2008-06-13 03:18:03 +08:00
|
|
|
.\" $OpenBSD: ssh-keygen.1,v 1.78 2008/06/12 19:10:09 jmc Exp $
|
2001-01-29 15:39:26 +08:00
|
|
|
.\"
|
1999-10-29 07:15:49 +08:00
|
|
|
.\" -*- nroff -*-
|
|
|
|
.\"
|
|
|
|
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
|
|
|
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
|
|
|
.\" All rights reserved
|
|
|
|
.\"
|
2000-09-16 10:29:08 +08:00
|
|
|
.\" As far as I am concerned, the code I have written for this software
|
|
|
|
.\" can be used freely for any purpose. Any derived versions of this
|
|
|
|
.\" software must be clearly marked as such, and if the derived work is
|
|
|
|
.\" incompatible with the protocol description in the RFC file, it must be
|
|
|
|
.\" called by a name other than "ssh" or "Secure Shell".
|
|
|
|
.\"
|
|
|
|
.\"
|
2001-03-05 14:59:27 +08:00
|
|
|
.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
|
|
|
|
.\" Copyright (c) 1999 Aaron Campbell. All rights reserved.
|
|
|
|
.\" Copyright (c) 1999 Theo de Raadt. All rights reserved.
|
2000-09-16 10:29:08 +08:00
|
|
|
.\"
|
|
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
|
|
.\" modification, are permitted provided that the following conditions
|
|
|
|
.\" are met:
|
|
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
|
|
.\" documentation and/or other materials provided with the distribution.
|
1999-10-29 07:15:49 +08:00
|
|
|
.\"
|
2000-09-16 10:29:08 +08:00
|
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
|
|
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
|
|
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
|
|
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
|
|
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
|
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
|
|
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
|
|
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
|
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
1999-10-29 07:15:49 +08:00
|
|
|
.\"
|
2008-06-13 03:18:03 +08:00
|
|
|
.Dd $Mdocdate: June 12 2008 $
|
1999-10-29 07:15:49 +08:00
|
|
|
.Dt SSH-KEYGEN 1
|
|
|
|
.Os
|
|
|
|
.Sh NAME
|
|
|
|
.Nm ssh-keygen
|
2001-04-23 01:15:46 +08:00
|
|
|
.Nd authentication key generation, management and conversion
|
1999-10-29 07:15:49 +08:00
|
|
|
.Sh SYNOPSIS
|
|
|
|
.Nm ssh-keygen
|
2003-04-01 19:42:14 +08:00
|
|
|
.Bk -words
|
2000-11-13 19:57:25 +08:00
|
|
|
.Op Fl q
|
1999-10-29 07:15:49 +08:00
|
|
|
.Op Fl b Ar bits
|
2002-02-19 12:22:07 +08:00
|
|
|
.Fl t Ar type
|
1999-10-29 07:15:49 +08:00
|
|
|
.Op Fl N Ar new_passphrase
|
|
|
|
.Op Fl C Ar comment
|
2000-09-02 07:08:09 +08:00
|
|
|
.Op Fl f Ar output_keyfile
|
2003-04-01 19:42:14 +08:00
|
|
|
.Ek
|
1999-10-29 07:15:49 +08:00
|
|
|
.Nm ssh-keygen
|
|
|
|
.Fl p
|
|
|
|
.Op Fl P Ar old_passphrase
|
|
|
|
.Op Fl N Ar new_passphrase
|
1999-11-17 14:29:08 +08:00
|
|
|
.Op Fl f Ar keyfile
|
1999-10-29 07:15:49 +08:00
|
|
|
.Nm ssh-keygen
|
2001-04-23 01:15:46 +08:00
|
|
|
.Fl i
|
2000-09-02 07:08:09 +08:00
|
|
|
.Op Fl f Ar input_keyfile
|
- Remove references to SSLeay.
- Big OpenBSD CVS update
- markus@cvs.openbsd.org
[clientloop.c]
- typo
[session.c]
- update proctitle on pty alloc/dealloc, e.g. w/ windows client
[session.c]
- update proctitle for proto 1, too
[channels.h nchan.c serverloop.c session.c sshd.c]
- use c-style comments
- deraadt@cvs.openbsd.org
[scp.c]
- more atomicio
- markus@cvs.openbsd.org
[channels.c]
- set O_NONBLOCK
[ssh.1]
- update AUTHOR
[readconf.c ssh-keygen.c ssh.h]
- default DSA key file ~/.ssh/id_dsa
[clientloop.c]
- typo, rm verbose debug
- deraadt@cvs.openbsd.org
[ssh-keygen.1]
- document DSA use of ssh-keygen
[sshd.8]
- a start at describing what i understand of the DSA side
[ssh-keygen.1]
- document -X and -x
[ssh-keygen.c]
- simplify usage
- markus@cvs.openbsd.org
[sshd.8]
- there is no rhosts_dsa
[ssh-keygen.1]
- document -y, update -X,-x
[nchan.c]
- fix close for non-open ssh1 channels
[servconf.c servconf.h ssh.h sshd.8 sshd.c ]
- s/DsaKey/HostDSAKey/, document option
[sshconnect2.c]
- respect number_of_password_prompts
[channels.c channels.h servconf.c servconf.h session.c sshd.8]
- GatewayPorts for sshd, ok deraadt@
[ssh-add.1 ssh-agent.1 ssh.1]
- more doc on: DSA, id_dsa, known_hosts2, authorized_keys2
[ssh.1]
- more info on proto 2
[sshd.8]
- sync AUTHOR w/ ssh.1
[key.c key.h sshconnect.c]
- print key type when talking about host keys
[packet.c]
- clear padding in ssh2
[dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h]
- replace broken uuencode w/ libc b64_ntop
[auth2.c]
- log failure before sending the reply
[key.c radix.c uuencode.c]
- remote trailing comments before calling __b64_pton
[auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1]
[sshconnect2.c sshd.8]
- add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
- Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
2000-05-07 10:03:14 +08:00
|
|
|
.Nm ssh-keygen
|
2001-04-23 01:15:46 +08:00
|
|
|
.Fl e
|
2000-09-02 07:08:09 +08:00
|
|
|
.Op Fl f Ar input_keyfile
|
- Remove references to SSLeay.
- Big OpenBSD CVS update
- markus@cvs.openbsd.org
[clientloop.c]
- typo
[session.c]
- update proctitle on pty alloc/dealloc, e.g. w/ windows client
[session.c]
- update proctitle for proto 1, too
[channels.h nchan.c serverloop.c session.c sshd.c]
- use c-style comments
- deraadt@cvs.openbsd.org
[scp.c]
- more atomicio
- markus@cvs.openbsd.org
[channels.c]
- set O_NONBLOCK
[ssh.1]
- update AUTHOR
[readconf.c ssh-keygen.c ssh.h]
- default DSA key file ~/.ssh/id_dsa
[clientloop.c]
- typo, rm verbose debug
- deraadt@cvs.openbsd.org
[ssh-keygen.1]
- document DSA use of ssh-keygen
[sshd.8]
- a start at describing what i understand of the DSA side
[ssh-keygen.1]
- document -X and -x
[ssh-keygen.c]
- simplify usage
- markus@cvs.openbsd.org
[sshd.8]
- there is no rhosts_dsa
[ssh-keygen.1]
- document -y, update -X,-x
[nchan.c]
- fix close for non-open ssh1 channels
[servconf.c servconf.h ssh.h sshd.8 sshd.c ]
- s/DsaKey/HostDSAKey/, document option
[sshconnect2.c]
- respect number_of_password_prompts
[channels.c channels.h servconf.c servconf.h session.c sshd.8]
- GatewayPorts for sshd, ok deraadt@
[ssh-add.1 ssh-agent.1 ssh.1]
- more doc on: DSA, id_dsa, known_hosts2, authorized_keys2
[ssh.1]
- more info on proto 2
[sshd.8]
- sync AUTHOR w/ ssh.1
[key.c key.h sshconnect.c]
- print key type when talking about host keys
[packet.c]
- clear padding in ssh2
[dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h]
- replace broken uuencode w/ libc b64_ntop
[auth2.c]
- log failure before sending the reply
[key.c radix.c uuencode.c]
- remote trailing comments before calling __b64_pton
[auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1]
[sshconnect2.c sshd.8]
- add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
- Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
2000-05-07 10:03:14 +08:00
|
|
|
.Nm ssh-keygen
|
|
|
|
.Fl y
|
2000-09-02 07:08:09 +08:00
|
|
|
.Op Fl f Ar input_keyfile
|
- Remove references to SSLeay.
- Big OpenBSD CVS update
- markus@cvs.openbsd.org
[clientloop.c]
- typo
[session.c]
- update proctitle on pty alloc/dealloc, e.g. w/ windows client
[session.c]
- update proctitle for proto 1, too
[channels.h nchan.c serverloop.c session.c sshd.c]
- use c-style comments
- deraadt@cvs.openbsd.org
[scp.c]
- more atomicio
- markus@cvs.openbsd.org
[channels.c]
- set O_NONBLOCK
[ssh.1]
- update AUTHOR
[readconf.c ssh-keygen.c ssh.h]
- default DSA key file ~/.ssh/id_dsa
[clientloop.c]
- typo, rm verbose debug
- deraadt@cvs.openbsd.org
[ssh-keygen.1]
- document DSA use of ssh-keygen
[sshd.8]
- a start at describing what i understand of the DSA side
[ssh-keygen.1]
- document -X and -x
[ssh-keygen.c]
- simplify usage
- markus@cvs.openbsd.org
[sshd.8]
- there is no rhosts_dsa
[ssh-keygen.1]
- document -y, update -X,-x
[nchan.c]
- fix close for non-open ssh1 channels
[servconf.c servconf.h ssh.h sshd.8 sshd.c ]
- s/DsaKey/HostDSAKey/, document option
[sshconnect2.c]
- respect number_of_password_prompts
[channels.c channels.h servconf.c servconf.h session.c sshd.8]
- GatewayPorts for sshd, ok deraadt@
[ssh-add.1 ssh-agent.1 ssh.1]
- more doc on: DSA, id_dsa, known_hosts2, authorized_keys2
[ssh.1]
- more info on proto 2
[sshd.8]
- sync AUTHOR w/ ssh.1
[key.c key.h sshconnect.c]
- print key type when talking about host keys
[packet.c]
- clear padding in ssh2
[dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h]
- replace broken uuencode w/ libc b64_ntop
[auth2.c]
- log failure before sending the reply
[key.c radix.c uuencode.c]
- remote trailing comments before calling __b64_pton
[auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1]
[sshconnect2.c sshd.8]
- add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
- Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
2000-05-07 10:03:14 +08:00
|
|
|
.Nm ssh-keygen
|
1999-10-29 07:15:49 +08:00
|
|
|
.Fl c
|
|
|
|
.Op Fl P Ar passphrase
|
|
|
|
.Op Fl C Ar comment
|
