blob: 637dd4231ef1dae40fb0d687e0d53e38ac54ef75 [file] [log] [blame]
jmc@openbsd.org6c91d422019-09-29 16:31:57 +00001.\" $OpenBSD: ssh-keygen.1,v 1.170 2019/09/29 16:31:57 jmc Exp $
Damien Miller32aa1441999-10-29 09:15:49 +10002.\"
Damien Miller32aa1441999-10-29 09:15:49 +10003.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
Damien Miller32aa1441999-10-29 09:15:49 +10004.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\" All rights reserved
6.\"
Damien Millere4340be2000-09-16 13:29:08 +11007.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose. Any derived versions of this
9.\" software must be clearly marked as such, and if the derived work is
10.\" incompatible with the protocol description in the RFC file, it must be
11.\" called by a name other than "ssh" or "Secure Shell".
Damien Miller32aa1441999-10-29 09:15:49 +100012.\"
Damien Millere4340be2000-09-16 13:29:08 +110013.\"
Ben Lindstrom92a2e382001-03-05 06:59:27 +000014.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
15.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
16.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
Damien Millere4340be2000-09-16 13:29:08 +110017.\"
18.\" Redistribution and use in source and binary forms, with or without
19.\" modification, are permitted provided that the following conditions
20.\" are met:
21.\" 1. Redistributions of source code must retain the above copyright
22.\" notice, this list of conditions and the following disclaimer.
23.\" 2. Redistributions in binary form must reproduce the above copyright
24.\" notice, this list of conditions and the following disclaimer in the
25.\" documentation and/or other materials provided with the distribution.
26.\"
27.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Damien Miller32aa1441999-10-29 09:15:49 +100037.\"
jmc@openbsd.org6c91d422019-09-29 16:31:57 +000038.Dd $Mdocdate: September 29 2019 $
Damien Miller32aa1441999-10-29 09:15:49 +100039.Dt SSH-KEYGEN 1
40.Os
41.Sh NAME
42.Nm ssh-keygen
Ben Lindstrom5a707822001-04-22 17:15:46 +000043.Nd authentication key generation, management and conversion
Damien Miller32aa1441999-10-29 09:15:49 +100044.Sh SYNOPSIS
Damien Miller495dca32003-04-01 21:42:14 +100045.Bk -words
Damien Millerbad5e032010-07-16 13:59:59 +100046.Nm ssh-keygen
Damien Miller0bc1bd82000-11-13 22:57:25 +110047.Op Fl q
Damien Miller32aa1441999-10-29 09:15:49 +100048.Op Fl b Ar bits
jmc@openbsd.orgf10c0d32017-05-02 17:04:09 +000049.Op Fl t Cm dsa | ecdsa | ed25519 | rsa
Damien Miller32aa1441999-10-29 09:15:49 +100050.Op Fl N Ar new_passphrase
51.Op Fl C Ar comment
Damien Miller1a425f32000-09-02 10:08:09 +110052.Op Fl f Ar output_keyfile
djm@openbsd.orgecd2f332019-01-22 11:40:42 +000053.Op Fl m Ar format
Damien Miller32aa1441999-10-29 09:15:49 +100054.Nm ssh-keygen
55.Fl p
56.Op Fl P Ar old_passphrase
57.Op Fl N Ar new_passphrase
Damien Miller10f6f6b1999-11-17 17:29:08 +110058.Op Fl f Ar keyfile
djm@openbsd.orgecd2f332019-01-22 11:40:42 +000059.Op Fl m Ar format
Damien Miller32aa1441999-10-29 09:15:49 +100060.Nm ssh-keygen
Ben Lindstrom5a707822001-04-22 17:15:46 +000061.Fl i
Damien Miller44b25042010-07-02 13:35:01 +100062.Op Fl m Ar key_format
Damien Miller1a425f32000-09-02 10:08:09 +110063.Op Fl f Ar input_keyfile
Damien Millere247cc42000-05-07 12:03:14 +100064.Nm ssh-keygen
Ben Lindstrom5a707822001-04-22 17:15:46 +000065.Fl e
Damien Miller44b25042010-07-02 13:35:01 +100066.Op Fl m Ar key_format
Damien Miller1a425f32000-09-02 10:08:09 +110067.Op Fl f Ar input_keyfile
Damien Millere247cc42000-05-07 12:03:14 +100068.Nm ssh-keygen
69.Fl y
Damien Miller1a425f32000-09-02 10:08:09 +110070.Op Fl f Ar input_keyfile
Damien Millere247cc42000-05-07 12:03:14 +100071.Nm ssh-keygen
Damien Miller32aa1441999-10-29 09:15:49 +100072.Fl c
73.Op Fl P Ar passphrase
74.Op Fl C Ar comment
Damien Miller10f6f6b1999-11-17 17:29:08 +110075.Op Fl f Ar keyfile
76.Nm ssh-keygen
77.Fl l
naddy@openbsd.org6288e3a2015-02-24 15:24:05 +000078.Op Fl v
djm@openbsd.org56d1c832014-12-21 22:27:55 +000079.Op Fl E Ar fingerprint_hash
Ben Lindstrom8fd372b2001-03-12 03:02:17 +000080.Op Fl f Ar input_keyfile
81.Nm ssh-keygen
82.Fl B
Damien Miller1a425f32000-09-02 10:08:09 +110083.Op Fl f Ar input_keyfile
Ben Lindstroma1ec4a92001-08-06 21:51:34 +000084.Nm ssh-keygen
Damien Miller048dc932010-02-12 09:22:04 +110085.Fl D Ar pkcs11
Ben Lindstroma1ec4a92001-08-06 21:51:34 +000086.Nm ssh-keygen
Damien Miller4b42d7f2005-03-01 21:48:35 +110087.Fl F Ar hostname
jmc@openbsd.org6c91d422019-09-29 16:31:57 +000088.Op Fl lv
Damien Miller4b42d7f2005-03-01 21:48:35 +110089.Op Fl f Ar known_hosts_file
90.Nm ssh-keygen
91.Fl H
92.Op Fl f Ar known_hosts_file
93.Nm ssh-keygen
94.Fl R Ar hostname
95.Op Fl f Ar known_hosts_file
96.Nm ssh-keygen
Damien Miller37876e92003-05-15 10:19:46 +100097.Fl r Ar hostname
Damien Miller37876e92003-05-15 10:19:46 +100098.Op Fl g
jmc@openbsd.org6c91d422019-09-29 16:31:57 +000099.Op Fl f Ar input_keyfile
Darren Tucker019cefe2003-08-02 22:40:07 +1000100.Nm ssh-keygen
101.Fl G Ar output_file
Darren Tucker06930c72003-12-31 11:34:51 +1100102.Op Fl v
Darren Tucker019cefe2003-08-02 22:40:07 +1000103.Op Fl b Ar bits
104.Op Fl M Ar memory
105.Op Fl S Ar start_point
106.Nm ssh-keygen
107.Fl T Ar output_file
108.Fl f Ar input_file
Darren Tucker06930c72003-12-31 11:34:51 +1100109.Op Fl v
Damien Miller4f752cf2013-12-18 17:45:35 +1100110.Op Fl a Ar rounds
Damien Millerdfceafe2012-07-06 13:44:19 +1000111.Op Fl J Ar num_lines
112.Op Fl j Ar start_line
Damien Miller390d0562011-10-18 16:05:19 +1100113.Op Fl K Ar checkpt
Darren Tucker019cefe2003-08-02 22:40:07 +1000114.Op Fl W Ar generator
Damien Miller0a80ca12010-02-27 07:55:05 +1100115.Nm ssh-keygen
116.Fl s Ar ca_key
117.Fl I Ar certificate_identity
jmc@openbsd.org6c91d422019-09-29 16:31:57 +0000118.Op Fl hU
