xref: /freebsd/crypto/openssh/ssh-keygen.1 (revision 6ba2210ee039f2f12878c217bcf058e9c8b26b29)
1.\"	$OpenBSD: ssh-keygen.1,v 1.216 2021/08/11 08:54:17 djm Exp $
2.\"
3.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5.\"                    All rights reserved
6.\"
7.\" As far as I am concerned, the code I have written for this software
8.\" can be used freely for any purpose.  Any derived versions of this
9.\" software must be clearly marked as such, and if the derived work is
10.\" incompatible with the protocol description in the RFC file, it must be
11.\" called by a name other than "ssh" or "Secure Shell".
12.\"
13.\"
14.\" Copyright (c) 1999,2000 Markus Friedl.  All rights reserved.
15.\" Copyright (c) 1999 Aaron Campbell.  All rights reserved.
16.\" Copyright (c) 1999 Theo de Raadt.  All rights reserved.
17.\"
18.\" Redistribution and use in source and binary forms, with or without
19.\" modification, are permitted provided that the following conditions
20.\" are met:
21.\" 1. Redistributions of source code must retain the above copyright
22.\"    notice, this list of conditions and the following disclaimer.
23.\" 2. Redistributions in binary form must reproduce the above copyright
24.\"    notice, this list of conditions and the following disclaimer in the
25.\"    documentation and/or other materials provided with the distribution.
26.\"
27.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37.\"
38.Dd $Mdocdate: August 11 2021 $
39.Dt SSH-KEYGEN 1
40.Os
41.Sh NAME
42.Nm ssh-keygen
43.Nd OpenSSH authentication key utility
44.Sh SYNOPSIS
45.Nm ssh-keygen
46.Op Fl q
47.Op Fl a Ar rounds
48.Op Fl b Ar bits
49.Op Fl C Ar comment
50.Op Fl f Ar output_keyfile
51.Op Fl m Ar format
52.Op Fl N Ar new_passphrase
53.Op Fl O Ar option
54.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
55.Op Fl w Ar provider
56.Op Fl Z Ar cipher
57.Nm ssh-keygen
58.Fl p
59.Op Fl a Ar rounds
60.Op Fl f Ar keyfile
61.Op Fl m Ar format
62.Op Fl N Ar new_passphrase
63.Op Fl P Ar old_passphrase
64.Op Fl Z Ar cipher
65.Nm ssh-keygen
66.Fl i
67.Op Fl f Ar input_keyfile
68.Op Fl m Ar key_format
69.Nm ssh-keygen
70.Fl e
71.Op Fl f Ar input_keyfile
72.Op Fl m Ar key_format
73.Nm ssh-keygen
74.Fl y
75.Op Fl f Ar input_keyfile
76.Nm ssh-keygen
77.Fl c
78.Op Fl a Ar rounds
79.Op Fl C Ar comment
80.Op Fl f Ar keyfile
81.Op Fl P Ar passphrase
82.Nm ssh-keygen
83.Fl l
84.Op Fl v
85.Op Fl E Ar fingerprint_hash
86.Op Fl f Ar input_keyfile
87.Nm ssh-keygen
88.Fl B
89.Op Fl f Ar input_keyfile
90.Nm ssh-keygen
91.Fl D Ar pkcs11
92.Nm ssh-keygen
93.Fl F Ar hostname
94.Op Fl lv
95.Op Fl f Ar known_hosts_file
96.Nm ssh-keygen
97.Fl H
98.Op Fl f Ar known_hosts_file
99.Nm ssh-keygen
100.Fl K
101.Op Fl a Ar rounds
102.Op Fl w Ar provider
103.Nm ssh-keygen
104.Fl R Ar hostname
105.Op Fl f Ar known_hosts_file
106.Nm ssh-keygen
107.Fl r Ar hostname
108.Op Fl g
109.Op Fl f Ar input_keyfile
110.Nm ssh-keygen
111.Fl M Cm generate
112.Op Fl O Ar option
113.Ar output_file
114.Nm ssh-keygen
115.Fl M Cm screen
116.Op Fl f Ar input_file
117.Op Fl O Ar option
118.Ar output_file
119.Nm ssh-keygen
120.Fl I Ar certificate_identity
121.Fl s Ar ca_key
122.Op Fl hU
123.Op Fl D Ar pkcs11_provider
124.Op Fl n Ar principals
125.Op Fl O Ar option
126.Op Fl V Ar validity_interval
127.Op Fl z Ar serial_number
128.Ar
129.Nm ssh-keygen
130.Fl L
131.Op Fl f Ar input_keyfile
132.Nm ssh-keygen
133.Fl A
134.Op Fl a Ar rounds
135.Op Fl f Ar prefix_path
136.Nm ssh-keygen
137.Fl k
138.Fl f Ar krl_file
139.Op Fl u
140.Op Fl s Ar ca_public
141.Op Fl z Ar version_number
142.Ar
143.Nm ssh-keygen
144.Fl Q
145.Op Fl l
146.Fl f Ar krl_file
147.Ar
148.Nm ssh-keygen
149.Fl Y Cm find-principals
150.Op Fl O Ar option
151.Fl s Ar signature_file
152.Fl f Ar allowed_signers_file
153.Nm ssh-keygen
154.Fl Y Cm check-novalidate
155.Op Fl O Ar option
156.Fl n Ar namespace
157.Fl s Ar signature_file
158.Nm ssh-keygen
159.Fl Y Cm sign
160.Fl f Ar key_file
161.Fl n Ar namespace
162.Ar
163.Nm ssh-keygen
164.Fl Y Cm verify
165.Op Fl O Ar option
166.Fl f Ar allowed_signers_file
167.Fl I Ar signer_identity
168.Fl n Ar namespace
169.Fl s Ar signature_file
170.Op Fl r Ar revocation_file
171.Sh DESCRIPTION
172.Nm
173generates, manages and converts authentication keys for
174.Xr ssh 1 .
175.Nm
176can create keys for use by SSH protocol version 2.
177.Pp
178The type of key to be generated is specified with the
179.Fl t
180option.
181If invoked without any arguments,
182.Nm
183will generate an RSA key.
184.Pp
185.Nm
186is also used to generate groups for use in Diffie-Hellman group
187exchange (DH-GEX).
188See the
189.Sx MODULI GENERATION
190section for details.
191.Pp
192Finally,
193.Nm
194can be used to generate and update Key Revocation Lists, and to test whether
195given keys have been revoked by one.
196See the
197.Sx KEY REVOCATION LISTS
198section for details.
199.Pp
200Normally each user wishing to use SSH
201with public key authentication runs this once to create the authentication
202key in
203.Pa ~/.ssh/id_dsa ,
204.Pa ~/.ssh/id_ecdsa ,
205.Pa ~/.ssh/id_ecdsa_sk ,
206.Pa ~/.ssh/id_ed25519 ,
207.Pa ~/.ssh/id_ed25519_sk
208or
209.Pa ~/.ssh/id_rsa .
210Additionally, the system administrator may use this to generate host keys,
211as seen in
212.Pa /etc/rc .
213.Pp
214Normally this program generates the key and asks for a file in which
215to store the private key.
216The public key is stored in a file with the same name but
217.Dq .pub
218appended.
219The program also asks for a passphrase.
220The passphrase may be empty to indicate no passphrase
221(host keys must have an empty passphrase), or it may be a string of
222arbitrary length.
223A passphrase is similar to a password, except it can be a phrase with a
224series of words, punctuation, numbers, whitespace, or any string of
225characters you want.
226Good passphrases are 10-30 characters long, are
227not simple sentences or otherwise easily guessable (English
228prose has only 1-2 bits of entropy per character, and provides very bad
229passphrases), and contain a mix of upper and lowercase letters,
230numbers, and non-alphanumeric characters.
231The passphrase can be changed later by using the
232.Fl p
233option.
234.Pp
235There is no way to recover a lost passphrase.
236If the passphrase is lost or forgotten, a new key must be generated
237and the corresponding public key copied to other machines.
238.Pp
239.Nm
240will by default write keys in an OpenSSH-specific format.
241This format is preferred as it offers better protection for
242keys at rest as well as allowing storage of key comments within
243the private key file itself.
244The key comment may be useful to help identify the key.
245The comment is initialized to
246.Dq user@host
247when the key is created, but can be changed using the
248.Fl c
249option.
250.Pp
251It is still possible for
252.Nm
253to write the previously-used PEM format private keys using the
254.Fl m
255flag.
256This may be used when generating new keys, and existing new-format
257keys may be converted using this option in conjunction with the
258.Fl p
259(change passphrase) flag.
260.Pp
261After a key is generated,
262.Nm
263will ask where the keys
264should be placed to be activated.
265.Pp
266The options are as follows:
267.Bl -tag -width Ds
268.It Fl A
269For each of the key types (rsa, dsa, ecdsa and ed25519)
270for which host keys
271do not exist, generate the host keys with the default key file path,
272an empty passphrase, default bits for the key type, and default comment.
273If
274.Fl f
275has also been specified, its argument is used as a prefix to the
276default path for the resulting host key files.
277This is used by
278.Pa /etc/rc
279to generate new host keys.
280.It Fl a Ar rounds
281When saving a private key, this option specifies the number of KDF
282(key derivation function, currently
283.Xr bcrypt_pbkdf 3 )
284rounds used.
285Higher numbers result in slower passphrase verification and increased
286resistance to brute-force password cracking (should the keys be stolen).
287The default is 16 rounds.
288.It Fl B
289Show the bubblebabble digest of specified private or public key file.
290.It Fl b Ar bits
291Specifies the number of bits in the key to create.
292For RSA keys, the minimum size is 1024 bits and the default is 3072 bits.
293Generally, 3072 bits is considered sufficient.
294DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
295For ECDSA keys, the
296.Fl b
297flag determines the key length by selecting from one of three elliptic
298curve sizes: 256, 384 or 521 bits.
299Attempting to use bit lengths other than these three values for ECDSA keys
300will fail.
301ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the
302.Fl b
303flag will be ignored.
304.It Fl C Ar comment
305Provides a new comment.
306.It Fl c
307Requests changing the comment in the private and public key files.
308The program will prompt for the file containing the private keys, for
309the passphrase if the key has one, and for the new comment.
