damien Miller4b42d7f2005-03-01 21:48:35 +110086.Nm ssh-keygen
87.Fl H
88.Op Fl f Ar known_hosts_file
89.Nm ssh-keygen
90.Fl R Ar hostname
91.Op Fl f Ar known_hosts_file
92.Nm ssh-keygen
Damien Miller37876e92003-05-15 10:19:46 +100093.Fl r Ar hostname
94.Op Fl f Ar input_keyfile
95.Op Fl g
Darren Tucker019cefe2003-08-02 22:40:07 +100096.Nm ssh-keygen
97.Fl G Ar output_file
Darren Tucker06930c72003-12-31 11:34:51 +110098.Op Fl v
Darren Tucker019cefe2003-08-02 22:40:07 +100099.Op Fl b Ar bits
100.Op Fl M Ar memory
101.Op Fl S Ar start_point
102.Nm ssh-keygen
103.Fl T Ar output_file
104.Fl f Ar input_file
Darren Tucker06930c72003-12-31 11:34:51 +1100105.Op Fl v
Darren Tucker019cefe2003-08-02 22:40:07 +1000106.Op Fl a Ar num_trials
Damien Millerdfceafe2012-07-06 13:44:19 +1000107.Op Fl J Ar num_lines
108.Op Fl j Ar start_line
Damien Miller390d0562011-10-18 16:05:19 +1100109.Op Fl K Ar checkpt
Darren Tucker019cefe2003-08-02 22:40:07 +1000110.Op Fl W Ar generator
Damien Miller0a80ca12010-02-27 07:55:05 +1100111.Nm ssh-keygen
112.Fl s Ar ca_key
113.Fl I Ar certificate_identity
114.Op Fl h
115.Op Fl n Ar principals
Damien Miller4e270b02010-04-16 15:56:21 +1000116.Op Fl O Ar option
Damien Miller0a80ca12010-02-27 07:55:05 +1100117.Op Fl V Ar validity_interval
Damien Miller4e270b02010-04-16 15:56:21 +1000118.Op Fl z Ar serial_number
Damien Miller0a80ca12010-02-27 07:55:05 +1100119.Ar
Damien Millerf2b70ca2010-03-05 07:39:35 +1100120.Nm ssh-keygen
Damien Millerf2b70ca2010-03-05 07:39:35 +1100121.Fl L
122.Op Fl f Ar input_keyfile
Damien Miller58f1baf2011-05-05 14:06:15 +1000123.Nm ssh-keygen
124.Fl A
Damien Miller15f5b562010-03-03 10:25:21 +1100125.Ek
Damien Miller22c77262000-04-13 12:26:34 +1000126.Sh DESCRIPTION
Damien Miller32aa1441999-10-29 09:15:49 +1000127.Nm
Ben Lindstrom5a707822001-04-22 17:15:46 +0000128generates, manages and converts authentication keys for
Damien Miller32aa1441999-10-29 09:15:49 +1000129.Xr ssh 1 .
Damien Millere247cc42000-05-07 12:03:14 +1000130.Nm
Damien Miller6186bbc2010-09-24 22:00:54 +1000131can create RSA keys for use by SSH protocol version 1 and DSA, ECDSA or RSA
Damien Millerfbf486b2003-05-23 18:44:23 +1000132keys for use by SSH protocol version 2.
133The type of key to be generated is specified with the
Damien Miller0bc1bd82000-11-13 22:57:25 +1100134.Fl t
Damien Millera41c8b12002-01-22 23:05:08 +1100135option.
Damien Millerf14be5c2005-11-05 15:15:49 +1100136If invoked without any arguments,
137.Nm
Damien Miller83d0d392005-11-05 15:16:27 +1100138will generate an RSA key for use in SSH protocol 2 connections.
Damien Millere247cc42000-05-07 12:03:14 +1000139.Pp
Darren Tucker019cefe2003-08-02 22:40:07 +1000140.Nm
141is also used to generate groups for use in Diffie-Hellman group
142exchange (DH-GEX).
143See the
144.Sx MODULI GENERATION
145section for details.
