1.\" -*- nroff -*- 2.\" 3.\" ssh-keygen.1 4.\" 5.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 6.\" 7.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 8.\" All rights reserved 9.\" 10.\" Created: Sat Apr 22 23:55:14 1995 ylo 11.\" 12.\" $Id: ssh-keygen.1,v 1.11 2000/01/22 02:17:50 aaron Exp $ 13.\" 14.Dd September 25, 1999 15.Dt SSH-KEYGEN 1 16.Os 17.Sh NAME 18.Nm ssh-keygen 19.Nd authentication key generation 20.Sh SYNOPSIS 21.Nm ssh-keygen 22.Op Fl q 23.Op Fl b Ar bits 24.Op Fl N Ar new_passphrase 25.Op Fl C Ar comment 26.Op Fl f Ar keyfile 27.Nm ssh-keygen 28.Fl p 29.Op Fl P Ar old_passphrase 30.Op Fl N Ar new_passphrase 31.Op Fl f Ar keyfile 32.Nm ssh-keygen 33.Fl c 34.Op Fl P Ar passphrase 35.Op Fl C Ar comment 36.Op Fl f Ar keyfile 37.Nm ssh-keygen 38.Fl l 39.Op Fl f Ar keyfile 40.Sh DESCRIPTION 41.Nm 42generates and manages authentication keys for 43.Xr ssh 1 . 44Normally each user wishing to use SSH 45with RSA authentication runs this once to create the authentication 46key in 47.Pa $HOME/.ssh/identity . 48Additionally, the system administrator may use this to generate host keys. 49.Pp 50Normally this program generates the key and asks for a file in which 51to store the private key. The public key is stored in a file with the 52same name but 53.Dq .pub 54appended. The program also asks for a 55passphrase. The passphrase may be empty to indicate no passphrase 56(host keys must have empty passphrase), or it may be a string of 57arbitrary length. Good passphrases are 10-30 characters long and are 58not simple sentences or otherwise easily guessable (English 59prose has only 1-2 bits of entropy per word, and provides very bad 60passphrases). The passphrase can be changed later by using the 61.Fl p 62option. 63.Pp 64There is no way to recover a lost passphrase. If the passphrase is 65lost or forgotten, you will have to generate a new key and copy the 66corresponding public key to other machines. 67.Pp 68There is also a comment field in the key file that is only for 69convenience to the user to help identify the key. The comment can 70tell what the key is for, or whatever is useful. The comment is 71initialized to 72.Dq user@host 73when the key is created, but can be changed using the 74.Fl c 75option. 76.Pp 77The options are as follows: 78.Bl -tag -width Ds 79.It Fl b Ar bits 80Specifies the number of bits in the key to create. Minimum is 512 81bits. Generally 1024 bits is considered sufficient, and key sizes 82above that no longer improve security but make things slower. The 83default is 1024 bits. 84.It Fl c 85Requests changing the comment in the private and public key files. 86The program will prompt for the file containing the private keys, for 87passphrase if the key has one, and for the new comment. 88.It Fl f 89Specifies the filename of the key file. 90.It Fl l 91Show fingerprint of specified private or public key file. 92.It Fl p 93Requests changing the passphrase of a private key file instead of 94creating a new private key. The program will prompt for the file 95containing the private key, for the old passphrase, and twice for the 96new passphrase. 97.It Fl q 98Silence 99.Nm ssh-keygen . 100Used by 101.Pa /etc/rc 102when creating a new key. 103.It Fl C Ar comment 104Provides the new comment. 105.It Fl N Ar new_passphrase 106Provides the new passphrase. 107.It Fl P Ar passphrase 108Provides the (old) passphrase. 109.El 110.Sh FILES 111.Bl -tag -width Ds 112.It Pa $HOME/.ssh/identity 113Contains the RSA authentication identity of the user. This file 114should not be readable by anyone but the user. It is possible to 115specify a passphrase when generating the key; that passphrase will be 116used to encrypt the private part of this file using 3DES. This file 117is not automatically accessed by 118.Nm 119but it is offered as the default file for the private key. 120.It Pa $HOME/.ssh/identity.pub 121Contains the public key for authentication. The contents of this file 122should be added to 123.Pa $HOME/.ssh/authorized_keys 124on all machines 125where you wish to log in using RSA authentication. There is no 126need to keep the contents of this file secret. 127.Sh AUTHOR 128Tatu Ylonen <ylo@cs.hut.fi> 129.Pp 130OpenSSH 131is a derivative of the original (free) ssh 1.2.12 release, but with bugs 132removed and newer features re-added. Rapidly after the 1.2.12 release, 133newer versions bore successively more restrictive licenses. This version 134of OpenSSH 135.Bl -bullet 136.It 137has all components of a restrictive nature (i.e., patents, see 138.Xr ssl 8 ) 139directly removed from the source code; any licensed or patented components 140are chosen from 141external libraries. 142.It 143has been updated to support ssh protocol 1.5. 144.It 145contains added support for 146.Xr kerberos 8 147authentication and ticket passing. 148.It 149supports one-time password authentication with 150.Xr skey 1 . 151.El 152.Pp 153The libraries described in 154.Xr ssl 8 155are required for proper operation. 156.Sh SEE ALSO 157.Xr ssh 1 , 158.Xr ssh-add 1 , 159.Xr ssh-agent 1 , 160.Xr sshd 8 , 161.Xr ssl 8 162