djm@openbsd.orga98339e2017-06-28 01:09:22 +0000119.Op Fl D Ar pkcs11_provider
Damien Miller0a80ca12010-02-27 07:55:05 +1100120.Op Fl n Ar principals
Damien Miller4e270b02010-04-16 15:56:21 +1000121.Op Fl O Ar option
Damien Miller0a80ca12010-02-27 07:55:05 +1100122.Op Fl V Ar validity_interval
Damien Miller4e270b02010-04-16 15:56:21 +1000123.Op Fl z Ar serial_number
Damien Miller0a80ca12010-02-27 07:55:05 +1100124.Ar
Damien Millerf2b70ca2010-03-05 07:39:35 +1100125.Nm ssh-keygen
Damien Millerf2b70ca2010-03-05 07:39:35 +1100126.Fl L
127.Op Fl f Ar input_keyfile
Damien Miller58f1baf2011-05-05 14:06:15 +1000128.Nm ssh-keygen
129.Fl A
djm@openbsd.org853edbe2017-07-07 03:53:12 +0000130.Op Fl f Ar prefix_path
Damien Millerf3747bf2013-01-18 11:44:04 +1100131.Nm ssh-keygen
132.Fl k
133.Fl f Ar krl_file
134.Op Fl u
Damien Millerac5542b2013-01-20 22:33:02 +1100135.Op Fl s Ar ca_public
136.Op Fl z Ar version_number
Damien Millerf3747bf2013-01-18 11:44:04 +1100137.Ar
138.Nm ssh-keygen
139.Fl Q
140.Fl f Ar krl_file
141.Ar
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +0000142.Nm ssh-keygen
143.Fl Y Cm sign
144.Fl f Ar key_file
145.Fl n Ar namespace
146.Ar
147.Nm ssh-keygen
148.Fl Y Cm verify
149.Fl I Ar signer_identity
djm@openbsd.org8aa2aa32019-09-16 03:23:02 +0000150.Fl f Ar allowed_signers_file
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +0000151.Fl n Ar namespace
152.Fl s Ar signature_file
153.Op Fl r Ar revocation_file
djm@openbsd.org8aa2aa32019-09-16 03:23:02 +0000154.Nm ssh-keygen
155.Fl Y Cm check-novalidate
156.Fl s Ar signature_file
157.Fl n Ar namespace
Damien Miller15f5b562010-03-03 10:25:21 +1100158.Ek
Damien Miller22c77262000-04-13 12:26:34 +1000159.Sh DESCRIPTION
Damien Miller32aa1441999-10-29 09:15:49 +1000160.Nm
Ben Lindstrom5a707822001-04-22 17:15:46 +0000161generates, manages and converts authentication keys for
Damien Miller32aa1441999-10-29 09:15:49 +1000162.Xr ssh 1 .
Damien Millere247cc42000-05-07 12:03:14 +1000163.Nm
jmc@openbsd.org2b6f7992017-05-03 06:32:02 +0000164can create keys for use by SSH protocol version 2.
jmc@openbsd.orga685ae82016-02-17 07:38:19 +0000165.Pp
Damien Millerfbf486b2003-05-23 18:44:23 +1000166The type of key to be generated is specified with the
Damien Miller0bc1bd82000-11-13 22:57:25 +1100167.Fl t
Damien Millera41c8b12002-01-22 23:05:08 +1100168option.
Damien Millerf14be5c2005-11-05 15:15:49 +1100169If invoked without any arguments,
170.Nm
naddy@openbsd.org2e9c3242017-05-05 10:41:58 +0000171will generate an RSA key.
Damien Millere247cc42000-05-07 12:03:14 +1000172.Pp
Darren Tucker019cefe2003-08-02 22:40:07 +1000173.Nm
174is also used to generate groups for use in Diffie-Hellman group
175exchange (DH-GEX).
176See the
177.Sx MODULI GENERATION
178section for details.
179.Pp
Damien Millerf3747bf2013-01-18 11:44:04 +1100180Finally,
181.Nm
182can be used to generate and update Key Revocation Lists, and to test whether
Damien Millerac5542b2013-01-20 22:33:02 +1100183given keys have been revoked by one.
184See the
Damien Millerf3747bf2013-01-18 11:44:04 +1100185.Sx KEY REVOCATION LISTS
186section for details.
187.Pp
Damien Miller32aa1441999-10-29 09:15:49 +1000188Normally each user wishing to use SSH
Damien Millereb8b60e2010-08-31 22:41:14 +1000189with public key authentication runs this once to create the authentication
Damien Miller32aa1441999-10-29 09:15:49 +1000190key in
Damien Miller8ba0ead2013-12-18 17:46:27 +1100191.Pa ~/.ssh/id_dsa ,
Damien Millereb8b60e2010-08-31 22:41:14 +1000192.Pa ~/.ssh/id_ecdsa ,
Damien Miller8ba0ead2013-12-18 17:46:27 +1100193.Pa ~/.ssh/id_ed25519
Damien Millere247cc42000-05-07 12:03:14 +1000194or
Damien Miller167ea5d2005-05-26 12:04:02 +1000195.Pa ~/.ssh/id_rsa .
Damien Millere247cc42000-05-07 12:03:14 +1000196Additionally, the system administrator may use this to generate host keys,
197as seen in
198.Pa /etc/rc .
Damien Miller32aa1441999-10-29 09:15:49 +1000199.Pp
200Normally this program generates the key and asks for a file in which
Damien Miller450a7a12000-03-26 13:04:51 +1000201to store the private key.
202The public key is stored in a file with the same name but
Damien Miller32aa1441999-10-29 09:15:49 +1000203.Dq .pub
Damien Miller450a7a12000-03-26 13:04:51 +1000204appended.
205The program also asks for a passphrase.
206The passphrase may be empty to indicate no passphrase
Ben Lindstrombf555ba2001-01-18 02:04:35 +0000207(host keys must have an empty passphrase), or it may be a string of
Damien Miller450a7a12000-03-26 13:04:51 +1000208arbitrary length.
Ben Lindstrom4e366d52001-12-06 16:43:21 +0000209A passphrase is similar to a password, except it can be a phrase with a
210series of words, punctuation, numbers, whitespace, or any string of
211characters you want.
212Good passphrases are 10-30 characters long, are
Damien Miller32aa1441999-10-29 09:15:49 +1000213not simple sentences or otherwise easily guessable (English
Ben Lindstrom2a097a42001-06-09 01:13:40 +0000214prose has only 1-2 bits of entropy per character, and provides very bad
Ben Lindstrom4e366d52001-12-06 16:43:21 +0000215passphrases), and contain a mix of upper and lowercase letters,
216numbers, and non-alphanumeric characters.
Damien Miller450a7a12000-03-26 13:04:51 +1000217The passphrase can be changed later by using the
Damien Miller32aa1441999-10-29 09:15:49 +1000218.Fl p
219option.
220.Pp
Damien Miller450a7a12000-03-26 13:04:51 +1000221There is no way to recover a lost passphrase.
Damien Miller085c90f2011-05-05 14:15:33 +1000222If the passphrase is lost or forgotten, a new key must be generated
223and the corresponding public key copied to other machines.
Damien Miller32aa1441999-10-29 09:15:49 +1000224.Pp
djm@openbsd.orgc45616a2019-01-22 11:00:15 +0000225.Nm
226will by default write keys in an OpenSSH-specific format.