146.Pp
Damien Miller32aa1441999-10-29 09:15:49 +1000147Normally each user wishing to use SSH
Damien Millereb8b60e2010-08-31 22:41:14 +1000148with public key authentication runs this once to create the authentication
Damien Miller32aa1441999-10-29 09:15:49 +1000149key in
Damien Miller167ea5d2005-05-26 12:04:02 +1000150.Pa ~/.ssh/identity ,
Damien Millereb8b60e2010-08-31 22:41:14 +1000151.Pa ~/.ssh/id_ecdsa ,
Damien Miller167ea5d2005-05-26 12:04:02 +1000152.Pa ~/.ssh/id_dsa
Damien Millere247cc42000-05-07 12:03:14 +1000153or
Damien Miller167ea5d2005-05-26 12:04:02 +1000154.Pa ~/.ssh/id_rsa .
Damien Millere247cc42000-05-07 12:03:14 +1000155Additionally, the system administrator may use this to generate host keys,
156as seen in
157.Pa /etc/rc .
Damien Miller32aa1441999-10-29 09:15:49 +1000158.Pp
159Normally this program generates the key and asks for a file in which
Damien Miller450a7a12000-03-26 13:04:51 +1000160to store the private key.
161The public key is stored in a file with the same name but
Damien Miller32aa1441999-10-29 09:15:49 +1000162.Dq .pub
Damien Miller450a7a12000-03-26 13:04:51 +1000163appended.
164The program also asks for a passphrase.
165The passphrase may be empty to indicate no passphrase
Ben Lindstrombf555ba2001-01-18 02:04:35 +0000166(host keys must have an empty passphrase), or it may be a string of
Damien Miller450a7a12000-03-26 13:04:51 +1000167arbitrary length.
Ben Lindstrom4e366d52001-12-06 16:43:21 +0000168A passphrase is similar to a password, except it can be a phrase with a
169series of words, punctuation, numbers, whitespace, or any string of
170characters you want.
171Good passphrases are 10-30 characters long, are
Damien Miller32aa1441999-10-29 09:15:49 +1000172not simple sentences or otherwise easily guessable (English
Ben Lindstrom2a097a42001-06-09 01:13:40 +0000173prose has only 1-2 bits of entropy per character, and provides very bad
Ben Lindstrom4e366d52001-12-06 16:43:21 +0000174passphrases), and contain a mix of upper and lowercase letters,
175numbers, and non-alphanumeric characters.
Damien Miller450a7a12000-03-26 13:04:51 +1000176The passphrase can be changed later by using the
Damien Miller32aa1441999-10-29 09:15:49 +1000177.Fl p
178option.
179.Pp
Damien Miller450a7a12000-03-26 13:04:51 +1000180There is no way to recover a lost passphrase.
Damien Miller085c90f2011-05-05 14:15:33 +1000181If the passphrase is lost or forgotten, a new key must be generated
182and the corresponding public key copied to other machines.
Damien Miller32aa1441999-10-29 09:15:49 +1000183.Pp
Ben Lindstrom5a707822001-04-22 17:15:46 +0000184For RSA1 keys,
185there is also a comment field in the key file that is only for
Damien Miller450a7a12000-03-26 13:04:51 +1000186convenience to the user to help identify the key.
187The comment can tell what the key is for, or whatever is useful.
188The comment is initialized to
Damien Miller32aa1441999-10-29 09:15:49 +1000189.Dq user@host
190when the key is created, but can be changed using the
191.Fl c
192option.
193.Pp
Damien Millere247cc42000-05-07 12:03:14 +1000194After a key is generated, instructions below detail where the keys
195should be placed to be activated.
196.Pp
Damien Miller32aa1441999-10-29 09:15:49 +1000197The options are as follows:
198.Bl -tag -width Ds
Damien Miller58f1baf2011-05-05 14:06:15 +1000199.It Fl A
200For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys
201do not exist, generate the host keys with the default key file path,
202an empty passphrase, default bits for the key type, and default comment.
Damien Miller3ca1eb32011-05-05 14:13:50 +1000203This is used by
Damien Miller58f1baf2011-05-05 14:06:15 +1000204.Pa /etc/rc
205to generate new host keys.
Darren Tucker019cefe2003-08-02 22:40:07 +1000206.It Fl a Ar trials
207Specifies the number of primality tests to perform when screening DH-GEX
208candidates using the
209.Fl T
210command.
Damien Miller265d3092005-03-02 12:05:06 +1100211.It Fl B
212Show the bubblebabble digest of specified private or public key file.
Damien Miller32aa1441999-10-29 09:15:49 +1000213.It Fl b Ar bits
Damien Miller450a7a12000-03-26 13:04:51 +1000214Specifies the number of bits in the key to create.
Darren Tucker9f647332005-11-28 16:41:46 +1100215For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
Damien Millerac7ef6a2005-06-16 13:19:06 +1000216Generally, 2048 bits is considered sufficient.
