1.\" $OpenBSD: ssh-keygen.1,v 1.229 2023/07/23 20:04:45 naddy Exp $ 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this 9.\" software must be clearly marked as such, and if the derived work is 10.\" incompatible with the protocol description in the RFC file, it must be 11.\" called by a name other than "ssh" or "Secure Shell". 12.\" 13.\" 14.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 15.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 16.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 17.\" 18.\" Redistribution and use in source and binary forms, with or without 19.\" modification, are permitted provided that the following conditions 20.\" are met: 21.\" 1. Redistributions of source code must retain the above copyright 22.\" notice, this list of conditions and the following disclaimer. 23.\" 2. Redistributions in binary form must reproduce the above copyright 24.\" notice, this list of conditions and the following disclaimer in the 25.\" documentation and/or other materials provided with the distribution. 26.\" 27.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 28.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 29.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 37.\" 38.Dd $Mdocdate: July 23 2023 $ 39.Dt SSH-KEYGEN 1 40.Os 41.Sh NAME 42.Nm ssh-keygen 43.Nd OpenSSH authentication key utility 44.Sh SYNOPSIS 45.Nm ssh-keygen 46.Op Fl q 47.Op Fl a Ar rounds 48.Op Fl b Ar bits 49.Op Fl C Ar comment 50.Op Fl f Ar output_keyfile 51.Op Fl m Ar format 52.Op Fl N Ar new_passphrase 53.Op Fl O Ar option 54.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa 55.Op Fl w Ar provider 56.Op Fl Z Ar cipher 57.Nm ssh-keygen 58.Fl p 59.Op Fl a Ar rounds 60.Op Fl f Ar keyfile 61.Op Fl m Ar format 62.Op Fl N Ar new_passphrase 63.Op Fl P Ar old_passphrase 64.Op Fl Z Ar cipher 65.Nm ssh-keygen 66.Fl i 67.Op Fl f Ar input_keyfile 68.Op Fl m Ar key_format 69.Nm ssh-keygen 70.Fl e 71.Op Fl f Ar input_keyfile 72.Op Fl m Ar key_format 73.Nm ssh-keygen 74.Fl y 75.Op Fl f Ar input_keyfile 76.Nm ssh-keygen 77.Fl c 78.Op Fl a Ar rounds 79.Op Fl C Ar comment 80.Op Fl f Ar keyfile 81.Op Fl P Ar passphrase 82.Nm ssh-keygen 83.Fl l 84.Op Fl v 85.Op Fl E Ar fingerprint_hash 86.Op Fl f Ar input_keyfile 87.Nm ssh-keygen 88.Fl B 89.Op Fl f Ar input_keyfile 90.Nm ssh-keygen 91.Fl D Ar pkcs11 92.Nm ssh-keygen 93.Fl F Ar hostname 94.Op Fl lv 95.Op Fl f Ar known_hosts_file 96.Nm ssh-keygen 97.Fl H 98.Op Fl f Ar known_hosts_file 99.Nm ssh-keygen 100.Fl K 101.Op Fl a Ar rounds 102.Op Fl w Ar provider 103.Nm ssh-keygen 104.Fl R Ar hostname 105.Op Fl f Ar known_hosts_file 106.Nm ssh-keygen 107.Fl r Ar hostname 108.Op Fl g 109.Op Fl f Ar input_keyfile 110.Nm ssh-keygen 111.Fl M Cm generate 112.Op Fl O Ar option 113.Ar output_file 114.Nm ssh-keygen 115.Fl M Cm screen 116.Op Fl f Ar input_file 117.Op Fl O Ar option 118.Ar output_file 119.Nm ssh-keygen 120.Fl I Ar certificate_identity 121.Fl s Ar ca_key 122.Op Fl hU 123.Op Fl D Ar pkcs11_provider 124.Op Fl n Ar principals 125.Op Fl O Ar option 126.Op Fl V Ar validity_interval 127.Op Fl z Ar serial_number 128.Ar 129.Nm ssh-keygen 130.Fl L 131.Op Fl f Ar input_keyfile 132.Nm ssh-keygen 133.Fl A 134.Op Fl a Ar rounds 135.Op Fl f Ar prefix_path 136.Nm ssh-keygen 137.Fl k 138.Fl f Ar krl_file 139.Op Fl u 140.Op Fl s Ar ca_public 141.Op Fl z Ar version_number 142.Ar 143.Nm ssh-keygen 144.Fl Q 145.Op Fl l 146.Fl f Ar krl_file 147.Ar 148.Nm ssh-keygen 149.Fl Y Cm find-principals 150.Op Fl O Ar option 151.Fl s Ar signature_file 152.Fl f Ar allowed_signers_file 153.Nm ssh-keygen 154.Fl Y Cm match-principals 155.Fl I Ar signer_identity 156.Fl f Ar allowed_signers_file 157.Nm ssh-keygen 158.Fl Y Cm check-novalidate 159.Op Fl O Ar option 160.Fl n Ar namespace 161.Fl s Ar signature_file 162.Nm ssh-keygen 163.Fl Y Cm sign 164.Op Fl O Ar option 165.Fl f Ar key_file 166.Fl n Ar namespace 167.Ar 168.Nm ssh-keygen 169.Fl Y Cm verify 170.Op Fl O Ar option 171.Fl f Ar allowed_signers_file 172.Fl I Ar signer_identity 173.Fl n Ar namespace 174.Fl s Ar signature_file 175.Op Fl r Ar revocation_file 176.Sh DESCRIPTION 177.Nm 178generates, manages and converts authentication keys for 179.Xr ssh 1 . 180.Nm 181can create keys for use by SSH protocol version 2. 182.Pp 183The type of key to be generated is specified with the 184.Fl t 185option. 186If invoked without any arguments, 187.Nm 188will generate an RSA key. 189.Pp 190.Nm 191is also used to generate groups for use in Diffie-Hellman group 192exchange (DH-GEX). 193See the 194.Sx MODULI GENERATION 195section for details. 196.Pp 197Finally, 198.Nm 199can be used to generate and update Key Revocation Lists, and to test whether 200given keys have been revoked by one. 201See the 202.Sx KEY REVOCATION LISTS 203section for details. 204.Pp 205Normally each user wishing to use SSH 206with public key authentication runs this once to create the authentication 207key in 208.Pa ~/.ssh/id_dsa , 209.Pa ~/.ssh/id_ecdsa , 210.Pa ~/.ssh/id_ecdsa_sk , 211.Pa ~/.ssh/id_ed25519 , 212.Pa ~/.ssh/id_ed25519_sk 213or 214.Pa ~/.ssh/id_rsa . 215Additionally, the system administrator may use this to generate host keys, 216as seen in 217.Pa /etc/rc . 218.Pp 219Normally this program generates the key and asks for a file in which 220to store the private key. 221The public key is stored in a file with the same name but 222.Dq .pub 223appended. 224The program also asks for a passphrase. 225The passphrase may be empty to indicate no passphrase 226(host keys must have an empty passphrase), or it may be a string of 227arbitrary length. 228A passphrase is similar to a password, except it can be a phrase with a 229series of words, punctuation, numbers, whitespace, or any string of 230characters you want. 231Good passphrases are 10-30 characters long, are 232not simple sentences or otherwise easily guessable (English 233prose has only 1-2 bits of entropy per character, and provides very bad 234passphrases), and contain a mix of upper and lowercase letters, 235numbers, and non-alphanumeric characters. 236The passphrase can be changed later by using the 237.Fl p 238option. 239.Pp 240There is no way to recover a lost passphrase. 241If the passphrase is lost or forgotten, a new key must be generated 242and the corresponding public key copied to other machines. 243.Pp 244.Nm 245will by default write keys in an OpenSSH-specific format. 246This format is preferred as it offers better protection for 247keys at rest as well as allowing storage of key comments within 248the private key file itself. 249The key comment may be useful to help identify the key. 250The comment is initialized to 251.Dq user@host 252when the key is created, but can be changed using the 253.Fl c 254option. 255.Pp 256It is still possible for 257.Nm 258to write the previously-used PEM format private keys using the 259.Fl m 260flag. 261This may be used when generating new keys, and existing new-format 262keys may be converted using this option in conjunction with the 263.Fl p 264(change passphrase) flag. 265.Pp 266After a key is generated, 267.Nm 268will ask where the keys 269should be placed to be activated. 270.Pp 271The options are as follows: 272.Bl -tag -width Ds 273.It Fl A 274Generate host keys of all default key types (rsa, ecdsa, and 275ed25519) if they do not already exist. 276The host keys are generated with the default key file path, 277an empty passphrase, default bits for the key type, and default comment. 278If 279.Fl f 280has also been specified, its argument is used as a prefix to the 281default path for the resulting host key files. 282This is used by 283.Pa /etc/rc 284to generate new host keys. 285.It Fl a Ar rounds 286When saving a private key, this option specifies the number of KDF 287(key derivation function, currently 288.Xr bcrypt_pbkdf 3 ) 289rounds used. 290Higher numbers result in slower passphrase verification and increased 291resistance to brute-force password cracking (should the keys be stolen). 292The default is 16 rounds. 293.It Fl B 294Show the bubblebabble digest of specified private or public key file. 295.It Fl b Ar bits 296Specifies the number of bits in the key to create. 297For RSA keys, the minimum size is 1024 bits and the default is 3072 bits. 298Generally, 3072 bits is considered sufficient. 299DSA keys must be exactly 1024 bits as specified by FIPS 186-2. 300For ECDSA keys, the 301.Fl b 302flag determines the key length by selecting from one of three elliptic 303curve sizes: 256, 384 or 521 bits. 304Attempting to use bit lengths other than these three values for ECDSA keys 305will fail. 306ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the 307.Fl b 308flag will be ignored. 309.It Fl C Ar comment 310Provides a new comment. 311.It Fl c 312Requests changing the comment in the private and public key files. 313The program will prompt for the file containing the private keys, for 314the passphrase if the key has one, and for the new comment. 315.It Fl D Ar pkcs11 316Download the public keys provided by the PKCS#11 shared library 317.Ar pkcs11 . 318When used in combination with 319.Fl s , 320this option indicates that a CA key resides in a PKCS#11 token (see the 321.Sx CERTIFICATES 322section for details). 323.It Fl E Ar fingerprint_hash 324Specifies the hash algorithm used when displaying key fingerprints. 325Valid options are: 326.Dq md5 327and 328.Dq sha256 . 329The default is 330.Dq sha256 . 331.It Fl e 332This option will read a private or public OpenSSH key file and 333print to stdout a public key in one of the formats specified by the 334.Fl m 335option. 336The default export format is 337.Dq RFC4716 . 338This option allows exporting OpenSSH keys for use by other programs, including 339several commercial SSH implementations. 340.It Fl F Ar hostname | [hostname]:port 341Search for the specified 342.Ar hostname 343(with optional port number) 344in a 345.Pa known_hosts 346file, listing any occurrences found. 347This option is useful to find hashed host names or addresses and may also be 348used in conjunction with the 349.Fl H 350option to print found keys in a hashed format. 351.It Fl f Ar filename 352Specifies the filename of the key file. 353.It Fl g 354Use generic DNS format when printing fingerprint resource records using the 355.Fl r 356command. 357.It Fl H 358Hash a 359.Pa known_hosts 360file. 361This replaces all hostnames and addresses with hashed representations 362within the specified file; the original content is moved to a file with 363a .old suffix. 364These hashes may be used normally by 365.Nm ssh 366and 367.Nm sshd , 368but they do not reveal identifying information should the file's contents 369be disclosed. 370This option will not modify existing hashed hostnames and is therefore safe 371to use on files that mix hashed and non-hashed names. 372.It Fl h 373When signing a key, create a host certificate instead of a user 374certificate. 375See the 376.Sx CERTIFICATES 377section for details. 378.It Fl I Ar certificate_identity 379Specify the key identity when signing a public key. 380See the 381.Sx CERTIFICATES 382section for details. 383.It Fl i 384This option will read an unencrypted private (or public) key file 385in the format specified by the 386.Fl m 387option and print an OpenSSH compatible private 388(or public) key to stdout. 