227This format is preferred as it offers better protection for
228keys at rest as well as allowing storage of key comments within
229the private key file itself.
230The key comment may be useful to help identify the key.
Damien Miller450a7a12000-03-26 13:04:51 +1000231The comment is initialized to
Damien Miller32aa1441999-10-29 09:15:49 +1000232.Dq user@host
233when the key is created, but can be changed using the
234.Fl c
235option.
236.Pp
djm@openbsd.orgc45616a2019-01-22 11:00:15 +0000237It is still possible for
238.Nm
239to write the previously-used PEM format private keys using the
240.Fl m
241flag.
242This may be used when generating new keys, and existing new-format
243keys may be converted using this option in conjunction with the
244.Fl p
245(change passphrase) flag.
246.Pp
Damien Millere247cc42000-05-07 12:03:14 +1000247After a key is generated, instructions below detail where the keys
248should be placed to be activated.
249.Pp
Damien Miller32aa1441999-10-29 09:15:49 +1000250The options are as follows:
251.Bl -tag -width Ds
Damien Miller58f1baf2011-05-05 14:06:15 +1000252.It Fl A
jmc@openbsd.orgf10c0d32017-05-02 17:04:09 +0000253For each of the key types (rsa, dsa, ecdsa and ed25519)
Damien Miller8ba0ead2013-12-18 17:46:27 +1100254for which host keys
Damien Miller58f1baf2011-05-05 14:06:15 +1000255do not exist, generate the host keys with the default key file path,
256an empty passphrase, default bits for the key type, and default comment.
jmc@openbsd.orgdc44dd32017-07-08 18:32:54 +0000257If
djm@openbsd.org853edbe2017-07-07 03:53:12 +0000258.Fl f
jmc@openbsd.orgdc44dd32017-07-08 18:32:54 +0000259has also been specified, its argument is used as a prefix to the
djm@openbsd.org853edbe2017-07-07 03:53:12 +0000260default path for the resulting host key files.
Damien Miller3ca1eb32011-05-05 14:13:50 +1000261This is used by
Damien Miller58f1baf2011-05-05 14:06:15 +1000262.Pa /etc/rc
263to generate new host keys.
Damien Miller4f752cf2013-12-18 17:45:35 +1100264.It Fl a Ar rounds
jmc@openbsd.org3b44bf32019-09-27 20:03:24 +0000265When saving a private key, this option specifies the number of KDF
djm@openbsd.orged7bd5d2018-08-08 01:16:01 +0000266(key derivation function) rounds used.
Damien Miller4f752cf2013-12-18 17:45:35 +1100267Higher numbers result in slower passphrase verification and increased
268resistance to brute-force password cracking (should the keys be stolen).
269.Pp
jmc@openbsd.org2b6f7992017-05-03 06:32:02 +0000270When screening DH-GEX candidates (using the
Darren Tucker019cefe2003-08-02 22:40:07 +1000271.Fl T
jmc@openbsd.org3b44bf32019-09-27 20:03:24 +0000272command),
273this option specifies the number of primality tests to perform.
Damien Miller265d3092005-03-02 12:05:06 +1100274.It Fl B
275Show the bubblebabble digest of specified private or public key file.
Damien Miller32aa1441999-10-29 09:15:49 +1000276.It Fl b Ar bits
Damien Miller450a7a12000-03-26 13:04:51 +1000277Specifies the number of bits in the key to create.
dtucker@openbsd.orgd7c6e382019-04-19 05:47:44 +0000278For RSA keys, the minimum size is 1024 bits and the default is 3072 bits.
279Generally, 3072 bits is considered sufficient.
Darren Tucker9f647332005-11-28 16:41:46 +1100280DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
Damien Millerad210322011-05-05 14:15:54 +1000281For ECDSA keys, the
282.Fl b
Damien Miller6232a162011-09-22 21:36:00 +1000283flag determines the key length by selecting from one of three elliptic
Damien Millerad210322011-05-05 14:15:54 +1000284curve sizes: 256, 384 or 521 bits.
285Attempting to use bit lengths other than these three values for ECDSA keys
286will fail.
sobrado@openbsd.orgf70b22b2014-08-30 15:33:50 +0000287Ed25519 keys have a fixed length and the
Damien Miller8ba0ead2013-12-18 17:46:27 +1100288.Fl b
289flag will be ignored.
Damien Miller265d3092005-03-02 12:05:06 +1100290.It Fl C Ar comment
291Provides a new comment.
Damien Miller32aa1441999-10-29 09:15:49 +1000292.It Fl c
293Requests changing the comment in the private and public key files.
294The program will prompt for the file containing the private keys, for
Ben Lindstromaafff9c2001-05-06 03:01:02 +0000295the passphrase if the key has one, and for the new comment.
Damien Miller7ea845e2010-02-12 09:21:02 +1100296.It Fl D Ar pkcs11
naddy@openbsd.orgc13b7452019-03-05 16:17:12 +0000297Download the public keys provided by the PKCS#11 shared library
Damien Millera7618442010-02-12 09:26:02 +1100298.Ar pkcs11 .
Damien Miller757f34e2010-08-05 13:05:31 +1000299When used in combination with
300.Fl s ,
301this option indicates that a CA key resides in a PKCS#11 token (see the
302.Sx CERTIFICATES
303section for details).
djm@openbsd.org56d1c832014-12-21 22:27:55 +0000304.It Fl E Ar fingerprint_hash
305Specifies the hash algorithm used when displaying key fingerprints.
306Valid options are:
307.Dq md5
308and
309.Dq sha256 .
310The default is
311.Dq sha256 .
Ben Lindstrom5a707822001-04-22 17:15:46 +0000312.It Fl e
Ben Lindstrom46c264f2001-04-24 16:56:58 +0000313This option will read a private or public OpenSSH key file and
djm@openbsd.org180b5202019-01-22 11:19:42 +0000314print to stdout a public key in one of the formats specified by the
Damien Miller44b25042010-07-02 13:35:01 +1000315.Fl m
316option.
317The default export format is
318.Dq RFC4716 .
Damien Millerea727282010-07-02 13:35:34 +1000319This option allows exporting OpenSSH keys for use by other programs, including
Damien Miller44b25042010-07-02 13:35:01 +1000320several commercial SSH implementations.
djm@openbsd.org737e4ed2018-12-07 03:32:26 +0000321.It Fl F Ar hostname | [hostname]:port
Damien Miller265d3092005-03-02 12:05:06 +1100322Search for the specified
323.Ar hostname
djm@openbsd.org737e4ed2018-12-07 03:32:26 +0000324(with optional port number)
Damien Miller265d3092005-03-02 12:05:06 +1100325in a
326.Pa known_hosts
327file, listing any occurrences found.
328This option is useful to find hashed host names or addresses and may also be
329used in conjunction with the
330.Fl H
331option to print found keys in a hashed format.
332.It Fl f Ar filename
333Specifies the filename of the key file.
334.It Fl G Ar output_file
335Generate candidate primes for DH-GEX.
336These primes must be screened for
337safety (using the
338.Fl T
339option) before use.
Damien Miller37876e92003-05-15 10:19:46 +1000340.It Fl g
Darren Tucker0b42e6d2004-08-13 21:22:40 +1000341Use generic DNS format when printing fingerprint resource records using the
Darren Tucker6e370372004-08-13 21:23:25 +1000342.Fl r
Darren Tucker0b42e6d2004-08-13 21:22:40 +1000343command.
Damien Miller265d3092005-03-02 12:05:06 +1100344.It Fl H
345Hash a
346.Pa known_hosts
Darren Tuckerda1adbc2005-03-14 23:15:58 +1100347file.