Darren Tucker9f647332005-11-28 16:41:46 +1100217DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
Damien Millerad210322011-05-05 14:15:54 +1000218For ECDSA keys, the
219.Fl b
Damien Miller6232a162011-09-22 21:36:00 +1000220flag determines the key length by selecting from one of three elliptic
Damien Millerad210322011-05-05 14:15:54 +1000221curve sizes: 256, 384 or 521 bits.
222Attempting to use bit lengths other than these three values for ECDSA keys
223will fail.
Damien Miller265d3092005-03-02 12:05:06 +1100224.It Fl C Ar comment
225Provides a new comment.
Damien Miller32aa1441999-10-29 09:15:49 +1000226.It Fl c
227Requests changing the comment in the private and public key files.
Damien Millereb5fec62001-11-12 10:52:44 +1100228This operation is only supported for RSA1 keys.
Damien Miller32aa1441999-10-29 09:15:49 +1000229The program will prompt for the file containing the private keys, for
Ben Lindstromaafff9c2001-05-06 03:01:02 +0000230the passphrase if the key has one, and for the new comment.
Damien Miller7ea845e2010-02-12 09:21:02 +1100231.It Fl D Ar pkcs11
Damien Millera7618442010-02-12 09:26:02 +1100232Download the RSA public keys provided by the PKCS#11 shared library
233.Ar pkcs11 .
Damien Miller757f34e2010-08-05 13:05:31 +1000234When used in combination with
235.Fl s ,
236this option indicates that a CA key resides in a PKCS#11 token (see the
237.Sx CERTIFICATES
238section for details).
Ben Lindstrom5a707822001-04-22 17:15:46 +0000239.It Fl e
Ben Lindstrom46c264f2001-04-24 16:56:58 +0000240This option will read a private or public OpenSSH key file and
Damien Miller44b25042010-07-02 13:35:01 +1000241print to stdout the key in one of the formats specified by the
242.Fl m
243option.
244The default export format is
245.Dq RFC4716 .
Damien Millerea727282010-07-02 13:35:34 +1000246This option allows exporting OpenSSH keys for use by other programs, including
Damien Miller44b25042010-07-02 13:35:01 +1000247several commercial SSH implementations.
Damien Miller265d3092005-03-02 12:05:06 +1100248.It Fl F Ar hostname
249Search for the specified
250.Ar hostname
251in a
252.Pa known_hosts
253file, listing any occurrences found.
254This option is useful to find hashed host names or addresses and may also be
255used in conjunction with the
256.Fl H
257option to print found keys in a hashed format.
258.It Fl f Ar filename
259Specifies the filename of the key file.
260.It Fl G Ar output_file
261Generate candidate primes for DH-GEX.
262These primes must be screened for
263safety (using the
264.Fl T
265option) before use.
Damien Miller37876e92003-05-15 10:19:46 +1000266.It Fl g
Darren Tucker0b42e6d2004-08-13 21:22:40 +1000267Use generic DNS format when printing fingerprint resource records using the
Darren Tucker6e370372004-08-13 21:23:25 +1000268.Fl r
Darren Tucker0b42e6d2004-08-13 21:22:40 +1000269command.
Damien Miller265d3092005-03-02 12:05:06 +1100270.It Fl H
271Hash a
272.Pa known_hosts
Darren Tuckerda1adbc2005-03-14 23:15:58 +1100273file.
274This replaces all hostnames and addresses with hashed representations
275within the specified file; the original content is moved to a file with
276a .old suffix.
Damien Miller265d3092005-03-02 12:05:06 +1100277These hashes may be used normally by
278.Nm ssh
279and
280.Nm sshd ,
281but they do not reveal identifying information should the file's contents
282be disclosed.
283This option will not modify existing hashed hostnames and is therefore safe
284to use on files that mix hashed and non-hashed names.
Damien Miller0a80ca12010-02-27 07:55:05 +1100285.It Fl h
286When signing a key, create a host certificate instead of a user
287certificate.
288Please see the
289.Sx CERTIFICATES
290section for details.
Damien Miller15f5b562010-03-03 10:25:21 +1100291.It Fl I Ar certificate_identity
Damien Miller0a80ca12010-02-27 07:55:05 +1100292Specify the key identity when signing a public key.
293Please see the
294.Sx CERTIFICATES
295section for details.
