1.\" $OpenBSD: ssh-keygen.1,v 1.109 2012/07/06 00:41:59 dtucker Exp $ 2.\" $FreeBSD$ 3.\" 4.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 5.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 6.\" All rights reserved 7.\" 8.\" As far as I am concerned, the code I have written for this software 9.\" can be used freely for any purpose. Any derived versions of this 10.\" software must be clearly marked as such, and if the derived work is 11.\" incompatible with the protocol description in the RFC file, it must be 12.\" called by a name other than "ssh" or "Secure Shell". 13.\" 14.\" 15.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 16.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 17.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 18.\" 19.\" Redistribution and use in source and binary forms, with or without 20.\" modification, are permitted provided that the following conditions 21.\" are met: 22.\" 1. Redistributions of source code must retain the above copyright 23.\" notice, this list of conditions and the following disclaimer. 24.\" 2. Redistributions in binary form must reproduce the above copyright 25.\" notice, this list of conditions and the following disclaimer in the 26.\" documentation and/or other materials provided with the distribution. 27.\" 28.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 29.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 30.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 31.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 32.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 33.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 34.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 35.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 36.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 37.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 38.\" 39.Dd July 6 2012 40.Dt SSH-KEYGEN 1 41.Os 42.Sh NAME 43.Nm ssh-keygen 44.Nd authentication key generation, management and conversion 45.Sh SYNOPSIS 46.Bk -words 47.Nm ssh-keygen 48.Op Fl q 49.Op Fl b Ar bits 50.Fl t Ar type 51.Op Fl N Ar new_passphrase 52.Op Fl C Ar comment 53.Op Fl f Ar output_keyfile 54.Nm ssh-keygen 55.Fl p 56.Op Fl P Ar old_passphrase 57.Op Fl N Ar new_passphrase 58.Op Fl f Ar keyfile 59.Nm ssh-keygen 60.Fl i 61.Op Fl m Ar key_format 62.Op Fl f Ar input_keyfile 63.Nm ssh-keygen 64.Fl e 65.Op Fl m Ar key_format 66.Op Fl f Ar input_keyfile 67.Nm ssh-keygen 68.Fl y 69.Op Fl f Ar input_keyfile 70.Nm ssh-keygen 71.Fl c 72.Op Fl P Ar passphrase 73.Op Fl C Ar comment 74.Op Fl f Ar keyfile 75.Nm ssh-keygen 76.Fl l 77.Op Fl f Ar input_keyfile 78.Nm ssh-keygen 79.Fl B 80.Op Fl f Ar input_keyfile 81.Nm ssh-keygen 82.Fl D Ar pkcs11 83.Nm ssh-keygen 84.Fl F Ar hostname 85.Op Fl f Ar known_hosts_file 86.Op Fl l 87.Nm ssh-keygen 88.Fl H 89.Op Fl f Ar known_hosts_file 90.Nm ssh-keygen 91.Fl R Ar hostname 92.Op Fl f Ar known_hosts_file 93.Nm ssh-keygen 94.Fl r Ar hostname 95.Op Fl f Ar input_keyfile 96.Op Fl g 97.Nm ssh-keygen 98.Fl G Ar output_file 99.Op Fl v 100.Op Fl b Ar bits 101.Op Fl M Ar memory 102.Op Fl S Ar start_point 103.Nm ssh-keygen 104.Fl T Ar output_file 105.Fl f Ar input_file 106.Op Fl v 107.Op Fl a Ar num_trials 108.Op Fl J Ar num_lines 109.Op Fl j Ar start_line 110.Op Fl K Ar checkpt 111.Op Fl W Ar generator 112.Nm ssh-keygen 113.Fl s Ar ca_key 114.Fl I Ar certificate_identity 115.Op Fl h 116.Op Fl n Ar principals 117.Op Fl O Ar option 118.Op Fl V Ar validity_interval 119.Op Fl z Ar serial_number 120.Ar 121.Nm ssh-keygen 122.Fl L 123.Op Fl f Ar input_keyfile 124.Nm ssh-keygen 125.Fl A 126.Ek 127.Sh DESCRIPTION 128.Nm 129generates, manages and converts authentication keys for 130.Xr ssh 1 . 131.Nm 132can create RSA keys for use by SSH protocol version 1 and DSA, ECDSA or RSA 133keys for use by SSH protocol version 2. 134The type of key to be generated is specified with the 135.Fl t 136option. 137If invoked without any arguments, 138.Nm 139will generate an RSA key for use in SSH protocol 2 connections. 140.Pp 141.Nm 142is also used to generate groups for use in Diffie-Hellman group 143exchange (DH-GEX). 144See the 145.Sx MODULI GENERATION 146section for details. 147.Pp 148Normally each user wishing to use SSH 149with public key authentication runs this once to create the authentication 150key in 151.Pa ~/.ssh/identity , 152.Pa ~/.ssh/id_ecdsa , 153.Pa ~/.ssh/id_dsa 154or 155.Pa ~/.ssh/id_rsa . 156Additionally, the system administrator may use this to generate host keys, 157as seen in 158.Pa /etc/rc . 159.Pp 160Normally this program generates the key and asks for a file in which 161to store the private key. 162The public key is stored in a file with the same name but 163.Dq .pub 164appended. 