389This option allows importing keys from other software, including several 390commercial SSH implementations. 391The default import format is 392.Dq RFC4716 . 393.It Fl K 394Download resident keys from a FIDO authenticator. 395Public and private key files will be written to the current directory for 396each downloaded key. 397If multiple FIDO authenticators are attached, keys will be downloaded from 398the first touched authenticator. 399See the 400.Sx FIDO AUTHENTICATOR 401section for more information. 402.It Fl k 403Generate a KRL file. 404In this mode, 405.Nm 406will generate a KRL file at the location specified via the 407.Fl f 408flag that revokes every key or certificate presented on the command line. 409Keys/certificates to be revoked may be specified by public key file or 410using the format described in the 411.Sx KEY REVOCATION LISTS 412section. 413.It Fl L 414Prints the contents of one or more certificates. 415.It Fl l 416Show fingerprint of specified public key file. 417For RSA and DSA keys 418.Nm 419tries to find the matching public key file and prints its fingerprint. 420If combined with 421.Fl v , 422a visual ASCII art representation of the key is supplied with the 423fingerprint. 424.It Fl M Cm generate 425Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parameters for 426eventual use by the 427.Sq diffie-hellman-group-exchange-* 428key exchange methods. 429The numbers generated by this operation must be further screened before 430use. 431See the 432.Sx MODULI GENERATION 433section for more information. 434.It Fl M Cm screen 435Screen candidate parameters for Diffie-Hellman Group Exchange. 436This will accept a list of candidate numbers and test that they are 437safe (Sophie Germain) primes with acceptable group generators. 438The results of this operation may be added to the 439.Pa /etc/moduli 440file. 441See the 442.Sx MODULI GENERATION 443section for more information. 444.It Fl m Ar key_format 445Specify a key format for key generation, the 446.Fl i 447(import), 448.Fl e 449(export) conversion options, and the 450.Fl p 451change passphrase operation. 452The latter may be used to convert between OpenSSH private key and PEM 453private key formats. 454The supported key formats are: 455.Dq RFC4716 456(RFC 4716/SSH2 public or private key), 457.Dq PKCS8 458(PKCS8 public or private key) 459or 460.Dq PEM 461(PEM public key). 462By default OpenSSH will write newly-generated private keys in its own 463format, but when converting public keys for export the default format is 464.Dq RFC4716 . 465Setting a format of 466.Dq PEM 467when generating or updating a supported private key type will cause the 468key to be stored in the legacy PEM private key format. 469.It Fl N Ar new_passphrase 470Provides the new passphrase. 471.It Fl n Ar principals 472Specify one or more principals (user or host names) to be included in 473a certificate when signing a key. 474Multiple principals may be specified, separated by commas. 475See the 476.Sx CERTIFICATES 477section for details. 478.It Fl O Ar option 479Specify a key/value option. 480These are specific to the operation that 481.Nm 482has been requested to perform. 483.Pp 484When signing certificates, one of the options listed in the 485.Sx CERTIFICATES 486section may be specified here. 487.Pp 488When performing moduli generation or screening, one of the options 489listed in the 490.Sx MODULI GENERATION 491section may be specified. 492.Pp 493When generating FIDO authenticator-backed keys, the options listed in the 494.Sx FIDO AUTHENTICATOR 495section may be specified. 496.Pp 497When performing signature-related options using the 498.Fl Y 499flag, the following options are accepted: 500.Bl -tag -width Ds 501.It Cm hashalg Ns = Ns Ar algorithm 502Selects the hash algorithm to use for hashing the message to be signed. 503Valid algorithms are 504.Dq sha256 505and 506.Dq sha512. 507The default is 508.Dq sha512. 509.It Cm print-pubkey 510Print the full public key to standard output after signature verification. 511.It Cm verify-time Ns = Ns Ar timestamp 512Specifies a time to use when validating signatures instead of the current 513time. 514The time may be specified as a date or time in the YYYYMMDD[Z] or 515in YYYYMMDDHHMM[SS][Z] formats. 516Dates and times will be interpreted in the current system time zone unless 517suffixed with a Z character, which causes them to be interpreted in the 518UTC time zone. 519.El 520.Pp 521When generating SSHFP DNS records from public keys using the 522.Fl r 523flag, the following options are accepted: 524.Bl -tag -width Ds 525.It Cm hashalg Ns = Ns Ar algorithm 526Selects a hash algorithm to use when printing SSHFP records using the 527.Fl D 528flag. 529Valid algorithms are 530.Dq sha1 531and 532.Dq sha256 . 533The default is to print both. 534.El 535.Pp 536The 537.Fl O 538option may be specified multiple times. 539.It Fl P Ar passphrase 540Provides the (old) passphrase. 541.It Fl p 542Requests changing the passphrase of a private key file instead of 543creating a new private key. 544The program will prompt for the file 545containing the private key, for the old passphrase, and twice for the 546new passphrase. 547.It Fl Q 548Test whether keys have been revoked in a KRL. 549If the 550.Fl l 551option is also specified then the contents of the KRL will be printed. 552.It Fl q 553Silence 554.Nm ssh-keygen . 555.It Fl R Ar hostname | [hostname]:port 556Removes all keys belonging to the specified 557.Ar hostname 558(with optional port number) 559from a 560.Pa known_hosts 561file. 562This option is useful to delete hashed hosts (see the 563.Fl H 564option above). 