Ben Lindstrom5a707822001-04-22 17:15:46 +0000296.It Fl i
297This option will read an unencrypted private (or public) key file
Damien Miller44b25042010-07-02 13:35:01 +1000298in the format specified by the
299.Fl m
300option and print an OpenSSH compatible private
Ben Lindstrom5a707822001-04-22 17:15:46 +0000301(or public) key to stdout.
Damien Millerdfceafe2012-07-06 13:44:19 +1000302.It Fl J Ar num_lines
303Exit after screening the specified number of lines
304while performing DH candidate screening using the
305.Fl T
306option.
307.It Fl j Ar start_line
308Start screening at the specified line number
309while performing DH candidate screening using the
310.Fl T
311option.
Damien Miller390d0562011-10-18 16:05:19 +1100312.It Fl K Ar checkpt
313Write the last line processed to the file
314.Ar checkpt
315while performing DH candidate screening using the
316.Fl T
317option.
318This will be used to skip lines in the input file that have already been
319processed if the job is restarted.
Damien Miller44b25042010-07-02 13:35:01 +1000320This option allows importing keys from other software, including several
321commercial SSH implementations.
322The default import format is
323.Dq RFC4716 .
Damien Millerf2b70ca2010-03-05 07:39:35 +1100324.It Fl L
325Prints the contents of a certificate.
Damien Miller10f6f6b1999-11-17 17:29:08 +1100326.It Fl l
Darren Tucker35c45532008-06-13 04:43:15 +1000327Show fingerprint of specified public key file.
Damien Millereb5fec62001-11-12 10:52:44 +1100328Private RSA1 keys are also supported.
329For RSA and DSA keys
330.Nm
Darren Tuckerf09e8252008-06-13 05:18:03 +1000331tries to find the matching public key file and prints its fingerprint.
332If combined with
333.Fl v ,
334an ASCII art representation of the key is supplied with the fingerprint.
Damien Millerea727282010-07-02 13:35:34 +1000335.It Fl M Ar memory
336Specify the amount of memory to use (in megabytes) when generating
337candidate moduli for DH-GEX.
Damien Miller44b25042010-07-02 13:35:01 +1000338.It Fl m Ar key_format
339Specify a key format for the
340.Fl i
341(import) or
342.Fl e
Damien Millerea727282010-07-02 13:35:34 +1000343(export) conversion options.
Damien Miller44b25042010-07-02 13:35:01 +1000344The supported key formats are:
345.Dq RFC4716
Damien Millerea727282010-07-02 13:35:34 +1000346(RFC 4716/SSH2 public or private key),
Damien Miller44b25042010-07-02 13:35:01 +1000347.Dq PKCS8
348(PEM PKCS8 public key)
349or
350.Dq PEM
351(PEM public key).
352The default conversion format is
353.Dq RFC4716 .
Damien Miller265d3092005-03-02 12:05:06 +1100354.It Fl N Ar new_passphrase
355Provides the new passphrase.
Damien Miller0a80ca12010-02-27 07:55:05 +1100356.It Fl n Ar principals
357Specify one or more principals (user or host names) to be included in
358a certificate when signing a key.
359Multiple principals may be specified, separated by commas.
360Please see the
361.Sx CERTIFICATES
362section for details.
Damien Miller4e270b02010-04-16 15:56:21 +1000363.It Fl O Ar option
364Specify a certificate option when signing a key.
Damien Miller0a80ca12010-02-27 07:55:05 +1100365This option may be specified multiple times.
366Please see the
367.Sx CERTIFICATES
368section for details.
Damien Miller4e270b02010-04-16 15:56:21 +1000369The options that are valid for user certificates are:
Damien Miller0a80ca12010-02-27 07:55:05 +1100370.Bl -tag -width Ds
Damien Millerc59e2442010-03-22 05:50:31 +1100371.It Ic clear
372Clear all enabled permissions.
373This is useful for clearing the default set of permissions so permissions may
374be added individually.
375.It Ic force-command Ns = Ns Ar command
376Forces the execution of
377.Ar command
378instead of any shell or command specified by the user when
379the certificate is used for authentication.
Damien Miller0a80ca12010-02-27 07:55:05 +1100380.It Ic no-agent-forwarding
381Disable
382.Xr ssh-agent 1
Damien Miller15f5b562010-03-03 10:25:21 +1100383forwarding (permitted by default).
Damien Miller0a80ca12010-02-27 07:55:05 +1100384.It Ic no-port-forwarding
Damien Miller15f5b562010-03-03 10:25:21 +1100385Disable port forwarding (permitted by default).
