Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 1 | .\" -*- nroff -*- |
| 2 | .\" |
| 3 | .\" ssh-keygen.1 |
| 4 | .\" |
| 5 | .\" Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 6 | .\" |
| 7 | .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 8 | .\" All rights reserved |
| 9 | .\" |
| 10 | .\" Created: Sat Apr 22 23:55:14 1995 ylo |
| 11 | .\" |
Damien Miller | c0d7390 | 1999-12-27 09:23:58 +1100 | [diff] [blame] | 12 | .\" $Id: ssh-keygen.1.in,v 1.1 1999/12/26 22:23:58 damien Exp $ |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 13 | .\" |
| 14 | .Dd September 25, 1999 |
| 15 | .Dt SSH-KEYGEN 1 |
| 16 | .Os |
| 17 | .Sh NAME |
| 18 | .Nm ssh-keygen |
| 19 | .Nd authentication key generation |
| 20 | .Sh SYNOPSIS |
| 21 | .Nm ssh-keygen |
| 22 | .Op Fl q |
| 23 | .Op Fl b Ar bits |
| 24 | .Op Fl N Ar new_passphrase |
| 25 | .Op Fl C Ar comment |
Damien Miller | 10f6f6b | 1999-11-17 17:29:08 +1100 | [diff] [blame] | 26 | .Op Fl f Ar keyfile |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 27 | .Nm ssh-keygen |
| 28 | .Fl p |
| 29 | .Op Fl P Ar old_passphrase |
| 30 | .Op Fl N Ar new_passphrase |
Damien Miller | 10f6f6b | 1999-11-17 17:29:08 +1100 | [diff] [blame] | 31 | .Op Fl f Ar keyfile |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 32 | .Nm ssh-keygen |
| 33 | .Fl c |
| 34 | .Op Fl P Ar passphrase |
| 35 | .Op Fl C Ar comment |
Damien Miller | 10f6f6b | 1999-11-17 17:29:08 +1100 | [diff] [blame] | 36 | .Op Fl f Ar keyfile |
| 37 | .Nm ssh-keygen |
| 38 | .Fl l |
| 39 | .Op Fl f Ar keyfile |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 40 | .Sh DESCRIPTION |
| 41 | .Nm |
| 42 | generates and manages authentication keys for |
| 43 | .Xr ssh 1 . |
| 44 | Normally each user wishing to use SSH |
| 45 | with RSA authentication runs this once to create the authentication |
| 46 | key in |
| 47 | .Pa $HOME/.ssh/identity . |
| 48 | Additionally, the system administrator may use this to generate host keys. |
| 49 | .Pp |
| 50 | Normally this program generates the key and asks for a file in which |
| 51 | to store the private key. The public key is stored in a file with the |
| 52 | same name but |
| 53 | .Dq .pub |
| 54 | appended. The program also asks for a |
| 55 | passphrase. The passphrase may be empty to indicate no passphrase |
| 56 | (host keys must have empty passphrase), or it may be a string of |
| 57 | arbitrary length. Good passphrases are 10-30 characters long and are |
| 58 | not simple sentences or otherwise easily guessable (English |
| 59 | prose has only 1-2 bits of entropy per word, and provides very bad |
| 60 | passphrases). The passphrase can be changed later by using the |
| 61 | .Fl p |
| 62 | option. |
| 63 | .Pp |
| 64 | There is no way to recover a lost passphrase. If the passphrase is |
| 65 | lost or forgotten, you will have to generate a new key and copy the |
| 66 | corresponding public key to other machines. |
| 67 | .Pp |
| 68 | There is also a comment field in the key file that is only for |
| 69 | convenience to the user to help identify the key. The comment can |
| 70 | tell what the key is for, or whatever is useful. The comment is |
| 71 | initialized to |
| 72 | .Dq user@host |
| 73 | when the key is created, but can be changed using the |
| 74 | .Fl c |
| 75 | option. |
| 76 | .Pp |
| 77 | The options are as follows: |
| 78 | .Bl -tag -width Ds |
| 79 | .It Fl b Ar bits |
| 80 | Specifies the number of bits in the key to create. Minimum is 512 |
| 81 | bits. Generally 1024 bits is considered sufficient, and key sizes |
