1.\" -*- nroff -*- 2.\" 3.\" ssh-keygen.1 4.\" 5.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 6.\" 7.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 8.\" All rights reserved 9.\" 10.\" Created: Sat Apr 22 23:55:14 1995 ylo 11.\" 12.\" $Id: ssh-keygen.1,v 1.18 2000/05/08 17:26:04 hugh Exp $ 13.\" 14.Dd September 25, 1999 15.Dt SSH-KEYGEN 1 16.Os 17.Sh NAME 18.Nm ssh-keygen 19.Nd authentication key generation 20.Sh SYNOPSIS 21.Nm ssh-keygen 22.Op Fl dq 23.Op Fl b Ar bits 24.Op Fl N Ar new_passphrase 25.Op Fl C Ar comment 26.Op Fl f Ar keyfile 27.Nm ssh-keygen 28.Fl p 29.Op Fl P Ar old_passphrase 30.Op Fl N Ar new_passphrase 31.Op Fl f Ar keyfile 32.Nm ssh-keygen 33.Fl x 34.Op Fl f Ar keyfile 35.Nm ssh-keygen 36.Fl X 37.Op Fl f Ar keyfile 38.Nm ssh-keygen 39.Fl y 40.Op Fl f Ar keyfile 41.Nm ssh-keygen 42.Fl c 43.Op Fl P Ar passphrase 44.Op Fl C Ar comment 45.Op Fl f Ar keyfile 46.Nm ssh-keygen 47.Fl l 48.Op Fl f Ar keyfile 49.Nm ssh-keygen 50.Fl R 51.Sh DESCRIPTION 52.Nm 53generates and manages authentication keys for 54.Xr ssh 1 . 55.Nm 56defaults to generating an RSA key for use by protocols 1.3 and 1.5; 57specifying the 58.Fl d 59flag will create a DSA key instead for use by protocol 2.0. 60.Pp 61Normally each user wishing to use SSH 62with RSA or DSA authentication runs this once to create the authentication 63key in 64.Pa $HOME/.ssh/identity 65or 66.Pa $HOME/.ssh/id_dsa . 67Additionally, the system administrator may use this to generate host keys, 68as seen in 69.Pa /etc/rc . 70.Pp 71Normally this program generates the key and asks for a file in which 72to store the private key. 73The public key is stored in a file with the same name but 74.Dq .pub 75appended. 76The program also asks for a passphrase. 77The passphrase may be empty to indicate no passphrase 78(host keys must have empty passphrase), or it may be a string of 79arbitrary length. 80Good passphrases are 10-30 characters long and are 81not simple sentences or otherwise easily guessable (English 82prose has only 1-2 bits of entropy per word, and provides very bad 83passphrases). 84The passphrase can be changed later by using the 85.Fl p 86option. 87.Pp 88There is no way to recover a lost passphrase. 89If the passphrase is 90lost or forgotten, you will have to generate a new key and copy the 91corresponding public key to other machines. 92.Pp 93For RSA, there is also a comment field in the key file that is only for 94convenience to the user to help identify the key. 95The comment can tell what the key is for, or whatever is useful. 96The comment is initialized to 97.Dq user@host 98when the key is created, but can be changed using the 99.Fl c 100option. 101.Pp 102After a key is generated, instructions below detail where the keys 103should be placed to be activated. 104.Pp 105The options are as follows: 106.Bl -tag -width Ds 107.It Fl b Ar bits 108Specifies the number of bits in the key to create. 109Minimum is 512 bits. 110Generally 1024 bits is considered sufficient, and key sizes 111above that no longer improve security but make things slower. 112The default is 1024 bits. 113.It Fl c 114Requests changing the comment in the private and public key files. 115The program will prompt for the file containing the private keys, for 116passphrase if the key has one, and for the new comment. 117.It Fl f 118Specifies the filename of the key file. 119.It Fl l 120Show fingerprint of specified private or public key file. 121.It Fl p 122Requests changing the passphrase of a private key file instead of 123creating a new private key. 124The program will prompt for the file 125containing the private key, for the old passphrase, and twice for the 126new passphrase. 127.It Fl q 128Silence 129.Nm ssh-keygen . 130Used by 131.Pa /etc/rc 132when creating a new key. 133.It Fl C Ar comment 134Provides the new comment. 135.It Fl N Ar new_passphrase 136Provides the new passphrase. 137.It Fl P Ar passphrase 138Provides the (old) passphrase. 139.It Fl R 140If RSA support is functional, immediately exits with code 0. If RSA 141support is not functional, exits with code 1. This flag will be 142removed once the RSA patent expires. 143.It Fl x 144This option will read a private 145OpenSSH DSA format file and print a SSH2-compatible public key to stdout. 146.It Fl X 147This option will read a 148SSH2-compatible public key file and print an OpenSSH DSA compatible public key to stdout. 149.It Fl y 150This option will read a private 151OpenSSH DSA format file and print an OpenSSH DSA public key to stdout. 152.El 153.Sh FILES 154.Bl -tag -width Ds 155.It Pa $HOME/.ssh/identity 156Contains the RSA authentication identity of the user. 157This file should not be readable by anyone but the user. 158It is possible to 159specify a passphrase when generating the key; that passphrase will be 160used to encrypt the private part of this file using 3DES. 161This file is not automatically accessed by 162.Nm 163but it is offered as the default file for the private key. 164.Xr sshd 8 165will read this file when a login attempt is made. 166.It Pa $HOME/.ssh/identity.pub 167Contains the public key for authentication. 168The contents of this file should be added to 169.Pa $HOME/.ssh/authorized_keys 170on all machines 171where you wish to log in using RSA authentication. 172There is no need to keep the contents of this file secret. 173.It Pa $HOME/.ssh/id_dsa 174Contains the DSA authentication identity of the user. 175This file should not be readable by anyone but the user. 176It is possible to 177specify a passphrase when generating the key; that passphrase will be 178used to encrypt the private part of this file using 3DES. 179This file is not automatically accessed by 180.Nm 181but it is offered as the default file for the private key. 182.Xr sshd 8 183will read this file when a login attempt is made. 184.It Pa $HOME/.ssh/id_dsa.pub 185Contains the public key for authentication. 186The contents of this file should be added to 187.Pa $HOME/.ssh/authorized_keys2 188on all machines 189where you wish to log in using DSA authentication. 190There is no need to keep the contents of this file secret. 191.Sh AUTHOR 192Tatu Ylonen <ylo@cs.hut.fi> 193.Pp 194OpenSSH 195is a derivative of the original (free) ssh 1.2.12 release, but with bugs 196removed and newer features re-added. 197Rapidly after the 1.2.12 release, 198newer versions bore successively more restrictive licenses. 199This version of OpenSSH 200.Bl -bullet 201.It 202has all components of a restrictive nature (i.e., patents, see 203.Xr ssl 8 ) 204directly removed from the source code; any licensed or patented components 205are chosen from 206external libraries. 207.It 208has been updated to support ssh protocol 1.5. 209.It 210contains added support for 211.Xr kerberos 8 212authentication and ticket passing. 213.It 214supports one-time password authentication with 215.Xr skey 1 . 216.El 217.Pp 218The libraries described in 219.Xr ssl 8 220are required for proper operation. 221.Sh SEE ALSO 222.Xr ssh 1 , 223.Xr ssh-add 1 , 224.Xr ssh-agent 1 , 225.Xr sshd 8 , 226.Xr ssl 8 227