1999-11-17 14:29:08 +08:00
|
|
|
.Op Fl f Ar keyfile
|
|
|
|
.Nm ssh-keygen
|
|
|
|
.Fl l
|
2001-03-12 11:02:17 +08:00
|
|
|
.Op Fl f Ar input_keyfile
|
|
|
|
.Nm ssh-keygen
|
|
|
|
.Fl B
|
2000-09-02 07:08:09 +08:00
|
|
|
.Op Fl f Ar input_keyfile
|
2001-08-07 05:51:34 +08:00
|
|
|
.Nm ssh-keygen
|
|
|
|
.Fl D Ar reader
|
|
|
|
.Nm ssh-keygen
|
2005-03-01 18:48:35 +08:00
|
|
|
.Fl F Ar hostname
|
|
|
|
.Op Fl f Ar known_hosts_file
|
|
|
|
.Nm ssh-keygen
|
|
|
|
.Fl H
|
|
|
|
.Op Fl f Ar known_hosts_file
|
|
|
|
.Nm ssh-keygen
|
|
|
|
.Fl R Ar hostname
|
|
|
|
.Op Fl f Ar known_hosts_file
|
|
|
|
.Nm ssh-keygen
|
2001-08-07 05:51:34 +08:00
|
|
|
.Fl U Ar reader
|
|
|
|
.Op Fl f Ar input_keyfile
|
2003-05-15 08:19:46 +08:00
|
|
|
.Nm ssh-keygen
|
|
|
|
.Fl r Ar hostname
|
|
|
|
.Op Fl f Ar input_keyfile
|
|
|
|
.Op Fl g
|
2003-08-02 20:40:07 +08:00
|
|
|
.Nm ssh-keygen
|
|
|
|
.Fl G Ar output_file
|
2003-12-31 08:34:51 +08:00
|
|
|
.Op Fl v
|
2003-08-02 20:40:07 +08:00
|
|
|
.Op Fl b Ar bits
|
|
|
|
.Op Fl M Ar memory
|
|
|
|
.Op Fl S Ar start_point
|
|
|
|
.Nm ssh-keygen
|
|
|
|
.Fl T Ar output_file
|
|
|
|
.Fl f Ar input_file
|
2003-12-31 08:34:51 +08:00
|
|
|
.Op Fl v
|
2003-08-02 20:40:07 +08:00
|
|
|
.Op Fl a Ar num_trials
|
|
|
|
.Op Fl W Ar generator
|
2000-04-13 10:26:34 +08:00
|
|
|
.Sh DESCRIPTION
|
1999-10-29 07:15:49 +08:00
|
|
|
.Nm
|
2001-04-23 01:15:46 +08:00
|
|
|
generates, manages and converts authentication keys for
|
1999-10-29 07:15:49 +08:00
|
|
|
.Xr ssh 1 .
|
- Remove references to SSLeay.
- Big OpenBSD CVS update
- markus@cvs.openbsd.org
[clientloop.c]
- typo
[session.c]
- update proctitle on pty alloc/dealloc, e.g. w/ windows client
[session.c]
- update proctitle for proto 1, too
[channels.h nchan.c serverloop.c session.c sshd.c]
- use c-style comments
- deraadt@cvs.openbsd.org
[scp.c]
- more atomicio
- markus@cvs.openbsd.org
[channels.c]
- set O_NONBLOCK
[ssh.1]
- update AUTHOR
[readconf.c ssh-keygen.c ssh.h]
- default DSA key file ~/.ssh/id_dsa
[clientloop.c]
- typo, rm verbose debug
- deraadt@cvs.openbsd.org
[ssh-keygen.1]
- document DSA use of ssh-keygen
[sshd.8]
- a start at describing what i understand of the DSA side
[ssh-keygen.1]
- document -X and -x
[ssh-keygen.c]
- simplify usage
- markus@cvs.openbsd.org
[sshd.8]
- there is no rhosts_dsa
[ssh-keygen.1]
- document -y, update -X,-x
[nchan.c]
- fix close for non-open ssh1 channels
[servconf.c servconf.h ssh.h sshd.8 sshd.c ]
- s/DsaKey/HostDSAKey/, document option
[sshconnect2.c]
- respect number_of_password_prompts
[channels.c channels.h servconf.c servconf.h session.c sshd.8]
- GatewayPorts for sshd, ok deraadt@
[ssh-add.1 ssh-agent.1 ssh.1]
- more doc on: DSA, id_dsa, known_hosts2, authorized_keys2
[ssh.1]
- more info on proto 2
[sshd.8]
- sync AUTHOR w/ ssh.1
[key.c key.h sshconnect.c]
- print key type when talking about host keys
[packet.c]
- clear padding in ssh2
[dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h]
- replace broken uuencode w/ libc b64_ntop
[auth2.c]
- log failure before sending the reply
[key.c radix.c uuencode.c]
- remote trailing comments before calling __b64_pton
[auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1]
[sshconnect2.c sshd.8]
- add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
- Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
2000-05-07 10:03:14 +08:00
|
|
|
.Nm
|
2002-06-21 08:41:51 +08:00
|
|
|
can create RSA keys for use by SSH protocol version 1 and RSA or DSA
|
2003-05-23 16:44:23 +08:00
|
|
|
keys for use by SSH protocol version 2.
|
|
|
|
The type of key to be generated is specified with the
|
2000-11-13 19:57:25 +08:00
|
|
|
.Fl t
|
2002-01-22 20:05:08 +08:00
|
|
|
option.
|
2005-11-05 12:15:49 +08:00
|
|
|
If invoked without any arguments,
|
|
|
|
.Nm
|
2005-11-05 12:16:27 +08:00
|
|
|
will generate an RSA key for use in SSH protocol 2 connections.
|
- Remove references to SSLeay.