310.It Fl D Ar pkcs11
311Download the public keys provided by the PKCS#11 shared library
312.Ar pkcs11 .
313When used in combination with
314.Fl s ,
315this option indicates that a CA key resides in a PKCS#11 token (see the
316.Sx CERTIFICATES
317section for details).
318.It Fl E Ar fingerprint_hash
319Specifies the hash algorithm used when displaying key fingerprints.
320Valid options are:
321.Dq md5
322and
323.Dq sha256 .
324The default is
325.Dq sha256 .
326.It Fl e
327This option will read a private or public OpenSSH key file and
328print to stdout a public key in one of the formats specified by the
329.Fl m
330option.
331The default export format is
332.Dq RFC4716 .
333This option allows exporting OpenSSH keys for use by other programs, including
334several commercial SSH implementations.
335.It Fl F Ar hostname | [hostname]:port
336Search for the specified
337.Ar hostname
338(with optional port number)
339in a
340.Pa known_hosts
341file, listing any occurrences found.
342This option is useful to find hashed host names or addresses and may also be
343used in conjunction with the
344.Fl H
345option to print found keys in a hashed format.
346.It Fl f Ar filename
347Specifies the filename of the key file.
348.It Fl g
349Use generic DNS format when printing fingerprint resource records using the
350.Fl r
351command.
352.It Fl H
353Hash a
354.Pa known_hosts
355file.
356This replaces all hostnames and addresses with hashed representations
357within the specified file; the original content is moved to a file with
358a .old suffix.
359These hashes may be used normally by
360.Nm ssh
361and
362.Nm sshd ,
363but they do not reveal identifying information should the file's contents
364be disclosed.
365This option will not modify existing hashed hostnames and is therefore safe
366to use on files that mix hashed and non-hashed names.
367.It Fl h
368When signing a key, create a host certificate instead of a user
369certificate.
370Please see the
371.Sx CERTIFICATES
372section for details.
373.It Fl I Ar certificate_identity
374Specify the key identity when signing a public key.
375Please see the
376.Sx CERTIFICATES
377section for details.
378.It Fl i
379This option will read an unencrypted private (or public) key file
380in the format specified by the
381.Fl m
382option and print an OpenSSH compatible private
383(or public) key to stdout.
384This option allows importing keys from other software, including several
385commercial SSH implementations.
386The default import format is
387.Dq RFC4716 .
388.It Fl K
389Download resident keys from a FIDO authenticator.
390Public and private key files will be written to the current directory for
391each downloaded key.
392If multiple FIDO authenticators are attached, keys will be downloaded from
393the first touched authenticator.
394.It Fl k
395Generate a KRL file.
396In this mode,
397.Nm
398will generate a KRL file at the location specified via the
399.Fl f
400flag that revokes every key or certificate presented on the command line.
401Keys/certificates to be revoked may be specified by public key file or
402using the format described in the
403.Sx KEY REVOCATION LISTS
404section.
405.It Fl L
406Prints the contents of one or more certificates.
407.It Fl l
408Show fingerprint of specified public key file.
409For RSA and DSA keys
410.Nm
411tries to find the matching public key file and prints its fingerprint.
412If combined with
413.Fl v ,
414a visual ASCII art representation of the key is supplied with the
415fingerprint.
416.It Fl M Cm generate
417Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parameters for
418eventual use by the
419.Sq diffie-hellman-group-exchange-*
420key exchange methods.
421The numbers generated by this operation must be further screened before
422use.
423See the
424.Sx MODULI GENERATION
425section for more information.
426.It Fl M Cm screen
427Screen candidate parameters for Diffie-Hellman Group Exchange.
428This will accept a list of candidate numbers and test that they are
429safe (Sophie Germain) primes with acceptable group generators.
430The results of this operation may be added to the
431.Pa /etc/moduli
432file.
433See the
434.Sx MODULI GENERATION
435section for more information.
436.It Fl m Ar key_format
437Specify a key format for key generation, the
438.Fl i
439(import),
440.Fl e
441(export) conversion options, and the
442.Fl p
443change passphrase operation.
444The latter may be used to convert between OpenSSH private key and PEM
445private key formats.
446The supported key formats are:
447.Dq RFC4716
448(RFC 4716/SSH2 public or private key),
449.Dq PKCS8
450(PKCS8 public or private key)
451or
452.Dq PEM
453(PEM public key).
454By default OpenSSH will write newly-generated private keys in its own
455format, but when converting public keys for export the default format is
456.Dq RFC4716 .
457Setting a format of
458.Dq PEM
459when generating or updating a supported private key type will cause the
460key to be stored in the legacy PEM private key format.
461.It Fl N Ar new_passphrase
462Provides the new passphrase.
463.It Fl n Ar principals
464Specify one or more principals (user or host names) to be included in
465a certificate when signing a key.
466Multiple principals may be specified, separated by commas.
467Please see the
468.Sx CERTIFICATES
469section for details.
470.It Fl O Ar option
471Specify a key/value option.
472These are specific to the operation that
473.Nm
474has been requested to perform.
475.Pp
476When signing certificates, one of the options listed in the
477.Sx CERTIFICATES
478section may be specified here.