Damien Miller0a80ca12010-02-27 07:55:05 +1100386.It Ic no-pty
Damien Miller15f5b562010-03-03 10:25:21 +1100387Disable PTY allocation (permitted by default).
Damien Miller0a80ca12010-02-27 07:55:05 +1100388.It Ic no-user-rc
389Disable execution of
390.Pa ~/.ssh/rc
391by
Damien Miller15f5b562010-03-03 10:25:21 +1100392.Xr sshd 8
393(permitted by default).
Damien Millerc59e2442010-03-22 05:50:31 +1100394.It Ic no-x11-forwarding
395Disable X11 forwarding (permitted by default).
Damien Miller081c9762010-03-08 11:30:00 +1100396.It Ic permit-agent-forwarding
397Allows
398.Xr ssh-agent 1
399forwarding.
Damien Miller0a80ca12010-02-27 07:55:05 +1100400.It Ic permit-port-forwarding
401Allows port forwarding.
402.It Ic permit-pty
403Allows PTY allocation.
404.It Ic permit-user-rc
405Allows execution of
406.Pa ~/.ssh/rc
407by
408.Xr sshd 8 .
Damien Millerc59e2442010-03-22 05:50:31 +1100409.It Ic permit-x11-forwarding
410Allows X11 forwarding.
411.It Ic source-address Ns = Ns Ar address_list
Damien Miller77497e12010-03-22 05:50:51 +1100412Restrict the source addresses from which the certificate is considered valid.
Damien Miller0a80ca12010-02-27 07:55:05 +1100413The
414.Ar address_list
415is a comma-separated list of one or more address/netmask pairs in CIDR
416format.
417.El
418.Pp
Damien Miller4e270b02010-04-16 15:56:21 +1000419At present, no options are valid for host keys.
Damien Miller265d3092005-03-02 12:05:06 +1100420.It Fl P Ar passphrase
421Provides the (old) passphrase.
Damien Miller32aa1441999-10-29 09:15:49 +1000422.It Fl p
423Requests changing the passphrase of a private key file instead of
Damien Miller450a7a12000-03-26 13:04:51 +1000424creating a new private key.
425The program will prompt for the file
Damien Miller32aa1441999-10-29 09:15:49 +1000426containing the private key, for the old passphrase, and twice for the
427new passphrase.
428.It Fl q
429Silence
430.Nm ssh-keygen .
Damien Miller4b42d7f2005-03-01 21:48:35 +1100431.It Fl R Ar hostname
432Removes all keys belonging to
433.Ar hostname
Damien Miller4c9c6fd2005-03-02 12:03:43 +1100434from a
Damien Miller4b42d7f2005-03-01 21:48:35 +1100435.Pa known_hosts
436file.
Damien Miller4c9c6fd2005-03-02 12:03:43 +1100437This option is useful to delete hashed hosts (see the
Damien Miller4b42d7f2005-03-01 21:48:35 +1100438.Fl H
439option above).
Damien Miller265d3092005-03-02 12:05:06 +1100440.It Fl r Ar hostname
441Print the SSHFP fingerprint resource record named
442.Ar hostname
443for the specified public key file.
Darren Tucker019cefe2003-08-02 22:40:07 +1000444.It Fl S Ar start
445Specify start point (in hex) when generating candidate moduli for DH-GEX.
Damien Miller0a80ca12010-02-27 07:55:05 +1100446.It Fl s Ar ca_key
447Certify (sign) a public key using the specified CA key.
448Please see the
449.Sx CERTIFICATES
450section for details.
Darren Tucker019cefe2003-08-02 22:40:07 +1000451.It Fl T Ar output_file
452Test DH group exchange candidate primes (generated using the
453.Fl G
454option) for safety.
Damien Miller265d3092005-03-02 12:05:06 +1100455.It Fl t Ar type
456Specifies the type of key to create.
457The possible values are
458.Dq rsa1
459for protocol version 1 and
Damien Miller6186bbc2010-09-24 22:00:54 +1000460.Dq dsa ,
461.Dq ecdsa
Damien Miller265d3092005-03-02 12:05:06 +1100462or
Damien Miller6186bbc2010-09-24 22:00:54 +1000463.Dq rsa
Damien Miller265d3092005-03-02 12:05:06 +1100464for protocol version 2.
Damien Miller0a80ca12010-02-27 07:55:05 +1100465.It Fl V Ar validity_interval
466Specify a validity interval when signing a certificate.
