1.\" -*- nroff -*- 2.\" 3.\" ssh-keygen.1 4.\" 5.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 6.\" 7.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 8.\" All rights reserved 9.\" 10.\" Created: Sat Apr 22 23:55:14 1995 ylo 11.\" 12.\" $Id: ssh-keygen.1,v 1.12 2000/03/23 21:10:10 aaron Exp $ 13.\" 14.Dd September 25, 1999 15.Dt SSH-KEYGEN 1 16.Os 17.Sh NAME 18.Nm ssh-keygen 19.Nd authentication key generation 20.Sh SYNOPSIS 21.Nm ssh-keygen 22.Op Fl q 23.Op Fl b Ar bits 24.Op Fl N Ar new_passphrase 25.Op Fl C Ar comment 26.Op Fl f Ar keyfile 27.Nm ssh-keygen 28.Fl p 29.Op Fl P Ar old_passphrase 30.Op Fl N Ar new_passphrase 31.Op Fl f Ar keyfile 32.Nm ssh-keygen 33.Fl c 34.Op Fl P Ar passphrase 35.Op Fl C Ar comment 36.Op Fl f Ar keyfile 37.Nm ssh-keygen 38.Fl l 39.Op Fl f Ar keyfile 40.Sh DESCRIPTION 41.Nm 42generates and manages authentication keys for 43.Xr ssh 1 . 44Normally each user wishing to use SSH 45with RSA authentication runs this once to create the authentication 46key in 47.Pa $HOME/.ssh/identity . 48Additionally, the system administrator may use this to generate host keys. 49.Pp 50Normally this program generates the key and asks for a file in which 51to store the private key. 52The public key is stored in a file with the same name but 53.Dq .pub 54appended. 55The program also asks for a passphrase. 56The passphrase may be empty to indicate no passphrase 57(host keys must have empty passphrase), or it may be a string of 58arbitrary length. 59Good passphrases are 10-30 characters long and are 60not simple sentences or otherwise easily guessable (English 61prose has only 1-2 bits of entropy per word, and provides very bad 62passphrases). 63The passphrase can be changed later by using the 64.Fl p 65option. 66.Pp 67There is no way to recover a lost passphrase. 68If the passphrase is 69lost or forgotten, you will have to generate a new key and copy the 70corresponding public key to other machines. 71.Pp 72There is also a comment field in the key file that is only for 73convenience to the user to help identify the key. 74The comment can tell what the key is for, or whatever is useful. 75The comment is initialized to 76.Dq user@host 77when the key is created, but can be changed using the 78.Fl c 79option. 80.Pp 81The options are as follows: 82.Bl -tag -width Ds 83.It Fl b Ar bits 84Specifies the number of bits in the key to create. 85Minimum is 512 bits. 86Generally 1024 bits is considered sufficient, and key sizes 87above that no longer improve security but make things slower. 88The default is 1024 bits. 89.It Fl c 90Requests changing the comment in the private and public key files. 91The program will prompt for the file containing the private keys, for 92passphrase if the key has one, and for the new comment. 93.It Fl f 94Specifies the filename of the key file. 95.It Fl l 96Show fingerprint of specified private or public key file. 97.It Fl p 98Requests changing the passphrase of a private key file instead of 99creating a new private key. 100The program will prompt for the file 101containing the private key, for the old passphrase, and twice for the 102new passphrase. 103.It Fl q 104Silence 105.Nm ssh-keygen . 106Used by 107.Pa /etc/rc 108when creating a new key. 109.It Fl C Ar comment 110Provides the new comment. 111.It Fl N Ar new_passphrase 112Provides the new passphrase. 113.It Fl P Ar passphrase 114Provides the (old) passphrase. 115.El 116.Sh FILES 117.Bl -tag -width Ds 118.It Pa $HOME/.ssh/identity 119Contains the RSA authentication identity of the user. 120This file should not be readable by anyone but the user. 121It is possible to 122specify a passphrase when generating the key; that passphrase will be 123used to encrypt the private part of this file using 3DES. 124This file is not automatically accessed by 125.Nm 126but it is offered as the default file for the private key. 127.It Pa $HOME/.ssh/identity.pub 128Contains the public key for authentication. 129The contents of this file should be added to 130.Pa $HOME/.ssh/authorized_keys 131on all machines 132where you wish to log in using RSA authentication. 133There is no need to keep the contents of this file secret. 134.Sh AUTHOR 135Tatu Ylonen <ylo@cs.hut.fi> 136.Pp 137OpenSSH 138is a derivative of the original (free) ssh 1.2.12 release, but with bugs 139removed and newer features re-added. 140Rapidly after the 1.2.12 release, 141newer versions bore successively more restrictive licenses. 142This version of OpenSSH 143.Bl -bullet 144.It 145has all components of a restrictive nature (i.e., patents, see 146.Xr ssl 8 ) 147directly removed from the source code; any licensed or patented components 148are chosen from 149external libraries. 150.It 151has been updated to support ssh protocol 1.5. 152.It 153contains added support for 154.Xr kerberos 8 155authentication and ticket passing. 156.It 157supports one-time password authentication with 158.Xr skey 1 . 159.El 160.Pp 161The libraries described in 162.Xr ssl 8 163are required for proper operation. 164.Sh SEE ALSO 165.Xr ssh 1 , 166.Xr ssh-add 1 , 167.Xr ssh-agent 1 , 168.Xr sshd 8 , 169.Xr ssl 8 170