479.Pp
480When performing moduli generation or screening, one of the options
481listed in the
482.Sx MODULI GENERATION
483section may be specified.
484.Pp
485When generating a key that will be hosted on a FIDO authenticator,
486this flag may be used to specify key-specific options.
487Those supported at present are:
488.Bl -tag -width Ds
489.It Cm application
490Override the default FIDO application/origin string of
491.Dq ssh: .
492This may be useful when generating host or domain-specific resident keys.
493The specified application string must begin with
494.Dq ssh: .
495.It Cm challenge Ns = Ns Ar path
496Specifies a path to a challenge string that will be passed to the
497FIDO token during key generation.
498The challenge string may be used as part of an out-of-band
499protocol for key enrollment
500(a random challenge is used by default).
501.It Cm device
502Explicitly specify a
503.Xr fido 4
504device to use, rather than letting the token middleware select one.
505.It Cm no-touch-required
506Indicate that the generated private key should not require touch
507events (user presence) when making signatures.
508Note that
509.Xr sshd 8
510will refuse such signatures by default, unless overridden via
511an authorized_keys option.
512.It Cm resident
513Indicate that the key should be stored on the FIDO authenticator itself.
514Resident keys may be supported on FIDO2 tokens and typically require that
515a PIN be set on the token prior to generation.
516Resident keys may be loaded off the token using
517.Xr ssh-add 1 .
518.It Cm user
519A username to be associated with a resident key,
520overriding the empty default username.
521Specifying a username may be useful when generating multiple resident keys
522for the same application name.
523.It Cm verify-required
524Indicate that this private key should require user verification for
525each signature.
526Not all FIDO tokens support this option.
527Currently PIN authentication is the only supported verification method,
528but other methods may be supported in the future.
529.It Cm write-attestation Ns = Ns Ar path
530May be used at key generation time to record the attestation data
531returned from FIDO tokens during key generation.
532Please note that this information is potentially sensitive.
533By default, this information is discarded.
534.El
535.Pp
536When performing signature-related options using the
537.Fl Y
538flag, the following options are accepted:
539.Bl -tag -width Ds
540.It Cm print-pubkey
541Print the full public key to standard output after signature verification.
542.It Cm verify-time Ns = Ns Ar timestamp
543Specifies a time to use when validating signatures instead of the current
544time.
545The time may be specified as a date in YYYYMMDD format or a time
546in YYYYMMDDHHMM[SS] format.
547.El
548.Pp
549The
550.Fl O
551option may be specified multiple times.
552.It Fl P Ar passphrase
553Provides the (old) passphrase.
554.It Fl p
555Requests changing the passphrase of a private key file instead of
556creating a new private key.
557The program will prompt for the file
558containing the private key, for the old passphrase, and twice for the
559new passphrase.
560.It Fl Q
561Test whether keys have been revoked in a KRL.
562If the
563.Fl l
564option is also specified then the contents of the KRL will be printed.
565.It Fl q
566Silence
567.Nm ssh-keygen .
568.It Fl R Ar hostname | [hostname]:port
569Removes all keys belonging to the specified
570.Ar hostname
571(with optional port number)
572from a
573.Pa known_hosts
574file.
575This option is useful to delete hashed hosts (see the
576.Fl H
577option above).
578.It Fl r Ar hostname
579Print the SSHFP fingerprint resource record named
580.Ar hostname
581for the specified public key file.
582.It Fl s Ar ca_key
583Certify (sign) a public key using the specified CA key.
584Please see the
585.Sx CERTIFICATES
586section for details.
587.Pp
588When generating a KRL,
589.Fl s
590specifies a path to a CA public key file used to revoke certificates directly
591by key ID or serial number.
592See the
593.Sx KEY REVOCATION LISTS
594section for details.
595.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
596Specifies the type of key to create.
597The possible values are
598.Dq dsa ,
599.Dq ecdsa ,
600.Dq ecdsa-sk ,
601.Dq ed25519 ,
602.Dq ed25519-sk ,
603or
604.Dq rsa .
605.Pp
606This flag may also be used to specify the desired signature type when
607signing certificates using an RSA CA key.
608The available RSA signature variants are
609.Dq ssh-rsa
610(SHA1 signatures, not recommended),
611.Dq rsa-sha2-256 ,
612and
613.Dq rsa-sha2-512
614(the default).
615.It Fl U
616When used in combination with
617.Fl s ,
618this option indicates that a CA key resides in a
619.Xr ssh-agent 1 .
620See the
621.Sx CERTIFICATES
622section for more information.
623.It Fl u
624Update a KRL.
625When specified with
626.Fl k ,
627keys listed via the command line are added to the existing KRL rather than
628a new KRL being created.
629.It Fl V Ar validity_interval
630Specify a validity interval when signing a certificate.
631A validity interval may consist of a single time, indicating that the
632certificate is valid beginning now and expiring at that time, or may consist
633of two times separated by a colon to indicate an explicit time interval.
634.Pp
635The start time may be specified as the string
636.Dq always
637to indicate the certificate has no specified start time,
638a date in YYYYMMDD format, a time in YYYYMMDDHHMM[SS] format,
639a relative time (to the current time) consisting of a minus sign followed by
640an interval in the format described in the
641TIME FORMATS section of
642.Xr sshd_config 5 .