467A validity interval may consist of a single time, indicating that the
468certificate is valid beginning now and expiring at that time, or may consist
469of two times separated by a colon to indicate an explicit time interval.
470The start time may be specified as a date in YYYYMMDD format, a time
471in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
472of a minus sign followed by a relative time in the format described in the
473.Sx TIME FORMATS
474section of
Damien Miller77497e12010-03-22 05:50:51 +1100475.Xr sshd_config 5 .
Damien Miller0a80ca12010-02-27 07:55:05 +1100476The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
477a relative time starting with a plus character.
478.Pp
479For example:
480.Dq +52w1d
481(valid from now to 52 weeks and one day from now),
482.Dq -4w:+4w
483(valid from four weeks ago to four weeks from now),
484.Dq 20100101123000:20110101123000
485(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
486.Dq -1d:20110101
487(valid from yesterday to midnight, January 1st, 2011).
Darren Tucker06930c72003-12-31 11:34:51 +1100488.It Fl v
489Verbose mode.
490Causes
491.Nm
492to print debugging messages about its progress.
493This is helpful for debugging moduli generation.
494Multiple
495.Fl v
496options increase the verbosity.
497The maximum is 3.
Damien Miller265d3092005-03-02 12:05:06 +1100498.It Fl W Ar generator
499Specify desired generator when testing candidate moduli for DH-GEX.
500.It Fl y
501This option will read a private
502OpenSSH format file and print an OpenSSH public key to stdout.
Damien Miller4e270b02010-04-16 15:56:21 +1000503.It Fl z Ar serial_number
504Specifies a serial number to be embedded in the certificate to distinguish
505this certificate from others from the same CA.
506The default serial number is zero.
Damien Miller32aa1441999-10-29 09:15:49 +1000507.El
Darren Tucker019cefe2003-08-02 22:40:07 +1000508.Sh MODULI GENERATION
509.Nm
510may be used to generate groups for the Diffie-Hellman Group Exchange
511(DH-GEX) protocol.
512Generating these groups is a two-step process: first, candidate
513primes are generated using a fast, but memory intensive process.
514These candidate primes are then tested for suitability (a CPU-intensive
515process).
516.Pp
517Generation of primes is performed using the
518.Fl G
519option.
520The desired length of the primes may be specified by the
521.Fl b
522option.
523For example:
524.Pp
Damien Miller265d3092005-03-02 12:05:06 +1100525.Dl # ssh-keygen -G moduli-2048.candidates -b 2048
Darren Tucker019cefe2003-08-02 22:40:07 +1000526.Pp
527By default, the search for primes begins at a random point in the
528desired length range.
529This may be overridden using the
530.Fl S
531option, which specifies a different start point (in hex).
532.Pp
Damien Millerdfceafe2012-07-06 13:44:19 +1000533Once a set of candidates have been generated, they must be screened for
Darren Tucker019cefe2003-08-02 22:40:07 +1000534suitability.
535This may be performed using the
536.Fl T
537option.
538In this mode
539.Nm
540will read candidates from standard input (or a file specified using the
541.Fl f
542option).
543For example:
544.Pp
Damien Miller265d3092005-03-02 12:05:06 +1100545.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
Darren Tucker019cefe2003-08-02 22:40:07 +1000546.Pp
547By default, each candidate will be subjected to 100 primality tests.
548This may be overridden using the
549.Fl a
550option.
551The DH generator value will be chosen automatically for the
552prime under consideration.
553If a specific generator is desired, it may be requested using the
554.Fl W
555option.
Damien Miller265d3092005-03-02 12:05:06 +1100556Valid generator values are 2, 3, and 5.
Darren Tucker019cefe2003-08-02 22:40:07 +1000557.Pp
558Screened DH groups may be installed in
559.Pa /etc/moduli .
560It is important that this file contains moduli of a range of bit lengths and
561that both ends of a connection share common moduli.
Damien Miller0a80ca12010-02-27 07:55:05 +1100562.Sh CERTIFICATES
563.Nm
564supports signing of keys to produce certificates that may be used for
565user or host authentication.
566Certificates consist of a public key, some identity information, zero or
Damien Miller1f181422010-04-18 08:08:03 +1000567more principal (user or host) names and a set of options that
Damien Miller0a80ca12010-02-27 07:55:05 +1100568are signed by a Certification Authority (CA) key.
569Clients or servers may then trust only the CA key and verify its signature
570on a certificate rather than trusting many user/host keys.
