xref: /freebsd/crypto/openssh/ssh-keygen.1 (revision 02e9120893770924227138ba49df1edb3896112a)
1.\"	$OpenBSD: ssh-keygen.1,v 1.230 2023/09/04 10:29:58 job Exp $
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\"                    All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose.  Any derived versions of this
9.\" software must be clearly marked as such, and if the derived work is
10.\" incompatible with the protocol description in the RFC file, it must be
11.\" called by a name other than "ssh" or "Secure Shell".
12.\"
13.\"
14.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
15.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
16.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
17.\"
18.\" Redistribution and use in source and binary forms, with or without
19.\" modification, are permitted provided that the following conditions
20.\" are met:
21.\" 1. Redistributions of source code must retain the above copyright
22.\"    notice, this list of conditions and the following disclaimer.
23.\" 2. Redistributions in binary form must reproduce the above copyright
24.\"    notice, this list of conditions and the following disclaimer in the
25.\"    documentation and/or other materials provided with the distribution.
26.\"
27.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\"
38.Dd $Mdocdate: September 4 2023 $
39.Dt SSH-KEYGEN 1
40.Os
41.Sh NAME
42.Nm ssh-keygen
43.Nd OpenSSH authentication key utility
44.Sh SYNOPSIS
45.Nm ssh-keygen
46.Op Fl q
47.Op Fl a Ar rounds
48.Op Fl b Ar bits
49.Op Fl C Ar comment
50.Op Fl f Ar output_keyfile
51.Op Fl m Ar format
52.Op Fl N Ar new_passphrase
53.Op Fl O Ar option
54.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
55.Op Fl w Ar provider
56.Op Fl Z Ar cipher
57.Nm ssh-keygen
58.Fl p
59.Op Fl a Ar rounds
60.Op Fl f Ar keyfile
61.Op Fl m Ar format
62.Op Fl N Ar new_passphrase
63.Op Fl P Ar old_passphrase
64.Op Fl Z Ar cipher
65.Nm ssh-keygen
66.Fl i
67.Op Fl f Ar input_keyfile
68.Op Fl m Ar key_format
69.Nm ssh-keygen
70.Fl e
71.Op Fl f Ar input_keyfile
72.Op Fl m Ar key_format
73.Nm ssh-keygen
74.Fl y
75.Op Fl f Ar input_keyfile
76.Nm ssh-keygen
77.Fl c
78.Op Fl a Ar rounds
79.Op Fl C Ar comment
80.Op Fl f Ar keyfile
81.Op Fl P Ar passphrase
82.Nm ssh-keygen
83.Fl l
84.Op Fl v
85.Op Fl E Ar fingerprint_hash
86.Op Fl f Ar input_keyfile
87.Nm ssh-keygen
88.Fl B
89.Op Fl f Ar input_keyfile
90.Nm ssh-keygen
91.Fl D Ar pkcs11
92.Nm ssh-keygen
93.Fl F Ar hostname
94.Op Fl lv
95.Op Fl f Ar known_hosts_file
96.Nm ssh-keygen
97.Fl H
98.Op Fl f Ar known_hosts_file
99.Nm ssh-keygen
100.Fl K
101.Op Fl a Ar rounds
102.Op Fl w Ar provider
103.Nm ssh-keygen
104.Fl R Ar hostname
105.Op Fl f Ar known_hosts_file
106.Nm ssh-keygen
107.Fl r Ar hostname
108.Op Fl g
109.Op Fl f Ar input_keyfile
110.Nm ssh-keygen
111.Fl M Cm generate
112.Op Fl O Ar option
113.Ar output_file
114.Nm ssh-keygen
115.Fl M Cm screen
116.Op Fl f Ar input_file
117.Op Fl O Ar option
118.Ar output_file
119.Nm ssh-keygen
120.Fl I Ar certificate_identity
121.Fl s Ar ca_key
122.Op Fl hU
123.Op Fl D Ar pkcs11_provider
124.Op Fl n Ar principals
125.Op Fl O Ar option
126.Op Fl V Ar validity_interval
127.Op Fl z Ar serial_number
128.Ar
129.Nm ssh-keygen
130.Fl L
131.Op Fl f Ar input_keyfile
132.Nm ssh-keygen
133.Fl A
134.Op Fl a Ar rounds
135.Op Fl f Ar prefix_path
136.Nm ssh-keygen
137.Fl k
138.Fl f Ar krl_file
139.Op Fl u
140.Op Fl s Ar ca_public
141.Op Fl z Ar version_number
142.Ar
143.Nm ssh-keygen
144.Fl Q
145.Op Fl l
146.Fl f Ar krl_file
147.Ar
148.Nm ssh-keygen
149.Fl Y Cm find-principals
150.Op Fl O Ar option
151.Fl s Ar signature_file
152.Fl f Ar allowed_signers_file
153.Nm ssh-keygen
154.Fl Y Cm match-principals
155.Fl I Ar signer_identity
156.Fl f Ar allowed_signers_file
157.Nm ssh-keygen
158.Fl Y Cm check-novalidate
159.Op Fl O Ar option
160.Fl n Ar namespace
161.Fl s Ar signature_file
162.Nm ssh-keygen
163.Fl Y Cm sign
164.Op Fl O Ar option
165.Fl f Ar key_file
166.Fl n Ar namespace
167.Ar
168.Nm ssh-keygen
169.Fl Y Cm verify
170.Op Fl O Ar option
171.Fl f Ar allowed_signers_file
172.Fl I Ar signer_identity
173.Fl n Ar namespace
174.Fl s Ar signature_file
175.Op Fl r Ar revocation_file
176.Sh DESCRIPTION
177.Nm
178generates, manages and converts authentication keys for
179.Xr ssh 1 .