643.Pp
644The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMM[SS] time,
645a relative time starting with a plus character or the string
646.Dq forever
647to indicate that the certificate has no expiry date.
648.Pp
649For example:
650.Dq +52w1d
651(valid from now to 52 weeks and one day from now),
652.Dq -4w:+4w
653(valid from four weeks ago to four weeks from now),
654.Dq 20100101123000:20110101123000
655(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
656.Dq -1d:20110101
657(valid from yesterday to midnight, January 1st, 2011),
658.Dq -1m:forever
659(valid from one minute ago and never expiring).
660.It Fl v
661Verbose mode.
662Causes
663.Nm
664to print debugging messages about its progress.
665This is helpful for debugging moduli generation.
666Multiple
667.Fl v
668options increase the verbosity.
669The maximum is 3.
670.It Fl w Ar provider
671Specifies a path to a library that will be used when creating
672FIDO authenticator-hosted keys, overriding the default of using
673the internal USB HID support.
674.It Fl Y Cm find-principals
675Find the principal(s) associated with the public key of a signature,
676provided using the
677.Fl s
678flag in an authorized signers file provided using the
679.Fl f
680flag.
681The format of the allowed signers file is documented in the
682.Sx ALLOWED SIGNERS
683section below.
684If one or more matching principals are found, they are returned on
685standard output.
686.It Fl Y Cm check-novalidate
687Checks that a signature generated using
688.Nm
689.Fl Y Cm sign
690has a valid structure.
691This does not validate if a signature comes from an authorized signer.
692When testing a signature,
693.Nm
694accepts a message on standard input and a signature namespace using
695.Fl n .
696A file containing the corresponding signature must also be supplied using the
697.Fl s
698flag.
699Successful testing of the signature is signalled by
700.Nm
701returning a zero exit status.
702.It Fl Y Cm sign
703Cryptographically sign a file or some data using a SSH key.
704When signing,
705.Nm
706accepts zero or more files to sign on the command-line - if no files
707are specified then
708.Nm
709will sign data presented on standard input.
710Signatures are written to the path of the input file with
711.Dq .sig
712appended, or to standard output if the message to be signed was read from
713standard input.
714.Pp
715The key used for signing is specified using the
716.Fl f
717option and may refer to either a private key, or a public key with the private
718half available via
719.Xr ssh-agent 1 .
720An additional signature namespace, used to prevent signature confusion across
721different domains of use (e.g. file signing vs email signing) must be provided
722via the
723.Fl n
724flag.
725Namespaces are arbitrary strings, and may include:
726.Dq file
727for file signing,
728.Dq email
729for email signing.
730For custom uses, it is recommended to use names following a
731NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces.
732.It Fl Y Cm verify
733Request to verify a signature generated using
734.Nm
735.Fl Y Cm sign
736as described above.
737When verifying a signature,
738.Nm
739accepts a message on standard input and a signature namespace using
740.Fl n .
741A file containing the corresponding signature must also be supplied using the
742.Fl s
743flag, along with the identity of the signer using
744.Fl I
745and a list of allowed signers via the
746.Fl f
747flag.
748The format of the allowed signers file is documented in the
749.Sx ALLOWED SIGNERS
750section below.
751A file containing revoked keys can be passed using the
752.Fl r
753flag.
754The revocation file may be a KRL or a one-per-line list of public keys.
755Successful verification by an authorized signer is signalled by
756.Nm
757returning a zero exit status.
758.It Fl y
759This option will read a private
760OpenSSH format file and print an OpenSSH public key to stdout.
761.It Fl Z Ar cipher
762Specifies the cipher to use for encryption when writing an OpenSSH-format
763private key file.
764The list of available ciphers may be obtained using
765.Qq ssh -Q cipher .
766The default is
767.Dq aes256-ctr .
768.It Fl z Ar serial_number
769Specifies a serial number to be embedded in the certificate to distinguish
770this certificate from others from the same CA.
771If the
772.Ar serial_number
773is prefixed with a
774.Sq +
775character, then the serial number will be incremented for each certificate
776signed on a single command-line.
777The default serial number is zero.
778.Pp
779When generating a KRL, the
780.Fl z
781flag is used to specify a KRL version number.
782.El
783.Sh MODULI GENERATION
784.Nm
785may be used to generate groups for the Diffie-Hellman Group Exchange
786(DH-GEX) protocol.
787Generating these groups is a two-step process: first, candidate
788primes are generated using a fast, but memory intensive process.
789These candidate primes are then tested for suitability (a CPU-intensive
790process).
791.Pp
792Generation of primes is performed using the
793.Fl M Cm generate
794option.
795The desired length of the primes may be specified by the
796.Fl O Cm bits
797option.
798For example:
799.Pp
800.Dl # ssh-keygen -M generate -O bits=2048 moduli-2048.candidates
801.Pp
802By default, the search for primes begins at a random point in the
803desired length range.
804This may be overridden using the
805.Fl O Cm start
806option, which specifies a different start point (in hex).
807.Pp
808Once a set of candidates have been generated, they must be screened for
809suitability.
810This may be performed using the
811.Fl M Cm screen
812option.
813In this mode
814.Nm
815will read candidates from standard input (or a file specified using the
816.Fl f
817option).
818For example:
819.Pp
820.Dl # ssh-keygen -M screen -f moduli-2048.candidates moduli-2048
821.Pp
822By default, each candidate will be subjected to 100 primality tests.
823This may be overridden using the
824.Fl O Cm prime-tests
825option.
826The DH generator value will be chosen automatically for the
827prime under consideration.
828If a specific generator is desired, it may be requested using the
829.Fl O Cm generator
830option.
831Valid generator values are 2, 3, and 5.
832.Pp
833Screened DH groups may be installed in
834.Pa /etc/moduli .
835It is important that this file contains moduli of a range of bit lengths.
836.Pp
837A number of options are available for moduli generation and screening via the
838.Fl O
839flag:
840.Bl -tag -width Ds
841.It Ic lines Ns = Ns Ar number
842Exit after screening the specified number of lines while performing DH
843candidate screening.
844.It Ic start-line Ns = Ns Ar line-number
845Start screening at the specified line number while performing DH candidate
846screening.
847.It Ic checkpoint Ns = Ns Ar filename
848Write the last line processed to the specified file while performing DH
849candidate screening.
850This will be used to skip lines in the input file that have already been
851processed if the job is restarted.
852.It Ic memory Ns = Ns Ar mbytes
853Specify the amount of memory to use (in megabytes) when generating
854candidate moduli for DH-GEX.
855.It Ic start Ns = Ns Ar hex-value
856Specify start point (in hex) when generating candidate moduli for DH-GEX.
857.It Ic generator Ns = Ns Ar value
858Specify desired generator (in decimal) when testing candidate moduli for DH-GEX.
859.El
860.Sh CERTIFICATES
861.Nm
862supports signing of keys to produce certificates that may be used for
863user or host authentication.
864Certificates consist of a public key, some identity information, zero or
865more principal (user or host) names and a set of options that
866are signed by a Certification Authority (CA) key.
867Clients or servers may then trust only the CA key and verify its signature
868on a certificate rather than trusting many user/host keys.
869Note that OpenSSH certificates are a different, and much simpler, format to
870the X.509 certificates used in
871.Xr ssl 8 .
872.Pp
873.Nm
874supports two types of certificates: user and host.
875User certificates authenticate users to servers, whereas host certificates
876authenticate server hosts to users.
877To generate a user certificate:
878.Pp
879.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
880.Pp
881The resultant certificate will be placed in
882.Pa /path/to/user_key-cert.pub .
883A host certificate requires the
884.Fl h
885option:
886.Pp
887.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
888.Pp
889The host certificate will be output to
890.Pa /path/to/host_key-cert.pub .
891.Pp
892It is possible to sign using a CA key stored in a PKCS#11 token by
893providing the token library using
894.Fl D
895and identifying the CA key by providing its public half as an argument
896to
897.Fl s :
898.Pp
899.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
900.Pp
901Similarly, it is possible for the CA key to be hosted in a
902.Xr ssh-agent 1 .
903This is indicated by the
904.Fl U
905flag and, again, the CA key must be identified by its public half.
906.Pp
907.Dl $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub
908.Pp
909In all cases,
910.Ar key_id
911is a "key identifier" that is logged by the server when the certificate
912is used for authentication.
913.Pp
914Certificates may be limited to be valid for a set of principal (user/host)
915names.
916By default, generated certificates are valid for all users or hosts.
917To generate a certificate for a specified set of principals:
918.Pp
919.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
920.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub"
921.Pp
922Additional limitations on the validity and use of user certificates may
923be specified through certificate options.
924A certificate option may disable features of the SSH session, may be
925valid only when presented from particular source addresses or may
926force the use of a specific command.
927.Pp
928The options that are valid for user certificates are:
929.Pp
930.Bl -tag -width Ds -compact
931.It Ic clear
932Clear all enabled permissions.
933This is useful for clearing the default set of permissions so permissions may
934be added individually.
935.Pp
936.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents
937.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents
938Includes an arbitrary certificate critical option or extension.
939The specified
940.Ar name
941should include a domain suffix, e.g.\&
942.Dq name@example.com .
943If
944.Ar contents
945is specified then it is included as the contents of the extension/option
946encoded as a string, otherwise the extension/option is created with no
947contents (usually indicating a flag).
948Extensions may be ignored by a client or server that does not recognise them,
949whereas unknown critical options will cause the certificate to be refused.
950.Pp
951.It Ic force-command Ns = Ns Ar command
952Forces the execution of
953.Ar command
954instead of any shell or command specified by the user when
955the certificate is used for authentication.
956.Pp
957.It Ic no-agent-forwarding
958Disable
959.Xr ssh-agent 1
960forwarding (permitted by default).
961.Pp
962.It Ic no-port-forwarding
963Disable port forwarding (permitted by default).
964.Pp
965.It Ic no-pty
966Disable PTY allocation (permitted by default).
967.Pp
968.It Ic no-user-rc
969Disable execution of
970.Pa ~/.ssh/rc
971by
972.Xr sshd 8
973(permitted by default).
974.Pp
975.It Ic no-x11-forwarding
976Disable X11 forwarding (permitted by default).
