1.\" $OpenBSD: ssh-keygen.1,v 1.101 2010/10/28 18:33:28 jmc Exp $ 2.\" $FreeBSD$ 3.\" 4.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 5.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 6.\" All rights reserved 7.\" 8.\" As far as I am concerned, the code I have written for this software 9.\" can be used freely for any purpose. Any derived versions of this 10.\" software must be clearly marked as such, and if the derived work is 11.\" incompatible with the protocol description in the RFC file, it must be 12.\" called by a name other than "ssh" or "Secure Shell". 13.\" 14.\" 15.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 16.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 17.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 18.\" 19.\" Redistribution and use in source and binary forms, with or without 20.\" modification, are permitted provided that the following conditions 21.\" are met: 22.\" 1. Redistributions of source code must retain the above copyright 23.\" notice, this list of conditions and the following disclaimer. 24.\" 2. Redistributions in binary form must reproduce the above copyright 25.\" notice, this list of conditions and the following disclaimer in the 26.\" documentation and/or other materials provided with the distribution. 27.\" 28.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 29.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 30.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 31.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 32.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 33.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 34.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 35.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 36.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 37.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 38.\" 39.Dd October 28, 2010 40.Dt SSH-KEYGEN 1 41.Os 42.Sh NAME 43.Nm ssh-keygen 44.Nd authentication key generation, management and conversion 45.Sh SYNOPSIS 46.Bk -words 47.Nm ssh-keygen 48.Op Fl q 49.Op Fl b Ar bits 50.Fl t Ar type 51.Op Fl N Ar new_passphrase 52.Op Fl C Ar comment 53.Op Fl f Ar output_keyfile 54.Nm ssh-keygen 55.Fl p 56.Op Fl P Ar old_passphrase 57.Op Fl N Ar new_passphrase 58.Op Fl f Ar keyfile 59.Nm ssh-keygen 60.Fl i 61.Op Fl m Ar key_format 62.Op Fl f Ar input_keyfile 63.Nm ssh-keygen 64.Fl e 65.Op Fl m Ar key_format 66.Op Fl f Ar input_keyfile 67.Nm ssh-keygen 68.Fl y 69.Op Fl f Ar input_keyfile 70.Nm ssh-keygen 71.Fl c 72.Op Fl P Ar passphrase 73.Op Fl C Ar comment 74.Op Fl f Ar keyfile 75.Nm ssh-keygen 76.Fl l 77.Op Fl f Ar input_keyfile 78.Nm ssh-keygen 79.Fl B 80.Op Fl f Ar input_keyfile 81.Nm ssh-keygen 82.Fl D Ar pkcs11 83.Nm ssh-keygen 84.Fl F Ar hostname 85.Op Fl f Ar known_hosts_file 86.Op Fl l 87.Nm ssh-keygen 88.Fl H 89.Op Fl f Ar known_hosts_file 90.Nm ssh-keygen 91.Fl R Ar hostname 92.Op Fl f Ar known_hosts_file 93.Nm ssh-keygen 94.Fl r Ar hostname 95.Op Fl f Ar input_keyfile 96.Op Fl g 97.Nm ssh-keygen 98.Fl G Ar output_file 99.Op Fl v 100.Op Fl b Ar bits 101.Op Fl M Ar memory 102.Op Fl S Ar start_point 103.Nm ssh-keygen 104.Fl T Ar output_file 105.Fl f Ar input_file 106.Op Fl v 107.Op Fl a Ar num_trials 108.Op Fl W Ar generator 109.Nm ssh-keygen 110.Fl s Ar ca_key 111.Fl I Ar certificate_identity 112.Op Fl h 113.Op Fl n Ar principals 114.Op Fl O Ar option 115.Op Fl V Ar validity_interval 116.Op Fl z Ar serial_number 117.Ar 118.Nm ssh-keygen 119.Fl L 120.Op Fl f Ar input_keyfile 121.Ek 122.Sh DESCRIPTION 123.Nm 124generates, manages and converts authentication keys for 125.Xr ssh 1 . 126.Nm 127can create RSA keys for use by SSH protocol version 1 and DSA, ECDSA or RSA 128keys for use by SSH protocol version 2. 129The type of key to be generated is specified with the 130.Fl t 131option. 132If invoked without any arguments, 133.Nm 134will generate an RSA key for use in SSH protocol 2 connections. 135.Pp 136.Nm 137is also used to generate groups for use in Diffie-Hellman group 138exchange (DH-GEX). 139See the 140.Sx MODULI GENERATION 141section for details. 142.Pp 143Normally each user wishing to use SSH 144with public key authentication runs this once to create the authentication 145key in 146.Pa ~/.ssh/identity , 147.Pa ~/.ssh/id_ecdsa , 148.Pa ~/.ssh/id_dsa 149or 150.Pa ~/.ssh/id_rsa . 151Additionally, the system administrator may use this to generate host keys, 152as seen in 153.Pa /etc/rc . 