SYNOPSIS
     ssh-keygen [-q] [-b bits] [-t type] [-N new_passphrase] [-C comment]
                [-f output_keyfile]
     ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
     ssh-keygen -i [-f input_keyfile]
     ssh-keygen -e [-f input_keyfile]
     ssh-keygen -y [-f input_keyfile]
     ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
     ssh-keygen -l [-f input_keyfile]
     ssh-keygen -B [-f input_keyfile]
     ssh-keygen -D reader
     ssh-keygen -U reader [-f input_keyfile]

DESCRIPTION
     ssh-keygen generates, manages and converts authentication keys for
     ssh(1).  ssh-keygen defaults to generating a RSA1 key for use by SSH
     protocol version 1.  Specifying the -t option instead creates a key for
     use by SSH protocol version 2.

     Normally each user wishing to use SSH with RSA or DSA authentication
     runs this once to create the authentication key in $HOME/.ssh/identity,
     $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa.  Additionally, the system
     administrator may use this to generate host keys, as seen in /etc/rc.

     Normally this program generates the key and asks for a file in which to
     store the private key.  The public key is stored in a file with the same
     name but ``.pub'' appended.  The program also asks for a passphrase.  The
     passphrase may be empty to indicate no passphrase (host keys must have an
     empty passphrase), or it may be a string of arbitrary length.  Good
     passphrases are 10-30 characters long and are not simple sentences or
     otherwise easily guessable (English prose has only 1-2 bits of entropy
     per character, and provides very bad passphrases).  The passphrase can be
     changed later by using the -p option.

     There is no way to recover a lost passphrase.  If the

     After a key is generated, instructions below detail where the keys should
     be placed to be activated.

     The options are as follows:

     -b bits
             Specifies the number of bits in the key to create.  Minimum is
             512 bits.  Generally 1024 bits is considered sufficient, and key
             sizes above that no longer improve security but make things
             slower.  The default is 1024 bits.

     -c      Requests changing the comment in the private and public key
             files.  This operation is only supported for RSA1 keys.  The
             program will prompt for the file containing the private keys, for
             the passphrase if the key has one, and for the new comment.

     -e      This option will read a private or public OpenSSH key file and
             print the key in a `SECSH Public Key File Format' to stdout.
             This option allows exporting keys for use by several commercial
             SSH implementations.

     -f filename
             Specifies the filename of the key file.

     -i      This option will read an unencrypted private (or public) key file
             in SSH2-compatible format and print an OpenSSH compatible private
             (or public) key to stdout.  ssh-keygen also reads the `SECSH
             Public Key File Format'.  This option allows importing keys from
             several commercial SSH implementations.

     -l      Show fingerprint of specified public key file.  Private RSA1 keys
             are also supported.  For RSA and DSA keys ssh-keygen tries to
             find the matching public key file and prints its fingerprint.
             OpenSSH public key to stdout.

     -t type
             Specifies the type of the key to create.  The possible values are
             ``rsa1'' for protocol version 1 and ``rsa'' or ``dsa'' for
             protocol version 2.  The default is ``rsa1''.

     -B      Show the bubblebabble digest of specified private or public key
             file.

     -C comment
             Provides the new comment.

     -D reader
             Download the RSA public key stored in the smartcard in reader.

     -N new_passphrase
             Provides the new passphrase.

     -P passphrase
             Provides the (old) passphrase.

     -U reader
             Upload an existing RSA private key into the smartcard in reader.

FILES
     $HOME/.ssh/identity
             Contains the protocol version 1 RSA authentication identity of
             the user.  This file should not be readable by anyone but the
             user.  It is possible to specify a passphrase when generating the
             key; that passphrase will be used to encrypt the private part of
             this file using 3DES.  This file is not automatically accessed by
             ssh-keygen but it is offered as the default file for the private
             key.  ssh(1) will read this file when a login attempt is made.

     $HOME/.ssh/identity.pub
             Contains the protocol version 1 RSA public key for
             authentication.  The contents of this file should be added to
             $HOME/.ssh/authorized_keys on all machines where the
             this file using 3DES.  This file is not automatically accessed by
             ssh-keygen but it is offered as the default file for the private
             key.  ssh(1) will read this file when a login attempt is made.

     $HOME/.ssh/id_dsa.pub
             Contains the protocol version 2 DSA public key for
             authentication.  The contents of this file should be added to
             $HOME/.ssh/authorized_keys on all machines where the user wishes
             to log in using public key authentication.  There is no need to
             keep the contents of this file secret.

     $HOME/.ssh/id_rsa
             Contains the protocol version 2 RSA authentication identity of
             the user.  This file should not be readable by anyone but the
             user.  It is possible to specify a passphrase when generating the
             key; that passphrase will be used to encrypt the private part of
             this file using 3DES.  This file is not automatically accessed by
             ssh-keygen but it is offered as the default file for the private
             key.  ssh(1) will read this file when a login attempt is made.

     $HOME/.ssh/id_rsa.pub
             Contains the protocol version 2 RSA public key for
             authentication.  The contents of this file should be added to
             $HOME/.ssh/authorized_keys on all machines where the user wishes
             to log in using public key authentication.  There is no need to
             keep the contents of this file secret.
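
The FILES entries above require that the private key files (identity, id_dsa, id_rsa) not be readable by anyone but the user, while the .pub files need no secrecy. The following shell function is an added example, not part of the original manual page or of OpenSSH: it checks a key directory for private key files with any group or other permission bits set. The names audit_ssh_keys and demo and the placeholder files are assumptions made for the example.

```shell
#!/bin/sh
# audit_ssh_keys DIR
# Prints one line per private key file named in FILES and returns non-zero
# if any of them grants access to group or other. The .pub files are skipped
# because their contents do not need to be kept secret.
audit_ssh_keys() {
    dir=$1
    status=0
    for name in identity id_dsa id_rsa; do
        key="$dir/$name"
        [ -f "$key" ] || continue
        # In the ls -l mode string, characters 5-10 are the group and other
        # bits; -L follows a symlink so the real file's mode is checked.
        others=$(ls -ldL "$key" | cut -c5-10)
        if [ "$others" = "------" ]; then
            echo "ok      $name"
        else
            echo "EXPOSED $name (group/other bits: $others)"
            status=1
        fi
    done
    return $status
}

# Constructed demo: a throwaway directory holding placeholder files, not
# real keys. id_dsa is deliberately left too open.
demo() {
    tmp=$(mktemp -d) || return 2
    for f in identity id_dsa id_rsa id_rsa.pub; do
        echo "placeholder" > "$tmp/$f"
    done
    chmod 600 "$tmp/identity" "$tmp/id_rsa"
    chmod 644 "$tmp/id_dsa" "$tmp/id_rsa.pub"
    rc=0
    audit_ssh_keys "$tmp" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run `audit_ssh_keys "$HOME/.ssh"` against a real key directory; `chmod 600` on a reported file removes the group and other bits.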

AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
     de Raadt and Dug Song removed many bugs, re-added newer features and
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol