1 .TH SSH-KEYGEN 1 "February 5 2014 " ""
4 \- authentication key generation, management and conversion
10 [\fB\-t\fP \fItype\fP]
11 [\fB\-N\fP \fInew_passphrase\fP]
12 [\fB\-C\fP \fIcomment\fP]
13 [\fB\-f\fP \fIoutput_keyfile\fP]
17 [\fB\-P\fP \fIold_passphrase\fP]
18 [\fB\-N\fP \fInew_passphrase\fP]
19 [\fB\-f\fP \fIkeyfile\fP]
23 [\fB\-m\fP \fIkey_format\fP]
24 [\fB\-f\fP \fIinput_keyfile\fP]
28 [\fB\-m\fP \fIkey_format\fP]
29 [\fB\-f\fP \fIinput_keyfile\fP]
33 [\fB\-f\fP \fIinput_keyfile\fP]
37 [\fB\-P\fP \fIpassphrase\fP]
38 [\fB\-C\fP \fIcomment\fP]
39 [\fB\-f\fP \fIkeyfile\fP]
43 [\fB\-f\fP \fIinput_keyfile\fP]
47 [\fB\-f\fP \fIinput_keyfile\fP]
50 \fB\-D\fP \fIpkcs11\fP
53 \fB\-F\fP \fIhostname\fP
54 [\fB\-f\fP \fIknown_hosts_file\fP]
59 [\fB\-f\fP \fIknown_hosts_file\fP]
62 \fB\-R\fP \fIhostname\fP
63 [\fB\-f\fP \fIknown_hosts_file\fP]
66 \fB\-r\fP \fIhostname\fP
67 [\fB\-f\fP \fIinput_keyfile\fP]
71 \fB\-G\fP \fIoutput_file\fP
73 [\fB\-b\fP \fIbits\fP]
74 [\fB\-M\fP \fImemory\fP]
75 [\fB\-S\fP \fIstart_point\fP]
78 \fB\-T\fP \fIoutput_file\fP
79 \fB\-f\fP \fIinput_file\fP
81 [\fB\-a\fP \fIrounds\fP]
82 [\fB\-J\fP \fInum_lines\fP]
83 [\fB\-j\fP \fIstart_line\fP]
84 [\fB\-K\fP \fIcheckpt\fP]
85 [\fB\-W\fP \fIgenerator\fP]
88 \fB\-s\fP \fIca_key\fP
89 \fB\-I\fP \fIcertificate_identity\fP
91 [\fB\-n\fP \fIprincipals\fP]
92 [\fB\-O\fP \fIoption\fP]
93 [\fB\-V\fP \fIvalidity_interval\fP]
94 [\fB\-z\fP \fIserial_number\fP]
99 [\fB\-f\fP \fIinput_keyfile\fP]
106 \fB\-f\fP \fIkrl_file\fP
108 [\fB\-s\fP \fIca_public\fP]
109 [\fB\-z\fP \fIversion_number\fP]
114 \fB\-f\fP \fIkrl_file\fP
118 generates, manages and converts authentication keys for
121 can create RSA keys for use by SSH protocol version 1 and
122 DSA, ECDSA, ED25519 or RSA keys for use by SSH protocol version 2.
123 The type of key to be generated is specified with the
126 If invoked without any arguments,
128 will generate an RSA key for use in SSH protocol 2 connections.
131 is also used to generate groups for use in Diffie-Hellman group
139 can be used to generate and update Key Revocation Lists, and to test whether
140 given keys have been revoked by one.
142 .B KEY REVOCATION LISTS
145 Normally each user wishing to use SSH
146 with public key authentication runs this once to create the authentication
148 \fI~/.ssh/identity\fP,
150 \fI~/.ssh/id_ecdsa\fP,
151 \fI~/.ssh/id_ed25519\fP
154 Additionally, the system administrator may use this to generate host keys,
158 Normally this program generates the key and asks for a file in which
159 to store the private key.