165The program also asks for a passphrase. 166The passphrase may be empty to indicate no passphrase 167(host keys must have an empty passphrase), or it may be a string of 168arbitrary length. 169A passphrase is similar to a password, except it can be a phrase with a 170series of words, punctuation, numbers, whitespace, or any string of 171characters you want. 172Good passphrases are 10-30 characters long, are 173not simple sentences or otherwise easily guessable (English 174prose has only 1-2 bits of entropy per character, and provides very bad 175passphrases), and contain a mix of upper and lowercase letters, 176numbers, and non-alphanumeric characters. 177The passphrase can be changed later by using the 178.Fl p 179option. 180.Pp 181There is no way to recover a lost passphrase. 182If the passphrase is lost or forgotten, a new key must be generated 183and the corresponding public key copied to other machines. 184.Pp 185For RSA1 keys, 186there is also a comment field in the key file that is only for 187convenience to the user to help identify the key. 188The comment can tell what the key is for, or whatever is useful. 189The comment is initialized to 190.Dq user@host 191when the key is created, but can be changed using the 192.Fl c 193option. 194.Pp 195After a key is generated, instructions below detail where the keys 196should be placed to be activated. 197.Pp 198The options are as follows: 199.Bl -tag -width Ds 200.It Fl A 201For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys 202do not exist, generate the host keys with the default key file path, 203an empty passphrase, default bits for the key type, and default comment. 204This is used by 205.Pa /etc/rc 206to generate new host keys. 207.It Fl a Ar trials 208Specifies the number of primality tests to perform when screening DH-GEX 209candidates using the 210.Fl T 211command. 212.It Fl B 213Show the bubblebabble digest of specified private or public key file. 214.It Fl b Ar bits 215Specifies the number of bits in the key to create. 216For RSA keys, the minimum size is 768 bits and the default is 2048 bits. 217Generally, 2048 bits is considered sufficient. 218DSA keys must be exactly 1024 bits as specified by FIPS 186-2. 219For ECDSA keys, the 220.Fl b 221flag determines the key length by selecting from one of three elliptic 222curve sizes: 256, 384 or 521 bits. 223Attempting to use bit lengths other than these three values for ECDSA keys 224will fail. 225.It Fl C Ar comment 226Provides a new comment. 227.It Fl c 228Requests changing the comment in the private and public key files. 229This operation is only supported for RSA1 keys. 230The program will prompt for the file containing the private keys, for 231the passphrase if the key has one, and for the new comment. 232.It Fl D Ar pkcs11 233Download the RSA public keys provided by the PKCS#11 shared library 234.Ar pkcs11 . 235When used in combination with 236.Fl s , 237this option indicates that a CA key resides in a PKCS#11 token (see the 238.Sx CERTIFICATES 239section for details). 240.It Fl e 241This option will read a private or public OpenSSH key file and 242print to stdout the key in one of the formats specified by the 243.Fl m 244option. 245The default export format is 246.Dq RFC4716 . 247This option allows exporting OpenSSH keys for use by other programs, including 248several commercial SSH implementations. 249.It Fl F Ar hostname 250Search for the specified 251.Ar hostname 252in a 253.Pa known_hosts 254file, listing any occurrences found. 255This option is useful to find hashed host names or addresses and may also be 256used in conjunction with the 257.Fl H 258option to print found keys in a hashed format. 259.It Fl f Ar filename 260Specifies the filename of the key file. 261.It Fl G Ar output_file 262Generate candidate primes for DH-GEX. 263These primes must be screened for 264safety (using the 265.Fl T 266option) before use. 267.It Fl g 268Use generic DNS format when printing fingerprint resource records using the 269.Fl r 270command. 271.It Fl H 272Hash a 273.Pa known_hosts 274file. 275This replaces all hostnames and addresses with hashed representations 276within the specified file; the original content is moved to a file with 277a .old suffix. 278These hashes may be used normally by 279.Nm ssh 280and 281.Nm sshd , 282but they do not reveal identifying information should the file's contents 283be disclosed. 284This option will not modify existing hashed hostnames and is therefore safe 285to use on files that mix hashed and non-hashed names. 286.It Fl h 287When signing a key, create a host certificate instead of a user 288certificate. 