Lines Matching +full:touch +full:- +full:keys
1 .\" $OpenBSD: ssh-keygen.1,v 1.230 2023/09/04 10:29:58 job Exp $
42 .Nm ssh-keygen
45 .Nm ssh-keygen
54 .Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
57 .Nm ssh-keygen
65 .Nm ssh-keygen
69 .Nm ssh-keygen
73 .Nm ssh-keygen
76 .Nm ssh-keygen
82 .Nm ssh-keygen
87 .Nm ssh-keygen
90 .Nm ssh-keygen
92 .Nm ssh-keygen
96 .Nm ssh-keygen
99 .Nm ssh-keygen
103 .Nm ssh-keygen
106 .Nm ssh-keygen
110 .Nm ssh-keygen
114 .Nm ssh-keygen
119 .Nm ssh-keygen
129 .Nm ssh-keygen
132 .Nm ssh-keygen
136 .Nm ssh-keygen
143 .Nm ssh-keygen
148 .Nm ssh-keygen
149 .Fl Y Cm find-principals
153 .Nm ssh-keygen
154 .Fl Y Cm match-principals
157 .Nm ssh-keygen
158 .Fl Y Cm check-novalidate
162 .Nm ssh-keygen
168 .Nm ssh-keygen
178 generates, manages and converts authentication keys for
181 can create keys for use by SSH protocol version 2.
191 is also used to generate groups for use in Diffie-Hellman group
192 exchange (DH-GEX).
200 given keys have been revoked by one.
215 Additionally, the system administrator may use this to generate host keys,
226 (host keys must have an empty passphrase), or it may be a string of
231 Good passphrases are 10-30 characters long, are
233 prose has only 1-2 bits of entropy per character, and provides very bad
235 numbers, and non-alphanumeric characters.
245 will by default write keys in an OpenSSH-specific format.
247 keys at rest as well as allowing storage of key comments within
258 to write the previously-used PEM format private keys using the
261 This may be used when generating new keys, and existing new-format
262 keys may be converted using this option in conjunction with the
268 will ask where the keys
272 .Bl -tag -width Ds
274 Generate host keys of all default key types (rsa, ecdsa, and
276 The host keys are generated with the default key file path,
284 to generate new host keys.
291 resistance to brute-force password cracking (should the keys be stolen).
297 For RSA keys, the minimum size is 1024 bits and the default is 3072 bits.
299 DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
300 For ECDSA keys, the
304 Attempting to use bit lengths other than these three values for ECDSA keys
306 ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the
313 The program will prompt for the file containing the private keys, for
316 Download the public keys provided by the PKCS#11 shared library
338 This option allows exporting OpenSSH keys for use by other programs, including
350 option to print found keys in a hashed format.
371 to use on files that mix hashed and non-hashed names.
389 This option allows importing keys from other software, including several
394 Download resident keys from a FIDO authenticator.
397 If multiple FIDO authenticators are attached, keys will be downloaded from
409 Keys/certificates to be revoked may be specified by public key file or
417 For RSA and DSA keys
425 Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parameters for
427 .Sq diffie-hellman-group-exchange-*
435 Screen candidate parameters for Diffie-Hellman Group Exchange.
462 By default OpenSSH will write newly-generated private keys in its own
463 format, but when converting public keys for export the default format is
493 When generating FIDO authenticator-backed keys, the options listed in the
497 When performing signature-related options using the
500 .Bl -tag -width Ds
509 .It Cm print-pubkey
511 .It Cm verify-time Ns = Ns Ar timestamp
521 When generating SSHFP DNS records from public keys using the
524 .Bl -tag -width Ds
548 Test whether keys have been revoked in a KRL.
554 .Nm ssh-keygen .
556 Removes all keys belonging to the specified
582 .It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
587 .Dq ecdsa-sk ,
589 .Dq ed25519-sk ,
596 .Dq ssh-rsa
598 .Dq rsa-sha2-256 ,
600 .Dq rsa-sha2-512
608 .Xr ssh-agent 1 .
616 keys listed via the command line are added to the existing KRL rather than
625 .Bl -bullet -compact
647 .Bl -bullet -compact
669 .Bl -tag -width Ds
672 .It -4w:+4w
678 .It -1d:20110101
682 .It -1m:forever
697 FIDO authenticator-hosted keys, overriding the default of using
699 .It Fl Y Cm find-principals
711 .It Fl Y Cm match-principals
719 .It Fl Y Cm check-novalidate
739 accepts zero or more files to sign on the command-line - if no files
752 .Xr ssh-agent 1 .
784 A file containing revoked keys can be passed using the
787 The revocation file may be a KRL or a one-per-line list of public keys.
795 Specifies the cipher to use for encryption when writing an OpenSSH-format
798 .Qq ssh -Q cipher .
800 .Dq aes256-ctr .
809 signed on a single command-line.
818 may be used to generate groups for the Diffie-Hellman Group Exchange
819 (DH-GEX) protocol.
820 Generating these groups is a two-step process: first, candidate
822 These candidate primes are then tested for suitability (a CPU-intensive
833 .Dl # ssh-keygen -M generate -O bits=2048 moduli-2048.candidates
853 .Dl # ssh-keygen -M screen -f moduli-2048.candidates moduli-2048
857 .Fl O Cm prime-tests
873 .Bl -tag -width Ds
877 .It Ic start-line Ns = Ns Ar line-number
887 candidate moduli for DH-GEX.