348This replaces all hostnames and addresses with hashed representations
349within the specified file; the original content is moved to a file with
350a .old suffix.
Damien Miller265d3092005-03-02 12:05:06 +1100351These hashes may be used normally by
352.Nm ssh
353and
354.Nm sshd ,
355but they do not reveal identifying information should the file's contents
356be disclosed.
357This option will not modify existing hashed hostnames and is therefore safe
358to use on files that mix hashed and non-hashed names.
Damien Miller0a80ca12010-02-27 07:55:05 +1100359.It Fl h
360When signing a key, create a host certificate instead of a user
361certificate.
362Please see the
363.Sx CERTIFICATES
364section for details.
Damien Miller15f5b562010-03-03 10:25:21 +1100365.It Fl I Ar certificate_identity
Damien Miller0a80ca12010-02-27 07:55:05 +1100366Specify the key identity when signing a public key.
367Please see the
368.Sx CERTIFICATES
369section for details.
Ben Lindstrom5a707822001-04-22 17:15:46 +0000370.It Fl i
371This option will read an unencrypted private (or public) key file
Damien Miller44b25042010-07-02 13:35:01 +1000372in the format specified by the
373.Fl m
374option and print an OpenSSH compatible private
Ben Lindstrom5a707822001-04-22 17:15:46 +0000375(or public) key to stdout.
Damien Miller43b156c2014-04-20 13:23:03 +1000376This option allows importing keys from other software, including several
377commercial SSH implementations.
378The default import format is
379.Dq RFC4716 .
Damien Millerdfceafe2012-07-06 13:44:19 +1000380.It Fl J Ar num_lines
381Exit after screening the specified number of lines
382while performing DH candidate screening using the
383.Fl T
384option.
385.It Fl j Ar start_line
386Start screening at the specified line number
387while performing DH candidate screening using the
388.Fl T
389option.
Damien Miller390d0562011-10-18 16:05:19 +1100390.It Fl K Ar checkpt
391Write the last line processed to the file
392.Ar checkpt
393while performing DH candidate screening using the
394.Fl T
395option.
396This will be used to skip lines in the input file that have already been
397processed if the job is restarted.
Damien Millerf3747bf2013-01-18 11:44:04 +1100398.It Fl k
399Generate a KRL file.
400In this mode,
401.Nm
402will generate a KRL file at the location specified via the
403.Fl f
Damien Miller881a7a22013-01-20 22:34:46 +1100404flag that revokes every key or certificate presented on the command line.
Damien Millerf3747bf2013-01-18 11:44:04 +1100405Keys/certificates to be revoked may be specified by public key file or
406using the format described in the
407.Sx KEY REVOCATION LISTS
408section.
Damien Millerf2b70ca2010-03-05 07:39:35 +1100409.It Fl L
djm@openbsd.org94bc0b72015-11-13 04:34:15 +0000410Prints the contents of one or more certificates.
Damien Miller10f6f6b1999-11-17 17:29:08 +1100411.It Fl l
Darren Tucker35c45532008-06-13 04:43:15 +1000412Show fingerprint of specified public key file.
Damien Millereb5fec62001-11-12 10:52:44 +1100413For RSA and DSA keys
414.Nm
Darren Tuckerf09e8252008-06-13 05:18:03 +1000415tries to find the matching public key file and prints its fingerprint.
416If combined with
417.Fl v ,
jmc@openbsd.org92838842016-05-03 18:38:12 +0000418a visual ASCII art representation of the key is supplied with the
djm@openbsd.orgcdcd9412016-05-03 14:54:08 +0000419fingerprint.
Damien Millerea727282010-07-02 13:35:34 +1000420.It Fl M Ar memory
421Specify the amount of memory to use (in megabytes) when generating
422candidate moduli for DH-GEX.
Damien Miller44b25042010-07-02 13:35:01 +1000423.It Fl m Ar key_format
djm@openbsd.orgecd2f332019-01-22 11:40:42 +0000424Specify a key format for key generation, the
Damien Miller44b25042010-07-02 13:35:01 +1000425.Fl i
djm@openbsd.orgecd2f332019-01-22 11:40:42 +0000426(import),
Damien Miller44b25042010-07-02 13:35:01 +1000427.Fl e
djm@openbsd.orgecd2f332019-01-22 11:40:42 +0000428(export) conversion options, and the
429.Fl p
430change passphrase operation.
431The latter may be used to convert between OpenSSH private key and PEM
432private key formats.
Damien Miller44b25042010-07-02 13:35:01 +1000433The supported key formats are:
434.Dq RFC4716
Damien Millerea727282010-07-02 13:35:34 +1000435(RFC 4716/SSH2 public or private key),
Damien Miller44b25042010-07-02 13:35:01 +1000436.Dq PKCS8
djm@openbsd.orgeb0d8e72019-07-15 13:16:29 +0000437(PKCS8 public or private key)
Damien Miller44b25042010-07-02 13:35:01 +1000438or
439.Dq PEM
440(PEM public key).
djm@openbsd.orgeb0d8e72019-07-15 13:16:29 +0000441By default OpenSSH will write newly-generated private keys in its own
442format, but when converting public keys for export the default format is
Damien Miller44b25042010-07-02 13:35:01 +1000443.Dq RFC4716 .
djm@openbsd.orged7bd5d2018-08-08 01:16:01 +0000444Setting a format of
445.Dq PEM
446when generating or updating a supported private key type will cause the
447key to be stored in the legacy PEM private key format.
Damien Miller265d3092005-03-02 12:05:06 +1100448.It Fl N Ar new_passphrase
449Provides the new passphrase.
Damien Miller0a80ca12010-02-27 07:55:05 +1100450.It Fl n Ar principals
451Specify one or more principals (user or host names) to be included in
452a certificate when signing a key.
453Multiple principals may be specified, separated by commas.
454Please see the
455.Sx CERTIFICATES
456section for details.
Damien Miller4e270b02010-04-16 15:56:21 +1000457.It Fl O Ar option
458Specify a certificate option when signing a key.
Damien Miller0a80ca12010-02-27 07:55:05 +1100459This option may be specified multiple times.
jmc@openbsd.org6b848972017-05-02 07:13:31 +0000460See also the
Damien Miller0a80ca12010-02-27 07:55:05 +1100461.Sx CERTIFICATES
jmc@openbsd.org6b848972017-05-02 07:13:31 +0000462section for further details.
djm@openbsd.org130283d2018-01-25 03:34:43 +0000463.Pp
464At present, no standard options are valid for host keys.
Damien Miller4e270b02010-04-16 15:56:21 +1000465The options that are valid for user certificates are:
jmc@openbsd.org6b848972017-05-02 07:13:31 +0000466.Pp
467.Bl -tag -width Ds -compact
Damien Millerc59e2442010-03-22 05:50:31 +1100468.It Ic clear
469Clear all enabled permissions.
470This is useful for clearing the default set of permissions so permissions may
471be added individually.
jmc@openbsd.org6b848972017-05-02 07:13:31 +0000472.Pp
jmc@openbsd.orgd4084cd2017-04-29 06:06:01 +0000473.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
jmc@openbsd.org6b848972017-05-02 07:13:31 +0000474.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
475Includes an arbitrary certificate critical option or extension.