289Please see the 290.Sx CERTIFICATES 291section for details. 292.It Fl I Ar certificate_identity 293Specify the key identity when signing a public key. 294Please see the 295.Sx CERTIFICATES 296section for details. 297.It Fl i 298This option will read an unencrypted private (or public) key file 299in the format specified by the 300.Fl m 301option and print an OpenSSH compatible private 302(or public) key to stdout. 303.It Fl J Ar num_lines 304Exit after screening the specified number of lines 305while performing DH candidate screening using the 306.Fl T 307option. 308.It Fl j Ar start_line 309Start screening at the specified line number 310while performing DH candidate screening using the 311.Fl T 312option. 313.It Fl K Ar checkpt 314Write the last line processed to the file 315.Ar checkpt 316while performing DH candidate screening using the 317.Fl T 318option. 319This will be used to skip lines in the input file that have already been 320processed if the job is restarted. 321This option allows importing keys from other software, including several 322commercial SSH implementations. 323The default import format is 324.Dq RFC4716 . 325.It Fl L 326Prints the contents of a certificate. 327.It Fl l 328Show fingerprint of specified public key file. 329Private RSA1 keys are also supported. 330For RSA and DSA keys 331.Nm 332tries to find the matching public key file and prints its fingerprint. 333If combined with 334.Fl v , 335an ASCII art representation of the key is supplied with the fingerprint. 336.It Fl M Ar memory 337Specify the amount of memory to use (in megabytes) when generating 338candidate moduli for DH-GEX. 339.It Fl m Ar key_format 340Specify a key format for the 341.Fl i 342(import) or 343.Fl e 344(export) conversion options. 345The supported key formats are: 346.Dq RFC4716 347(RFC 4716/SSH2 public or private key), 348.Dq PKCS8 349(PEM PKCS8 public key) 350or 351.Dq PEM 352(PEM public key). 353The default conversion format is 354.Dq RFC4716 . 355.It Fl N Ar new_passphrase 356Provides the new passphrase. 357.It Fl n Ar principals 358Specify one or more principals (user or host names) to be included in 359a certificate when signing a key. 360Multiple principals may be specified, separated by commas. 361Please see the 362.Sx CERTIFICATES 363section for details. 364.It Fl O Ar option 365Specify a certificate option when signing a key. 366This option may be specified multiple times. 367Please see the 368.Sx CERTIFICATES 369section for details. 370The options that are valid for user certificates are: 371.Bl -tag -width Ds 372.It Ic clear 373Clear all enabled permissions. 374This is useful for clearing the default set of permissions so permissions may 375be added individually. 376.It Ic force-command Ns = Ns Ar command 377Forces the execution of 378.Ar command 379instead of any shell or command specified by the user when 380the certificate is used for authentication. 381.It Ic no-agent-forwarding 382Disable 383.Xr ssh-agent 1 384forwarding (permitted by default). 385.It Ic no-port-forwarding 386Disable port forwarding (permitted by default). 387.It Ic no-pty 388Disable PTY allocation (permitted by default). 389.It Ic no-user-rc 390Disable execution of 391.Pa ~/.ssh/rc 392by 393.Xr sshd 8 394(permitted by default). 395.It Ic no-x11-forwarding 396Disable X11 forwarding (permitted by default). 397.It Ic permit-agent-forwarding 398Allows 399.Xr ssh-agent 1 400forwarding. 401.It Ic permit-port-forwarding 402Allows port forwarding. 403.It Ic permit-pty 404Allows PTY allocation. 405.It Ic permit-user-rc 406Allows execution of 407.Pa ~/.ssh/rc 408by 409.Xr sshd 8 . 410.It Ic permit-x11-forwarding 411Allows X11 forwarding. 412.It Ic source-address Ns = Ns Ar address_list 413Restrict the source addresses from which the certificate is considered valid. 414The 415.Ar address_list 416is a comma-separated list of one or more address/netmask pairs in CIDR 417format. 418.El 419.Pp 420At present, no options are valid for host keys. 421.It Fl P Ar passphrase 422Provides the (old) passphrase. 423.It Fl p 424Requests changing the passphrase of a private key file instead of 425creating a new private key. 426The program will prompt for the file 427containing the private key, for the old passphrase, and twice for the 428new passphrase. 429.It Fl q 430Silence 431.Nm ssh-keygen . 432.It Fl R Ar hostname 433Removes all keys belonging to 434.Ar hostname 435from a 436.Pa known_hosts 437file. 438This option is useful to delete hashed hosts (see the 439.Fl H 440option above). 