180.Nm
181can create keys for use by SSH protocol version 2.
182.Pp
183The type of key to be generated is specified with the
184.Fl t
185option.
186If invoked without any arguments,
187.Nm
188will generate an Ed25519 key.
189.Pp
190.Nm
191is also used to generate groups for use in Diffie-Hellman group
192exchange (DH-GEX).
193See the
194.Sx MODULI GENERATION
195section for details.
196.Pp
197Finally,
198.Nm
199can be used to generate and update Key Revocation Lists, and to test whether
200given keys have been revoked by one.
201See the
202.Sx KEY REVOCATION LISTS
203section for details.
204.Pp
205Normally each user wishing to use SSH
206with public key authentication runs this once to create the authentication
207key in
208.Pa ~/.ssh/id_dsa ,
209.Pa ~/.ssh/id_ecdsa ,
210.Pa ~/.ssh/id_ecdsa_sk ,
211.Pa ~/.ssh/id_ed25519 ,
212.Pa ~/.ssh/id_ed25519_sk
213or
214.Pa ~/.ssh/id_rsa .
215Additionally, the system administrator may use this to generate host keys,
216as seen in
217.Pa /etc/rc .
218.Pp
219Normally this program generates the key and asks for a file in which
220to store the private key.
221The public key is stored in a file with the same name but
222.Dq .pub
223appended.
224The program also asks for a passphrase.
225The passphrase may be empty to indicate no passphrase
226(host keys must have an empty passphrase), or it may be a string of
227arbitrary length.
228A passphrase is similar to a password, except it can be a phrase with a
229series of words, punctuation, numbers, whitespace, or any string of
230characters you want.
231Good passphrases are 10-30 characters long, are
232not simple sentences or otherwise easily guessable (English
233prose has only 1-2 bits of entropy per character, and provides very bad
234passphrases), and contain a mix of upper and lowercase letters,
235numbers, and non-alphanumeric characters.
236The passphrase can be changed later by using the
237.Fl p
238option.
239.Pp
240There is no way to recover a lost passphrase.
241If the passphrase is lost or forgotten, a new key must be generated
242and the corresponding public key copied to other machines.
243.Pp
244.Nm
245will by default write keys in an OpenSSH-specific format.
246This format is preferred as it offers better protection for
247keys at rest as well as allowing storage of key comments within
248the private key file itself.
249The key comment may be useful to help identify the key.
250The comment is initialized to
251.Dq user@host
252when the key is created, but can be changed using the
253.Fl c
254option.
255.Pp
256It is still possible for
257.Nm
258to write the previously-used PEM format private keys using the
259.Fl m
260flag.
261This may be used when generating new keys, and existing new-format
262keys may be converted using this option in conjunction with the
263.Fl p
264(change passphrase) flag.
265.Pp
266After a key is generated,
267.Nm
268will ask where the keys
269should be placed to be activated.
270.Pp
271The options are as follows:
272.Bl -tag -width Ds
273.It Fl A
274Generate host keys of all default key types (rsa, ecdsa, and
275ed25519) if they do not already exist.
276The host keys are generated with the default key file path,
277an empty passphrase, default bits for the key type, and default comment.
278If
279.Fl f
280has also been specified, its argument is used as a prefix to the
281default path for the resulting host key files.
282This is used by
283.Pa /etc/rc
284to generate new host keys.
285.It Fl a Ar rounds
286When saving a private key, this option specifies the number of KDF
287(key derivation function, currently
288.Xr bcrypt_pbkdf 3 )
289rounds used.
290Higher numbers result in slower passphrase verification and increased
291resistance to brute-force password cracking (should the keys be stolen).
292The default is 16 rounds.
293.It Fl B
294Show the bubblebabble digest of specified private or public key file.
295.It Fl b Ar bits
296Specifies the number of bits in the key to create.
297For RSA keys, the minimum size is 1024 bits and the default is 3072 bits.
298Generally, 3072 bits is considered sufficient.
299DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
300For ECDSA keys, the
301.Fl b
302flag determines the key length by selecting from one of three elliptic
303curve sizes: 256, 384 or 521 bits.
304Attempting to use bit lengths other than these three values for ECDSA keys
305will fail.
306ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the
307.Fl b
308flag will be ignored.
309.It Fl C Ar comment
310Provides a new comment.
311.It Fl c
312Requests changing the comment in the private and public key files.
313The program will prompt for the file containing the private keys, for
314the passphrase if the key has one, and for the new comment.
315.It Fl D Ar pkcs11
316Download the public keys provided by the PKCS#11 shared library
317.Ar pkcs11 .
318When used in combination with
319.Fl s ,
320this option indicates that a CA key resides in a PKCS#11 token (see the
321.Sx CERTIFICATES
322section for details).
323.It Fl E Ar fingerprint_hash
324Specifies the hash algorithm used when displaying key fingerprints.
325Valid options are:
326.Dq md5
327and
328.Dq sha256 .
329The default is
330.Dq sha256 .
331.It Fl e
332This option will read a private or public OpenSSH key file and
333print to stdout a public key in one of the formats specified by the
334.Fl m
335option.
336The default export format is
337.Dq RFC4716 .
338This option allows exporting OpenSSH keys for use by other programs, including
339several commercial SSH implementations.
340.It Fl F Ar hostname | [hostname]:port
341Search for the specified
342.Ar hostname
343(with optional port number)
344in a
345.Pa known_hosts
346file, listing any occurrences found.