160 The public key is stored in a file with the same name but
163 The program also asks for a passphrase.
164 The passphrase may be empty to indicate no passphrase
165 (host keys must have an empty passphrase), or it may be a string of
167 A passphrase is similar to a password, except it can be a phrase with a
168 series of words, punctuation, numbers, whitespace, or any string of
170 Good passphrases are 10-30 characters long, are
171 not simple sentences or otherwise easily guessable (English
172 prose has only 1-2 bits of entropy per character, and provides very bad
173 passphrases), and contain a mix of upper and lowercase letters,
174 numbers, and non-alphanumeric characters.
175 The passphrase can be changed later by using the
179 There is no way to recover a lost passphrase.
180 If the passphrase is lost or forgotten, a new key must be generated
181 and the corresponding public key copied to other machines.
184 there is also a comment field in the key file that is only for
185 convenience to the user to help identify the key.
186 The comment can tell what the key is for, or whatever is useful.
187 The comment is initialized to
189 when the key is created, but can be changed using the
193 After a key is generated, instructions below detail where the keys
194 should be placed to be activated.
196 The options are as follows:
199 For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519)
201 do not exist, generate the host keys with the default key file path,
202 an empty passphrase, default bits for the key type, and default comment.
205 to generate new host keys.
207 \fB\-a\fP \fIrounds\fP
208 When saving a new-format private key (i.e. an ed25519 key or any SSH protocol
211 flag is set), this option specifies the number of KDF (key derivation function)
213 Higher numbers result in slower passphrase verification and increased
214 resistance to brute-force password cracking (should the keys be stolen).
216 When screening DH-GEX candidates (
220 This option specifies the number of primality tests to perform.
223 Show the bubblebabble digest of specified private or public key file.
226 Specifies the number of bits in the key to create.
227 For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
228 Generally, 2048 bits is considered sufficient.
229 DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
232 flag determines the key length by selecting from one of three elliptic
233 curve sizes: 256, 384 or 521 bits.
234 Attempting to use bit lengths other than these three values for ECDSA keys
236 ED25519 keys have a fixed length and the
238 flag will be ignored.
240 \fB\-C\fP \fIcomment\fP
241 Provides a new comment.
244 Requests changing the comment in the private and public key files.
245 This operation is only supported for RSA1 keys.
246 The program will prompt for the file containing the private keys, for
247 the passphrase if the key has one, and for the new comment.
249 \fB\-D\fP \fIpkcs11\fP
250 Download the RSA public keys provided by the PKCS#11 shared library
252 When used in combination with
254 this option indicates that a CA key resides in a PKCS#11 token (see the
256 section for details).
259 This option will read a private or public OpenSSH key file and
260 print to stdout the key in one of the formats specified by the
263 The default export format is
265 This option allows exporting OpenSSH keys for use by other programs, including
266 several commercial SSH implementations.
268 \fB\-F\fP \fIhostname\fP
269 Search for the specified
273 file, listing any occurrences found.
274 This option is useful to find hashed host names or addresses and may also be
275 used in conjunction with the
277 option to print found keys in a hashed format.
279 \fB\-f\fP \fIfilename\fP
280 Specifies the filename of the key file.
282 \fB\-G\fP \fIoutput_file\fP
283 Generate candidate primes for DH-GEX.
284 These primes must be screened for
290 Use generic DNS format when printing fingerprint resource records using the
298 This replaces all hostnames and addresses with hashed representations
299 within the specified file; the original content is moved to a file with
301 These hashes may be used normally by
305 but they do not reveal identifying information should the file's contents
307 This option will not modify existing hashed hostnames and is therefore safe
308 to use on files that mix hashed and non-hashed names.
311 When signing a key, create a host certificate instead of a user
317 \fB\-I\fP \fIcertificate_identity\fP
318 Specify the key identity when signing a public key.
324 This option will read an unencrypted private (or public) key file
325 in the format specified by the
327 option and print an OpenSSH compatible private
328 (or public) key to stdout.
330 \fB\-J\fP \fInum_lines\fP
331 Exit after screening the specified number of lines
332 while performing DH candidate screening using the
336 \fB\-j\fP \fIstart_line\fP
337 Start screening at the specified line number
338 while performing DH candidate screening using the
342 \fB\-K\fP \fIcheckpt\fP
343 Write the last line processed to the file
345 while performing DH candidate screening using the
348 This will be used to skip lines in the input file that have already been
349 processed if the job is restarted.