476The specified
djm@openbsd.org249516e2017-04-29 04:12:25 +0000477.Ar name
jmc@openbsd.orgd4084cd2017-04-29 06:06:01 +0000478should include a domain suffix, e.g.\&
djm@openbsd.org249516e2017-04-29 04:12:25 +0000479.Dq name@example.com .
jmc@openbsd.orgd4084cd2017-04-29 06:06:01 +0000480If
djm@openbsd.org249516e2017-04-29 04:12:25 +0000481.Ar contents
482is specified then it is included as the contents of the extension/option
483encoded as a string, otherwise the extension/option is created with no
484contents (usually indicating a flag).
485Extensions may be ignored by a client or server that does not recognise them,
486whereas unknown critical options will cause the certificate to be refused.
jmc@openbsd.org6b848972017-05-02 07:13:31 +0000487.Pp
488.It Ic force-command Ns = Ns Ar command
489Forces the execution of
490.Ar command
491instead of any shell or command specified by the user when
492the certificate is used for authentication.
493.Pp
494.It Ic no-agent-forwarding
495Disable
496.Xr ssh-agent 1
497forwarding (permitted by default).
498.Pp
499.It Ic no-port-forwarding
500Disable port forwarding (permitted by default).
501.Pp
502.It Ic no-pty
503Disable PTY allocation (permitted by default).
504.Pp
505.It Ic no-user-rc
506Disable execution of
507.Pa ~/.ssh/rc
508by
509.Xr sshd 8
510(permitted by default).
511.Pp
512.It Ic no-x11-forwarding
513Disable X11 forwarding (permitted by default).
514.Pp
515.It Ic permit-agent-forwarding
516Allows
517.Xr ssh-agent 1
518forwarding.
519.Pp
520.It Ic permit-port-forwarding
521Allows port forwarding.
522.Pp
523.It Ic permit-pty
524Allows PTY allocation.
525.Pp
526.It Ic permit-user-rc
527Allows execution of
528.Pa ~/.ssh/rc
529by
530.Xr sshd 8 .
531.Pp
djm@openbsd.org130283d2018-01-25 03:34:43 +0000532.It Ic permit-X11-forwarding
jmc@openbsd.org6b848972017-05-02 07:13:31 +0000533Allows X11 forwarding.
534.Pp
535.It Ic source-address Ns = Ns Ar address_list
536Restrict the source addresses from which the certificate is considered valid.
537The
538.Ar address_list
539is a comma-separated list of one or more address/netmask pairs in CIDR
540format.
541.El
Damien Miller265d3092005-03-02 12:05:06 +1100542.It Fl P Ar passphrase
543Provides the (old) passphrase.
Damien Miller32aa1441999-10-29 09:15:49 +1000544.It Fl p
545Requests changing the passphrase of a private key file instead of
Damien Miller450a7a12000-03-26 13:04:51 +1000546creating a new private key.
547The program will prompt for the file
Damien Miller32aa1441999-10-29 09:15:49 +1000548containing the private key, for the old passphrase, and twice for the
549new passphrase.
Damien Miller072fdcd2013-01-20 22:34:04 +1100550.It Fl Q
551Test whether keys have been revoked in a KRL.
Damien Miller32aa1441999-10-29 09:15:49 +1000552.It Fl q
553Silence
554.Nm ssh-keygen .
djm@openbsd.org63bba572018-12-07 03:33:18 +0000555.It Fl R Ar hostname | [hostname]:port
djm@openbsd.org737e4ed2018-12-07 03:32:26 +0000556Removes all keys belonging to the specified
Damien Miller4b42d7f2005-03-01 21:48:35 +1100557.Ar hostname
djm@openbsd.org737e4ed2018-12-07 03:32:26 +0000558(with optional port number)
Damien Miller4c9c6fd2005-03-02 12:03:43 +1100559from a
Damien Miller4b42d7f2005-03-01 21:48:35 +1100560.Pa known_hosts
561file.
Damien Miller4c9c6fd2005-03-02 12:03:43 +1100562This option is useful to delete hashed hosts (see the
Damien Miller4b42d7f2005-03-01 21:48:35 +1100563.Fl H
564option above).
Damien Miller265d3092005-03-02 12:05:06 +1100565.It Fl r Ar hostname
566Print the SSHFP fingerprint resource record named
567.Ar hostname
568for the specified public key file.
Darren Tucker019cefe2003-08-02 22:40:07 +1000569.It Fl S Ar start
570Specify start point (in hex) when generating candidate moduli for DH-GEX.
Damien Miller0a80ca12010-02-27 07:55:05 +1100571.It Fl s Ar ca_key
572Certify (sign) a public key using the specified CA key.
573Please see the
574.Sx CERTIFICATES
575section for details.
Damien Millerf3747bf2013-01-18 11:44:04 +1100576.Pp
577When generating a KRL,
578.Fl s
Damien Millerac5542b2013-01-20 22:33:02 +1100579specifies a path to a CA public key file used to revoke certificates directly
Damien Millerf3747bf2013-01-18 11:44:04 +1100580by key ID or serial number.
581See the
582.Sx KEY REVOCATION LISTS
583section for details.
Darren Tucker019cefe2003-08-02 22:40:07 +1000584.It Fl T Ar output_file
585Test DH group exchange candidate primes (generated using the
586.Fl G
587option) for safety.
jmc@openbsd.orgf10c0d32017-05-02 17:04:09 +0000588.It Fl t Cm dsa | ecdsa | ed25519 | rsa
Damien Miller265d3092005-03-02 12:05:06 +1100589Specifies the type of key to create.
590The possible values are
Damien Miller6186bbc2010-09-24 22:00:54 +1000591.Dq dsa ,
Damien Miller8ba0ead2013-12-18 17:46:27 +1100592.Dq ecdsa ,
593.Dq ed25519 ,
Damien Miller265d3092005-03-02 12:05:06 +1100594or
jmc@openbsd.orgf10c0d32017-05-02 17:04:09 +0000595.Dq rsa .
djm@openbsd.org476e3552019-05-20 00:20:35 +0000596.Pp
597This flag may also be used to specify the desired signature type when
jmc@openbsd.org85ceb0e2019-05-20 06:01:59 +0000598signing certificates using an RSA CA key.
djm@openbsd.org476e3552019-05-20 00:20:35 +0000599The available RSA signature variants are
600.Dq ssh-rsa
601(SHA1 signatures, not recommended),
jmc@openbsd.org85ceb0e2019-05-20 06:01:59 +0000602.Dq rsa-sha2-256 ,
603and
djm@openbsd.org476e3552019-05-20 00:20:35 +0000604.Dq rsa-sha2-512
605(the default).
djm@openbsd.orga98339e2017-06-28 01:09:22 +0000606.It Fl U
607When used in combination with
608.Fl s ,
609this option indicates that a CA key resides in a
610.Xr ssh-agent 1 .
611See the
612.Sx CERTIFICATES
613section for more information.
Damien Millerac5542b2013-01-20 22:33:02 +1100614.It Fl u
615Update a KRL.
616When specified with
617.Fl k ,
Damien Miller881a7a22013-01-20 22:34:46 +1100618keys listed via the command line are added to the existing KRL rather than
Damien Millerac5542b2013-01-20 22:33:02 +1100619a new KRL being created.
Damien Miller0a80ca12010-02-27 07:55:05 +1100620.It Fl V Ar validity_interval
621Specify a validity interval when signing a certificate.