154.Pp 155Normally this program generates the key and asks for a file in which 156to store the private key. 157The public key is stored in a file with the same name but 158.Dq .pub 159appended. 160The program also asks for a passphrase. 161The passphrase may be empty to indicate no passphrase 162(host keys must have an empty passphrase), or it may be a string of 163arbitrary length. 164A passphrase is similar to a password, except it can be a phrase with a 165series of words, punctuation, numbers, whitespace, or any string of 166characters you want. 167Good passphrases are 10-30 characters long, are 168not simple sentences or otherwise easily guessable (English 169prose has only 1-2 bits of entropy per character, and provides very bad 170passphrases), and contain a mix of upper and lowercase letters, 171numbers, and non-alphanumeric characters. 172The passphrase can be changed later by using the 173.Fl p 174option. 175.Pp 176There is no way to recover a lost passphrase. 177If the passphrase is 178lost or forgotten, a new key must be generated and copied to the 179corresponding public key to other machines. 180.Pp 181For RSA1 keys, 182there is also a comment field in the key file that is only for 183convenience to the user to help identify the key. 184The comment can tell what the key is for, or whatever is useful. 185The comment is initialized to 186.Dq user@host 187when the key is created, but can be changed using the 188.Fl c 189option. 190.Pp 191After a key is generated, instructions below detail where the keys 192should be placed to be activated. 193.Pp 194The options are as follows: 195.Bl -tag -width Ds 196.It Fl a Ar trials 197Specifies the number of primality tests to perform when screening DH-GEX 198candidates using the 199.Fl T 200command. 201.It Fl B 202Show the bubblebabble digest of specified private or public key file. 203.It Fl b Ar bits 204Specifies the number of bits in the key to create. 205For RSA keys, the minimum size is 768 bits and the default is 2048 bits. 206Generally, 2048 bits is considered sufficient. 207DSA keys must be exactly 1024 bits as specified by FIPS 186-2. 208.It Fl C Ar comment 209Provides a new comment. 210.It Fl c 211Requests changing the comment in the private and public key files. 212This operation is only supported for RSA1 keys. 213The program will prompt for the file containing the private keys, for 214the passphrase if the key has one, and for the new comment. 215.It Fl D Ar pkcs11 216Download the RSA public keys provided by the PKCS#11 shared library 217.Ar pkcs11 . 218When used in combination with 219.Fl s , 220this option indicates that a CA key resides in a PKCS#11 token (see the 221.Sx CERTIFICATES 222section for details). 223.It Fl e 224This option will read a private or public OpenSSH key file and 225print to stdout the key in one of the formats specified by the 226.Fl m 227option. 228The default export format is 229.Dq RFC4716 . 230This option allows exporting OpenSSH keys for use by other programs, including 231several commercial SSH implementations. 232.It Fl F Ar hostname 233Search for the specified 234.Ar hostname 235in a 236.Pa known_hosts 237file, listing any occurrences found. 238This option is useful to find hashed host names or addresses and may also be 239used in conjunction with the 240.Fl H 241option to print found keys in a hashed format. 242.It Fl f Ar filename 243Specifies the filename of the key file. 244.It Fl G Ar output_file 245Generate candidate primes for DH-GEX. 246These primes must be screened for 247safety (using the 248.Fl T 249option) before use. 250.It Fl g 251Use generic DNS format when printing fingerprint resource records using the 252.Fl r 253command. 254.It Fl H 255Hash a 256.Pa known_hosts 257file. 258This replaces all hostnames and addresses with hashed representations 259within the specified file; the original content is moved to a file with 260a .old suffix. 261These hashes may be used normally by 262.Nm ssh 263and 264.Nm sshd , 265but they do not reveal identifying information should the file's contents 266be disclosed. 267This option will not modify existing hashed hostnames and is therefore safe 268to use on files that mix hashed and non-hashed names. 269.It Fl h 270When signing a key, create a host certificate instead of a user 271certificate. 272Please see the 273.Sx CERTIFICATES 274section for details. 275.It Fl I Ar certificate_identity 276Specify the key identity when signing a public key. 277Please see the 278.Sx CERTIFICATES 279section for details. 