347This option is useful to find hashed host names or addresses and may also be
348used in conjunction with the
349.Fl H
350option to print found keys in a hashed format.
351.It Fl f Ar filename
352Specifies the filename of the key file.
353.It Fl g
354Use generic DNS format when printing fingerprint resource records using the
355.Fl r
356command.
357.It Fl H
358Hash a
359.Pa known_hosts
360file.
361This replaces all hostnames and addresses with hashed representations
362within the specified file; the original content is moved to a file with
363a .old suffix.
364These hashes may be used normally by
365.Nm ssh
366and
367.Nm sshd ,
368but they do not reveal identifying information should the file's contents
369be disclosed.
370This option will not modify existing hashed hostnames and is therefore safe
371to use on files that mix hashed and non-hashed names.
372.It Fl h
373When signing a key, create a host certificate instead of a user
374certificate.
375See the
376.Sx CERTIFICATES
377section for details.
378.It Fl I Ar certificate_identity
379Specify the key identity when signing a public key.
380See the
381.Sx CERTIFICATES
382section for details.
383.It Fl i
384This option will read an unencrypted private (or public) key file
385in the format specified by the
386.Fl m
387option and print an OpenSSH compatible private
388(or public) key to stdout.
389This option allows importing keys from other software, including several
390commercial SSH implementations.
391The default import format is
392.Dq RFC4716 .
393.It Fl K
394Download resident keys from a FIDO authenticator.
395Public and private key files will be written to the current directory for
396each downloaded key.
397If multiple FIDO authenticators are attached, keys will be downloaded from
398the first touched authenticator.
399See the
400.Sx FIDO AUTHENTICATOR
401section for more information.
402.It Fl k
403Generate a KRL file.
404In this mode,
405.Nm
406will generate a KRL file at the location specified via the
407.Fl f
408flag that revokes every key or certificate presented on the command line.
409Keys/certificates to be revoked may be specified by public key file or
410using the format described in the
411.Sx KEY REVOCATION LISTS
412section.
413.It Fl L
414Prints the contents of one or more certificates.
415.It Fl l
416Show fingerprint of specified public key file.
417For RSA and DSA keys
418.Nm
419tries to find the matching public key file and prints its fingerprint.
420If combined with
421.Fl v ,
422a visual ASCII art representation of the key is supplied with the
423fingerprint.
424.It Fl M Cm generate
425Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parameters for
426eventual use by the
427.Sq diffie-hellman-group-exchange-*
428key exchange methods.
429The numbers generated by this operation must be further screened before
430use.
431See the
432.Sx MODULI GENERATION
433section for more information.
434.It Fl M Cm screen
435Screen candidate parameters for Diffie-Hellman Group Exchange.
436This will accept a list of candidate numbers and test that they are
437safe (Sophie Germain) primes with acceptable group generators.
438The results of this operation may be added to the
439.Pa /etc/moduli
440file.
441See the
442.Sx MODULI GENERATION
443section for more information.
444.It Fl m Ar key_format
445Specify a key format for key generation, the
446.Fl i
447(import),
448.Fl e
449(export) conversion options, and the
450.Fl p
451change passphrase operation.
452The latter may be used to convert between OpenSSH private key and PEM
453private key formats.
454The supported key formats are:
455.Dq RFC4716
456(RFC 4716/SSH2 public or private key),
457.Dq PKCS8
458(PKCS8 public or private key)
459or
460.Dq PEM
461(PEM public key).
462By default OpenSSH will write newly-generated private keys in its own
463format, but when converting public keys for export the default format is
464.Dq RFC4716 .
465Setting a format of
466.Dq PEM
467when generating or updating a supported private key type will cause the
468key to be stored in the legacy PEM private key format.
469.It Fl N Ar new_passphrase
470Provides the new passphrase.
471.It Fl n Ar principals
472Specify one or more principals (user or host names) to be included in
473a certificate when signing a key.
474Multiple principals may be specified, separated by commas.
475See the
476.Sx CERTIFICATES
477section for details.
478.It Fl O Ar option
479Specify a key/value option.
480These are specific to the operation that
481.Nm
482has been requested to perform.
483.Pp
484When signing certificates, one of the options listed in the
485.Sx CERTIFICATES
486section may be specified here.
487.Pp
488When performing moduli generation or screening, one of the options
489listed in the
490.Sx MODULI GENERATION
491section may be specified.
492.Pp
493When generating FIDO authenticator-backed keys, the options listed in the
494.Sx FIDO AUTHENTICATOR
495section may be specified.
496.Pp
497When performing signature-related options using the
498.Fl Y
499flag, the following options are accepted:
500.Bl -tag -width Ds
501.It Cm hashalg Ns = Ns Ar algorithm
502Selects the hash algorithm to use for hashing the message to be signed.
503Valid algorithms are
504.Dq sha256
505and
506.Dq sha512.
507The default is
508.Dq sha512.
509.It Cm print-pubkey
510Print the full public key to standard output after signature verification.
511.It Cm verify-time Ns = Ns Ar timestamp
512Specifies a time to use when validating signatures instead of the current
513time.
514The time may be specified as a date or time in the YYYYMMDD[Z] or
515in YYYYMMDDHHMM[SS][Z] formats.
516Dates and times will be interpreted in the current system time zone unless
517suffixed with a Z character, which causes them to be interpreted in the
518UTC time zone.
519.El
520.Pp
521When generating SSHFP DNS records from public keys using the
522.Fl r
523flag, the following options are accepted:
524.Bl -tag -width Ds
525.It Cm hashalg Ns = Ns Ar algorithm
526Selects a hash algorithm to use when printing SSHFP records using the
527.Fl D
528flag.