| 82 | above that no longer improve security but make things slower. The |
| 83 | default is 1024 bits. |
| 84 | .It Fl c |
| 85 | Requests changing the comment in the private and public key files. |
| 86 | The program will prompt for the file containing the private keys, for |
| 87 | passphrase if the key has one, and for the new comment. |
Damien Miller | 10f6f6b | 1999-11-17 17:29:08 +1100 | [diff] [blame] | 88 | .It Fl f |
| 89 | Specifies the filename of the key file. |
| 90 | .It Fl l |
| 91 | Show fingerprint of specified private or public key file. |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 92 | .It Fl p |
| 93 | Requests changing the passphrase of a private key file instead of |
| 94 | creating a new private key. The program will prompt for the file |
| 95 | containing the private key, for the old passphrase, and twice for the |
| 96 | new passphrase. |
| 97 | .It Fl q |
| 98 | Silence |
| 99 | .Nm ssh-keygen . |
| 100 | Used by |
| 101 | .Pa /etc/rc |
| 102 | when creating a new key. |
| 103 | .It Fl C Ar comment |
| 104 | Provides the new comment. |
| 105 | .It Fl N Ar new_passphrase |
| 106 | Provides the new passphrase. |
| 107 | .It Fl P Ar passphrase |
| 108 | Provides the (old) passphrase. |
| 109 | .El |
| 110 | .Sh FILES |
| 111 | .Bl -tag -width Ds |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 112 | .It Pa $HOME/.ssh/identity |
| 113 | Contains the RSA authentication identity of the user. This file |
| 114 | should not be readable by anyone but the user. It is possible to |
| 115 | specify a passphrase when generating the key; that passphrase will be |
| 116 | used to encrypt the private part of this file using 3DES. This file |
| 117 | is not automatically accessed by |
| 118 | .Nm |
| 119 | but it is offered as the default file for the private key. |
| 120 | .It Pa $HOME/.ssh/identity.pub |
| 121 | Contains the public key for authentication. The contents of this file |
| 122 | should be added to |
| 123 | .Pa $HOME/.ssh/authorized_keys |
| 124 | on all machines |
| 125 | where you wish to log in using RSA authentication. There is no |
| 126 | need to keep the contents of this file secret. |
| 127 | .Sh AUTHOR |
| 128 | Tatu Ylonen <ylo@cs.hut.fi> |
| 129 | .Pp |
| 130 | OpenSSH |
| 131 | is a derivative of the original (free) ssh 1.2.12 release, but with bugs |
| 132 | removed and newer features re-added. Rapidly after the 1.2.12 release, |
| 133 | newer versions bore successively more restrictive licenses. This version |
| 134 | of OpenSSH |
| 135 | .Bl -bullet |
| 136 | .It |
| 137 | has all components of a restrictive nature (ie. patents, see |
| 138 | .Xr ssl 8 ) |
| 139 | directly removed from the source code; any licensed or patented components |
| 140 | are chosen from |
| 141 | external libraries. |
| 142 | .It |
| 143 | has been updated to support ssh protocol 1.5. |
| 144 | .It |
| 145 | contains added support for |
| 146 | .Xr kerberos 8 |
| 147 | authentication and ticket passing. |
| 148 | .It |
| 149 | supports one-time password authentication with |
| 150 | .Xr skey 1 . |
| 151 | .El |
| 152 | .Pp |
| 153 | The libraries described in |
| 154 | .Xr ssl 8 |
| 155 | are required for proper operation. |
| 156 | .Sh SEE ALSO |
| 157 | .Xr ssh 1 , |
| 158 | .Xr ssh-add 1 , |
Damien Miller | 2e8b1c8 | 1999-11-15 23:33:56 +1100 | [diff] [blame] | 159 | .Xr ssh-agent 1 , |
Damien Miller | 32aa144 | 1999-10-29 09:15:49 +1000 | [diff] [blame] | 160 | .Xr sshd 8 , |
| 161 | .Xr ssl 8 |