565.It Fl r Ar hostname 566Print the SSHFP fingerprint resource record named 567.Ar hostname 568for the specified public key file. 569.It Fl s Ar ca_key 570Certify (sign) a public key using the specified CA key. 571See the 572.Sx CERTIFICATES 573section for details. 574.Pp 575When generating a KRL, 576.Fl s 577specifies a path to a CA public key file used to revoke certificates directly 578by key ID or serial number. 579See the 580.Sx KEY REVOCATION LISTS 581section for details. 582.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa 583Specifies the type of key to create. 584The possible values are 585.Dq dsa , 586.Dq ecdsa , 587.Dq ecdsa-sk , 588.Dq ed25519 , 589.Dq ed25519-sk , 590or 591.Dq rsa . 592.Pp 593This flag may also be used to specify the desired signature type when 594signing certificates using an RSA CA key. 595The available RSA signature variants are 596.Dq ssh-rsa 597(SHA1 signatures, not recommended), 598.Dq rsa-sha2-256 , 599and 600.Dq rsa-sha2-512 601(the default). 602.It Fl U 603When used in combination with 604.Fl s 605or 606.Fl Y Cm sign , 607this option indicates that a CA key resides in a 608.Xr ssh-agent 1 . 609See the 610.Sx CERTIFICATES 611section for more information. 612.It Fl u 613Update a KRL. 614When specified with 615.Fl k , 616keys listed via the command line are added to the existing KRL rather than 617a new KRL being created. 618.It Fl V Ar validity_interval 619Specify a validity interval when signing a certificate. 620A validity interval may consist of a single time, indicating that the 621certificate is valid beginning now and expiring at that time, or may consist 622of two times separated by a colon to indicate an explicit time interval. 623.Pp 624The start time may be specified as: 625.Bl -bullet -compact 626.It 627The string 628.Dq always 629to indicate the certificate has no specified start time. 630.It 631A date or time in the system time zone formatted as YYYYMMDD or 632YYYYMMDDHHMM[SS]. 633.It 634A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z. 635.It 636A relative time before the current system time consisting of a minus sign 637followed by an interval in the format described in the 638TIME FORMATS section of 639.Xr sshd_config 5 . 640.It 641A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal 642number beginning with 643.Dq 0x . 644.El 645.Pp 646The end time may be specified similarly to the start time: 647.Bl -bullet -compact 648.It 649The string 650.Dq forever 651to indicate the certificate has no specified end time. 652.It 653A date or time in the system time zone formatted as YYYYMMDD or 654YYYYMMDDHHMM[SS]. 655.It 656A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z. 657.It 658A relative time after the current system time consisting of a plus sign 659followed by an interval in the format described in the 660TIME FORMATS section of 661.Xr sshd_config 5 . 662.It 663A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal 664number beginning with 665.Dq 0x . 666.El 667.Pp 668For example: 669.Bl -tag -width Ds 670.It +52w1d 671Valid from now to 52 weeks and one day from now. 672.It -4w:+4w 673Valid from four weeks ago to four weeks from now. 674.It 20100101123000:20110101123000 675Valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011. 676.It 20100101123000Z:20110101123000Z 677Similar, but interpreted in the UTC time zone rather than the system time zone. 678.It -1d:20110101 679Valid from yesterday to midnight, January 1st, 2011. 680.It 0x1:0x2000000000 681Valid from roughly early 1970 to May 2033. 682.It -1m:forever 683Valid from one minute ago and never expiring. 684.El 685.It Fl v 686Verbose mode. 687Causes 688.Nm 689to print debugging messages about its progress. 690This is helpful for debugging moduli generation. 691Multiple 692.Fl v 693options increase the verbosity. 694The maximum is 3. 695.It Fl w Ar provider 696Specifies a path to a library that will be used when creating 697FIDO authenticator-hosted keys, overriding the default of using 698the internal USB HID support. 699.It Fl Y Cm find-principals 700Find the principal(s) associated with the public key of a signature, 701provided using the 702.Fl s 703flag in an authorized signers file provided using the 704.Fl f 705flag. 706The format of the allowed signers file is documented in the 707.Sx ALLOWED SIGNERS 708section below. 709If one or more matching principals are found, they are returned on 710standard output. 711.It Fl Y Cm match-principals 712Find principal matching the principal name provided using the 713.Fl I 714flag in the authorized signers file specified using the 715.Fl f 716flag. 717If one or more matching principals are found, they are returned on 718standard output. 719.It Fl Y Cm check-novalidate 720Checks that a signature generated using 721.Nm 722.Fl Y Cm sign 723has a valid structure. 724This does not validate if a signature comes from an authorized signer. 725When testing a signature, 726.Nm 727accepts a message on standard input and a signature namespace using 728.Fl n . 729A file containing the corresponding signature must also be supplied using the 730.Fl s 731flag. 732Successful testing of the signature is signalled by 733.Nm 734returning a zero exit status. 735.It Fl Y Cm sign 736Cryptographically sign a file or some data using an SSH key. 737When signing, 738.Nm 739accepts zero or more files to sign on the command-line - if no files 740are specified then 741.Nm 742will sign data presented on standard input. 743Signatures are written to the path of the input file with 744.Dq .sig 745appended, or to standard output if the message to be signed was read from 746standard input. 