888 .It Ic start Ns = Ns Ar hex-value
889 Specify start point (in hex) when generating candidate moduli for DH-GEX.
891 Specify desired generator (in decimal) when testing candidate moduli for DH-GEX.
895 supports signing of keys to produce certificates that may be used for
901 on a certificate rather than trusting many user/host keys.
912 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
915 .Pa /path/to/user_key-cert.pub .
920 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
923 .Pa /path/to/host_key-cert.pub .
932 .Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
935 .Xr ssh-agent 1 .
940 .Dl $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub
952 .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
953 .Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub"
963 .Bl -tag -width Ds -compact
984 .It Ic force-command Ns = Ns Ar command
990 .It Ic no-agent-forwarding
992 .Xr ssh-agent 1
995 .It Ic no-port-forwarding
998 .It Ic no-pty
1001 .It Ic no-user-rc
1008 .It Ic no-x11-forwarding
1011 .It Ic permit-agent-forwarding
1013 .Xr ssh-agent 1
1016 .It Ic permit-port-forwarding
1019 .It Ic permit-pty
1022 .It Ic permit-user-rc
1028 .It Ic permit-X11-forwarding
1031 .It Ic no-touch-required
1033 of user presence (e.g. by having the user touch the authenticator).
1035 .Cm ecdsa-sk
1037 .Cm ed25519-sk .
1039 .It Ic source-address Ns = Ns Ar address_list
1043 is a comma-separated list of one or more address/netmask pairs in CIDR
1046 .It Ic verify-required
1050 .Cm ecdsa-sk
1052 .Cm ed25519-sk .
1057 At present, no standard options are valid for host keys.
1077 is able to generate FIDO authenticator-backed keys, after which
1079 long as the hardware authenticator is attached when the keys are used.
1082 FIDO keys consist of two parts: a key handle part stored in the
1083 private key file on disk, and a per-device private key that is unique
1089 .Cm ecdsa-sk
1091 .Cm ed25519-sk .
1093 The options that are valid for FIDO keys are:
1094 .Bl -tag -width Ds
1098 This may be useful when generating host or domain-specific resident keys.
1104 The challenge string may be used as part of an out-of-band
1111 .It Cm no-touch-required
1112 Indicate that the generated private key should not require touch
1122 Resident keys may be supported on FIDO2 authenticators and typically
1124 Resident keys may be loaded off the authenticator using
1125 .Xr ssh-add 1 .
1131 Specifying a username may be useful when generating multiple resident keys
1133 .It Cm verify-required
1139 .It Cm write-attestation Ns = Ns Ar path
1148 These binary files specify keys or certificates to be revoked using a
1157 The files may either contain a KRL specification (see below) or public keys,
1159 Plain public keys are revoked by listing their hash or contents in the KRL and
1163 Revoking keys using a KRL specification offers explicit control over the
1164 types of record used to revoke keys and may be used to directly revoke
1168 followed by a colon and some directive-specific information.
1169 .Bl -tag -width Ds
1170 .It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
1172 Serial numbers are 64-bit values, not including zero and may be expressed
1195 KRLs that revoke keys by SHA256 hash are not supported by OpenSSH versions
1212 When this option is specified, keys listed via the command line are merged into
1216 (or keys).
1223 will exit with a non-zero exit status.
1228 uses a simple list of identities and keys to determine whether a signature
1233 Each line of the file contains the following space-separated fields:
1234 principals, options, keytype, base64-encoded key.
1239 The principals field is a pattern-list (see PATTERNS in
1241 consisting of one or more comma-separated USER@DOMAIN identity patterns
1248 The options (if present) consist of comma-separated option specifications.
1251 are case-insensitive):
1252 .Bl -tag -width Ds
1253 .It Cm cert-authority
1256 .It Cm namespaces Ns = Ns "namespace-list"
1257 Specifies a pattern-list of namespaces that are accepted for this key.
1259 signature object and presented on the verification command-line must
1261 .It Cm valid-after Ns = Ns "timestamp"
1267 .It Cm valid-before Ns = Ns "timestamp"
1276 .Bd -literal -offset 3n
1278 user1@example.com,user2@example.com ssh-rsa AAAAX1...
1280 *@example.com cert-authority ssh-ed25519 AAAB4...
1282 user2@example.com namespaces="file" ssh-ed25519 AAA41...
1285 .Bl -tag -width Ds
1288 FIDO authenticator-hosted keys, overriding the default of using
1289 the built-in USB HID support.
1292 .Bl -tag -width Ds -compact
1299 Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
1300 authenticator-hosted Ed25519 or RSA authentication identity of the user.
1304 used to encrypt the private part of this file using 128-bit AES.
1317 Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
1318 authenticator-hosted Ed25519 or RSA public key for authentication.
1326 Contains Diffie-Hellman groups used for DH-GEX.
1332 .Xr ssh-add 1 ,
1333 .Xr ssh-agent 1 ,
1346 removed many bugs, re-added newer features and