Lines Matching +full:keys +full:- +full:per +full:- +full:group
1 .\" $OpenBSD: ssh-keygen.1,v 1.234 2024/11/27 13:00:23 djm Exp $
42 .Nm ssh-keygen
45 .Nm ssh-keygen
54 .Op Fl t Cm ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
57 .Nm ssh-keygen
65 .Nm ssh-keygen
69 .Nm ssh-keygen
73 .Nm ssh-keygen
76 .Nm ssh-keygen
82 .Nm ssh-keygen
87 .Nm ssh-keygen
90 .Nm ssh-keygen
92 .Nm ssh-keygen
96 .Nm ssh-keygen
99 .Nm ssh-keygen
103 .Nm ssh-keygen
106 .Nm ssh-keygen
110 .Nm ssh-keygen
114 .Nm ssh-keygen
119 .Nm ssh-keygen
129 .Nm ssh-keygen
132 .Nm ssh-keygen
136 .Nm ssh-keygen
143 .Nm ssh-keygen
148 .Nm ssh-keygen
149 .Fl Y Cm find-principals
153 .Nm ssh-keygen
154 .Fl Y Cm match-principals
157 .Nm ssh-keygen
158 .Fl Y Cm check-novalidate
162 .Nm ssh-keygen
168 .Nm ssh-keygen
178 generates, manages and converts authentication keys for
181 can create keys for use by SSH protocol version 2.
191 is also used to generate groups for use in Diffie-Hellman group
192 exchange (DH-GEX).
200 given keys have been revoked by one.
214 Additionally, the system administrator may use this to generate host keys,
225 (host keys must have an empty passphrase), or it may be a string of
230 Good passphrases are 10-30 characters long, are
232 prose has only 1-2 bits of entropy per character, and provides very bad
234 numbers, and non-alphanumeric characters.
244 will by default write keys in an OpenSSH-specific format.
246 keys at rest as well as allowing storage of key comments within
257 to write the previously-used PEM format private keys using the
260 This may be used when generating new keys, and existing new-format
261 keys may be converted using this option in conjunction with the
267 will ask where the keys
271 .Bl -tag -width Ds
273 Generate host keys of all default key types (rsa, ecdsa, and
275 The host keys are generated with the default key file path,
283 to generate new host keys.
290 resistance to brute-force password cracking (should the keys be stolen).
296 For RSA keys, the minimum size is 1024 bits and the default is 3072 bits.
298 For ECDSA keys, the
302 Attempting to use bit lengths other than these three values for ECDSA keys
304 ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the
311 The program will prompt for the file containing the private keys, for
314 Download the public keys provided by the PKCS#11 shared library
336 This option allows exporting OpenSSH keys for use by other programs, including
348 option to print found keys in a hashed format.
369 to use on files that mix hashed and non-hashed names.
387 This option allows importing keys from other software, including several
392 Download resident keys from a FIDO authenticator.
395 If multiple FIDO authenticators are attached, keys will be downloaded from
407 Keys/certificates to be revoked may be specified by public key file or
422 Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parameters for
424 .Sq diffie-hellman-group-exchange-*
432 Screen candidate parameters for Diffie-Hellman Group Exchange.
434 safe (Sophie Germain) primes with acceptable group generators.
459 By default OpenSSH will write newly-generated private keys in its own
460 format, but when converting public keys for export the default format is
490 When generating FIDO authenticator-backed keys, the options listed in the
494 When performing signature-related options using the
497 .Bl -tag -width Ds
506 .It Cm print-pubkey
508 .It Cm verify-time Ns = Ns Ar timestamp
518 When generating SSHFP DNS records from public keys using the
521 .Bl -tag -width Ds
545 Test whether keys have been revoked in a KRL.
551 .Nm ssh-keygen .
553 Removes all keys belonging to the specified
579 .It Fl t Cm ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
583 .Dq ecdsa-sk ,
585 .Dq ed25519-sk ,
592 .Dq ssh-rsa
594 .Dq rsa-sha2-256 ,
596 .Dq rsa-sha2-512
597 (the default for RSA keys).
604 .Xr ssh-agent 1 .
612 keys listed via the command line are added to the existing KRL rather than
621 .Bl -bullet -compact
643 .Bl -bullet -compact
665 .Bl -tag -width Ds
668 .It -4w:+4w
674 .It -1d:20110101
678 .It -1m:forever
693 FIDO authenticator-hosted keys, overriding the default of using
695 .It Fl Y Cm find-principals
707 .It Fl Y Cm match-principals
715 .It Fl Y Cm check-novalidate
735 accepts zero or more files to sign on the command-line - if no files
748 .Xr ssh-agent 1 .
780 A file containing revoked keys can be passed using the
783 The revocation file may be a KRL or a one-per-line list of public keys.
791 Specifies the cipher to use for encryption when writing an OpenSSH-format
794 .Qq ssh -Q cipher .
796 .Dq aes256-ctr .
805 signed on a single command-line.
814 may be used to generate groups for the Diffie-Hellman Group Exchange
815 (DH-GEX) protocol.
