SYNOPSIS
     ssh-keygen [-dq] [-b bits] [-N new_passphrase] [-C comment] [-f output_keyfile]
     ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
     ssh-keygen -x [-f input_keyfile]
     ssh-keygen -X [-f input_keyfile]
     ssh-keygen -y [-f input_keyfile]
     ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
     ssh-keygen -l [-f input_keyfile]
     ssh-keygen -R
DESCRIPTION
     ssh-keygen generates and manages authentication keys for ssh(1).  ssh-keygen
     defaults to generating an RSA key for use by protocols 1.3 and 1.5;
     specifying the -d flag will create a DSA key instead for use by protocol
     2.0.

     Normally each user wishing to use SSH with RSA or DSA authentication runs
     this once to create the authentication key in $HOME/.ssh/identity or
     $HOME/.ssh/id_dsa.  Additionally, the system administrator may use this to
     generate host keys, as seen in /etc/rc.

     Normally this program generates the key and asks for a file in which to
     store the private key.  The public key is stored in a file with the same
     name but ``.pub'' appended.  The program also asks for a passphrase.  The
     passphrase may be empty to indicate no passphrase (host keys must have an
     empty passphrase), or it may be a string of arbitrary length.  Good
     passphrases are 10-30 characters long and are not simple sentences or
     otherwise easily guessable (English prose has only 1-2 bits of entropy per
     word, and provides very bad passphrases).  The passphrase can be changed
     later by using the -p option.

     There is no way to recover a lost passphrase.  If the passphrase is lost
     or forgotten, you will have to generate a new key and copy the corre-
     be placed to be activated.
     The options are as follows:

     -b bits
             Specifies the number of bits in the key to create.  Minimum is 512
             bits.  Generally 1024 bits is considered sufficient, and key sizes
             above that no longer improve security but make things slower.  The
             default is 1024 bits.

     -c      Requests changing the comment in the private and public key files.
             The program will prompt for the file containing the private keys,
             for the passphrase if the key has one, and for the new comment.

     -f      Specifies the filename of the key file.

     -l      Shows the fingerprint of the specified private or public key file.

     -p      Requests changing the passphrase of a private key file instead of
             creating a new private key.  The program will prompt for the file
             containing the private key, for the old passphrase, and twice for
             the new passphrase.

     -q      Silences ssh-keygen.  Used by /etc/rc when creating a new key.

     -C comment
             Provides the new comment.

     -N new_passphrase
             Provides the new passphrase.

     -P passphrase
             Provides the (old) passphrase.

     -R      If RSA support is functional, immediately exits with code 0.  If
             RSA support is not functional, exits with code 1.  This flag will
             be removed once the RSA patent expires.
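     The following script is an added example and is not part of this man page
     or of OpenSSH.  It drives ssh-keygen non-interactively with the flags
     documented above (-q, -b, -N, -C, -f, -l, -y, -p, -P, -c) to generate a
     key pair, verify the ``.pub'' companion file, print the fingerprint,
     change the passphrase and then change the comment.  It assumes a current
     OpenSSH ssh-keygen is installed; the -t flag it passes is not on this 1999
     page (that version produced RSA keys by default) but later releases need
     it to select RSA so that -b applies.  The comment strings and the
     passphrase are constructed for the demonstration, and the flags whose
     meaning changed in later releases (-d, -x, -X, -R) are deliberately not
     used.

```shell
#!/bin/sh
# Added example (not part of the man page): non-interactive use of ssh-keygen
# with the documented flags.  Assumes a current OpenSSH ssh-keygen; "-t rsa" is
# a later-release flag (not on the 1999 page) used here so the key is RSA and
# -b applies.  Comments and passphrase below are constructed for the demo.
set -u

# keygen_demo DIR: create a key pair under DIR, check the .pub companion file,
# read the fingerprint, change the passphrase, then change the comment.
# Returns 0 on success, 1 on the first failed check; prints SKIP and returns 0
# when ssh-keygen is not installed.
keygen_demo() {
    dir=$1
    key="$dir/id_rsa"            # private key; the public half is "$key.pub"
    newpass="demo-passphrase-1"  # constructed; real ones: 10-30 chars, not prose

    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "SKIP: ssh-keygen not installed"
        return 0
    fi

    # 1. Generate.  -q silences the chatter, -N "" sets an empty passphrase
    #    (what a host key needs), -C sets the comment, -f names the output file.
    ssh-keygen -q -t rsa -b 2048 -N "" -C "example@host" -f "$key" || return 1

    # The public key is written to the same name with .pub appended.
    [ -f "$key" ] && [ -f "$key.pub" ] || return 1

    # 2. -l prints "<bits> <fingerprint> <comment> (<type>)"; check the size.
    bits=$(ssh-keygen -l -f "$key.pub" | cut -d' ' -f1)
    [ "$bits" = "2048" ] || return 1

    # 3. -y recomputes the public key from the private file; it must match the
    #    stored .pub (compare type and key material, ignore the comment field).
    derived=$(ssh-keygen -y -f "$key" | cut -d' ' -f1,2)
    stored=$(cut -d' ' -f1,2 "$key.pub")
    [ "$derived" = "$stored" ] || return 1

    # 4. -p changes the passphrase: -P gives the old one (empty), -N the new one.
    ssh-keygen -q -p -P "" -N "$newpass" -f "$key" || return 1

    # The private key must no longer open with the empty passphrase ...
    if ssh-keygen -y -P "" -f "$key" >/dev/null 2>&1; then
        echo "FAIL: key still opens without a passphrase"
        return 1
    fi
    # ... but must open with the new one.
    ssh-keygen -y -P "$newpass" -f "$key" >/dev/null 2>&1 || return 1

    # 5. -c rewrites the comment; -P unlocks the key, -C supplies the new text.
    ssh-keygen -q -c -P "$newpass" -C "rotated-key" -f "$key" >/dev/null || return 1
    [ "$(cut -d' ' -f3 "$key.pub")" = "rotated-key" ] || return 1

    echo "ok: $key and $key.pub"
    return 0
}

# Usage: sh keygen_demo.sh --run
if [ "${1:-}" = "--run" ]; then
    tmp=$(mktemp -d) || exit 1
    keygen_demo "$tmp"
    rc=$?
    rm -rf "$tmp"
    exit $rc
fi
```

     Every step is checked rather than trusted: the -y output is compared with
     the stored public key, and the passphrase change is confirmed by showing
     that the empty passphrase no longer unlocks the key while the new one does.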
FILES
     $HOME/.ssh/identity
             Contains the RSA authentication identity of the user.  This file
             should not be readable by anyone but the user.  It is possible to
             specify a passphrase when generating the key; that passphrase will
             be used to encrypt the private part of this file using 3DES.  This
             file is not automatically accessed by ssh-keygen but it is offered
             as the default file for the private key.  sshd(8) will read this
             file when a login attempt is made.

     $HOME/.ssh/identity.pub
             Contains the public key for authentication.  The contents of this
             file should be added to $HOME/.ssh/authorized_keys on all machines
             where you wish to log in using RSA authentication.  There is no
             need to keep the contents of this file secret.

     $HOME/.ssh/id_dsa
             Contains the DSA authentication identity of the user.  This file
             should not be readable by anyone but the user.  It is possible to
             specify a passphrase when generating the key; that passphrase will
             be used to encrypt the private part of this file using 3DES.  This
             file is not automatically accessed by ssh-keygen but it is offered
             as the default file for the private key.  sshd(8) will read this
             file when a login attempt is made.

     $HOME/.ssh/id_dsa.pub
             Contains the public key for authentication.  The contents of this
             file should be added to $HOME/.ssh/authorized_keys2 on all machines
             where you wish to log in using DSA authentication.  There is no
             need to keep the contents of this file secret.
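     The following script is an added example and is not part of this man page
     or of OpenSSH.  It shows the two file-handling rules above in code:
     appending a public key to an authorized_keys file (without duplicating a
     key that is already listed, and with the directory and file readable only
     by the owner), and checking that a private key file is not readable by
     anyone but the user.  The public key line it installs is a constructed
     placeholder with dummy key material, not a real key; ssh-keygen is not
     required.

```shell
#!/bin/sh
# Added example (not part of the man page): install a public key into
# authorized_keys as the FILES section describes, and check the permission
# rule it gives for the private key file.  The public key line below is a
# constructed placeholder, not real key material.
set -u

# Constructed sample line in authorized_keys format: type, base64 body
# (dummy bytes here), comment.
SAMPLE_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAEXAMPLEKEYNOTREALbm90cmVhbA== user@client'

# install_pubkey PUBLINE AUTHFILE: append PUBLINE to AUTHFILE unless the same
# key material (type and base64 body; the comment is ignored) is already
# listed.  Creates the directory and file owner-only.  Prints "added" or
# "present".
install_pubkey() {
    publine=$1
    authfile=$2
    material=$(printf '%s\n' "$publine" | cut -d' ' -f1,2)
    sshdir=$(dirname "$authfile")

    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    [ -f "$authfile" ] || : > "$authfile"
    chmod 600 "$authfile" || return 1

    if cut -d' ' -f1,2 "$authfile" | grep -Fxq -- "$material"; then
        echo present
    else
        printf '%s\n' "$publine" >> "$authfile"
        echo added
    fi
}

# private_key_perms_ok FILE: succeed only if FILE grants no permission bits
# to group or others (e.g. mode 0600 or 0400), the rule the FILES section
# states for identity and id_dsa.  Reads the ls mode string so it works with
# both GNU and BSD userland.
private_key_perms_ok() {
    case $(ls -ld "$1" 2>/dev/null) in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Usage: sh install_pubkey.sh --run
if [ "${1:-}" = "--run" ]; then
    home=$(mktemp -d) || exit 1
    install_pubkey "$SAMPLE_PUB" "$home/.ssh/authorized_keys"   # prints: added
    install_pubkey "$SAMPLE_PUB" "$home/.ssh/authorized_keys"   # prints: present
    : > "$home/id_rsa" && chmod 600 "$home/id_rsa"
    private_key_perms_ok "$home/id_rsa" && echo "id_rsa permissions ok"
    rm -rf "$home"
fi
```

     Matching on the type and key material rather than the whole line means a
     key re-sent with a different comment is still recognised as already
     installed.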
AUTHOR
     Tatu Ylonen <ylo@cs.hut.fi>

     o has been updated to support ssh protocol 1.5.
     o contains added support for kerberos(8) authentication and ticket passing.
     o supports one-time password authentication with skey(1).

SEE ALSO
     ssh(1), ssh-add(1), ssh-agent(1), sshd(8), crypto(3)
BSD Experimental September 25, 1999