280.It Fl i 281This option will read an unencrypted private (or public) key file 282in the format specified by the 283.Fl m 284option and print an OpenSSH compatible private 285(or public) key to stdout. 286This option allows importing keys from other software, including several 287commercial SSH implementations. 288The default import format is 289.Dq RFC4716 . 290.It Fl L 291Prints the contents of a certificate. 292.It Fl l 293Show fingerprint of specified public key file. 294Private RSA1 keys are also supported. 295For RSA and DSA keys 296.Nm 297tries to find the matching public key file and prints its fingerprint. 298If combined with 299.Fl v , 300an ASCII art representation of the key is supplied with the fingerprint. 301.It Fl M Ar memory 302Specify the amount of memory to use (in megabytes) when generating 303candidate moduli for DH-GEX. 304.It Fl m Ar key_format 305Specify a key format for the 306.Fl i 307(import) or 308.Fl e 309(export) conversion options. 310The supported key formats are: 311.Dq RFC4716 312(RFC 4716/SSH2 public or private key), 313.Dq PKCS8 314(PEM PKCS8 public key) 315or 316.Dq PEM 317(PEM public key). 318The default conversion format is 319.Dq RFC4716 . 320.It Fl N Ar new_passphrase 321Provides the new passphrase. 322.It Fl n Ar principals 323Specify one or more principals (user or host names) to be included in 324a certificate when signing a key. 325Multiple principals may be specified, separated by commas. 326Please see the 327.Sx CERTIFICATES 328section for details. 329.It Fl O Ar option 330Specify a certificate option when signing a key. 331This option may be specified multiple times. 332Please see the 333.Sx CERTIFICATES 334section for details. 335The options that are valid for user certificates are: 336.Bl -tag -width Ds 337.It Ic clear 338Clear all enabled permissions. 339This is useful for clearing the default set of permissions so permissions may 340be added individually. 341.It Ic force-command Ns = Ns Ar command 342Forces the execution of 343.Ar command 344instead of any shell or command specified by the user when 345the certificate is used for authentication. 346.It Ic no-agent-forwarding 347Disable 348.Xr ssh-agent 1 349forwarding (permitted by default). 350.It Ic no-port-forwarding 351Disable port forwarding (permitted by default). 352.It Ic no-pty 353Disable PTY allocation (permitted by default). 354.It Ic no-user-rc 355Disable execution of 356.Pa ~/.ssh/rc 357by 358.Xr sshd 8 359(permitted by default). 360.It Ic no-x11-forwarding 361Disable X11 forwarding (permitted by default). 362.It Ic permit-agent-forwarding 363Allows 364.Xr ssh-agent 1 365forwarding. 366.It Ic permit-port-forwarding 367Allows port forwarding. 368.It Ic permit-pty 369Allows PTY allocation. 370.It Ic permit-user-rc 371Allows execution of 372.Pa ~/.ssh/rc 373by 374.Xr sshd 8 . 375.It Ic permit-x11-forwarding 376Allows X11 forwarding. 377.It Ic source-address Ns = Ns Ar address_list 378Restrict the source addresses from which the certificate is considered valid. 379The 380.Ar address_list 381is a comma-separated list of one or more address/netmask pairs in CIDR 382format. 383.El 384.Pp 385At present, no options are valid for host keys. 386.It Fl P Ar passphrase 387Provides the (old) passphrase. 388.It Fl p 389Requests changing the passphrase of a private key file instead of 390creating a new private key. 391The program will prompt for the file 392containing the private key, for the old passphrase, and twice for the 393new passphrase. 394.It Fl q 395Silence 396.Nm ssh-keygen . 397Used by 398.Pa /etc/rc 399when creating a new key. 400.It Fl R Ar hostname 401Removes all keys belonging to 402.Ar hostname 403from a 404.Pa known_hosts 405file. 406This option is useful to delete hashed hosts (see the 407.Fl H 408option above). 409.It Fl r Ar hostname 410Print the SSHFP fingerprint resource record named 411.Ar hostname 412for the specified public key file. 413.It Fl S Ar start 414Specify start point (in hex) when generating candidate moduli for DH-GEX. 415.It Fl s Ar ca_key 416Certify (sign) a public key using the specified CA key. 417Please see the 418.Sx CERTIFICATES 419section for details. 420.It Fl T Ar output_file 421Test DH group exchange candidate primes (generated using the 422.Fl G 423option) for safety. 424.It Fl t Ar type 425Specifies the type of key to create. 