571Note that OpenSSH certificates are a different, and much simpler, format to
572the X.509 certificates used in
573.Xr ssl 8 .
574.Pp
575.Nm
576supports two types of certificates: user and host.
577User certificates authenticate users to servers, whereas host certificates
Damien Miller15f5b562010-03-03 10:25:21 +1100578authenticate server hosts to users.
579To generate a user certificate:
Damien Miller0a80ca12010-02-27 07:55:05 +1100580.Pp
581.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
582.Pp
583The resultant certificate will be placed in
Damien Miller1b61a282010-03-22 05:55:06 +1100584.Pa /path/to/user_key-cert.pub .
Damien Miller0a80ca12010-02-27 07:55:05 +1100585A host certificate requires the
586.Fl h
587option:
588.Pp
589.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
590.Pp
591The host certificate will be output to
Damien Miller1b61a282010-03-22 05:55:06 +1100592.Pa /path/to/host_key-cert.pub .
Damien Miller757f34e2010-08-05 13:05:31 +1000593.Pp
594It is possible to sign using a CA key stored in a PKCS#11 token by
595providing the token library using
596.Fl D
597and identifying the CA key by providing its public half as an argument
598to
599.Fl s :
600.Pp
601.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub
602.Pp
603In all cases,
Damien Miller0a80ca12010-02-27 07:55:05 +1100604.Ar key_id
605is a "key identifier" that is logged by the server when the certificate
606is used for authentication.
607.Pp
608Certificates may be limited to be valid for a set of principal (user/host)
609names.
610By default, generated certificates are valid for all users or hosts.
611To generate a certificate for a specified set of principals:
612.Pp
613.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
Damien Miller5a5d94b2010-03-22 05:57:49 +1100614.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
Damien Miller0a80ca12010-02-27 07:55:05 +1100615.Pp
616Additional limitations on the validity and use of user certificates may
Damien Miller1f181422010-04-18 08:08:03 +1000617be specified through certificate options.
Damien Miller4e270b02010-04-16 15:56:21 +1000618A certificate option may disable features of the SSH session, may be
Damien Miller0a80ca12010-02-27 07:55:05 +1100619valid only when presented from particular source addresses or may
620force the use of a specific command.
Damien Miller4e270b02010-04-16 15:56:21 +1000621For a list of valid certificate options, see the documentation for the
Damien Miller0a80ca12010-02-27 07:55:05 +1100622.Fl O
623option above.
624.Pp
625Finally, certificates may be defined with a validity lifetime.
626The
627.Fl V
628option allows specification of certificate start and end times.
629A certificate that is presented at a time outside this range will not be
630considered valid.
631By default, certificates have a maximum validity interval.
632.Pp
633For certificates to be used for user or host authentication, the CA
634public key must be trusted by
635.Xr sshd 8
636or
637.Xr ssh 1 .
638Please refer to those manual pages for details.
Damien Miller32aa1441999-10-29 09:15:49 +1000639.Sh FILES
Damien Miller6186bbc2010-09-24 22:00:54 +1000640.Bl -tag -width Ds -compact
Damien Miller167ea5d2005-05-26 12:04:02 +1000641.It Pa ~/.ssh/identity
Ben Lindstrom18a82ac2001-04-11 15:59:35 +0000642Contains the protocol version 1 RSA authentication identity of the user.
Damien Miller450a7a12000-03-26 13:04:51 +1000643This file should not be readable by anyone but the user.
644It is possible to
Damien Miller32aa1441999-10-29 09:15:49 +1000645specify a passphrase when generating the key; that passphrase will be
Damien Miller6186bbc2010-09-24 22:00:54 +1000646used to encrypt the private part of this file using 3DES.
Damien Miller450a7a12000-03-26 13:04:51 +1000647This file is not automatically accessed by
Damien Miller32aa1441999-10-29 09:15:49 +1000648.Nm
649but it is offered as the default file for the private key.
Ben Lindstrombda98b02001-07-04 03:35:24 +0000650.Xr ssh 1
Damien Millere247cc42000-05-07 12:03:14 +1000651will read this file when a login attempt is made.
Damien Miller6186bbc2010-09-24 22:00:54 +1000652.Pp
Damien Miller167ea5d2005-05-26 12:04:02 +1000653.It Pa ~/.ssh/identity.pub
Ben Lindstrom18a82ac2001-04-11 15:59:35 +0000654Contains the protocol version 1 RSA public key for authentication.