747.Pp 748The key used for signing is specified using the 749.Fl f 750option and may refer to either a private key, or a public key with the private 751half available via 752.Xr ssh-agent 1 . 753An additional signature namespace, used to prevent signature confusion across 754different domains of use (e.g. file signing vs email signing) must be provided 755via the 756.Fl n 757flag. 758Namespaces are arbitrary strings, and may include: 759.Dq file 760for file signing, 761.Dq email 762for email signing. 763For custom uses, it is recommended to use names following a 764NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces. 765.It Fl Y Cm verify 766Request to verify a signature generated using 767.Nm 768.Fl Y Cm sign 769as described above. 770When verifying a signature, 771.Nm 772accepts a message on standard input and a signature namespace using 773.Fl n . 774A file containing the corresponding signature must also be supplied using the 775.Fl s 776flag, along with the identity of the signer using 777.Fl I 778and a list of allowed signers via the 779.Fl f 780flag. 781The format of the allowed signers file is documented in the 782.Sx ALLOWED SIGNERS 783section below. 784A file containing revoked keys can be passed using the 785.Fl r 786flag. 787The revocation file may be a KRL or a one-per-line list of public keys. 788Successful verification by an authorized signer is signalled by 789.Nm 790returning a zero exit status. 791.It Fl y 792This option will read a private 793OpenSSH format file and print an OpenSSH public key to stdout. 794.It Fl Z Ar cipher 795Specifies the cipher to use for encryption when writing an OpenSSH-format 796private key file. 797The list of available ciphers may be obtained using 798.Qq ssh -Q cipher . 799The default is 800.Dq aes256-ctr . 801.It Fl z Ar serial_number 802Specifies a serial number to be embedded in the certificate to distinguish 803this certificate from others from the same CA. 804If the 805.Ar serial_number 806is prefixed with a 807.Sq + 808character, then the serial number will be incremented for each certificate 809signed on a single command-line. 810The default serial number is zero. 811.Pp 812When generating a KRL, the 813.Fl z 814flag is used to specify a KRL version number. 815.El 816.Sh MODULI GENERATION 817.Nm 818may be used to generate groups for the Diffie-Hellman Group Exchange 819(DH-GEX) protocol. 820Generating these groups is a two-step process: first, candidate 821primes are generated using a fast, but memory intensive process. 822These candidate primes are then tested for suitability (a CPU-intensive 823process). 824.Pp 825Generation of primes is performed using the 826.Fl M Cm generate 827option. 828The desired length of the primes may be specified by the 829.Fl O Cm bits 830option. 831For example: 832.Pp 833.Dl # ssh-keygen -M generate -O bits=2048 moduli-2048.candidates 834.Pp 835By default, the search for primes begins at a random point in the 836desired length range. 837This may be overridden using the 838.Fl O Cm start 839option, which specifies a different start point (in hex). 840.Pp 841Once a set of candidates have been generated, they must be screened for 842suitability. 843This may be performed using the 844.Fl M Cm screen 845option. 846In this mode 847.Nm 848will read candidates from standard input (or a file specified using the 849.Fl f 850option). 851For example: 852.Pp 853.Dl # ssh-keygen -M screen -f moduli-2048.candidates moduli-2048 854.Pp 855By default, each candidate will be subjected to 100 primality tests. 856This may be overridden using the 857.Fl O Cm prime-tests 858option. 859The DH generator value will be chosen automatically for the 860prime under consideration. 861If a specific generator is desired, it may be requested using the 862.Fl O Cm generator 863option. 864Valid generator values are 2, 3, and 5. 865.Pp 866Screened DH groups may be installed in 867.Pa /etc/moduli . 868It is important that this file contains moduli of a range of bit lengths. 869.Pp 870A number of options are available for moduli generation and screening via the 871.Fl O 872flag: 873.Bl -tag -width Ds 874.It Ic lines Ns = Ns Ar number 875Exit after screening the specified number of lines while performing DH 876candidate screening. 877.It Ic start-line Ns = Ns Ar line-number 878Start screening at the specified line number while performing DH candidate 879screening. 880.It Ic checkpoint Ns = Ns Ar filename 881Write the last line processed to the specified file while performing DH 882candidate screening. 883This will be used to skip lines in the input file that have already been 884processed if the job is restarted. 885.It Ic memory Ns = Ns Ar mbytes 886Specify the amount of memory to use (in megabytes) when generating 887candidate moduli for DH-GEX. 888.It Ic start Ns = Ns Ar hex-value 889Specify start point (in hex) when generating candidate moduli for DH-GEX. 890.It Ic generator Ns = Ns Ar value 891Specify desired generator (in decimal) when testing candidate moduli for DH-GEX. 892.El 893.Sh CERTIFICATES 894.Nm 895supports signing of keys to produce certificates that may be used for 896user or host authentication. 897Certificates consist of a public key, some identity information, zero or 898more principal (user or host) names and a set of options that 899are signed by a Certification Authority (CA) key. 900Clients or servers may then trust only the CA key and verify its signature 901on a certificate rather than trusting many user/host keys. 902Note that OpenSSH certificates are a different, and much simpler, format to 903the X.509 certificates used in 904.Xr ssl 8 . 905.Pp 906.Nm 907supports two types of certificates: user and host. 908User certificates authenticate users to servers, whereas host certificates 909authenticate server hosts to users. 910To generate a user certificate: 911.Pp 912.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub 913.Pp 914The resultant certificate will be placed in 915.Pa /path/to/user_key-cert.pub . 916A host certificate requires the 917.Fl h 918option: 919.Pp 920.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub 921.Pp 922The host certificate will be output to 923.Pa /path/to/host_key-cert.pub . 924.Pp 925It is possible to sign using a CA key stored in a PKCS#11 token by 926providing the token library using 927.Fl D 928and identifying the CA key by providing its public half as an argument 929to 930.Fl s : 931.Pp 932.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub 933.Pp 934Similarly, it is possible for the CA key to be hosted in a 935.Xr ssh-agent 1 . 936This is indicated by the 937.Fl U 938flag and, again, the CA key must be identified by its public half. 939.Pp 940.Dl $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub 941.Pp 942In all cases, 943.Ar key_id 944is a "key identifier" that is logged by the server when the certificate 945is used for authentication. 946.Pp 947Certificates may be limited to be valid for a set of principal (user/host) 948names. 949By default, generated certificates are valid for all users or hosts. 950To generate a certificate for a specified set of principals: 951.Pp 952.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub 953.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub" 954.Pp 955Additional limitations on the validity and use of user certificates may 956be specified through certificate options. 957A certificate option may disable features of the SSH session, may be 958valid only when presented from particular source addresses or may 959force the use of a specific command. 960.Pp 961The options that are valid for user certificates are: 962.Pp 963.Bl -tag -width Ds -compact 964.It Ic clear 965Clear all enabled permissions. 966This is useful for clearing the default set of permissions so permissions may 967be added individually. 968.Pp 969.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents 970.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents 971Includes an arbitrary certificate critical option or extension. 972The specified 973.Ar name 974should include a domain suffix, e.g.\& 975.Dq name@example.com . 976If 977.Ar contents 978is specified then it is included as the contents of the extension/option 979encoded as a string, otherwise the extension/option is created with no 980contents (usually indicating a flag). 981Extensions may be ignored by a client or server that does not recognise them, 982whereas unknown critical options will cause the certificate to be refused. 983.Pp 984.It Ic force-command Ns = Ns Ar command 985Forces the execution of 986.Ar command 987instead of any shell or command specified by the user when 988the certificate is used for authentication. 989.Pp 990.It Ic no-agent-forwarding 991Disable 992.Xr ssh-agent 1 993forwarding (permitted by default). 994.Pp 995.It Ic no-port-forwarding 996Disable port forwarding (permitted by default). 997.Pp 998.It Ic no-pty 999Disable PTY allocation (permitted by default). 1000.Pp 1001.It Ic no-user-rc 1002Disable execution of 1003.Pa ~/.ssh/rc 1004by 1005.Xr sshd 8 1006(permitted by default). 1007.Pp 1008.It Ic no-x11-forwarding 1009Disable X11 forwarding (permitted by default). 1010.Pp 1011.It Ic permit-agent-forwarding 1012Allows 1013.Xr ssh-agent 1 1014forwarding. 1015.Pp 1016.It Ic permit-port-forwarding 1017Allows port forwarding. 1018.Pp 1019.It Ic permit-pty 1020Allows PTY allocation. 1021.Pp 1022.It Ic permit-user-rc 1023Allows execution of 1024.Pa ~/.ssh/rc 1025by 1026.Xr sshd 8 . 1027.Pp 1028.It Ic permit-X11-forwarding 1029Allows X11 forwarding. 1030.Pp 1031.It Ic no-touch-required 1032Do not require signatures made using this key include demonstration 1033of user presence (e.g. by having the user touch the authenticator). 1034This option only makes sense for the FIDO authenticator algorithms 1035.Cm ecdsa-sk 1036and 1037.Cm ed25519-sk . 1038.Pp 1039.It Ic source-address Ns = Ns Ar address_list 1040Restrict the source addresses from which the certificate is considered valid. 1041The 1042.Ar address_list 1043is a comma-separated list of one or more address/netmask pairs in CIDR 1044format. 1045.Pp 1046.It Ic verify-required 1047Require signatures made using this key indicate that the user was first 1048verified. 1049This option only makes sense for the FIDO authenticator algorithms 1050.Cm ecdsa-sk 1051and 1052.Cm ed25519-sk . 1053Currently PIN authentication is the only supported verification method, 1054but other methods may be supported in the future. 1055.El 1056.Pp 1057At present, no standard options are valid for host keys. 1058.Pp 1059Finally, certificates may be defined with a validity lifetime. 1060The 1061.Fl V 1062option allows specification of certificate start and end times. 1063A certificate that is presented at a time outside this range will not be 1064considered valid. 1065By default, certificates are valid from the 1066.Ux 1067Epoch to the distant future. 1068.Pp 1069For certificates to be used for user or host authentication, the CA 1070public key must be trusted by 1071.Xr sshd 8 1072or 1073.Xr ssh 1 . 1074Refer to those manual pages for details. 