977.Pp
978.It Ic permit-agent-forwarding
979Allows
980.Xr ssh-agent 1
981forwarding.
982.Pp
983.It Ic permit-port-forwarding
984Allows port forwarding.
985.Pp
986.It Ic permit-pty
987Allows PTY allocation.
988.Pp
989.It Ic permit-user-rc
990Allows execution of
991.Pa ~/.ssh/rc
992by
993.Xr sshd 8 .
994.Pp
995.It Ic permit-X11-forwarding
996Allows X11 forwarding.
997.Pp
998.It Ic no-touch-required
999Do not require signatures made using this key include demonstration
1000of user presence (e.g. by having the user touch the authenticator).
1001This option only makes sense for the FIDO authenticator algorithms
1002.Cm ecdsa-sk
1003and
1004.Cm ed25519-sk .
1005.Pp
1006.It Ic source-address Ns = Ns Ar address_list
1007Restrict the source addresses from which the certificate is considered valid.
1008The
1009.Ar address_list
1010is a comma-separated list of one or more address/netmask pairs in CIDR
1011format.
1012.Pp
1013.It Ic verify-required
1014Require signatures made using this key indicate that the user was first
1015verified.
1016This option only makes sense for the FIDO authenticator algorithms
1017.Cm ecdsa-sk
1018and
1019.Cm ed25519-sk .
1020Currently PIN authentication is the only supported verification method,
1021but other methods may be supported in the future.
1022.El
1023.Pp
1024At present, no standard options are valid for host keys.
1025.Pp
1026Finally, certificates may be defined with a validity lifetime.
1027The
1028.Fl V
1029option allows specification of certificate start and end times.
1030A certificate that is presented at a time outside this range will not be
1031considered valid.
1032By default, certificates are valid from the
1033.Ux
1034Epoch to the distant future.
1035.Pp
1036For certificates to be used for user or host authentication, the CA
1037public key must be trusted by
1038.Xr sshd 8
1039or
1040.Xr ssh 1 .
1041Please refer to those manual pages for details.
1042.Sh KEY REVOCATION LISTS
1043.Nm
1044is able to manage OpenSSH format Key Revocation Lists (KRLs).
1045These binary files specify keys or certificates to be revoked using a
1046compact format, taking as little as one bit per certificate if they are being
1047revoked by serial number.
1048.Pp
1049KRLs may be generated using the
1050.Fl k
1051flag.
1052This option reads one or more files from the command line and generates a new
1053KRL.
1054The files may either contain a KRL specification (see below) or public keys,
1055listed one per line.
1056Plain public keys are revoked by listing their hash or contents in the KRL and
1057certificates revoked by serial number or key ID (if the serial is zero or
1058not available).
1059.Pp
1060Revoking keys using a KRL specification offers explicit control over the
1061types of record used to revoke keys and may be used to directly revoke
1062certificates by serial number or key ID without having the complete original
1063certificate on hand.
1064A KRL specification consists of lines containing one of the following directives
1065followed by a colon and some directive-specific information.
1066.Bl -tag -width Ds
1067.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number
1068Revokes a certificate with the specified serial number.
1069Serial numbers are 64-bit values, not including zero and may be expressed
1070in decimal, hex or octal.
1071If two serial numbers are specified separated by a hyphen, then the range
1072of serial numbers including and between each is revoked.
1073The CA key must have been specified on the
1074.Nm
1075command line using the
1076.Fl s
1077option.
1078.It Cm id : Ar key_id
1079Revokes a certificate with the specified key ID string.
1080The CA key must have been specified on the
1081.Nm
1082command line using the
1083.Fl s
1084option.
1085.It Cm key : Ar public_key
1086Revokes the specified key.
1087If a certificate is listed, then it is revoked as a plain public key.
1088.It Cm sha1 : Ar public_key
1089Revokes the specified key by including its SHA1 hash in the KRL.
1090.It Cm sha256 : Ar public_key
1091Revokes the specified key by including its SHA256 hash in the KRL.
1092KRLs that revoke keys by SHA256 hash are not supported by OpenSSH versions
1093prior to 7.9.
1094.It Cm hash : Ar fingerprint
1095Revokes a key using a fingerprint hash, as obtained from a
1096.Xr sshd 8
1097authentication log message or the
1098.Nm
1099.Fl l
1100flag.
1101Only SHA256 fingerprints are supported here and resultant KRLs are
1102not supported by OpenSSH versions prior to 7.9.
1103.El
1104.Pp
1105KRLs may be updated using the
1106.Fl u
1107flag in addition to
1108.Fl k .
1109When this option is specified, keys listed via the command line are merged into
1110the KRL, adding to those already there.
1111.Pp
1112It is also possible, given a KRL, to test whether it revokes a particular key
1113(or keys).
1114The
1115.Fl Q
1116flag will query an existing KRL, testing each key specified on the command line.
1117If any key listed on the command line has been revoked (or an error encountered)
1118then
1119.Nm
1120will exit with a non-zero exit status.
1121A zero exit status will only be returned if no key was revoked.
1122.Sh ALLOWED SIGNERS
1123When verifying signatures,
1124.Nm
1125uses a simple list of identities and keys to determine whether a signature
1126comes from an authorized source.