350 This option allows importing keys from other software, including several
351 commercial SSH implementations.
352 The default import format is
359 will generate a KRL file at the location specified via the
361 flag that revokes every key or certificate presented on the command line.
362 Keys/certificates to be revoked may be specified by public key file or
363 using the format described in the
364 .B KEY REVOCATION LISTS
368 Prints the contents of a certificate.
371 Show fingerprint of specified public key file.
372 Private RSA1 keys are also supported.
375 tries to find the matching public key file and prints its fingerprint.
378 an ASCII art representation of the key is supplied with the fingerprint.
380 \fB\-M\fP \fImemory\fP
381 Specify the amount of memory to use (in megabytes) when generating
382 candidate moduli for DH-GEX.
384 \fB\-m\fP \fIkey_format\fP
385 Specify a key format for the
389 (export) conversion options.
390 The supported key formats are:
392 (RFC 4716/SSH2 public or private key),
394 (PEM PKCS8 public key)
398 The default conversion format is
401 \fB\-N\fP \fInew_passphrase\fP
402 Provides the new passphrase.
404 \fB\-n\fP \fIprincipals\fP
405 Specify one or more principals (user or host names) to be included in
406 a certificate when signing a key.
407 Multiple principals may be specified, separated by commas.
412 \fB\-O\fP \fIoption\fP
413 Specify a certificate option when signing a key.
414 This option may be specified multiple times.
418 The options that are valid for user certificates are:
421 Clear all enabled permissions.
422 This is useful for clearing the default set of permissions so permissions may
423 be added individually.
425 \fBforce-command Ns = Ns \fIcommand\fP\fP
426 Forces the execution of
428 instead of any shell or command specified by the user when
429 the certificate is used for authentication.
431 \fBno-agent-forwarding\fP
434 forwarding (permitted by default).
436 \fBno-port-forwarding\fP
437 Disable port forwarding (permitted by default).
440 Disable PTY allocation (permitted by default).
447 (permitted by default).
449 \fBno-x11-forwarding\fP
450 Disable X11 forwarding (permitted by default).
452 \fBpermit-agent-forwarding\fP
457 \fBpermit-port-forwarding\fP
458 Allows port forwarding.
461 Allows PTY allocation.
469 \fBpermit-x11-forwarding\fP
470 Allows X11 forwarding.
472 \fBsource-address Ns = Ns \fIaddress_list\fP\fP
473 Restrict the source addresses from which the certificate is considered valid.
476 is a comma-separated list of one or more address/netmask pairs in CIDR
479 At present, no options are valid for host keys.
484 to save SSH protocol 2 private keys using the new OpenSSH format rather than
485 the more compatible PEM format.
486 The new format has increased resistance to brute-force password cracking
487 but is not supported by versions of OpenSSH prior to 6.5.
488 Ed25519 keys always use the new private key format.
490 \fB\-P\fP \fIpassphrase\fP
491 Provides the (old) passphrase.
494 Requests changing the passphrase of a private key file instead of
495 creating a new private key.
496 The program will prompt for the file
497 containing the private key, for the old passphrase, and twice for the
501 Test whether keys have been revoked in a KRL.
507 \fB\-R\fP \fIhostname\fP
508 Removes all keys belonging to
513 This option is useful to delete hashed hosts (see the
517 \fB\-r\fP \fIhostname\fP
518 Print the SSHFP fingerprint resource record named
520 for the specified public key file.
522 \fB\-S\fP \fIstart\fP
523 Specify start point (in hex) when generating candidate moduli for DH-GEX.
525 \fB\-s\fP \fIca_key\fP
526 Certify (sign) a public key using the specified CA key.
531 When generating a KRL,
533 specifies a path to a CA public key file used to revoke certificates directly
534 by key ID or serial number.
536 .B KEY REVOCATION LISTS
539 \fB\-T\fP \fIoutput_file\fP
540 Test DH group exchange candidate primes (generated using the
545 Specifies the type of key to create.
546 The possible values are
548 for protocol version 1 and
554 for protocol version 2.
560 keys listed via the command line are added to the existing KRL rather than
561 a new KRL being created.