426The possible values are 427.Dq rsa1 428for protocol version 1 and 429.Dq dsa , 430.Dq ecdsa 431or 432.Dq rsa 433for protocol version 2. 434.It Fl V Ar validity_interval 435Specify a validity interval when signing a certificate. 436A validity interval may consist of a single time, indicating that the 437certificate is valid beginning now and expiring at that time, or may consist 438of two times separated by a colon to indicate an explicit time interval. 439The start time may be specified as a date in YYYYMMDD format, a time 440in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting 441of a minus sign followed by a relative time in the format described in the 442.Sx TIME FORMATS 443section of 444.Xr sshd_config 5 . 445The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or 446a relative time starting with a plus character. 447.Pp 448For example: 449.Dq +52w1d 450(valid from now to 52 weeks and one day from now), 451.Dq -4w:+4w 452(valid from four weeks ago to four weeks from now), 453.Dq 20100101123000:20110101123000 454(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), 455.Dq -1d:20110101 456(valid from yesterday to midnight, January 1st, 2011). 457.It Fl v 458Verbose mode. 459Causes 460.Nm 461to print debugging messages about its progress. 462This is helpful for debugging moduli generation. 463Multiple 464.Fl v 465options increase the verbosity. 466The maximum is 3. 467.It Fl W Ar generator 468Specify desired generator when testing candidate moduli for DH-GEX. 469.It Fl y 470This option will read a private 471OpenSSH format file and print an OpenSSH public key to stdout. 472.It Fl z Ar serial_number 473Specifies a serial number to be embedded in the certificate to distinguish 474this certificate from others from the same CA. 475The default serial number is zero. 476.El 477.Sh MODULI GENERATION 478.Nm 479may be used to generate groups for the Diffie-Hellman Group Exchange 480(DH-GEX) protocol. 481Generating these groups is a two-step process: first, candidate 482primes are generated using a fast, but memory intensive process. 483These candidate primes are then tested for suitability (a CPU-intensive 484process). 485.Pp 486Generation of primes is performed using the 487.Fl G 488option. 489The desired length of the primes may be specified by the 490.Fl b 491option. 492For example: 493.Pp 494.Dl # ssh-keygen -G moduli-2048.candidates -b 2048 495.Pp 496By default, the search for primes begins at a random point in the 497desired length range. 498This may be overridden using the 499.Fl S 500option, which specifies a different start point (in hex). 501.Pp 502Once a set of candidates have been generated, they must be tested for 503suitability. 504This may be performed using the 505.Fl T 506option. 507In this mode 508.Nm 509will read candidates from standard input (or a file specified using the 510.Fl f 511option). 512For example: 513.Pp 514.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates 515.Pp 516By default, each candidate will be subjected to 100 primality tests. 517This may be overridden using the 518.Fl a 519option. 520The DH generator value will be chosen automatically for the 521prime under consideration. 522If a specific generator is desired, it may be requested using the 523.Fl W 524option. 525Valid generator values are 2, 3, and 5. 526.Pp 527Screened DH groups may be installed in 528.Pa /etc/moduli . 529It is important that this file contains moduli of a range of bit lengths and 530that both ends of a connection share common moduli. 531.Sh CERTIFICATES 532.Nm 533supports signing of keys to produce certificates that may be used for 534user or host authentication. 535Certificates consist of a public key, some identity information, zero or 536more principal (user or host) names and a set of options that 537are signed by a Certification Authority (CA) key. 538Clients or servers may then trust only the CA key and verify its signature 539on a certificate rather than trusting many user/host keys. 540Note that OpenSSH certificates are a different, and much simpler, format to 541the X.509 certificates used in 542.Xr ssl 8 . 543.Pp 544.Nm 545supports two types of certificates: user and host. 546User certificates authenticate users to servers, whereas host certificates 547authenticate server hosts to users. 548To generate a user certificate: 549.Pp 550.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub 551.Pp 552The resultant certificate will be placed in 553.Pa /path/to/user_key-cert.pub . 