622A validity interval may consist of a single time, indicating that the
623certificate is valid beginning now and expiring at that time, or may consist
624of two times separated by a colon to indicate an explicit time interval.
djm@openbsd.org@openbsd.orgd52131a2017-11-03 05:14:04 +0000625.Pp
626The start time may be specified as the string
627.Dq always
628to indicate the certificate has no specified start time,
djm@openbsd.orgbf0fbf22018-03-12 00:52:01 +0000629a date in YYYYMMDD format, a time in YYYYMMDDHHMM[SS] format,
djm@openbsd.org@openbsd.orgd52131a2017-11-03 05:14:04 +0000630a relative time (to the current time) consisting of a minus sign followed by
631an interval in the format described in the
Damien Millerfecfd112013-07-18 16:11:50 +1000632TIME FORMATS section of
Damien Miller77497e12010-03-22 05:50:51 +1100633.Xr sshd_config 5 .
djm@openbsd.org@openbsd.orgd52131a2017-11-03 05:14:04 +0000634.Pp
djm@openbsd.orgbf0fbf22018-03-12 00:52:01 +0000635The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMM[SS] time,
djm@openbsd.org@openbsd.orgd52131a2017-11-03 05:14:04 +0000636a relative time starting with a plus character or the string
637.Dq forever
638to indicate that the certificate has no expirty date.
Damien Miller0a80ca12010-02-27 07:55:05 +1100639.Pp
640For example:
641.Dq +52w1d
642(valid from now to 52 weeks and one day from now),
643.Dq -4w:+4w
644(valid from four weeks ago to four weeks from now),
645.Dq 20100101123000:20110101123000
646(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
647.Dq -1d:20110101
648(valid from yesterday to midnight, January 1st, 2011).
djm@openbsd.org@openbsd.orgd52131a2017-11-03 05:14:04 +0000649.Dq -1m:forever
650(valid from one minute ago and never expiring).
Darren Tucker06930c72003-12-31 11:34:51 +1100651.It Fl v
652Verbose mode.
653Causes
654.Nm
655to print debugging messages about its progress.
656This is helpful for debugging moduli generation.
657Multiple
658.Fl v
659options increase the verbosity.
660The maximum is 3.
Damien Miller265d3092005-03-02 12:05:06 +1100661.It Fl W Ar generator
662Specify desired generator when testing candidate moduli for DH-GEX.
663.It Fl y
664This option will read a private
665OpenSSH format file and print an OpenSSH public key to stdout.
jmc@openbsd.orgf23d91f2019-09-05 05:47:23 +0000666.It Fl Y Cm sign
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +0000667Cryptographically sign a file or some data using a SSH key.
668When signing,
669.Nm
670accepts zero or more files to sign on the command-line - if no files
671are specified then
672.Nm
673will sign data presented on standard input.
674Signatures are written to the path of the input file with
675.Dq .sig
676appended, or to standard output if the message to be signed was read from
677standard input.
678.Pp
679The key used for signing is specified using the
680.Fl f
681option and may refer to either a private key, or a public key with the private
682half available via
683.Xr ssh-agent 1 .
684An additional signature namespace, used to prevent signature confusion across
685different domains of use (e.g. file signing vs email signing) must be provided
686via the
687.Fl n
688flag.
689Namespaces are arbitrary strings, and may include:
690.Dq file
691for file signing,
692.Dq email
693for email signing.
694For custom uses, it is recommended to use names following a
695NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces.
jmc@openbsd.orgf23d91f2019-09-05 05:47:23 +0000696.It Fl Y Cm verify
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +0000697Request to verify a signature generated using
698.Nm
jmc@openbsd.orgf23d91f2019-09-05 05:47:23 +0000699.Fl Y Cm sign
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +0000700as described above.
701When verifying a signature,
702.Nm
703accepts a message on standard input and a signature namespace using
704.Fl n .
705A file containing the corresponding signature must also be supplied using the
706.Fl s
707flag, along with the identity of the signer using
708.Fl I
709and a list of allowed signers via the
710.Fl f
711flag.
712The format of the allowed signers file is documented in the
713.Sx ALLOWED SIGNERS
714section below.
715A file containing revoked keys can be passed using the
716.Fl r
jmc@openbsd.orgdb1e6f62019-09-04 05:56:54 +0000717flag.
718The revocation file may be a KRL or a one-per-line list of public keys.
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +0000719Successful verification by an authorized signer is signalled by
720.Nm
djm@openbsd.org8aa2aa32019-09-16 03:23:02 +0000721.It Fl Y Cm check-novalidate
722Checks that a signature generated using
723.Nm
724.Fl Y Cm sign
725has a valid structure.
726This does not validate if a signature comes from an authorized signer.
727When testing a signature,
728.Nm
729accepts a message on standard input and a signature namespace using
730.Fl n .
731A file containing the corresponding signature must also be supplied using the
732.Fl s
jmc@openbsd.org90d4b252019-09-20 18:50:58 +0000733flag.
734Successful testing of the signature is signalled by
djm@openbsd.org8aa2aa32019-09-16 03:23:02 +0000735.Nm
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +0000736returning a zero exit status.
Damien Miller4e270b02010-04-16 15:56:21 +1000737.It Fl z Ar serial_number
738Specifies a serial number to be embedded in the certificate to distinguish
739this certificate from others from the same CA.
djm@openbsd.orgbe063942019-01-23 04:51:02 +0000740If the
741.Ar serial_number
742is prefixed with a
743.Sq +
744character, then the serial number will be incremented for each certificate
745signed on a single command-line.
Damien Miller4e270b02010-04-16 15:56:21 +1000746The default serial number is zero.
Damien Millerf3747bf2013-01-18 11:44:04 +1100747.Pp
748When generating a KRL, the
749.Fl z
750flag is used to specify a KRL version number.
Damien Miller32aa1441999-10-29 09:15:49 +1000751.El
Darren Tucker019cefe2003-08-02 22:40:07 +1000752.Sh MODULI GENERATION
753.Nm
754may be used to generate groups for the Diffie-Hellman Group Exchange
755(DH-GEX) protocol.
756Generating these groups is a two-step process: first, candidate
757primes are generated using a fast, but memory intensive process.
758These candidate primes are then tested for suitability (a CPU-intensive
759process).
760.Pp
761Generation of primes is performed using the
762.Fl G
763option.
764The desired length of the primes may be specified by the
765.Fl b
766option.
767For example:
768.Pp
Damien Miller265d3092005-03-02 12:05:06 +1100769.Dl # ssh-keygen -G moduli-2048.candidates -b 2048
Darren Tucker019cefe2003-08-02 22:40:07 +1000770.Pp
771By default, the search for primes begins at a random point in the
772desired length range.
773This may be overridden using the
774.Fl S
775option, which specifies a different start point (in hex).
776.Pp
Damien Millerdfceafe2012-07-06 13:44:19 +1000777Once a set of candidates have been generated, they must be screened for
Darren Tucker019cefe2003-08-02 22:40:07 +1000778suitability.
779This may be performed using the
780.Fl T
781option.
782In this mode
783.Nm
784will read candidates from standard input (or a file specified using the
785.Fl f
786option).
787For example:
788.Pp
Damien Miller265d3092005-03-02 12:05:06 +1100789.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
Darren Tucker019cefe2003-08-02 22:40:07 +1000790.Pp
791By default, each candidate will be subjected to 100 primality tests.
792This may be overridden using the
793.Fl a
794option.
795The DH generator value will be chosen automatically for the
796prime under consideration.
797If a specific generator is desired, it may be requested using the
798.Fl W
799option.
Damien Miller265d3092005-03-02 12:05:06 +1100800Valid generator values are 2, 3, and 5.
Darren Tucker019cefe2003-08-02 22:40:07 +1000801.Pp
802Screened DH groups may be installed in
803.Pa /etc/moduli .
804It is important that this file contains moduli of a range of bit lengths and
805that both ends of a connection share common moduli.
Damien Miller0a80ca12010-02-27 07:55:05 +1100806.Sh CERTIFICATES
807.Nm
808supports signing of keys to produce certificates that may be used for
809user or host authentication.