1075.Sh FIDO AUTHENTICATOR 1076.Nm 1077is able to generate FIDO authenticator-backed keys, after which 1078they may be used much like any other key type supported by OpenSSH, so 1079long as the hardware authenticator is attached when the keys are used. 1080FIDO authenticators generally require the user to explicitly authorise 1081operations by touching or tapping them. 1082FIDO keys consist of two parts: a key handle part stored in the 1083private key file on disk, and a per-device private key that is unique 1084to each FIDO authenticator and that cannot be exported from the 1085authenticator hardware. 1086These are combined by the hardware at authentication time to derive 1087the real key that is used to sign authentication challenges. 1088Supported key types are 1089.Cm ecdsa-sk 1090and 1091.Cm ed25519-sk . 1092.Pp 1093The options that are valid for FIDO keys are: 1094.Bl -tag -width Ds 1095.It Cm application 1096Override the default FIDO application/origin string of 1097.Dq ssh: . 1098This may be useful when generating host or domain-specific resident keys. 1099The specified application string must begin with 1100.Dq ssh: . 1101.It Cm challenge Ns = Ns Ar path 1102Specifies a path to a challenge string that will be passed to the 1103FIDO authenticator during key generation. 1104The challenge string may be used as part of an out-of-band 1105protocol for key enrollment 1106(a random challenge is used by default). 1107.It Cm device 1108Explicitly specify a 1109.Xr fido 4 1110device to use, rather than letting the authenticator middleware select one. 1111.It Cm no-touch-required 1112Indicate that the generated private key should not require touch 1113events (user presence) when making signatures. 1114Note that 1115.Xr sshd 8 1116will refuse such signatures by default, unless overridden via 1117an authorized_keys option. 1118.It Cm resident 1119Indicate that the key handle should be stored on the FIDO 1120authenticator itself. 1121This makes it easier to use the authenticator on multiple computers. 1122Resident keys may be supported on FIDO2 authenticators and typically 1123require that a PIN be set on the authenticator prior to generation. 1124Resident keys may be loaded off the authenticator using 1125.Xr ssh-add 1 . 1126Storing both parts of a key on a FIDO authenticator increases the likelihood 1127of an attacker being able to use a stolen authenticator device. 1128.It Cm user 1129A username to be associated with a resident key, 1130overriding the empty default username. 1131Specifying a username may be useful when generating multiple resident keys 1132for the same application name. 1133.It Cm verify-required 1134Indicate that this private key should require user verification for 1135each signature. 1136Not all FIDO authenticators support this option. 1137Currently PIN authentication is the only supported verification method, 1138but other methods may be supported in the future. 1139.It Cm write-attestation Ns = Ns Ar path 1140May be used at key generation time to record the attestation data 1141returned from FIDO authenticators during key generation. 1142This information is potentially sensitive. 1143By default, this information is discarded. 1144.El 1145.Sh KEY REVOCATION LISTS 1146.Nm 1147is able to manage OpenSSH format Key Revocation Lists (KRLs). 1148These binary files specify keys or certificates to be revoked using a 1149compact format, taking as little as one bit per certificate if they are being 1150revoked by serial number. 1151.Pp 1152KRLs may be generated using the 1153.Fl k 1154flag. 1155This option reads one or more files from the command line and generates a new 1156KRL. 1157The files may either contain a KRL specification (see below) or public keys, 1158listed one per line. 1159Plain public keys are revoked by listing their hash or contents in the KRL and 1160certificates revoked by serial number or key ID (if the serial is zero or 1161not available). 1162.Pp 1163Revoking keys using a KRL specification offers explicit control over the 1164types of record used to revoke keys and may be used to directly revoke 1165certificates by serial number or key ID without having the complete original 1166certificate on hand. 1167A KRL specification consists of lines containing one of the following directives 1168followed by a colon and some directive-specific information. 1169.Bl -tag -width Ds 1170.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number 1171Revokes a certificate with the specified serial number. 1172Serial numbers are 64-bit values, not including zero and may be expressed 1173in decimal, hex or octal. 1174If two serial numbers are specified separated by a hyphen, then the range 1175of serial numbers including and between each is revoked. 1176The CA key must have been specified on the 1177.Nm 1178command line using the 1179.Fl s 1180option. 1181.It Cm id : Ar key_id 1182Revokes a certificate with the specified key ID string. 1183The CA key must have been specified on the 1184.Nm 1185command line using the 1186.Fl s 1187option. 1188.It Cm key : Ar public_key 1189Revokes the specified key. 1190If a certificate is listed, then it is revoked as a plain public key. 1191.It Cm sha1 : Ar public_key 1192Revokes the specified key by including its SHA1 hash in the KRL. 1193.It Cm sha256 : Ar public_key 1194Revokes the specified key by including its SHA256 hash in the KRL. 1195KRLs that revoke keys by SHA256 hash are not supported by OpenSSH versions 1196prior to 7.9. 1197.It Cm hash : Ar fingerprint 1198Revokes a key using a fingerprint hash, as obtained from a 1199.Xr sshd 8 1200authentication log message or the 1201.Nm 1202.Fl l 1203flag. 1204Only SHA256 fingerprints are supported here and resultant KRLs are 1205not supported by OpenSSH versions prior to 7.9. 1206.El 1207.Pp 1208KRLs may be updated using the 1209.Fl u 1210flag in addition to 1211.Fl k . 