blob: 49348475694339698b69fc96ae8696d73d5d2f6b [file] [log] [blame]
Damien Miller32aa1441999-10-29 09:15:49 +10001.\" -*- nroff -*-
2.\"
3.\" ssh-keygen.1
4.\"
5.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
6.\"
7.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8.\" All rights reserved
9.\"
10.\" Created: Sat Apr 22 23:55:14 1995 ylo
11.\"
Damien Millerc0d73901999-12-27 09:23:58 +110012.\" $Id: ssh-keygen.1.in,v 1.1 1999/12/26 22:23:58 damien Exp $
Damien Miller32aa1441999-10-29 09:15:49 +100013.\"
14.Dd September 25, 1999
15.Dt SSH-KEYGEN 1
16.Os
17.Sh NAME
18.Nm ssh-keygen
19.Nd authentication key generation
20.Sh SYNOPSIS
21.Nm ssh-keygen
22.Op Fl q
23.Op Fl b Ar bits
24.Op Fl N Ar new_passphrase
25.Op Fl C Ar comment
Damien Miller10f6f6b1999-11-17 17:29:08 +110026.Op Fl f Ar keyfile
Damien Miller32aa1441999-10-29 09:15:49 +100027.Nm ssh-keygen
28.Fl p
29.Op Fl P Ar old_passphrase
30.Op Fl N Ar new_passphrase
Damien Miller10f6f6b1999-11-17 17:29:08 +110031.Op Fl f Ar keyfile
Damien Miller32aa1441999-10-29 09:15:49 +100032.Nm ssh-keygen
33.Fl c
34.Op Fl P Ar passphrase
35.Op Fl C Ar comment
Damien Miller10f6f6b1999-11-17 17:29:08 +110036.Op Fl f Ar keyfile
37.Nm ssh-keygen
38.Fl l
39.Op Fl f Ar keyfile
Damien Miller32aa1441999-10-29 09:15:49 +100040.Sh DESCRIPTION
41.Nm
42generates and manages authentication keys for
43.Xr ssh 1 .
44Normally each user wishing to use SSH
45with RSA authentication runs this once to create the authentication
46key in
47.Pa $HOME/.ssh/identity .
48Additionally, the system administrator may use this to generate host keys.
49.Pp
50Normally this program generates the key and asks for a file in which
51to store the private key. The public key is stored in a file with the
52same name but
53.Dq .pub
54appended. The program also asks for a
55passphrase. The passphrase may be empty to indicate no passphrase
56(host keys must have empty passphrase), or it may be a string of
57arbitrary length. Good passphrases are 10-30 characters long and are
58not simple sentences or otherwise easily guessable (English
59prose has only 1-2 bits of entropy per word, and provides very bad
60passphrases). The passphrase can be changed later by using the
61.Fl p
62option.
63.Pp
64There is no way to recover a lost passphrase. If the passphrase is
65lost or forgotten, you will have to generate a new key and copy the
66corresponding public key to other machines.
67.Pp
68There is also a comment field in the key file that is only for
69convenience to the user to help identify the key. The comment can
70tell what the key is for, or whatever is useful. The comment is
71initialized to
72.Dq user@host
73when the key is created, but can be changed using the
74.Fl c
75option.
76.Pp
77The options are as follows:
78.Bl -tag -width Ds
79.It Fl b Ar bits
80Specifies the number of bits in the key to create. Minimum is 512
81bits. Generally 1024 bits is considered sufficient, and key sizes
82above that no longer improve security but make things slower. The
83default is 1024 bits.
84.It Fl c
85Requests changing the comment in the private and public key files.
86The program will prompt for the file containing the private keys, for
87passphrase if the key has one, and for the new comment.
Damien Miller10f6f6b1999-11-17 17:29:08 +110088.It Fl f
89Specifies the filename of the key file.
90.It Fl l
91Show fingerprint of specified private or public key file.
Damien Miller32aa1441999-10-29 09:15:49 +100092.It Fl p
93Requests changing the passphrase of a private key file instead of
94creating a new private key. The program will prompt for the file
95containing the private key, for the old passphrase, and twice for the
96new passphrase.
97.It Fl q
98Silence
99.Nm ssh-keygen .
100Used by
101.Pa /etc/rc
102when creating a new key.
103.It Fl C Ar comment
104Provides the new comment.
105.It Fl N Ar new_passphrase
106Provides the new passphrase.
107.It Fl P Ar passphrase
108Provides the (old) passphrase.
109.El
110.Sh FILES
111.Bl -tag -width Ds
Damien Miller32aa1441999-10-29 09:15:49 +1000112.It Pa $HOME/.ssh/identity
113Contains the RSA authentication identity of the user. This file
114should not be readable by anyone but the user. It is possible to
115specify a passphrase when generating the key; that passphrase will be
116used to encrypt the private part of this file using 3DES. This file
117is not automatically accessed by
118.Nm
119but it is offered as the default file for the private key.
120.It Pa $HOME/.ssh/identity.pub
121Contains the public key for authentication. The contents of this file
122should be added to
123.Pa $HOME/.ssh/authorized_keys
124on all machines
125where you wish to log in using RSA authentication. There is no
126need to keep the contents of this file secret.
127.Sh AUTHOR
128Tatu Ylonen <ylo@cs.hut.fi>
129.Pp
130OpenSSH
131is a derivative of the original (free) ssh 1.2.12 release, but with bugs
132removed and newer features re-added. Rapidly after the 1.2.12 release,
133newer versions bore successively more restrictive licenses. This version
134of OpenSSH
135.Bl -bullet
136.It
137has all components of a restrictive nature (ie. patents, see
138.Xr ssl 8 )
139directly removed from the source code; any licensed or patented components
140are chosen from
141external libraries.
142.It
143has been updated to support ssh protocol 1.5.
144.It
145contains added support for
146.Xr kerberos 8
147authentication and ticket passing.
148.It
149supports one-time password authentication with
150.Xr skey 1 .
151.El
152.Pp
153The libraries described in
154.Xr ssl 8
155are required for proper operation.
156.Sh SEE ALSO
157.Xr ssh 1 ,
158.Xr ssh-add 1 ,
Damien Miller2e8b1c81999-11-15 23:33:56 +1100159.Xr ssh-agent 1 ,
Damien Miller32aa1441999-10-29 09:15:49 +1000160.Xr sshd 8 ,
161.Xr ssl 8