810Certificates consist of a public key, some identity information, zero or
Damien Miller1f181422010-04-18 08:08:03 +1000811more principal (user or host) names and a set of options that
Damien Miller0a80ca12010-02-27 07:55:05 +1100812are signed by a Certification Authority (CA) key.
813Clients or servers may then trust only the CA key and verify its signature
814on a certificate rather than trusting many user/host keys.
815Note that OpenSSH certificates are a different, and much simpler, format to
816the X.509 certificates used in
817.Xr ssl 8 .
818.Pp
819.Nm
820supports two types of certificates: user and host.
821User certificates authenticate users to servers, whereas host certificates
Damien Miller15f5b562010-03-03 10:25:21 +1100822authenticate server hosts to users.
823To generate a user certificate:
Damien Miller0a80ca12010-02-27 07:55:05 +1100824.Pp
825.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
826.Pp
827The resultant certificate will be placed in
Damien Miller1b61a282010-03-22 05:55:06 +1100828.Pa /path/to/user_key-cert.pub .
Damien Miller0a80ca12010-02-27 07:55:05 +1100829A host certificate requires the
830.Fl h
831option:
832.Pp
833.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
834.Pp
835The host certificate will be output to
Damien Miller1b61a282010-03-22 05:55:06 +1100836.Pa /path/to/host_key-cert.pub .
Damien Miller757f34e2010-08-05 13:05:31 +1000837.Pp
838It is possible to sign using a CA key stored in a PKCS#11 token by
839providing the token library using
840.Fl D
841and identifying the CA key by providing its public half as an argument
842to
843.Fl s :
844.Pp
naddy@openbsd.org05291e52015-08-20 19:20:06 +0000845.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
Damien Miller757f34e2010-08-05 13:05:31 +1000846.Pp
djm@openbsd.orga98339e2017-06-28 01:09:22 +0000847Similarly, it is possible for the CA key to be hosted in a
848.Xr ssh-agent 1 .
849This is indicated by the
850.Fl U
851flag and, again, the CA key must be identified by its public half.
852.Pp
853.Dl $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub
854.Pp
Damien Miller757f34e2010-08-05 13:05:31 +1000855In all cases,
Damien Miller0a80ca12010-02-27 07:55:05 +1100856.Ar key_id
857is a "key identifier" that is logged by the server when the certificate
858is used for authentication.
859.Pp
860Certificates may be limited to be valid for a set of principal (user/host)
861names.
862By default, generated certificates are valid for all users or hosts.
863To generate a certificate for a specified set of principals:
864.Pp
865.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
naddy@openbsd.org05291e52015-08-20 19:20:06 +0000866.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub"
Damien Miller0a80ca12010-02-27 07:55:05 +1100867.Pp
868Additional limitations on the validity and use of user certificates may
Damien Miller1f181422010-04-18 08:08:03 +1000869be specified through certificate options.
Damien Miller4e270b02010-04-16 15:56:21 +1000870A certificate option may disable features of the SSH session, may be
Damien Miller0a80ca12010-02-27 07:55:05 +1100871valid only when presented from particular source addresses or may
872force the use of a specific command.
Damien Miller4e270b02010-04-16 15:56:21 +1000873For a list of valid certificate options, see the documentation for the
Damien Miller0a80ca12010-02-27 07:55:05 +1100874.Fl O
875option above.
876.Pp
877Finally, certificates may be defined with a validity lifetime.
878The
879.Fl V
880option allows specification of certificate start and end times.
881A certificate that is presented at a time outside this range will not be
882considered valid.
Darren Tucker3ee50c52012-09-06 21:18:11 +1000883By default, certificates are valid from
884.Ux
885Epoch to the distant future.
Damien Miller0a80ca12010-02-27 07:55:05 +1100886.Pp
887For certificates to be used for user or host authentication, the CA
888public key must be trusted by
889.Xr sshd 8
890or
891.Xr ssh 1 .
892Please refer to those manual pages for details.
Damien Millerf3747bf2013-01-18 11:44:04 +1100893.Sh KEY REVOCATION LISTS
894.Nm
895is able to manage OpenSSH format Key Revocation Lists (KRLs).
896These binary files specify keys or certificates to be revoked using a
Damien Miller13797712013-12-29 17:47:14 +1100897compact format, taking as little as one bit per certificate if they are being
Damien Millerf3747bf2013-01-18 11:44:04 +1100898revoked by serial number.
899.Pp
900KRLs may be generated using the
901.Fl k
902flag.
Damien Miller881a7a22013-01-20 22:34:46 +1100903This option reads one or more files from the command line and generates a new
Damien Millerf3747bf2013-01-18 11:44:04 +1100904KRL.
905The files may either contain a KRL specification (see below) or public keys,
906listed one per line.
907Plain public keys are revoked by listing their hash or contents in the KRL and
908certificates revoked by serial number or key ID (if the serial is zero or
909not available).
910.Pp
911Revoking keys using a KRL specification offers explicit control over the
912types of record used to revoke keys and may be used to directly revoke
913certificates by serial number or key ID without having the complete original
914certificate on hand.
915A KRL specification consists of lines containing one of the following directives
916followed by a colon and some directive-specific information.
917.Bl -tag -width Ds
Damien Millera0a7ee82013-01-20 22:35:06 +1100918.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
Damien Millerf3747bf2013-01-18 11:44:04 +1100919Revokes a certificate with the specified serial number.
Damien Millerac5542b2013-01-20 22:33:02 +1100920Serial numbers are 64-bit values, not including zero and may be expressed
Damien Millerf3747bf2013-01-18 11:44:04 +1100921in decimal, hex or octal.
922If two serial numbers are specified separated by a hyphen, then the range
923of serial numbers including and between each is revoked.
924The CA key must have been specified on the
925.Nm
Damien Miller881a7a22013-01-20 22:34:46 +1100926command line using the
Damien Millerf3747bf2013-01-18 11:44:04 +1100927.Fl s
928option.
929.It Cm id : Ar key_id
930Revokes a certificate with the specified key ID string.
931The CA key must have been specified on the
932.Nm
Damien Miller881a7a22013-01-20 22:34:46 +1100933command line using the
Damien Millerf3747bf2013-01-18 11:44:04 +1100934.Fl s
935option.
936.It Cm key : Ar public_key
937Revokes the specified key.
Damien Millerac5542b2013-01-20 22:33:02 +1100938If a certificate is listed, then it is revoked as a plain public key.
Damien Millerf3747bf2013-01-18 11:44:04 +1100939.It Cm sha1 : Ar public_key
djm@openbsd.org9405c622018-09-12 01:21:34 +0000940Revokes the specified key by including its SHA1 hash in the KRL.
941.It Cm sha256 : Ar public_key
942Revokes the specified key by including its SHA256 hash in the KRL.
943KRLs that revoke keys by SHA256 hash are not supported by OpenSSH versions
944prior to 7.9.
945.It Cm hash : Ar fingerprint
djm@openbsd.orgf0fcd7e2018-09-12 06:18:59 +0000946Revokes a key using a fingerprint hash, as obtained from a
djm@openbsd.org9405c622018-09-12 01:21:34 +0000947.Xr sshd 8
948authentication log message or the
949.Nm
950.Fl l
951flag.
952Only SHA256 fingerprints are supported here and resultant KRLs are
953not supported by OpenSSH versions prior to 7.9.
Damien Millerf3747bf2013-01-18 11:44:04 +1100954.El
955.Pp
956KRLs may be updated using the
957.Fl u
958flag in addition to
959.Fl k .