1212When this option is specified, keys listed via the command line are merged into 1213the KRL, adding to those already there. 1214.Pp 1215It is also possible, given a KRL, to test whether it revokes a particular key 1216(or keys). 1217The 1218.Fl Q 1219flag will query an existing KRL, testing each key specified on the command line. 1220If any key listed on the command line has been revoked (or an error encountered) 1221then 1222.Nm 1223will exit with a non-zero exit status. 1224A zero exit status will only be returned if no key was revoked. 1225.Sh ALLOWED SIGNERS 1226When verifying signatures, 1227.Nm 1228uses a simple list of identities and keys to determine whether a signature 1229comes from an authorized source. 1230This "allowed signers" file uses a format patterned after the 1231AUTHORIZED_KEYS FILE FORMAT described in 1232.Xr sshd 8 . 1233Each line of the file contains the following space-separated fields: 1234principals, options, keytype, base64-encoded key. 1235Empty lines and lines starting with a 1236.Ql # 1237are ignored as comments. 1238.Pp 1239The principals field is a pattern-list (see PATTERNS in 1240.Xr ssh_config 5 ) 1241consisting of one or more comma-separated USER@DOMAIN identity patterns 1242that are accepted for signing. 1243When verifying, the identity presented via the 1244.Fl I 1245option must match a principals pattern in order for the corresponding key to be 1246considered acceptable for verification. 1247.Pp 1248The options (if present) consist of comma-separated option specifications. 1249No spaces are permitted, except within double quotes. 1250The following option specifications are supported (note that option keywords 1251are case-insensitive): 1252.Bl -tag -width Ds 1253.It Cm cert-authority 1254Indicates that this key is accepted as a certificate authority (CA) and 1255that certificates signed by this CA may be accepted for verification. 1256.It Cm namespaces Ns = Ns "namespace-list" 1257Specifies a pattern-list of namespaces that are accepted for this key. 1258If this option is present, the signature namespace embedded in the 1259signature object and presented on the verification command-line must 1260match the specified list before the key will be considered acceptable. 1261.It Cm valid-after Ns = Ns "timestamp" 1262Indicates that the key is valid for use at or after the specified timestamp, 1263which may be a date or time in the YYYYMMDD[Z] or YYYYMMDDHHMM[SS][Z] formats. 1264Dates and times will be interpreted in the current system time zone unless 1265suffixed with a Z character, which causes them to be interpreted in the UTC 1266time zone. 1267.It Cm valid-before Ns = Ns "timestamp" 1268Indicates that the key is valid for use at or before the specified timestamp. 1269.El 1270.Pp 1271When verifying signatures made by certificates, the expected principal 1272name must match both the principals pattern in the allowed signers file and 1273the principals embedded in the certificate itself. 1274.Pp 1275An example allowed signers file: 1276.Bd -literal -offset 3n 1277# Comments allowed at start of line 1278user1@example.com,user2@example.com ssh-rsa AAAAX1... 1279# A certificate authority, trusted for all principals in a domain. 1280*@example.com cert-authority ssh-ed25519 AAAB4... 1281# A key that is accepted only for file signing. 1282user2@example.com namespaces="file" ssh-ed25519 AAA41... 1283.Ed 1284.Sh ENVIRONMENT 1285.Bl -tag -width Ds 1286.It Ev SSH_SK_PROVIDER 1287Specifies a path to a library that will be used when loading any 1288FIDO authenticator-hosted keys, overriding the default of using 1289the built-in USB HID support. 1290.El 1291.Sh FILES 1292.Bl -tag -width Ds -compact 1293.It Pa ~/.ssh/id_dsa 1294.It Pa ~/.ssh/id_ecdsa 1295.It Pa ~/.ssh/id_ecdsa_sk 1296.It Pa ~/.ssh/id_ed25519 1297.It Pa ~/.ssh/id_ed25519_sk 1298.It Pa ~/.ssh/id_rsa 1299Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, 1300authenticator-hosted Ed25519 or RSA authentication identity of the user. 1301This file should not be readable by anyone but the user. 1302It is possible to 1303specify a passphrase when generating the key; that passphrase will be 1304used to encrypt the private part of this file using 128-bit AES. 1305This file is not automatically accessed by 1306.Nm 1307but it is offered as the default file for the private key. 1308.Xr ssh 1 1309will read this file when a login attempt is made. 1310.Pp 1311.It Pa ~/.ssh/id_dsa.pub 1312.It Pa ~/.ssh/id_ecdsa.pub 1313.It Pa ~/.ssh/id_ecdsa_sk.pub 1314.It Pa ~/.ssh/id_ed25519.pub 1315.It Pa ~/.ssh/id_ed25519_sk.pub 1316.It Pa ~/.ssh/id_rsa.pub 1317Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, 1318authenticator-hosted Ed25519 or RSA public key for authentication. 1319The contents of this file should be added to 1320.Pa ~/.ssh/authorized_keys 1321on all machines 1322where the user wishes to log in using public key authentication. 1323There is no need to keep the contents of this file secret. 1324.Pp 1325.It Pa /etc/moduli 1326Contains Diffie-Hellman groups used for DH-GEX. 1327The file format is described in 1328.Xr moduli 5 . 1329.El 1330.Sh SEE ALSO 1331.Xr ssh 1 , 1332.Xr ssh-add 1 , 1333.Xr ssh-agent 1 , 1334.Xr moduli 5 , 1335.Xr sshd 8 1336.Rs 1337.%R RFC 4716 1338.%T "The Secure Shell (SSH) Public Key File Format" 1339.%D 2006 1340.Re 1341.Sh AUTHORS 1342OpenSSH is a derivative of the original and free 1343ssh 1.2.12 release by Tatu Ylonen. 1344Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 1345Theo de Raadt and Dug Song 1346removed many bugs, re-added newer features and 1347created OpenSSH. 1348Markus Friedl contributed the support for SSH 1349protocol versions 1.5 and 2.0. 1350