816 Generating these groups is a two-step process: first, candidate
818 These candidate primes are then tested for suitability (a CPU-intensive
829 .Dl # ssh-keygen -M generate -O bits=2048 moduli-2048.candidates
849 .Dl # ssh-keygen -M screen -f moduli-2048.candidates moduli-2048
853 .Fl O Cm prime-tests
869 .Bl -tag -width Ds
873 .It Ic start-line Ns = Ns Ar line-number
883 candidate moduli for DH-GEX.
884 .It Ic start Ns = Ns Ar hex-value
885 Specify start point (in hex) when generating candidate moduli for DH-GEX.
887 Specify desired generator (in decimal) when testing candidate moduli for DH-GEX.
891 supports signing of keys to produce certificates that may be used for
897 on a certificate rather than trusting many user/host keys.
908 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
911 .Pa /path/to/user_key-cert.pub .
916 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
919 .Pa /path/to/host_key-cert.pub .
928 .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
931 .Xr ssh-agent 1 .
936 .Dl $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub
948 .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
949 .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub"
959 .Bl -tag -width Ds -compact
980 .It Ic force-command Ns = Ns Ar command
986 .It Ic no-agent-forwarding
988 .Xr ssh-agent 1
991 .It Ic no-port-forwarding
994 .It Ic no-pty
997 .It Ic no-user-rc
1004 .It Ic no-x11-forwarding
1007 .It Ic permit-agent-forwarding
1009 .Xr ssh-agent 1
1012 .It Ic permit-port-forwarding
1015 .It Ic permit-pty
1018 .It Ic permit-user-rc
1024 .It Ic permit-X11-forwarding
1027 .It Ic no-touch-required
1031 .Cm ecdsa-sk
1033 .Cm ed25519-sk .
1035 .It Ic source-address Ns = Ns Ar address_list
1039 is a comma-separated list of one or more address/netmask pairs in CIDR
1042 .It Ic verify-required
1044 verified, e.g. by PIN or on-token biometrics.
1046 .Cm ecdsa-sk
1048 .Cm ed25519-sk .
1051 At present, no standard options are valid for host keys.
1071 is able to generate FIDO authenticator-backed keys, after which
1073 long as the hardware authenticator is attached when the keys are used.
1076 FIDO keys consist of two parts: a key handle part stored in the
1077 private key file on disk, and a per-device private key that is unique
1083 .Cm ecdsa-sk
1085 .Cm ed25519-sk .
1087 The options that are valid for FIDO keys are:
1088 .Bl -tag -width Ds
1092 This may be useful when generating host or domain-specific resident keys.
1098 The challenge string may be used as part of an out-of-band
1105 .It Cm no-touch-required
1116 Resident keys may be supported on FIDO2 authenticators and typically
1118 Resident keys may be loaded off the authenticator using
1119 .Xr ssh-add 1 .
1125 Specifying a username may be useful when generating multiple resident keys
1127 .It Cm verify-required
1133 .It Cm write-attestation Ns = Ns Ar path
1142 These binary files specify keys or certificates to be revoked using a
1143 compact format, taking as little as one bit per certificate if they are being
1151 The files may either contain a KRL specification (see below) or public keys,
1152 listed one per line.
1153 Plain public keys are revoked by listing their hash or contents in the KRL and
1157 Revoking keys using a KRL specification offers explicit control over the
1158 types of record used to revoke keys and may be used to directly revoke
1162 followed by a colon and some directive-specific information.
1163 .Bl -tag -width Ds
1164 .It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
1166 Serial numbers are 64-bit values, not including zero and may be expressed
1189 KRLs that revoke keys by SHA256 hash are not supported by OpenSSH versions
1206 When this option is specified, keys listed via the command line are merged into
1210 (or keys).
1217 will exit with a non-zero exit status.
1222 uses a simple list of identities and keys to determine whether a signature
1227 Each line of the file contains the following space-separated fields:
1228 principals, options, keytype, base64-encoded key.
1233 The principals field is a pattern-list (see PATTERNS in
1235 consisting of one or more comma-separated USER@DOMAIN identity patterns
1242 The options (if present) consist of comma-separated option specifications.
1245 are case-insensitive):
1246 .Bl -tag -width Ds
1247 .It Cm cert-authority
1250 .It Cm namespaces Ns = Ns "namespace-list"
1251 Specifies a pattern-list of namespaces that are accepted for this key.
1253 signature object and presented on the verification command-line must
1255 .It Cm valid-after Ns = Ns "timestamp"
1261 .It Cm valid-before Ns = Ns "timestamp"
1270 .Bd -literal -offset 3n
1272 user1@example.com,user2@example.com ssh-rsa AAAAX1...
1274 *@example.com cert-authority ssh-ed25519 AAAB4...
1276 user2@example.com namespaces="file" ssh-ed25519 AAA41...
1279 .Bl -tag -width Ds
1282 FIDO authenticator-hosted keys, overriding the default of using
1283 the built-in USB HID support.
1286 .Bl -tag -width Ds -compact
1292 Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
1293 authenticator-hosted Ed25519 or RSA authentication identity of the user.
1297 used to encrypt the private part of this file using 128-bit AES.
1309 Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
1310 authenticator-hosted Ed25519 or RSA public key for authentication.
1318 Contains Diffie-Hellman groups used for DH-GEX.
1324 .Xr ssh-add 1 ,
1325 .Xr ssh-agent 1 ,
1338 removed many bugs, re-added newer features and