Damien Miller881a7a22013-01-20 22:34:46 +1100960When this option is specified, keys listed via the command line are merged into
Damien Millerf3747bf2013-01-18 11:44:04 +1100961the KRL, adding to those already there.
962.Pp
963It is also possible, given a KRL, to test whether it revokes a particular key
964(or keys).
965The
966.Fl Q
jmc@openbsd.org8b290082015-11-05 09:48:05 +0000967flag will query an existing KRL, testing each key specified on the command line.
Damien Miller881a7a22013-01-20 22:34:46 +1100968If any key listed on the command line has been revoked (or an error encountered)
Damien Millerf3747bf2013-01-18 11:44:04 +1100969then
970.Nm
971will exit with a non-zero exit status.
972A zero exit status will only be returned if no key was revoked.
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +0000973.Sh ALLOWED SIGNERS
974When verifying signatures,
975.Nm
976uses a simple list of identities and keys to determine whether a signature
977comes from an authorized source.
978This "allowed signers" file uses a format patterned after the
979AUTHORIZED_KEYS FILE FORMAT described in
jmc@openbsd.orgdb1e6f62019-09-04 05:56:54 +0000980.Xr sshd 8 .
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +0000981Each line of the file contains the following space-separated fields:
982principals, options, keytype, base64-encoded key.
983Empty lines and lines starting with a
984.Ql #
985are ignored as comments.
986.Pp
987The principals field is a pattern-list (See PATTERNS in
988.Xr ssh_config 5 )
989consisting of one or more comma-separated USER@DOMAIN identity patterns
990that are accepted for signing.
991When verifying, the identity presented via the
992.Fl I option
993must match a principals pattern in order for the corresponding key to be
994considered acceptable for verification.
995.Pp
996The options (if present) consist of comma-separated option specifications.
997No spaces are permitted, except within double quotes.
998The following option specifications are supported (note that option keywords
999are case-insensitive):
1000.Bl -tag -width Ds
1001.It Cm cert-authority
1002Indicates that this key is accepted as a certificate authority (CA) and
1003that certificates signed by this CA may be accepted for verification.
1004.It Cm namespaces="namespace-list"
1005Specifies a pattern-list of namespaces that are accepted for this key.
djm@openbsd.orgd637c4a2019-09-03 08:35:27 +00001006If this option is present, the signature namespace embedded in the
djm@openbsd.org2a9c9f72019-09-03 08:34:19 +00001007signature object and presented on the verification command-line must
1008match the specified list before the key will be considered acceptable.
1009.El
1010.Pp
1011When verifying signatures made by certificates, the expected principal
1012name must match both the principals pattern in the allowed signers file and
1013the principals embedded in the certificate itself.
1014.Pp
1015An example allowed signers file:
1016.Bd -literal -offset 3n
1017# Comments allowed at start of line
1018user1@example.com,user2@example.com ssh-rsa AAAAX1...
1019# A certificate authority, trusted for all principals in a domain.
1020*@example.com cert-authority ssh-ed25519 AAAB4...
1021# A key that is accepted only for file signing.
1022user2@example.com namespaces="file" ssh-ed25519 AAA41...
1023.Ed
Damien Miller32aa1441999-10-29 09:15:49 +10001024.Sh FILES
Damien Miller6186bbc2010-09-24 22:00:54 +10001025.Bl -tag -width Ds -compact
Damien Miller167ea5d2005-05-26 12:04:02 +10001026.It Pa ~/.ssh/id_dsa
Damien Miller6186bbc2010-09-24 22:00:54 +10001027.It Pa ~/.ssh/id_ecdsa
Damien Miller8ba0ead2013-12-18 17:46:27 +11001028.It Pa ~/.ssh/id_ed25519
Damien Miller167ea5d2005-05-26 12:04:02 +10001029.It Pa ~/.ssh/id_rsa
naddy@openbsd.org2e9c3242017-05-05 10:41:58 +00001030Contains the DSA, ECDSA, Ed25519 or RSA
Damien Miller8ba0ead2013-12-18 17:46:27 +11001031authentication identity of the user.
Ben Lindstrom18a82ac2001-04-11 15:59:35 +00001032This file should not be readable by anyone but the user.
1033It is possible to
1034specify a passphrase when generating the key; that passphrase will be
Darren Tucker199ee6f2009-10-24 11:50:17 +11001035used to encrypt the private part of this file using 128-bit AES.
Ben Lindstrom18a82ac2001-04-11 15:59:35 +00001036This file is not automatically accessed by
1037.Nm
1038but it is offered as the default file for the private key.
Ben Lindstrombda98b02001-07-04 03:35:24 +00001039.Xr ssh 1
Ben Lindstrom18a82ac2001-04-11 15:59:35 +00001040will read this file when a login attempt is made.
Damien Miller6186bbc2010-09-24 22:00:54 +10001041.Pp
1042.It Pa ~/.ssh/id_dsa.pub
1043.It Pa ~/.ssh/id_ecdsa.pub
Damien Miller8ba0ead2013-12-18 17:46:27 +11001044.It Pa ~/.ssh/id_ed25519.pub
Damien Miller167ea5d2005-05-26 12:04:02 +10001045.It Pa ~/.ssh/id_rsa.pub
naddy@openbsd.org2e9c3242017-05-05 10:41:58 +00001046Contains the DSA, ECDSA, Ed25519 or RSA
Damien Miller8ba0ead2013-12-18 17:46:27 +11001047public key for authentication.
Damien Millere247cc42000-05-07 12:03:14 +10001048The contents of this file should be added to
Damien Miller167ea5d2005-05-26 12:04:02 +10001049.Pa ~/.ssh/authorized_keys
Damien Millere247cc42000-05-07 12:03:14 +10001050on all machines
Ben Lindstrom594e2032001-09-12 18:35:30 +00001051where the user wishes to log in using public key authentication.
Damien Millere247cc42000-05-07 12:03:14 +10001052There is no need to keep the contents of this file secret.
Damien Miller6186bbc2010-09-24 22:00:54 +10001053.Pp
Darren Tucker019cefe2003-08-02 22:40:07 +10001054.It Pa /etc/moduli
1055Contains Diffie-Hellman groups used for DH-GEX.
1056The file format is described in
1057.Xr moduli 5 .
Damien Miller37023962000-07-11 17:31:38 +10001058.El
Damien Miller32aa1441999-10-29 09:15:49 +10001059.Sh SEE ALSO
1060.Xr ssh 1 ,
1061.Xr ssh-add 1 ,
Damien Miller2e8b1c81999-11-15 23:33:56 +11001062.Xr ssh-agent 1 ,
Darren Tucker019cefe2003-08-02 22:40:07 +10001063.Xr moduli 5 ,
Ben Lindstrom77788dc2001-02-10 23:10:33 +00001064.Xr sshd 8
Ben Lindstrom5a707822001-04-22 17:15:46 +00001065.Rs
Damien Millerc0367fb2007-01-05 16:25:46 +11001066.%R RFC 4716
1067.%T "The Secure Shell (SSH) Public Key File Format"
1068.%D 2006
Ben Lindstrom5a707822001-04-22 17:15:46 +00001069.Re
Damien Millerf1ce5052003-06-11 22:04:39 +10001070.Sh AUTHORS
1071OpenSSH is a derivative of the original and free
1072ssh 1.2.12 release by Tatu Ylonen.
1073Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1074Theo de Raadt and Dug Song
1075removed many bugs, re-added newer features and
1076created OpenSSH.
1077Markus Friedl contributed the support for SSH
1078protocol versions 1.5 and 2.0.