529Valid algorithms are
530.Dq sha1
531and
532.Dq sha256 .
533The default is to print both.
534.El
535.Pp
536The
537.Fl O
538option may be specified multiple times.
539.It Fl P Ar passphrase
540Provides the (old) passphrase.
541.It Fl p
542Requests changing the passphrase of a private key file instead of
543creating a new private key.
544The program will prompt for the file
545containing the private key, for the old passphrase, and twice for the
546new passphrase.
547.It Fl Q
548Test whether keys have been revoked in a KRL.
549If the
550.Fl l
551option is also specified then the contents of the KRL will be printed.
552.It Fl q
553Silence
554.Nm ssh-keygen .
555.It Fl R Ar hostname | [hostname]:port
556Removes all keys belonging to the specified
557.Ar hostname
558(with optional port number)
559from a
560.Pa known_hosts
561file.
562This option is useful to delete hashed hosts (see the
563.Fl H
564option above).
565.It Fl r Ar hostname
566Print the SSHFP fingerprint resource record named
567.Ar hostname
568for the specified public key file.
569.It Fl s Ar ca_key
570Certify (sign) a public key using the specified CA key.
571See the
572.Sx CERTIFICATES
573section for details.
574.Pp
575When generating a KRL,
576.Fl s
577specifies a path to a CA public key file used to revoke certificates directly
578by key ID or serial number.
579See the
580.Sx KEY REVOCATION LISTS
581section for details.
582.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
583Specifies the type of key to create.
584The possible values are
585.Dq dsa ,
586.Dq ecdsa ,
587.Dq ecdsa-sk ,
588.Dq ed25519 ,
589.Dq ed25519-sk ,
590or
591.Dq rsa .
592.Pp
593This flag may also be used to specify the desired signature type when
594signing certificates using an RSA CA key.
595The available RSA signature variants are
596.Dq ssh-rsa
597(SHA1 signatures, not recommended),
598.Dq rsa-sha2-256 ,
599and
600.Dq rsa-sha2-512
601(the default).
602.It Fl U
603When used in combination with
604.Fl s
605or
606.Fl Y Cm sign ,
607this option indicates that a CA key resides in a
608.Xr ssh-agent 1 .
609See the
610.Sx CERTIFICATES
611section for more information.
612.It Fl u
613Update a KRL.
614When specified with
615.Fl k ,
616keys listed via the command line are added to the existing KRL rather than
617a new KRL being created.
618.It Fl V Ar validity_interval
619Specify a validity interval when signing a certificate.
620A validity interval may consist of a single time, indicating that the
621certificate is valid beginning now and expiring at that time, or may consist
622of two times separated by a colon to indicate an explicit time interval.
623.Pp
624The start time may be specified as:
625.Bl -bullet -compact
626.It
627The string
628.Dq always
629to indicate the certificate has no specified start time.
630.It
631A date or time in the system time zone formatted as YYYYMMDD or
632YYYYMMDDHHMM[SS].
633.It
634A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z.
635.It
636A relative time before the current system time consisting of a minus sign
637followed by an interval in the format described in the
638TIME FORMATS section of
639.Xr sshd_config 5 .
640.It
641A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal
642number beginning with
643.Dq 0x .
644.El
645.Pp
646The end time may be specified similarly to the start time:
647.Bl -bullet -compact
648.It
649The string
650.Dq forever
651to indicate the certificate has no specified end time.
652.It
653A date or time in the system time zone formatted as YYYYMMDD or
654YYYYMMDDHHMM[SS].
655.It
656A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z.
657.It
658A relative time after the current system time consisting of a plus sign
659followed by an interval in the format described in the
660TIME FORMATS section of
661.Xr sshd_config 5 .
662.It
663A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal
664number beginning with
665.Dq 0x .
666.El
667.Pp
668For example:
669.Bl -tag -width Ds
670.It +52w1d
671Valid from now to 52 weeks and one day from now.
672.It -4w:+4w
673Valid from four weeks ago to four weeks from now.
674.It 20100101123000:20110101123000
675Valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011.
676.It 20100101123000Z:20110101123000Z
677Similar, but interpreted in the UTC time zone rather than the system time zone.
678.It -1d:20110101
679Valid from yesterday to midnight, January 1st, 2011.
680.It 0x1:0x2000000000
681Valid from roughly early 1970 to May 2033.
682.It -1m:forever
683Valid from one minute ago and never expiring.
684.El
685.It Fl v
686Verbose mode.
687Causes
688.Nm
689to print debugging messages about its progress.
690This is helpful for debugging moduli generation.
691Multiple
692.Fl v
693options increase the verbosity.
694The maximum is 3.
695.It Fl w Ar provider
696Specifies a path to a library that will be used when creating
697FIDO authenticator-hosted keys, overriding the default of using
698the internal USB HID support.
699.It Fl Y Cm find-principals
700Find the principal(s) associated with the public key of a signature,
701provided using the
702.Fl s
703flag in an authorized signers file provided using the
704.Fl f
705flag.
706The format of the allowed signers file is documented in the
707.Sx ALLOWED SIGNERS
708section below.
709If one or more matching principals are found, they are returned on
710standard output.
711.It Fl Y Cm match-principals
712Find principal matching the principal name provided using the
713.Fl I
714flag in the authorized signers file specified using the
715.Fl f
716flag.
717If one or more matching principals are found, they are returned on
718standard output.
719.It Fl Y Cm check-novalidate
720Checks that a signature generated using
721.Nm
722.Fl Y Cm sign
723has a valid structure.