441.It Fl r Ar hostname 442Print the SSHFP fingerprint resource record named 443.Ar hostname 444for the specified public key file. 445.It Fl S Ar start 446Specify start point (in hex) when generating candidate moduli for DH-GEX. 447.It Fl s Ar ca_key 448Certify (sign) a public key using the specified CA key. 449Please see the 450.Sx CERTIFICATES 451section for details. 452.It Fl T Ar output_file 453Test DH group exchange candidate primes (generated using the 454.Fl G 455option) for safety. 456.It Fl t Ar type 457Specifies the type of key to create. 458The possible values are 459.Dq rsa1 460for protocol version 1 and 461.Dq dsa , 462.Dq ecdsa 463or 464.Dq rsa 465for protocol version 2. 466.It Fl V Ar validity_interval 467Specify a validity interval when signing a certificate. 468A validity interval may consist of a single time, indicating that the 469certificate is valid beginning now and expiring at that time, or may consist 470of two times separated by a colon to indicate an explicit time interval. 471The start time may be specified as a date in YYYYMMDD format, a time 472in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting 473of a minus sign followed by a relative time in the format described in the 474.Sx TIME FORMATS 475section of 476.Xr sshd_config 5 . 477The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or 478a relative time starting with a plus character. 479.Pp 480For example: 481.Dq +52w1d 482(valid from now to 52 weeks and one day from now), 483.Dq -4w:+4w 484(valid from four weeks ago to four weeks from now), 485.Dq 20100101123000:20110101123000 486(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), 487.Dq -1d:20110101 488(valid from yesterday to midnight, January 1st, 2011). 489.It Fl v 490Verbose mode. 491Causes 492.Nm 493to print debugging messages about its progress. 494This is helpful for debugging moduli generation. 495Multiple 496.Fl v 497options increase the verbosity. 498The maximum is 3. 499.It Fl W Ar generator 500Specify desired generator when testing candidate moduli for DH-GEX. 501.It Fl y 502This option will read a private 503OpenSSH format file and print an OpenSSH public key to stdout. 504.It Fl z Ar serial_number 505Specifies a serial number to be embedded in the certificate to distinguish 506this certificate from others from the same CA. 507The default serial number is zero. 508.El 509.Sh MODULI GENERATION 510.Nm 511may be used to generate groups for the Diffie-Hellman Group Exchange 512(DH-GEX) protocol. 513Generating these groups is a two-step process: first, candidate 514primes are generated using a fast, but memory intensive process. 515These candidate primes are then tested for suitability (a CPU-intensive 516process). 517.Pp 518Generation of primes is performed using the 519.Fl G 520option. 521The desired length of the primes may be specified by the 522.Fl b 523option. 524For example: 525.Pp 526.Dl # ssh-keygen -G moduli-2048.candidates -b 2048 527.Pp 528By default, the search for primes begins at a random point in the 529desired length range. 530This may be overridden using the 531.Fl S 532option, which specifies a different start point (in hex). 533.Pp 534Once a set of candidates have been generated, they must be screened for 535suitability. 536This may be performed using the 537.Fl T 538option. 539In this mode 540.Nm 541will read candidates from standard input (or a file specified using the 542.Fl f 543option). 544For example: 545.Pp 546.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates 547.Pp 548By default, each candidate will be subjected to 100 primality tests. 549This may be overridden using the 550.Fl a 551option. 552The DH generator value will be chosen automatically for the 553prime under consideration. 554If a specific generator is desired, it may be requested using the 555.Fl W 556option. 557Valid generator values are 2, 3, and 5. 558.Pp 559Screened DH groups may be installed in 560.Pa /etc/moduli . 561It is important that this file contains moduli of a range of bit lengths and 562that both ends of a connection share common moduli. 563.Sh CERTIFICATES 564.Nm 565supports signing of keys to produce certificates that may be used for 566user or host authentication. 567Certificates consist of a public key, some identity information, zero or 568more principal (user or host) names and a set of options that 569are signed by a Certification Authority (CA) key. 570Clients or servers may then trust only the CA key and verify its signature 571on a certificate rather than trusting many user/host keys. 572Note that OpenSSH certificates are a different, and much simpler, format to 573the X.509 certificates used in 574.Xr ssl 8 . 575.Pp 576.Nm 577supports two types of certificates: user and host. 578User certificates authenticate users to servers, whereas host certificates 579authenticate server hosts to users. 