554A host certificate requires the 555.Fl h 556option: 557.Pp 558.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub 559.Pp 560The host certificate will be output to 561.Pa /path/to/host_key-cert.pub . 562.Pp 563It is possible to sign using a CA key stored in a PKCS#11 token by 564providing the token library using 565.Fl D 566and identifying the CA key by providing its public half as an argument 567to 568.Fl s : 569.Pp 570.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub 571.Pp 572In all cases, 573.Ar key_id 574is a "key identifier" that is logged by the server when the certificate 575is used for authentication. 576.Pp 577Certificates may be limited to be valid for a set of principal (user/host) 578names. 579By default, generated certificates are valid for all users or hosts. 580To generate a certificate for a specified set of principals: 581.Pp 582.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub 583.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" 584.Pp 585Additional limitations on the validity and use of user certificates may 586be specified through certificate options. 587A certificate option may disable features of the SSH session, may be 588valid only when presented from particular source addresses or may 589force the use of a specific command. 590For a list of valid certificate options, see the documentation for the 591.Fl O 592option above. 593.Pp 594Finally, certificates may be defined with a validity lifetime. 595The 596.Fl V 597option allows specification of certificate start and end times. 598A certificate that is presented at a time outside this range will not be 599considered valid. 600By default, certificates have a maximum validity interval. 601.Pp 602For certificates to be used for user or host authentication, the CA 603public key must be trusted by 604.Xr sshd 8 605or 606.Xr ssh 1 . 607Please refer to those manual pages for details. 608.Sh FILES 609.Bl -tag -width Ds -compact 610.It Pa ~/.ssh/identity 611Contains the protocol version 1 RSA authentication identity of the user. 612This file should not be readable by anyone but the user. 613It is possible to 614specify a passphrase when generating the key; that passphrase will be 615used to encrypt the private part of this file using 3DES. 616This file is not automatically accessed by 617.Nm 618but it is offered as the default file for the private key. 619.Xr ssh 1 620will read this file when a login attempt is made. 621.Pp 622.It Pa ~/.ssh/identity.pub 623Contains the protocol version 1 RSA public key for authentication. 624The contents of this file should be added to 625.Pa ~/.ssh/authorized_keys 626on all machines 627where the user wishes to log in using RSA authentication. 628There is no need to keep the contents of this file secret. 629.Pp 630.It Pa ~/.ssh/id_dsa 631.It Pa ~/.ssh/id_ecdsa 632.It Pa ~/.ssh/id_rsa 633Contains the protocol version 2 DSA, ECDSA or RSA authentication identity of the user. 634This file should not be readable by anyone but the user. 635It is possible to 636specify a passphrase when generating the key; that passphrase will be 637used to encrypt the private part of this file using 128-bit AES. 638This file is not automatically accessed by 639.Nm 640but it is offered as the default file for the private key. 641.Xr ssh 1 642will read this file when a login attempt is made. 643.Pp 644.It Pa ~/.ssh/id_dsa.pub 645.It Pa ~/.ssh/id_ecdsa.pub 646.It Pa ~/.ssh/id_rsa.pub 647Contains the protocol version 2 DSA, ECDSA or RSA public key for authentication. 648The contents of this file should be added to 649.Pa ~/.ssh/authorized_keys 650on all machines 651where the user wishes to log in using public key authentication. 652There is no need to keep the contents of this file secret. 653.Pp 654.It Pa /etc/moduli 655Contains Diffie-Hellman groups used for DH-GEX. 656The file format is described in 657.Xr moduli 5 . 658.El 659.Sh SEE ALSO 660.Xr ssh 1 , 661.Xr ssh-add 1 , 662.Xr ssh-agent 1 , 663.Xr moduli 5 , 664.Xr sshd 8 665.Rs 666.%R RFC 4716 667.%T "The Secure Shell (SSH) Public Key File Format" 668.%D 2006 669.Re 670.Sh AUTHORS 671OpenSSH is a derivative of the original and free 672ssh 1.2.12 release by Tatu Ylonen. 673Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 674Theo de Raadt and Dug Song 675removed many bugs, re-added newer features and 676created OpenSSH. 677Markus Friedl contributed the support for SSH 678protocol versions 1.5 and 2.0. 679