724This does not validate if a signature comes from an authorized signer.
725When testing a signature,
726.Nm
727accepts a message on standard input and a signature namespace using
728.Fl n .
729A file containing the corresponding signature must also be supplied using the
730.Fl s
731flag.
732Successful testing of the signature is signalled by
733.Nm
734returning a zero exit status.
735.It Fl Y Cm sign
736Cryptographically sign a file or some data using an SSH key.
737When signing,
738.Nm
739accepts zero or more files to sign on the command-line - if no files
740are specified then
741.Nm
742will sign data presented on standard input.
743Signatures are written to the path of the input file with
744.Dq .sig
745appended, or to standard output if the message to be signed was read from
746standard input.
747.Pp
748The key used for signing is specified using the
749.Fl f
750option and may refer to either a private key, or a public key with the private
751half available via
752.Xr ssh-agent 1 .
753An additional signature namespace, used to prevent signature confusion across
754different domains of use (e.g. file signing vs email signing) must be provided
755via the
756.Fl n
757flag.
758Namespaces are arbitrary strings, and may include:
759.Dq file
760for file signing,
761.Dq email
762for email signing.
763For custom uses, it is recommended to use names following a
764NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces.
765.It Fl Y Cm verify
766Request to verify a signature generated using
767.Nm
768.Fl Y Cm sign
769as described above.
770When verifying a signature,
771.Nm
772accepts a message on standard input and a signature namespace using
773.Fl n .
774A file containing the corresponding signature must also be supplied using the
775.Fl s
776flag, along with the identity of the signer using
777.Fl I
778and a list of allowed signers via the
779.Fl f
780flag.
781The format of the allowed signers file is documented in the
782.Sx ALLOWED SIGNERS
783section below.
784A file containing revoked keys can be passed using the
785.Fl r
786flag.
787The revocation file may be a KRL or a one-per-line list of public keys.
788Successful verification by an authorized signer is signalled by
789.Nm
790returning a zero exit status.
791.It Fl y
792This option will read a private
793OpenSSH format file and print an OpenSSH public key to stdout.
794.It Fl Z Ar cipher
795Specifies the cipher to use for encryption when writing an OpenSSH-format
796private key file.
797The list of available ciphers may be obtained using
798.Qq ssh -Q cipher .
799The default is
800.Dq aes256-ctr .
801.It Fl z Ar serial_number
802Specifies a serial number to be embedded in the certificate to distinguish
803this certificate from others from the same CA.
804If the
805.Ar serial_number
806is prefixed with a
807.Sq +
808character, then the serial number will be incremented for each certificate
809signed on a single command-line.
810The default serial number is zero.
811.Pp
812When generating a KRL, the
813.Fl z
814flag is used to specify a KRL version number.
815.El
816.Sh MODULI GENERATION
817.Nm
818may be used to generate groups for the Diffie-Hellman Group Exchange
819(DH-GEX) protocol.
820Generating these groups is a two-step process: first, candidate
821primes are generated using a fast, but memory intensive process.
822These candidate primes are then tested for suitability (a CPU-intensive
823process).
824.Pp
825Generation of primes is performed using the
826.Fl M Cm generate
827option.
828The desired length of the primes may be specified by the
829.Fl O Cm bits
830option.
831For example:
832.Pp
833.Dl # ssh-keygen -M generate -O bits=2048 moduli-2048.candidates
834.Pp
835By default, the search for primes begins at a random point in the
836desired length range.
837This may be overridden using the
838.Fl O Cm start
839option, which specifies a different start point (in hex).
840.Pp
841Once a set of candidates have been generated, they must be screened for
842suitability.
843This may be performed using the
844.Fl M Cm screen
845option.
846In this mode
847.Nm
848will read candidates from standard input (or a file specified using the
849.Fl f
850option).
851For example:
852.Pp
853.Dl # ssh-keygen -M screen -f moduli-2048.candidates moduli-2048
854.Pp
855By default, each candidate will be subjected to 100 primality tests.
856This may be overridden using the
857.Fl O Cm prime-tests
858option.
859The DH generator value will be chosen automatically for the
860prime under consideration.
861If a specific generator is desired, it may be requested using the
862.Fl O Cm generator
863option.
864Valid generator values are 2, 3, and 5.
865.Pp
866Screened DH groups may be installed in
867.Pa /etc/moduli .
868It is important that this file contains moduli of a range of bit lengths.
869.Pp
870A number of options are available for moduli generation and screening via the
871.Fl O
872flag:
873.Bl -tag -width Ds
874.It Ic lines Ns = Ns Ar number
875Exit after screening the specified number of lines while performing DH
876candidate screening.
877.It Ic start-line Ns = Ns Ar line-number
878Start screening at the specified line number while performing DH candidate
879screening.
880.It Ic checkpoint Ns = Ns Ar filename
881Write the last line processed to the specified file while performing DH
882candidate screening.
883This will be used to skip lines in the input file that have already been
884processed if the job is restarted.
885.It Ic memory Ns = Ns Ar mbytes
886Specify the amount of memory to use (in megabytes) when generating
887candidate moduli for DH-GEX.
888.It Ic start Ns = Ns Ar hex-value
889Specify start point (in hex) when generating candidate moduli for DH-GEX.
890.It Ic generator Ns = Ns Ar value
891Specify desired generator (in decimal) when testing candidate moduli for DH-GEX.
892.El
893.Sh CERTIFICATES
894.Nm
895supports signing of keys to produce certificates that may be used for
896user or host authentication.