1127This "allowed signers" file uses a format patterned after the
1128AUTHORIZED_KEYS FILE FORMAT described in
1129.Xr sshd 8 .
1130Each line of the file contains the following space-separated fields:
1131principals, options, keytype, base64-encoded key.
1132Empty lines and lines starting with a
1133.Ql #
1134are ignored as comments.
1135.Pp
1136The principals field is a pattern-list (see PATTERNS in
1137.Xr ssh_config 5 )
1138consisting of one or more comma-separated USER@DOMAIN identity patterns
1139that are accepted for signing.
1140When verifying, the identity presented via the
1141.Fl I
1142option must match a principals pattern in order for the corresponding key to be
1143considered acceptable for verification.
1144.Pp
1145The options (if present) consist of comma-separated option specifications.
1146No spaces are permitted, except within double quotes.
1147The following option specifications are supported (note that option keywords
1148are case-insensitive):
1149.Bl -tag -width Ds
1150.It Cm cert-authority
1151Indicates that this key is accepted as a certificate authority (CA) and
1152that certificates signed by this CA may be accepted for verification.
1153.It Cm namespaces Ns = Ns "namespace-list"
1154Specifies a pattern-list of namespaces that are accepted for this key.
1155If this option is present, the signature namespace embedded in the
1156signature object and presented on the verification command-line must
1157match the specified list before the key will be considered acceptable.
1158.It Cm valid-after Ns = Ns "timestamp"
1159Indicates that the key is valid for use at or after the specified timestamp,
1160which may be a date in YYYYMMDD format or a time in YYYYMMDDHHMM[SS] format.
1161.It Cm valid-before Ns = Ns "timestamp"
1162Indicates that the key is valid for use at or before the specified timestamp.
1163.El
1164.Pp
1165When verifying signatures made by certificates, the expected principal
1166name must match both the principals pattern in the allowed signers file and
1167the principals embedded in the certificate itself.
1168.Pp
1169An example allowed signers file:
1170.Bd -literal -offset 3n
1171# Comments allowed at start of line
1172user1@example.com,user2@example.com ssh-rsa AAAAX1...
1173# A certificate authority, trusted for all principals in a domain.
1174*@example.com cert-authority ssh-ed25519 AAAB4...
1175# A key that is accepted only for file signing.
1176user2@example.com namespaces="file" ssh-ed25519 AAA41...
1177.Ed
1178.Sh ENVIRONMENT
1179.Bl -tag -width Ds
1180.It Ev SSH_SK_PROVIDER
1181Specifies a path to a library that will be used when loading any
1182FIDO authenticator-hosted keys, overriding the default of using
1183the built-in USB HID support.
1184.El
1185.Sh FILES
1186.Bl -tag -width Ds -compact
1187.It Pa ~/.ssh/id_dsa
1188.It Pa ~/.ssh/id_ecdsa
1189.It Pa ~/.ssh/id_ecdsa_sk
1190.It Pa ~/.ssh/id_ed25519
1191.It Pa ~/.ssh/id_ed25519_sk
1192.It Pa ~/.ssh/id_rsa
1193Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
1194authenticator-hosted Ed25519 or RSA authentication identity of the user.
1195This file should not be readable by anyone but the user.
1196It is possible to
1197specify a passphrase when generating the key; that passphrase will be
1198used to encrypt the private part of this file using 128-bit AES.
1199This file is not automatically accessed by
1200.Nm
1201but it is offered as the default file for the private key.
1202.Xr ssh 1
1203will read this file when a login attempt is made.
1204.Pp
1205.It Pa ~/.ssh/id_dsa.pub
1206.It Pa ~/.ssh/id_ecdsa.pub
1207.It Pa ~/.ssh/id_ecdsa_sk.pub
1208.It Pa ~/.ssh/id_ed25519.pub
1209.It Pa ~/.ssh/id_ed25519_sk.pub
1210.It Pa ~/.ssh/id_rsa.pub
1211Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
1212authenticator-hosted Ed25519 or RSA public key for authentication.
1213The contents of this file should be added to
1214.Pa ~/.ssh/authorized_keys
1215on all machines
1216where the user wishes to log in using public key authentication.
1217There is no need to keep the contents of this file secret.
1218.Pp
1219.It Pa /etc/moduli
1220Contains Diffie-Hellman groups used for DH-GEX.
1221The file format is described in
1222.Xr moduli 5 .
1223.El
1224.Sh SEE ALSO
1225.Xr ssh 1 ,
1226.Xr ssh-add 1 ,
1227.Xr ssh-agent 1 ,
1228.Xr moduli 5 ,
1229.Xr sshd 8
1230.Rs
1231.%R RFC 4716
1232.%T "The Secure Shell (SSH) Public Key File Format"
1233.%D 2006
1234.Re
1235.Sh AUTHORS
1236OpenSSH is a derivative of the original and free
1237ssh 1.2.12 release by Tatu Ylonen.
1238Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
1239Theo de Raadt and Dug Song
1240removed many bugs, re-added newer features and
1241created OpenSSH.
1242Markus Friedl contributed the support for SSH
1243protocol versions 1.5 and 2.0.
1244