563 \fB\-V\fP \fIvalidity_interval\fP
564 Specify a validity interval when signing a certificate.
565 A validity interval may consist of a single time, indicating that the
566 certificate is valid beginning now and expiring at that time, or may consist
567 of two times separated by a colon to indicate an explicit time interval.
568 The start time may be specified as a date in YYYYMMDD format, a time
569 in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
570 of a minus sign followed by a relative time in the format described in the
571 TIME FORMATS section of
572 \fBsshd_config\fP(5).
573 The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
574 a relative time starting with a plus character.
578 (valid from now to 52 weeks and one day from now),
580 (valid from four weeks ago to four weeks from now),
581 ``20100101123000:20110101123000''
582 (valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
584 (valid from yesterday to midnight, January 1st, 2011).
590 to print debugging messages about its progress.
591 This is helpful for debugging moduli generation.
594 options increase the verbosity.
597 \fB\-W\fP \fIgenerator\fP
598 Specify desired generator when testing candidate moduli for DH-GEX.
601 This option will read a private
602 OpenSSH format file and print an OpenSSH public key to stdout.
604 \fB\-z\fP \fIserial_number\fP
605 Specifies a serial number to be embedded in the certificate to distinguish
606 this certificate from others from the same CA.
607 The default serial number is zero.
609 When generating a KRL, the
611 flag is used to specify a KRL version number.
612 .SH MODULI GENERATION
614 may be used to generate groups for the Diffie-Hellman Group Exchange
616 Generating these groups is a two-step process: first, candidate
617 primes are generated using a fast, but memory intensive process.
618 These candidate primes are then tested for suitability (a CPU-intensive
621 Generation of primes is performed using the
624 The desired length of the primes may be specified by the
629 Dl # ssh-keygen -G moduli-2048.candidates -b 2048
631 By default, the search for primes begins at a random point in the
632 desired length range.
633 This may be overridden using the
635 option, which specifies a different start point (in hex).
637 Once a set of candidates have been generated, they must be screened for
639 This may be performed using the
644 will read candidates from standard input (or a file specified using the
649 Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
651 By default, each candidate will be subjected to 100 primality tests.
652 This may be overridden using the
655 The DH generator value will be chosen automatically for the
656 prime under consideration.
657 If a specific generator is desired, it may be requested using the
660 Valid generator values are 2, 3, and 5.
662 Screened DH groups may be installed in
663 \fI/etc/ssh/moduli\fP.
664 It is important that this file contains moduli of a range of bit lengths and
665 that both ends of a connection share common moduli.
668 supports signing of keys to produce certificates that may be used for
669 user or host authentication.
670 Certificates consist of a public key, some identity information, zero or
671 more principal (user or host) names and a set of options that
672 are signed by a Certification Authority (CA) key.
673 Clients or servers may then trust only the CA key and verify its signature
674 on a certificate rather than trusting many user/host keys.
675 Note that OpenSSH certificates are a different, and much simpler, format to
676 the X.509 certificates used in
680 supports two types of certificates: user and host.
681 User certificates authenticate users to servers, whereas host certificates
682 authenticate server hosts to users.
683 To generate a user certificate:
685 Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
687 The resultant certificate will be placed in
688 \fI/path/to/user_key-cert.pub\fP.
689 A host certificate requires the
693 Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
695 The host certificate will be output to
696 \fI/path/to/host_key-cert.pub\fP.
698 It is possible to sign using a CA key stored in a PKCS#11 token by
699 providing the token library using
701 and identifying the CA key by providing its public half as an argument
705 Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub
709 is a "key identifier" that is logged by the server when the certificate
710 is used for authentication.
712 Certificates may be limited to be valid for a set of principal (user/host)
714 By default, generated certificates are valid for all users or hosts.
715 To generate a certificate for a specified set of principals:
717 Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
718 Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
720 Additional limitations on the validity and use of user certificates may
721 be specified through certificate options.
722 A certificate option may disable features of the SSH session, may be
723 valid only when presented from particular source addresses or may
724 force the use of a specific command.
725 For a list of valid certificate options, see the documentation for the
729 Finally, certificates may be defined with a validity lifetime.
732 option allows specification of certificate start and end times.