897Certificates consist of a public key, some identity information, zero or
898more principal (user or host) names and a set of options that
899are signed by a Certification Authority (CA) key.
900Clients or servers may then trust only the CA key and verify its signature
901on a certificate rather than trusting many user/host keys.
902Note that OpenSSH certificates are a different, and much simpler, format to
903the X.509 certificates used in
904.Xr ssl 8 .
905.Pp
906.Nm
907supports two types of certificates: user and host.
908User certificates authenticate users to servers, whereas host certificates
909authenticate server hosts to users.
910To generate a user certificate:
911.Pp
912.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
913.Pp
914The resultant certificate will be placed in
915.Pa /path/to/user_key-cert.pub .
916A host certificate requires the
917.Fl h
918option:
919.Pp
920.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
921.Pp
922The host certificate will be output to
923.Pa /path/to/host_key-cert.pub .
924.Pp
925It is possible to sign using a CA key stored in a PKCS#11 token by
926providing the token library using
927.Fl D
928and identifying the CA key by providing its public half as an argument
929to
930.Fl s :
931.Pp
932.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
933.Pp
934Similarly, it is possible for the CA key to be hosted in a
935.Xr ssh-agent 1 .
936This is indicated by the
937.Fl U
938flag and, again, the CA key must be identified by its public half.
939.Pp
940.Dl $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub
941.Pp
942In all cases,
943.Ar key_id
944is a "key identifier" that is logged by the server when the certificate
945is used for authentication.
946.Pp
947Certificates may be limited to be valid for a set of principal (user/host)
948names.
949By default, generated certificates are valid for all users or hosts.
950To generate a certificate for a specified set of principals:
951.Pp
952.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
953.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub"
954.Pp
955Additional limitations on the validity and use of user certificates may
956be specified through certificate options.
957A certificate option may disable features of the SSH session, may be
958valid only when presented from particular source addresses or may
959force the use of a specific command.
960.Pp
961The options that are valid for user certificates are:
962.Pp
963.Bl -tag -width Ds -compact
964.It Ic clear
965Clear all enabled permissions.
966This is useful for clearing the default set of permissions so permissions may
967be added individually.
968.Pp
969.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
970.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
971Includes an arbitrary certificate critical option or extension.
972The specified
973.Ar name
974should include a domain suffix, e.g.\&
975.Dq name@example.com .
976If
977.Ar contents
978is specified then it is included as the contents of the extension/option
979encoded as a string, otherwise the extension/option is created with no
980contents (usually indicating a flag).
981Extensions may be ignored by a client or server that does not recognise them,
982whereas unknown critical options will cause the certificate to be refused.
983.Pp
984.It Ic force-command Ns = Ns Ar command
985Forces the execution of
986.Ar command
987instead of any shell or command specified by the user when
988the certificate is used for authentication.
989.Pp
990.It Ic no-agent-forwarding
991Disable
992.Xr ssh-agent 1
993forwarding (permitted by default).
994.Pp
995.It Ic no-port-forwarding
996Disable port forwarding (permitted by default).
997.Pp
998.It Ic no-pty
999Disable PTY allocation (permitted by default).
1000.Pp
1001.It Ic no-user-rc
1002Disable execution of
1003.Pa ~/.ssh/rc
1004by
1005.Xr sshd 8
1006(permitted by default).
1007.Pp
1008.It Ic no-x11-forwarding
1009Disable X11 forwarding (permitted by default).
1010.Pp
1011.It Ic permit-agent-forwarding
1012Allows
1013.Xr ssh-agent 1
1014forwarding.
1015.Pp
1016.It Ic permit-port-forwarding
1017Allows port forwarding.
1018.Pp
1019.It Ic permit-pty
1020Allows PTY allocation.
1021.Pp
1022.It Ic permit-user-rc
1023Allows execution of
1024.Pa ~/.ssh/rc
1025by
1026.Xr sshd 8 .
1027.Pp
1028.It Ic permit-X11-forwarding
1029Allows X11 forwarding.
1030.Pp
1031.It Ic no-touch-required
1032Do not require signatures made using this key include demonstration
1033of user presence (e.g. by having the user touch the authenticator).
1034This option only makes sense for the FIDO authenticator algorithms
1035.Cm ecdsa-sk
1036and
1037.Cm ed25519-sk .
1038.Pp
1039.It Ic source-address Ns = Ns Ar address_list
1040Restrict the source addresses from which the certificate is considered valid.
1041The
1042.Ar address_list
1043is a comma-separated list of one or more address/netmask pairs in CIDR
1044format.
1045.Pp
1046.It Ic verify-required
1047Require signatures made using this key indicate that the user was first
1048verified.
1049This option only makes sense for the FIDO authenticator algorithms
1050.Cm ecdsa-sk
1051and
1052.Cm ed25519-sk .
1053Currently PIN authentication is the only supported verification method,
1054but other methods may be supported in the future.
1055.El
1056.Pp
1057At present, no standard options are valid for host keys.
1058.Pp
1059Finally, certificates may be defined with a validity lifetime.
1060The
1061.Fl V
1062option allows specification of certificate start and end times.
1063A certificate that is presented at a time outside this range will not be
1064considered valid.
1065By default, certificates are valid from the
1066.Ux
1067Epoch to the distant future.
1068.Pp
1069For certificates to be used for user or host authentication, the CA
1070public key must be trusted by
1071.Xr sshd 8
1072or
1073.Xr ssh 1 .
1074Refer to those manual pages for details.
1075.Sh FIDO AUTHENTICATOR
1076.Nm
1077is able to generate FIDO authenticator-backed keys, after which
1078they may be used much like any other key type supported by OpenSSH, so
1079long as the hardware authenticator is attached when the keys are used.