Damien Miller450a7a12000-03-26 13:04:51 +1000655The contents of this file should be added to
Damien Miller167ea5d2005-05-26 12:04:02 +1000656.Pa ~/.ssh/authorized_keys
Damien Miller32aa1441999-10-29 09:15:49 +1000657on all machines
Ben Lindstrom594e2032001-09-12 18:35:30 +0000658where the user wishes to log in using RSA authentication.
Damien Miller450a7a12000-03-26 13:04:51 +1000659There is no need to keep the contents of this file secret.
Damien Miller6186bbc2010-09-24 22:00:54 +1000660.Pp
Damien Miller167ea5d2005-05-26 12:04:02 +1000661.It Pa ~/.ssh/id_dsa
Damien Miller6186bbc2010-09-24 22:00:54 +1000662.It Pa ~/.ssh/id_ecdsa
Damien Miller167ea5d2005-05-26 12:04:02 +1000663.It Pa ~/.ssh/id_rsa
Damien Miller6186bbc2010-09-24 22:00:54 +1000664Contains the protocol version 2 DSA, ECDSA or RSA authentication identity of the user.
Ben Lindstrom18a82ac2001-04-11 15:59:35 +0000665This file should not be readable by anyone but the user.
666It is possible to
667specify a passphrase when generating the key; that passphrase will be
Darren Tucker199ee6f2009-10-24 11:50:17 +1100668used to encrypt the private part of this file using 128-bit AES.
Ben Lindstrom18a82ac2001-04-11 15:59:35 +0000669This file is not automatically accessed by
670.Nm
671but it is offered as the default file for the private key.
Ben Lindstrombda98b02001-07-04 03:35:24 +0000672.Xr ssh 1
Ben Lindstrom18a82ac2001-04-11 15:59:35 +0000673will read this file when a login attempt is made.
Damien Miller6186bbc2010-09-24 22:00:54 +1000674.Pp
675.It Pa ~/.ssh/id_dsa.pub
676.It Pa ~/.ssh/id_ecdsa.pub
Damien Miller167ea5d2005-05-26 12:04:02 +1000677.It Pa ~/.ssh/id_rsa.pub
Damien Miller6186bbc2010-09-24 22:00:54 +1000678Contains the protocol version 2 DSA, ECDSA or RSA public key for authentication.
Damien Millere247cc42000-05-07 12:03:14 +1000679The contents of this file should be added to
Damien Miller167ea5d2005-05-26 12:04:02 +1000680.Pa ~/.ssh/authorized_keys
Damien Millere247cc42000-05-07 12:03:14 +1000681on all machines
Ben Lindstrom594e2032001-09-12 18:35:30 +0000682where the user wishes to log in using public key authentication.
Damien Millere247cc42000-05-07 12:03:14 +1000683There is no need to keep the contents of this file secret.
Damien Miller6186bbc2010-09-24 22:00:54 +1000684.Pp
Darren Tucker019cefe2003-08-02 22:40:07 +1000685.It Pa /etc/moduli
686Contains Diffie-Hellman groups used for DH-GEX.
687The file format is described in
688.Xr moduli 5 .
Damien Miller37023962000-07-11 17:31:38 +1000689.El
Damien Miller32aa1441999-10-29 09:15:49 +1000690.Sh SEE ALSO
691.Xr ssh 1 ,
692.Xr ssh-add 1 ,
Damien Miller2e8b1c81999-11-15 23:33:56 +1100693.Xr ssh-agent 1 ,
Darren Tucker019cefe2003-08-02 22:40:07 +1000694.Xr moduli 5 ,
Ben Lindstrom77788dc2001-02-10 23:10:33 +0000695.Xr sshd 8
Ben Lindstrom5a707822001-04-22 17:15:46 +0000696.Rs
Damien Millerc0367fb2007-01-05 16:25:46 +1100697.%R RFC 4716
698.%T "The Secure Shell (SSH) Public Key File Format"
699.%D 2006
Ben Lindstrom5a707822001-04-22 17:15:46 +0000700.Re
Damien Millerf1ce5052003-06-11 22:04:39 +1000701.Sh AUTHORS
702OpenSSH is a derivative of the original and free
703ssh 1.2.12 release by Tatu Ylonen.
704Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
705Theo de Raadt and Dug Song
706removed many bugs, re-added newer features and
707created OpenSSH.
708Markus Friedl contributed the support for SSH
709protocol versions 1.5 and 2.0.