733 A certificate that is presented at a time outside this range will not be
735 By default, certificates are valid from
737 Epoch to the distant future.
739 For certificates to be used for user or host authentication, the CA
740 public key must be trusted by
744 Please refer to those manual pages for details.
745 .SH KEY REVOCATION LISTS
747 is able to manage OpenSSH format Key Revocation Lists (KRLs).
748 These binary files specify keys or certificates to be revoked using a
749 compact format, taking as little as one bit per certificate if they are being
750 revoked by serial number.
752 KRLs may be generated using the
755 This option reads one or more files from the command line and generates a new
757 The files may either contain a KRL specification (see below) or public keys,
759 Plain public keys are revoked by listing their hash or contents in the KRL and
760 certificates revoked by serial number or key ID (if the serial is zero or
763 Revoking keys using a KRL specification offers explicit control over the
764 types of record used to revoke keys and may be used to directly revoke
765 certificates by serial number or key ID without having the complete original
767 A KRL specification consists of lines containing one of the following directives
768 followed by a colon and some directive-specific information.
770 \fBserial\fP: \fIserial_number\fP[-\fIserial_number\fP]
771 Revokes a certificate with the specified serial number.
772 Serial numbers are 64-bit values, not including zero and may be expressed
773 in decimal, hex or octal.
774 If two serial numbers are specified separated by a hyphen, then the range
775 of serial numbers including and between each is revoked.
776 The CA key must have been specified on the
778 command line using the
782 \fBid\fP: \fIkey_id\fP
783 Revokes a certificate with the specified key ID string.
784 The CA key must have been specified on the
786 command line using the
790 \fBkey\fP: \fIpublic_key\fP
791 Revokes the specified key.
792 If a certificate is listed, then it is revoked as a plain public key.
794 \fBsha1\fP: \fIpublic_key\fP
795 Revokes the specified key by its SHA1 hash.
797 KRLs may be updated using the
801 When this option is specified, keys listed via the command line are merged into
802 the KRL, adding to those already there.
804 It is also possible, given a KRL, to test whether it revokes a particular key
808 flag will query an existing KRL, testing each key specified on the commandline.
809 If any key listed on the command line has been revoked (or an error encountered)
812 will exit with a non-zero exit status.
813 A zero exit status will only be returned if no key was revoked.
817 Contains the protocol version 1 RSA authentication identity of the user.
818 This file should not be readable by anyone but the user.
820 specify a passphrase when generating the key; that passphrase will be
821 used to encrypt the private part of this file using 3DES.
822 This file is not automatically accessed by
824 but it is offered as the default file for the private key.
826 will read this file when a login attempt is made.
829 .B ~/.ssh/identity.pub
830 Contains the protocol version 1 RSA public key for authentication.
831 The contents of this file should be added to
832 \fI~/.ssh/authorized_keys\fP
834 where the user wishes to log in using RSA authentication.
835 There is no need to keep the contents of this file secret.
845 Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
846 authentication identity of the user.
847 This file should not be readable by anyone but the user.
849 specify a passphrase when generating the key; that passphrase will be
850 used to encrypt the private part of this file using 128-bit AES.
851 This file is not automatically accessed by
853 but it is offered as the default file for the private key.
855 will read this file when a login attempt is made.
860 .B ~/.ssh/id_ecdsa.pub
862 .B ~/.ssh/id_ed25519.pub
865 Contains the protocol version 2 DSA, ECDSA, ED25519 or RSA
866 public key for authentication.
867 The contents of this file should be added to
868 \fI~/.ssh/authorized_keys\fP
870 where the user wishes to log in using public key authentication.
871 There is no need to keep the contents of this file secret.
875 Contains Diffie-Hellman groups used for DH-GEX.
876 The file format is described in
885 \fIThe Secure Shell (SSH) Public Key File Format\fP, RFC 4716, 2006.
887 OpenSSH is a derivative of the original and free
888 ssh 1.2.12 release by Tatu Ylonen.
889 Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
890 Theo de Raadt and Dug Song
891 removed many bugs, re-added newer features and
893 Markus Friedl contributed the support for SSH
894 protocol versions 1.5 and 2.0.