SYNOPSIS
     ssh-keygen [-q] [-b bits] [-t type] [-N new_passphrase] [-C comment]
                [-f output_keyfile]
     ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
     ssh-keygen -i [-f input_keyfile]
     ssh-keygen -e [-f input_keyfile]
     ssh-keygen -y [-f input_keyfile]
     ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
     ssh-keygen -l [-f input_keyfile]
     ssh-keygen -B [-f input_keyfile]

DESCRIPTION
     ssh-keygen generates, manages and converts authentication keys for
     ssh(1).  ssh-keygen defaults to generating an RSA1 key for use by SSH
     protocol version 1.  Specifying the -t option allows you to create a key
     for use by SSH protocol version 2.

     Normally each user wishing to use SSH with RSA or DSA authentication runs
     this once to create the authentication key in $HOME/.ssh/identity,
     $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa.  Additionally, the system
     administrator may use this to generate host keys, as seen in /etc/rc.

     Normally this program generates the key and asks for a file in which to
     store the private key.  The public key is stored in a file with the same
     name but ``.pub'' appended.  The program also asks for a passphrase.  The
     passphrase may be empty to indicate no passphrase (host keys must have an
     empty passphrase), or it may be a string of arbitrary length.  Good
     passphrases are 10-30 characters long and are not simple sentences or
     otherwise easily guessable (English prose has only 1-2 bits of entropy
     per word, and provides very bad passphrases).  The passphrase can be
     changed later by using the -p option.

     There is no way to recover a lost passphrase.  If the passphrase is lost
     [...]

     After a key is generated, instructions below detail where the keys should
     be placed to be activated.

     The options are as follows:

     -b bits
             Specifies the number of bits in the key to create.  Minimum is
             512 bits.  Generally 1024 bits is considered sufficient, and key
             sizes above that no longer improve security but make things
             slower.  The default is 1024 bits.

     -c      Requests changing the comment in the private and public key
             files.  The program will prompt for the file containing the
             private keys, for the passphrase if the key has one, and for the
             new comment.

     -e      This option will read a private or public OpenSSH key file and
             print the key in a `SECSH Public Key File Format' to stdout.
             This option allows exporting keys for use by several commercial
             SSH implementations.

     -f      Specifies the filename of the key file.

     -i      This option will read an unencrypted private (or public) key file
             in SSH2-compatible format and print an OpenSSH compatible private
             (or public) key to stdout.  ssh-keygen also reads the `SECSH
             Public Key File Format'.  This option allows importing keys from
             several commercial SSH implementations.

     -l      Show fingerprint of specified private or public key file.

     -p      Requests changing the passphrase of a private key file instead of
             creating a new private key.  The program will prompt for the file
             containing the private key, for the old passphrase, and twice for
             [...]

     -t type
             [...]col version 2.  The default is ``rsa1''.

     -B      Show the bubblebabble digest of specified private or public key
             file.

     -C comment
             Provides the new comment.

     -N new_passphrase
             Provides the new passphrase.

     -P passphrase
             Provides the (old) passphrase.

FILES
     $HOME/.ssh/identity
             Contains the protocol version 1 RSA authentication identity of
             the user.  This file should not be readable by anyone but the
             user.  It is possible to specify a passphrase when generating the
             key; that passphrase will be used to encrypt the private part of
             this file using 3DES.  This file is not automatically accessed by
             ssh-keygen but it is offered as the default file for the private
             key.  sshd(8) will read this file when a login attempt is made.

     $HOME/.ssh/identity.pub
             Contains the protocol version 1 RSA public key for
             authentication.  The contents of this file should be added to
             $HOME/.ssh/authorized_keys on all machines where you wish to log
             in using RSA authentication.  There is no need to keep the
             contents of this file secret.

     $HOME/.ssh/id_dsa
             Contains the protocol version 2 DSA authentication identity of
             the user.  This file should not be readable by anyone but the
             user.  It is possible to specify a passphrase when generating the
             key; that passphrase will be used to encrypt the private part of
             this file using 3DES.  This file is not automatically accessed by
             ssh-keygen but it is offered as the default file for the private
             key.  sshd(8) will read this file when a login attempt is made.

             [...] need to keep the contents of this file secret.

     $HOME/.ssh/id_rsa
             Contains the protocol version 2 RSA authentication identity of
             the user.  This file should not be readable by anyone but the
             user.  It is possible to specify a passphrase when generating the
             key; that passphrase will be used to encrypt the private part of
             this file using 3DES.  This file is not automatically accessed by
             ssh-keygen but it is offered as the default file for the private
             key.  sshd(8) will read this file when a login attempt is made.

     $HOME/.ssh/id_rsa.pub
             Contains the protocol version 2 RSA public key for
             authentication.  The contents of this file should be added to
             $HOME/.ssh/authorized_keys2 on all machines where you wish to log
             in using public key authentication.  There is no need to keep the
             contents of this file secret.

AUTHORS
     OpenSSH is a derivative of the original and free ssh 1.2.12 release by
     Tatu Ylonen.  Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
     de Raadt and Dug Song removed many bugs, re-added newer features and
     created OpenSSH.  Markus Friedl contributed the support for SSH protocol
     versions 1.5 and 2.0.

SEE ALSO
     ssh(1), ssh-add(1), ssh-agent(1), sshd(8)

     J. Galbraith, and R. Thayer, SECSH Public Key File Format,
     draft-ietf-secsh-publickeyfile-01.txt, March 2001, work in progress
     material.

BSD Experimental                September 25, 1999
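The following script is an added example, not part of the ssh-keygen man page or of OpenSSH itself. It drives the key lifecycle the page describes (generate with -t/-b/-N/-C/-f, inspect with -l and -y, change the passphrase with -p and the comment with -c) without interactive prompts, and then checks the properties the FILES section demands: the private key must be unreadable by anyone but its owner, and the .pub file must still match the private key. It assumes ssh-keygen is in PATH, that -p exits non-zero when the old passphrase given with -P is wrong, and that -c can rewrite the comment of an unencrypted key; every file name, comment and passphrase below is constructed for the demonstration. The page says protocol 2 public keys go into authorized_keys2 while current OpenSSH reads authorized_keys, so the target file is a parameter.

```shell
#!/bin/sh
# Added example (not from the ssh-keygen man page): non-interactive key
# lifecycle plus the file checks the FILES section asks for. Assumes
# ssh-keygen is in PATH. All names, comments and passphrases are constructed.
set -eu

WORK=$(mktemp -d)              # stands in for $HOME/.ssh during the demo
trap 'rm -rf "$WORK"' EXIT     # throw the demonstration keys away on exit

# Protocol-2 RSA user key: explicit size (-b), comment (-C) and passphrase
# (-N), written to $1 and $1.pub (-f) with no prompts.
gen_user_key() {               # $1=keyfile $2=passphrase $3=comment
    ssh-keygen -q -t rsa -b 2048 -N "$2" -C "$3" -f "$1" >/dev/null
}

# Host-style key: the page notes that host keys must have an empty passphrase.
gen_host_key() {               # $1=keyfile $2=comment
    ssh-keygen -q -t rsa -b 2048 -N '' -C "$2" -f "$1" >/dev/null
}

# Key length as reported by -l (first field of the fingerprint line).
key_bits() { ssh-keygen -l -f "$1.pub" | cut -d' ' -f1; }

# Re-encrypt the private key under a new passphrase (-p); fails if $2 is wrong.
change_passphrase() {          # $1=keyfile $2=old passphrase $3=new passphrase
    ssh-keygen -q -p -P "$2" -N "$3" -f "$1" >/dev/null
}

# Rewrite the comment in the private and public key files (-c).
change_comment() {             # $1=keyfile $2=new comment
    ssh-keygen -q -c -C "$2" -f "$1" >/dev/null
}

# Comment stored in the .pub file (everything after the key blob).
pub_comment() { cut -d' ' -f3- "$1.pub"; }

# -y derives the public key from the private one; it must match the .pub file
# (a mismatch means one of the two files was replaced or corrupted).
pub_matches_private() {
    [ "$(ssh-keygen -y -f "$1" | cut -d' ' -f1,2)" = "$(cut -d' ' -f1,2 "$1.pub")" ]
}

# The page requires private keys to be unreadable by anyone but the owner:
# the group and other permission bits (columns 5-10 of ls -l) must be clear.
is_owner_only() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        *[rwx]*) return 1 ;;
    esac
    return 0
}

# Append $1.pub to an authorized-keys file ($2) created under a restrictive
# umask, lock its mode, and print how many lines in it carry that key blob.
install_pubkey() {             # $1=keyfile $2=authorized-keys path
    ( umask 077; cat "$1.pub" >> "$2" )
    chmod 600 "$2"
    grep -c -F "$(cut -d' ' -f2 "$1.pub")" "$2"
}

demo() {
    gen_user_key "$WORK/id_rsa" "demo-old-passphrase" "alice@workstation.example"
    echo "user key: $(key_bits "$WORK/id_rsa") bits"
    is_owner_only "$WORK/id_rsa" && echo "user private key is owner-only"
    change_passphrase "$WORK/id_rsa" "demo-old-passphrase" "demo-new-passphrase"
    ssh-keygen -l -f "$WORK/id_rsa.pub"

    gen_host_key "$WORK/ssh_host_rsa_key" "gateway.example"
    pub_matches_private "$WORK/ssh_host_rsa_key" && echo "host .pub matches private key"
    change_comment "$WORK/ssh_host_rsa_key" "gateway.example (rotated)"
    echo "host key comment now: $(pub_comment "$WORK/ssh_host_rsa_key")"
    echo "copies in authorized_keys: $(install_pubkey "$WORK/id_rsa" "$WORK/authorized_keys")"
}

if command -v ssh-keygen >/dev/null 2>&1; then
    demo
else
    echo "ssh-keygen not found in PATH; nothing to demonstrate" >&2
fi
```

The permission check reads the mode from ls -l rather than stat because the stat flags differ between GNU and BSD systems; the case pattern rejects any r, w or x in the group or other columns, which is exactly the "readable by anyone but the user" condition the page warns about.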