1080FIDO authenticators generally require the user to explicitly authorise
1081operations by touching or tapping them.
1082FIDO keys consist of two parts: a key handle part stored in the
1083private key file on disk, and a per-device private key that is unique
1084to each FIDO authenticator and that cannot be exported from the
1085authenticator hardware.
1086These are combined by the hardware at authentication time to derive
1087the real key that is used to sign authentication challenges.
1088Supported key types are
1089.Cm ecdsa-sk
1090and
1091.Cm ed25519-sk .
1092.Pp
1093The options that are valid for FIDO keys are:
1094.Bl -tag -width Ds
1095.It Cm application
1096Override the default FIDO application/origin string of
1097.Dq ssh: .
1098This may be useful when generating host or domain-specific resident keys.
1099The specified application string must begin with
1100.Dq ssh: .
1101.It Cm challenge Ns = Ns Ar path
1102Specifies a path to a challenge string that will be passed to the
1103FIDO authenticator during key generation.
1104The challenge string may be used as part of an out-of-band
1105protocol for key enrollment
1106(a random challenge is used by default).
1107.It Cm device
1108Explicitly specify a
1109.Xr fido 4
1110device to use, rather than letting the authenticator middleware select one.
1111.It Cm no-touch-required
1112Indicate that the generated private key should not require touch
1113events (user presence) when making signatures.
1114Note that
1115.Xr sshd 8
1116will refuse such signatures by default, unless overridden via
1117an authorized_keys option.
1118.It Cm resident
1119Indicate that the key handle should be stored on the FIDO
1120authenticator itself.
1121This makes it easier to use the authenticator on multiple computers.
1122Resident keys may be supported on FIDO2 authenticators and typically
1123require that a PIN be set on the authenticator prior to generation.
1124Resident keys may be loaded off the authenticator using
1125.Xr ssh-add 1 .
1126Storing both parts of a key on a FIDO authenticator increases the likelihood
1127of an attacker being able to use a stolen authenticator device.
1128.It Cm user
1129A username to be associated with a resident key,
1130overriding the empty default username.
1131Specifying a username may be useful when generating multiple resident keys
1132for the same application name.
1133.It Cm verify-required
1134Indicate that this private key should require user verification for
1135each signature.
1136Not all FIDO authenticators support this option.
1137Currently PIN authentication is the only supported verification method,
1138but other methods may be supported in the future.
1139.It Cm write-attestation Ns = Ns Ar path
1140May be used at key generation time to record the attestation data
1141returned from FIDO authenticators during key generation.
1142This information is potentially sensitive.
1143By default, this information is discarded.
1144.El
1145.Sh KEY REVOCATION LISTS
1146.Nm
1147is able to manage OpenSSH format Key Revocation Lists (KRLs).
1148These binary files specify keys or certificates to be revoked using a
1149compact format, taking as little as one bit per certificate if they are being
1150revoked by serial number.
1151.Pp
1152KRLs may be generated using the
1153.Fl k
1154flag.
1155This option reads one or more files from the command line and generates a new
1156KRL.
1157The files may either contain a KRL specification (see below) or public keys,
1158listed one per line.
1159Plain public keys are revoked by listing their hash or contents in the KRL and
1160certificates revoked by serial number or key ID (if the serial is zero or
1161not available).
1162.Pp
1163Revoking keys using a KRL specification offers explicit control over the
1164types of record used to revoke keys and may be used to directly revoke
1165certificates by serial number or key ID without having the complete original
1166certificate on hand.
1167A KRL specification consists of lines containing one of the following directives
1168followed by a colon and some directive-specific information.
1169.Bl -tag -width Ds
1170.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
1171Revokes a certificate with the specified serial number.
1172Serial numbers are 64-bit values, not including zero and may be expressed
1173in decimal, hex or octal.
1174If two serial numbers are specified separated by a hyphen, then the range
1175of serial numbers including and between each is revoked.
1176The CA key must have been specified on the
1177.Nm
1178command line using the
1179.Fl s
1180option.
1181.It Cm id : Ar key_id
1182Revokes a certificate with the specified key ID string.
1183The CA key must have been specified on the
1184.Nm
1185command line using the
1186.Fl s
1187option.
1188.It Cm key : Ar public_key
1189Revokes the specified key.
1190If a certificate is listed, then it is revoked as a plain public key.
1191.It Cm sha1 : Ar public_key
1192Revokes the specified key by including its SHA1 hash in the KRL.
1193.It Cm sha256 : Ar public_key
1194Revokes the specified key by including its SHA256 hash in the KRL.
1195KRLs that revoke keys by SHA256 hash are not supported by OpenSSH versions
1196prior to 7.9.
1197.It Cm hash : Ar fingerprint
1198Revokes a key using a fingerprint hash, as obtained from a
1199.Xr sshd 8
1200authentication log message or the
1201.Nm
1202.Fl l
1203flag.
1204Only SHA256 fingerprints are supported here and resultant KRLs are
1205not supported by OpenSSH versions prior to 7.9.
1206.El
1207.Pp
1208KRLs may be updated using the
1209.Fl u
1210flag in addition to
1211.Fl k .
1212When this option is specified, keys listed via the command line are merged into
1213the KRL, adding to those already there.
1214.Pp
1215It is also possible, given a KRL, to test whether it revokes a particular key
1216(or keys).
1217The
1218.Fl Q
1219flag will query an existing KRL, testing each key specified on the command line.
1220If any key listed on the command line has been revoked (or an error encountered)
1221then
1222.Nm
1223will exit with a non-zero exit status.
1224A zero exit status will only be returned if no key was revoked.
1225.Sh ALLOWED SIGNERS
1226When verifying signatures,
1227.Nm
1228uses a simple list of identities and keys to determine whether a signature
1229comes from an authorized source.
1230This "allowed signers" file uses a format patterned after the
1231AUTHORIZED_KEYS FILE FORMAT described in
1232.Xr sshd 8 .
1233Each line of the file contains the following space-separated fields:
1234principals, options, keytype, base64-encoded key.
1235Empty lines and lines starting with a
1236.Ql #
1237are ignored as comments.
1238.Pp
1239The principals field is a pattern-list (see PATTERNS in
1240.Xr ssh_config 5 )
1241consisting of one or more comma-separated USER@DOMAIN identity patterns
1242that are accepted for signing.
1243When verifying, the identity presented via the
1244.Fl I
1245option must match a principals pattern in order for the corresponding key to be
1246considered acceptable for verification.
1247.Pp
1248The options (if present) consist of comma-separated option specifications.
1249No spaces are permitted, except within double quotes.
1250The following option specifications are supported (note that option keywords
1251are case-insensitive):
1252.Bl -tag -width Ds
1253.It Cm cert-authority
1254Indicates that this key is accepted as a certificate authority (CA) and
1255that certificates signed by this CA may be accepted for verification.
1256.It Cm namespaces Ns = Ns "namespace-list"
1257Specifies a pattern-list of namespaces that are accepted for this key.
1258If this option is present, the signature namespace embedded in the
1259signature object and presented on the verification command-line must
1260match the specified list before the key will be considered acceptable.
1261.It Cm valid-after Ns = Ns "timestamp"
1262Indicates that the key is valid for use at or after the specified timestamp,
1263which may be a date or time in the YYYYMMDD[Z] or YYYYMMDDHHMM[SS][Z] formats.
1264Dates and times will be interpreted in the current system time zone unless
1265suffixed with a Z character, which causes them to be interpreted in the UTC
1266time zone.
1267.It Cm valid-before Ns = Ns "timestamp"
1268Indicates that the key is valid for use at or before the specified timestamp.
1269.El
1270.Pp
1271When verifying signatures made by certificates, the expected principal
1272name must match both the principals pattern in the allowed signers file and
1273the principals embedded in the certificate itself.
1274.Pp
1275An example allowed signers file:
1276.Bd -literal -offset 3n
1277# Comments allowed at start of line
1278user1@example.com,user2@example.com ssh-rsa AAAAX1...
1279# A certificate authority, trusted for all principals in a domain.
1280*@example.com cert-authority ssh-ed25519 AAAB4...
1281# A key that is accepted only for file signing.
1282user2@example.com namespaces="file" ssh-ed25519 AAA41...
1283.Ed
1284.Sh ENVIRONMENT
1285.Bl -tag -width Ds
1286.It Ev SSH_SK_PROVIDER
1287Specifies a path to a library that will be used when loading any
1288FIDO authenticator-hosted keys, overriding the default of using
1289the built-in USB HID support.
1290.El
1291.Sh FILES
1292.Bl -tag -width Ds -compact
1293.It Pa ~/.ssh/id_dsa
1294.It Pa ~/.ssh/id_ecdsa
1295.It Pa ~/.ssh/id_ecdsa_sk
1296.It Pa ~/.ssh/id_ed25519
1297.It Pa ~/.ssh/id_ed25519_sk
1298.It Pa ~/.ssh/id_rsa
1299Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
1300authenticator-hosted Ed25519 or RSA authentication identity of the user.
1301This file should not be readable by anyone but the user.
1302It is possible to
1303specify a passphrase when generating the key; that passphrase will be
1304used to encrypt the private part of this file using 128-bit AES.
1305This file is not automatically accessed by
1306.Nm
1307but it is offered as the default file for the private key.
1308.Xr ssh 1
1309will read this file when a login attempt is made.
1310.Pp
1311.It Pa ~/.ssh/id_dsa.pub
1312.It Pa ~/.ssh/id_ecdsa.pub
1313.It Pa ~/.ssh/id_ecdsa_sk.pub
1314.It Pa ~/.ssh/id_ed25519.pub
1315.It Pa ~/.ssh/id_ed25519_sk.pub
1316.It Pa ~/.ssh/id_rsa.pub
1317Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
1318authenticator-hosted Ed25519 or RSA public key for authentication.
1319The contents of this file should be added to
1320.Pa ~/.ssh/authorized_keys
1321on all machines
1322where the user wishes to log in using public key authentication.
1323There is no need to keep the contents of this file secret.
1324.Pp
1325.It Pa /etc/moduli
1326Contains Diffie-Hellman groups used for DH-GEX.
1327The file format is described in
1328.Xr moduli 5 .
1329.El
1330.Sh SEE ALSO
1331.Xr ssh 1 ,
1332.Xr ssh-add 1 ,
1333.Xr ssh-agent 1 ,
1334.Xr moduli 5 ,
1335.Xr sshd 8
1336.Rs
1337.%R RFC 4716
1338.%T "The Secure Shell (SSH) Public Key File Format"
1339.%D 2006
1340.Re
1341.Sh AUTHORS
1342OpenSSH is a derivative of the original and free
1343ssh 1.2.12 release by Tatu Ylonen.
1344Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1345Theo de Raadt and Dug Song
1346removed many bugs, re-added newer features and
1347created OpenSSH.
1348Markus Friedl contributed the support for SSH
1349protocol versions 1.5 and 2.0.
1350