580To generate a user certificate: 581.Pp 582.Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub 583.Pp 584The resultant certificate will be placed in 585.Pa /path/to/user_key-cert.pub . 586A host certificate requires the 587.Fl h 588option: 589.Pp 590.Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub 591.Pp 592The host certificate will be output to 593.Pa /path/to/host_key-cert.pub . 594.Pp 595It is possible to sign using a CA key stored in a PKCS#11 token by 596providing the token library using 597.Fl D 598and identifying the CA key by providing its public half as an argument 599to 600.Fl s : 601.Pp 602.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub 603.Pp 604In all cases, 605.Ar key_id 606is a "key identifier" that is logged by the server when the certificate 607is used for authentication. 608.Pp 609Certificates may be limited to be valid for a set of principal (user/host) 610names. 611By default, generated certificates are valid for all users or hosts. 612To generate a certificate for a specified set of principals: 613.Pp 614.Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub 615.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" 616.Pp 617Additional limitations on the validity and use of user certificates may 618be specified through certificate options. 619A certificate option may disable features of the SSH session, may be 620valid only when presented from particular source addresses or may 621force the use of a specific command. 622For a list of valid certificate options, see the documentation for the 623.Fl O 624option above. 625.Pp 626Finally, certificates may be defined with a validity lifetime. 627The 628.Fl V 629option allows specification of certificate start and end times. 630A certificate that is presented at a time outside this range will not be 631considered valid. 632By default, certificates have a maximum validity interval. 633.Pp 634For certificates to be used for user or host authentication, the CA 635public key must be trusted by 636.Xr sshd 8 637or 638.Xr ssh 1 . 639Please refer to those manual pages for details. 640.Sh FILES 641.Bl -tag -width Ds -compact 642.It Pa ~/.ssh/identity 643Contains the protocol version 1 RSA authentication identity of the user. 644This file should not be readable by anyone but the user. 645It is possible to 646specify a passphrase when generating the key; that passphrase will be 647used to encrypt the private part of this file using 3DES. 648This file is not automatically accessed by 649.Nm 650but it is offered as the default file for the private key. 651.Xr ssh 1 652will read this file when a login attempt is made. 653.Pp 654.It Pa ~/.ssh/identity.pub 655Contains the protocol version 1 RSA public key for authentication. 656The contents of this file should be added to 657.Pa ~/.ssh/authorized_keys 658on all machines 659where the user wishes to log in using RSA authentication. 660There is no need to keep the contents of this file secret. 661.Pp 662.It Pa ~/.ssh/id_dsa 663.It Pa ~/.ssh/id_ecdsa 664.It Pa ~/.ssh/id_rsa 665Contains the protocol version 2 DSA, ECDSA or RSA authentication identity of the user. 666This file should not be readable by anyone but the user. 667It is possible to 668specify a passphrase when generating the key; that passphrase will be 669used to encrypt the private part of this file using 128-bit AES. 670This file is not automatically accessed by 671.Nm 672but it is offered as the default file for the private key. 673.Xr ssh 1 674will read this file when a login attempt is made. 675.Pp 676.It Pa ~/.ssh/id_dsa.pub 677.It Pa ~/.ssh/id_ecdsa.pub 678.It Pa ~/.ssh/id_rsa.pub 679Contains the protocol version 2 DSA, ECDSA or RSA public key for authentication. 680The contents of this file should be added to 681.Pa ~/.ssh/authorized_keys 682on all machines 683where the user wishes to log in using public key authentication. 684There is no need to keep the contents of this file secret. 685.Pp 686.It Pa /etc/moduli 687Contains Diffie-Hellman groups used for DH-GEX. 688The file format is described in 689.Xr moduli 5 . 690.El 691.Sh SEE ALSO 692.Xr ssh 1 , 693.Xr ssh-add 1 , 694.Xr ssh-agent 1 , 695.Xr moduli 5 , 696.Xr sshd 8 697.Rs 698.%R RFC 4716 699.%T "The Secure Shell (SSH) Public Key File Format" 700.%D 2006 701.Re 702.Sh AUTHORS 703OpenSSH is a derivative of the original and free 704ssh 1.2.12 release by Tatu Ylonen. 705Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 706Theo de Raadt and Dug Song 707removed many bugs, re-added newer features and 708created OpenSSH. 709Markus Friedl contributed the support for SSH 710protocol versions 1.5 and 2.0. 711