- Big OpenBSD CVS update
- markus@cvs.openbsd.org
[clientloop.c]
- typo
[session.c]
- update proctitle on pty alloc/dealloc, e.g. w/ windows client
[session.c]
- update proctitle for proto 1, too
[channels.h nchan.c serverloop.c session.c sshd.c]
- use c-style comments
- deraadt@cvs.openbsd.org
[scp.c]
- more atomicio
- markus@cvs.openbsd.org
[channels.c]
- set O_NONBLOCK
[ssh.1]
- update AUTHOR
[readconf.c ssh-keygen.c ssh.h]
- default DSA key file ~/.ssh/id_dsa
[clientloop.c]
- typo, rm verbose debug
- deraadt@cvs.openbsd.org
[ssh-keygen.1]
- document DSA use of ssh-keygen
[sshd.8]
- a start at describing what i understand of the DSA side
[ssh-keygen.1]
- document -X and -x
[ssh-keygen.c]
- simplify usage
- markus@cvs.openbsd.org
[sshd.8]
- there is no rhosts_dsa
[ssh-keygen.1]
- document -y, update -X,-x
[nchan.c]
- fix close for non-open ssh1 channels
[servconf.c servconf.h ssh.h sshd.8 sshd.c ]
- s/DsaKey/HostDSAKey/, document option
[sshconnect2.c]
- respect number_of_password_prompts
[channels.c channels.h servconf.c servconf.h session.c sshd.8]
- GatewayPorts for sshd, ok deraadt@
[ssh-add.1 ssh-agent.1 ssh.1]
- more doc on: DSA, id_dsa, known_hosts2, authorized_keys2
[ssh.1]
- more info on proto 2
[sshd.8]
- sync AUTHOR w/ ssh.1
[key.c key.h sshconnect.c]
- print key type when talking about host keys
[packet.c]
- clear padding in ssh2
[dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h]
- replace broken uuencode w/ libc b64_ntop
[auth2.c]
- log failure before sending the reply
[key.c radix.c uuencode.c]
- remote trailing comments before calling __b64_pton
[auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1]
[sshconnect2.c sshd.8]
- add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
- Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
2000-05-07 10:03:14 +08:00
|
|
|
.Pp
|
2003-08-02 20:40:07 +08:00
|
|
|
.Nm
|
|
|
|
is also used to generate groups for use in Diffie-Hellman group
|
|
|
|
exchange (DH-GEX).
|
|
|
|
See the
|
|
|
|
.Sx MODULI GENERATION
|
|
|
|
section for details.
|
|
|
|
.Pp
|
1999-10-29 07:15:49 +08:00
|
|
|
Normally each user wishing to use SSH
|
- Remove references to SSLeay.
- Big OpenBSD CVS update
- markus@cvs.openbsd.org
[clientloop.c]
- typo
[session.c]
- update proctitle on pty alloc/dealloc, e.g. w/ windows client
[session.c]
- update proctitle for proto 1, too
[channels.h nchan.c serverloop.c session.c sshd.c]
- use c-style comments
- deraadt@cvs.openbsd.org
[scp.c]
- more atomicio
- markus@cvs.openbsd.org
[channels.c]
- set O_NONBLOCK
[ssh.1]
- update AUTHOR
[readconf.c ssh-keygen.c ssh.h]
- default DSA key file ~/.ssh/id_dsa
[clientloop.c]
- typo, rm verbose debug
- deraadt@cvs.openbsd.org
[ssh-keygen.1]
- document DSA use of ssh-keygen
[sshd.8]
- a start at describing what i understand of the DSA side
[ssh-keygen.1]
- document -X and -x
[ssh-keygen.c]
- simplify usage
- markus@cvs.openbsd.org
[sshd.8]
- there is no rhosts_dsa
[ssh-keygen.1]
- document -y, update -X,-x
[nchan.c]
- fix close for non-open ssh1 channels
[servconf.c servconf.h ssh.h sshd.8 sshd.c ]
- s/DsaKey/HostDSAKey/, document option
[sshconnect2.c]
- respect number_of_password_prompts
[channels.c channels.h servconf.c servconf.h session.c sshd.8]
- GatewayPorts for sshd, ok deraadt@
[ssh-add.1 ssh-agent.1 ssh.1]
- more doc on: DSA, id_dsa, known_hosts2, authorized_keys2
[ssh.1]
- more info on proto 2
[sshd.8]
- sync AUTHOR w/ ssh.1
[key.c key.h sshconnect.c]
- print key type when talking about host keys
[packet.c]
- clear padding in ssh2
[dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h]
- replace broken uuencode w/ libc b64_ntop
[auth2.c]
- log failure before sending the reply
[key.c radix.c uuencode.c]
- remote trailing comments before calling __b64_pton
[auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1]
[sshconnect2.c sshd.8]
- add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
- Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
2000-05-07 10:03:14 +08:00
|
|
|
with RSA or DSA authentication runs this once to create the authentication
|
1999-10-29 07:15:49 +08:00
|
|
|
key in
|
2005-05-26 10:04:02 +08:00
|
|
|
.Pa ~/.ssh/identity ,
|
|
|
|
.Pa ~/.ssh/id_dsa
|
- Remove references to SSLeay.
- Big OpenBSD CVS update
- markus@cvs.openbsd.org
[clientloop.c]
- typo
[session.c]
- update proctitle on pty alloc/dealloc, e.g. w/ windows client
[session.c]
- update proctitle for proto 1, too
[channels.h nchan.c serverloop.c session.c sshd.c]
- use c-style comments
- deraadt@cvs.openbsd.org
[scp.c]
- more atomicio
- markus@cvs.openbsd.org
[channels.c]
- set O_NONBLOCK
[ssh.1]
- update AUTHOR
[readconf.c ssh-keygen.c ssh.h]
- default DSA key file ~/.ssh/id_dsa
[clientloop.c]
- typo, rm verbose debug
- deraadt@cvs.openbsd.org
[ssh-keygen.1]
- document DSA use of ssh-keygen
[sshd.8]
- a start at describing what i understand of the DSA side
[ssh-keygen.1]
- document -X and -x
[ssh-keygen.c]
- simplify usage
- markus@cvs.openbsd.org
[sshd.8]
- there is no rhosts_dsa
[ssh-keygen.1]
- document -y, update -X,-x
[nchan.c]
- fix close for non-open ssh1 channels
[servconf.c servconf.h ssh.h sshd.8 sshd.c ]
- s/DsaKey/HostDSAKey/, document option
[sshconnect2.c]
- respect number_of_password_prompts
[channels.c channels.h servconf.c servconf.h session.c sshd.8]
- GatewayPorts for sshd, ok deraadt@
[ssh-add.1 ssh-agent.1 ssh.1]
- more doc on: DSA, id_dsa, known_hosts2, authorized_keys2
[ssh.1]
- more info on proto 2
[sshd.8]
- sync AUTHOR w/ ssh.1
[key.c key.h sshconnect.c]
- print key type when talking about host keys
[packet.c]
- clear padding in ssh2
[dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h]
- replace broken uuencode w/ libc b64_ntop
[auth2.c]
- log failure before sending the reply
[key.c radix.c uuencode.c]
- remote trailing comments before calling __b64_pton
[auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1]
[sshconnect2.c sshd.8]
- add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
- Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
2000-05-07 10:03:14 +08:00
|
|
|
or
|
2005-05-26 10:04:02 +08:00
|
|
|
.Pa ~/.ssh/id_rsa .
|
- Remove references to SSLeay.
- Big OpenBSD CVS update
- markus@cvs.openbsd.org
[clientloop.c]
- typo
[session.c]
- update proctitle on pty alloc/dealloc, e.g. w/ windows client
[session.c]
- update proctitle for proto 1, too
[channels.h nchan.c serverloop.c session.c sshd.c]
- use c-style comments
- deraadt@cvs.openbsd.org
[scp.c]
- more atomicio
- markus@cvs.openbsd.org
[channels.c]
- set O_NONBLOCK
[ssh.1]
- update AUTHOR
[readconf.c ssh-keygen.c ssh.h]
- default DSA key file ~/.ssh/id_dsa
[clientloop.c]
- typo, rm verbose debug
- deraadt@cvs.openbsd.org
[ssh-keygen.1]
- document DSA use of ssh-keygen
[sshd.8]
- a start at describing what i understand of the DSA side
[ssh-keygen.1]
- document -X and -x
[ssh-keygen.c]
- simplify usage
- markus@cvs.openbsd.org
[sshd.8]
- there is no rhosts_dsa
[ssh-keygen.1]
- document -y, update -X,-x
[nchan.c]
- fix close for non-open ssh1 channels
[servconf.c servconf.h ssh.h sshd.8 sshd.c ]
- s/DsaKey/HostDSAKey/, document option
[sshconnect2.c]
- respect number_of_password_prompts
[channels.c channels.h servconf.c servconf.h session.c sshd.8]
- GatewayPorts for sshd, ok deraadt@
[ssh-add.1 ssh-agent.1 ssh.1]
- more doc on: DSA, id_dsa, known_hosts2, authorized_keys2
[ssh.1]
- more info on proto 2
[sshd.8]
- sync AUTHOR w/ ssh.1
[key.c key.h sshconnect.c]
- print key type when talking about host keys
[packet.c]
- clear padding in ssh2
[dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h]
- replace broken uuencode w/ libc b64_ntop
[auth2.c]
- log failure before sending the reply
[key.c radix.c uuencode.c]
- remote trailing comments before calling __b64_pton
[auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1]
[sshconnect2.c sshd.8]
- add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
- Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
2000-05-07 10:03:14 +08:00
|
|
|
Additionally, the system administrator may use this to generate host keys,
|
|
|
|
as seen in
|
|
|
|
.Pa /etc/rc .
|
1999-10-29 07:15:49 +08:00
|
|
|
.Pp
|
|
|
|
Normally this program generates the key and asks for a file in which
|
2000-03-26 11:04:51 +08:00
|
|
|
to store the private key.
|
|
|
|
The public key is stored in a file with the same name but
|
1999-10-29 07:15:49 +08:00
|
|
|
.Dq .pub
|
2000-03-26 11:04:51 +08:00
|
|
|
appended.
|
|
|
|
The program also asks for a passphrase.
|
|
|
|
The passphrase may be empty to indicate no passphrase
|
2001-01-18 10:04:35 +08:00
|
|
|
(host keys must have an empty passphrase), or it may be a string of
|
2000-03-26 11:04:51 +08:00
|
|
|
arbitrary length.
|
2001-12-07 00:43:21 +08:00
|
|
|
A passphrase is similar to a password, except it can be a phrase with a
|
|
|
|
series of words, punctuation, numbers, whitespace, or any string of
|
|
|
|
characters you want.
|
|
|
|
Good passphrases are 10-30 characters long, are
|
1999-10-29 07:15:49 +08:00
|
|
|
not simple sentences or otherwise easily guessable (English
|
2001-06-09 09:13:40 +08:00
|
|
|
prose has only 1-2 bits of entropy per character, and provides very bad
|
2001-12-07 00:43:21 +08:00
|
|
|
passphrases), and contain a mix of upper and lowercase letters,
|
|
|
|
numbers, and non-alphanumeric characters.
|
2000-03-26 11:04:51 +08:00
|
|
|
The passphrase can be changed later by using the
|
1999-10-29 07:15:49 +08:00
|
|
|
.Fl p
|
|
|
|
option.
|
|
|
|
.Pp
|
2000-03-26 11:04:51 +08:00
|
|
|
There is no way to recover a lost passphrase.
|
|
|
|
If the passphrase is
|
2001-09-13 02:35:30 +08:00
|
|
|
lost or forgotten, a new key must be generated and copied to the
|
1999-10-29 07:15:49 +08:00
|
|
|
corresponding public key to other machines.
|
|
|
|
.Pp
|
2001-04-23 01:15:46 +08:00
|
|
|
For RSA1 keys,
|
|
|
|
there is also a comment field in the key file that is only for
|
2000-03-26 11:04:51 +08:00
|
|
|
convenience to the user to help identify the key.
|
|
|
|
The comment can tell what the key is for, or whatever is useful.
|
|
|
|
The comment is initialized to
|
1999-10-29 07:15:49 +08:00
|
|
|
.Dq user@host
|
|
|
|
when the key is created, but can be changed using the
|
|
|
|
.Fl c
|
|
|
|
option.
|
|
|
|
.Pp
|
- Remove references to SSLeay.
- Big OpenBSD CVS update
- markus@cvs.openbsd.org
[clientloop.c]
- typo
[session.c]
- update proctitle on pty alloc/dealloc, e.g. w/ windows client
[session.c]
- update proctitle for proto 1, too
[channels.h nchan.c serverloop.c session.c sshd.c]
- use c-style comments
- deraadt@cvs.openbsd.org
[scp.c]
- more atomicio
- markus@cvs.openbsd.org
[channels.c]
- set O_NONBLOCK
[ssh.1]
- update AUTHOR
[readconf.c ssh-keygen.c ssh.h]
- default DSA key file ~/.ssh/id_dsa
[clientloop.c]
- typo, rm verbose debug
- deraadt@cvs.openbsd.org
[ssh-keygen.1]
- document DSA use of ssh-keygen
[sshd.8]
- a start at describing what i understand of the DSA side
[ssh-keygen.1]
- document -X and -x
[ssh-keygen.c]
- simplify usage
- markus@cvs.openbsd.org
[sshd.8]
- there is no rhosts_dsa
[ssh-keygen.1]
- document -y, update -X,-x
[nchan.c]
- fix close for non-open ssh1 channels
[servconf.c servconf.h ssh.h sshd.8 sshd.c ]
- s/DsaKey/HostDSAKey/, document option
[sshconnect2.c]
- respect number_of_password_prompts
[channels.c channels.h servconf.c servconf.h session.c sshd.8]
- GatewayPorts for sshd, ok deraadt@
[ssh-add.1 ssh-agent.1 ssh.1]
- more doc on: DSA, id_dsa, known_hosts2, authorized_keys2
[ssh.1]
- more info on proto 2
[sshd.8]
- sync AUTHOR w/ ssh.1
[key.c key.h sshconnect.c]
- print key type when talking about host keys
[packet.c]
- clear padding in ssh2
[dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h]
- replace broken uuencode w/ libc b64_ntop
[auth2.c]
- log failure before sending the reply
[key.c radix.c uuencode.c]
- remote trailing comments before calling __b64_pton
[auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1]
[sshconnect2.c sshd.8]
- add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
- Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
2000-05-07 10:03:14 +08:00
|
|
|
After a key is generated, instructions below detail where the keys
|
|
|
|
should be placed to be activated.
|
|
|
|
.Pp
|
1999-10-29 07:15:49 +08:00
|
|
|
The options are as follows:
|
|
|
|
.Bl -tag -width Ds
|
2003-08-02 20:40:07 +08:00
|
|
|
.It Fl a Ar trials
|
|
|
|
Specifies the number of primality tests to perform when screening DH-GEX
|
|
|
|
candidates using the
|
|
|
|
.Fl T
|
|
|
|
command.
|
2005-03-02 09:05:06 +08:00
|
|
|
.It Fl B
|
|
|
|
Show the bubblebabble digest of specified private or public key file.
|
1999-10-29 07:15:49 +08:00
|
|
|
.It Fl b Ar bits
|
2000-03-26 11:04:51 +08:00
|
|
|
Specifies the number of bits in the key to create.
|
2005-11-28 13:41:46 +08:00
|
|
|
For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
|
2005-06-16 11:19:06 +08:00
|
|
|
Generally, 2048 bits is considered sufficient.
|
2005-11-28 13:41:46 +08:00
|
|
|
DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
|
2005-03-02 09:05:06 +08:00
|
|
|
.It Fl C Ar comment
|
|
|
|
Provides a new comment.
|
1999-10-29 07:15:49 +08:00
|
|
|
.It Fl c
|
|
|
|
Requests changing the comment in the private and public key files.
|
2001-11-12 07:52:44 +08:00
|
|
|
This operation is only supported for RSA1 keys.
|
1999-10-29 07:15:49 +08:00
|
|
|
The program will prompt for the file containing the private keys, for
|
2001-05-06 11:01:02 +08:00
|
|
|
the passphrase if the key has one, and for the new comment.
|
2005-03-02 09:05:06 +08:00
|
|
|
.It Fl D Ar reader
|
|
|
|
Download the RSA public key stored in the smartcard in
|
|
|
|
.Ar reader .
|
2001-04-23 01:15:46 +08:00
|
|
|
.It Fl e
|
2001-04-25 00:56:58 +08:00
|
|
|
This option will read a private or public OpenSSH key file and
|
2007-01-05 13:25:46 +08:00
|
|
|
print the key in
|
|
|
|
RFC 4716 SSH Public Key File Format
|
2001-04-23 01:15:46 +08:00
|
|
|
to stdout.
|
|
|
|
This option allows exporting keys for use by several commercial
|
|
|
|
SSH implementations.
|
2005-03-02 09:05:06 +08:00
|
|
|
.It Fl F Ar hostname
|
|
|
|
Search for the specified
|
|
|
|
.Ar hostname
|
|
|
|
in a
|
|
|
|
.Pa known_hosts
|
|
|
|
file, listing any occurrences found.
|
|
|
|
This option is useful to find hashed host names or addresses and may also be
|
|
|
|
used in conjunction with the
|
|
|
|
.Fl H
|
|
|
|
option to print found keys in a hashed format.
|
|
|
|
.It Fl f Ar filename
|
|
|
|
Specifies the filename of the key file.
|
|
|
|
.It Fl G Ar output_file
|
|
|
|
Generate candidate primes for DH-GEX.
|
|
|
|
These primes must be screened for
|
|
|
|
safety (using the
|
|
|
|
.Fl T
|
|
|
|
option) before use.
|
2003-05-15 08:19:46 +08:00
|
|
|
.It Fl g
|
2004-08-13 19:22:40 +08:00
|
|
|
Use generic DNS format when printing fingerprint resource records using the
|
2004-08-13 19:23:25 +08:00
|
|
|
.Fl r
|
2004-08-13 19:22:40 +08:00
|
|
|
command.
|
2005-03-02 09:05:06 +08:00
|
|
|
.It Fl H
|
|
|
|
Hash a
|
|
|
|
.Pa known_hosts
|
2005-03-14 20:15:58 +08:00
|
|
|
file.
|
|
|
|
This replaces all hostnames and addresses with hashed representations
|
|
|
|
within the specified file; the original content is moved to a file with
|
|
|
|
a .old suffix.
|
2005-03-02 09:05:06 +08:00
|
|
|
These hashes may be used normally by
|
|
|
|
.Nm ssh
|
|
|
|
and
|
|
|
|
.Nm sshd ,
|
|
|
|
but they do not reveal identifying information should the file's contents
|
|
|
|
be disclosed.
|
|
|
|
This option will not modify existing hashed hostnames and is therefore safe
|
|
|
|
to use on files that mix hashed and non-hashed names.
|
2001-04-23 01:15:46 +08:00
|
|
|
.It Fl i
|
|
|
|
This option will read an unencrypted private (or public) key file
|
|
|
|
in SSH2-compatible format and print an OpenSSH compatible private
|
|
|
|
(or public) key to stdout.
|
|
|
|
.Nm
|
2001-04-23 01:19:46 +08:00
|
|
|
also reads the
|
2007-02-19 19:09:06 +08:00
|
|
|
RFC 4716 SSH Public Key File Format.
|
2001-04-23 01:15:46 +08:00
|
|
|
This option allows importing keys from several commercial
|
|
|
|
SSH implementations.
|
1999-11-17 14:29:08 +08:00
|
|
|
.It Fl l
|
2008-06-13 02:43:15 +08:00
|
|
|
Show fingerprint of specified public key file.
|
2001-11-12 07:52:44 +08:00
|
|
|
Private RSA1 keys are also supported.
|
|
|
|
For RSA and DSA keys
|
|
|
|
.Nm
|
2008-06-13 03:18:03 +08:00
|
|
|
tries to find the matching public key file and prints its fingerprint.
|
|
|
|
If combined with
|
|
|
|
.Fl v ,
|
|
|
|
an ASCII art representation of the key is supplied with the fingerprint.
|
2005-03-02 09:05:06 +08:00
|
|
|
.It Fl M Ar memory
|
|
|
|
Specify the amount of memory to use (in megabytes) when generating
|
|
|
|
candidate moduli for DH-GEX.
|
|
|
|
.It Fl N Ar new_passphrase
|
|
|
|
Provides the new passphrase.
|
|
|
|
.It Fl P Ar passphrase
|
|
|
|
Provides the (old) passphrase.
|
1999-10-29 07:15:49 +08:00
|
|
|
.It Fl p
|
|
|
|
Requests changing the passphrase of a private key file instead of
|
2000-03-26 11:04:51 +08:00
|
|
|
creating a new private key.
|
|
|
|
The program will prompt for the file
|
1999-10-29 07:15:49 +08:00
|
|
|
containing the private key, for the old passphrase, and twice for the
|
|
|
|
new passphrase.
|
|
|
|
.It Fl q
|
|
|
|
Silence
|
|
|
|
.Nm ssh-keygen .
|
|
|
|
Used by
|
|
|
|
.Pa /etc/rc
|
|
|
|
when creating a new key.
|
2005-03-01 18:48:35 +08:00
|
|
|
.It Fl R Ar hostname
|
|
|
|
Removes all keys belonging to
|
|
|
|
.Ar hostname
|
2005-03-02 09:03:43 +08:00
|
|
|
from a
|
2005-03-01 18:48:35 +08:00
|
|
|
.Pa known_hosts
|
|
|
|
file.
|
2005-03-02 09:03:43 +08:00
|
|
|
This option is useful to delete hashed hosts (see the
|
2005-03-01 18:48:35 +08:00
|
|
|
.Fl H
|
|
|
|
option above).
|
2005-03-02 09:05:06 +08:00
|
|
|
.It Fl r Ar hostname
|
|
|
|
Print the SSHFP fingerprint resource record named
|
|
|
|
.Ar hostname
|
|
|
|
for the specified public key file.
|
2003-08-02 20:40:07 +08:00
|
|
|
.It Fl S Ar start
|
|
|
|
Specify start point (in hex) when generating candidate moduli for DH-GEX.
|
|
|
|
.It Fl T Ar output_file
|
|
|
|
Test DH group exchange candidate primes (generated using the
|
|
|
|
.Fl G
|
|
|
|
option) for safety.
|
2005-03-02 09:05:06 +08:00
|
|
|
.It Fl t Ar type
|
|
|
|
Specifies the type of key to create.
|
|
|
|
The possible values are
|
|
|
|
.Dq rsa1
|
|
|
|
for protocol version 1 and
|
|
|
|
.Dq rsa
|
|
|
|
or
|
|
|
|
.Dq dsa
|
|
|
|
for protocol version 2.
|
2001-08-07 05:51:34 +08:00
|
|
|
.It Fl U Ar reader
|
|
|
|
Upload an existing RSA private key into the smartcard in
|
|
|
|
.Ar reader .
|
2003-12-31 08:34:51 +08:00
|
|
|
.It Fl v
|
|
|
|
Verbose mode.
|
|
|
|
Causes
|
|
|
|
.Nm
|
|
|
|
to print debugging messages about its progress.
|
|
|
|
This is helpful for debugging moduli generation.
|
|
|
|
Multiple
|
|
|
|
.Fl v
|
|
|
|
options increase the verbosity.
|
|
|
|
The maximum is 3.
|
2005-03-02 09:05:06 +08:00
|
|
|
.It Fl W Ar generator
|
|
|
|
Specify desired generator when testing candidate moduli for DH-GEX.
|
|
|
|
.It Fl y
|
|
|
|
This option will read a private
|
|
|
|
OpenSSH format file and print an OpenSSH public key to stdout.
|
1999-10-29 07:15:49 +08:00
|
|
|
.El
|
2003-08-02 20:40:07 +08:00
|
|
|
.Sh MODULI GENERATION
|
|
|
|
.Nm
|
|
|
|
may be used to generate groups for the Diffie-Hellman Group Exchange
|
|
|
|
(DH-GEX) protocol.
|
|
|
|
Generating these groups is a two-step process: first, candidate
|
|
|
|
primes are generated using a fast, but memory intensive process.
|
|
|
|
These candidate primes are then tested for suitability (a CPU-intensive
|
|
|
|
process).
|
|
|
|
.Pp
|
|
|
|
Generation of primes is performed using the
|
|
|
|
.Fl G
|
|
|
|
option.
|
|
|
|
The desired length of the primes may be specified by the
|
|
|
|
.Fl b
|
|
|
|
option.
|
|
|
|
For example:
|
|
|
|
.Pp
|
2005-03-02 09:05:06 +08:00
|
|
|
.Dl # ssh-keygen -G moduli-2048.candidates -b 2048
|
2003-08-02 20:40:07 +08:00
|
|
|
.Pp
|
|
|
|
By default, the search for primes begins at a random point in the
|
|
|
|
desired length range.
|
|
|
|
This may be overridden using the
|
|
|
|
.Fl S
|
|
|
|
option, which specifies a different start point (in hex).
|
|
|
|
.Pp
|
|
|
|
Once a set of candidates have been generated, they must be tested for
|
|
|
|
suitability.
|
|
|
|
This may be performed using the
|
|
|
|
.Fl T
|
|
|
|
option.
|
|
|
|
In this mode
|
|
|
|
.Nm
|
|
|
|
will read candidates from standard input (or a file specified using the
|
|
|
|
.Fl f
|
|
|
|
option).
|
|
|
|
For example:
|
|
|
|
.Pp
|
2005-03-02 09:05:06 +08:00
|
|
|
.Dl # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
|
2003-08-02 20:40:07 +08:00
|
|
|
.Pp
|
|
|
|
By default, each candidate will be subjected to 100 primality tests.
|
|
|
|
This may be overridden using the
|
|
|
|
.Fl a
|
|
|
|
option.
|
|
|
|
The DH generator value will be chosen automatically for the
|
|
|
|
prime under consideration.
|
|
|
|
If a specific generator is desired, it may be requested using the
|
|
|
|
.Fl W
|
|
|
|
option.
|
2005-03-02 09:05:06 +08:00
|
|
|
Valid generator values are 2, 3, and 5.
|
2003-08-02 20:40:07 +08:00
|
|
|
.Pp
|
|
|
|
Screened DH groups may be installed in
|
|
|
|
.Pa /etc/moduli .
|
|
|
|
It is important that this file contains moduli of a range of bit lengths and
|
|
|
|
that both ends of a connection share common moduli.
|
1999-10-29 07:15:49 +08:00
|
|
|
.Sh FILES
|
|
|
|
.Bl -tag -width Ds
|
2005-05-26 10:04:02 +08:00
|
|
|
.It Pa ~/.ssh/identity
|
2001-04-11 23:59:35 +08:00
|
|
|
Contains the protocol version 1 RSA authentication identity of the user.
|
2000-03-26 11:04:51 +08:00
|
|
|
This file should not be readable by anyone but the user.
|
|
|
|
It is possible to
|
1999-10-29 07:15:49 +08:00
|
|
|
specify a passphrase when generating the key; that passphrase will be
|
2000-03-26 11:04:51 +08:00
|
|
|
used to encrypt the private part of this file using 3DES.
|
|
|
|
This file is not automatically accessed by
|
1999-10-29 07:15:49 +08:00
|
|
|
.Nm
|
|
|
|
but it is offered as the default file for the private key.
|
2001-07-04 11:35:24 +08:00
|
|
|
.Xr ssh 1
|
- Remove references to SSLeay.
- Big OpenBSD CVS update
- markus@cvs.openbsd.org
[clientloop.c]
- typo
[session.c]
- update proctitle on pty alloc/dealloc, e.g. w/ windows client
[session.c]
- update proctitle for proto 1, too
[channels.h nchan.c serverloop.c session.c sshd.c]
- use c-style comments
- deraadt@cvs.openbsd.org
[scp.c]
- more atomicio
- markus@cvs.openbsd.org
[channels.c]
- set O_NONBLOCK
[ssh.1]
- update AUTHOR
[readconf.c ssh-keygen.c ssh.h]
- default DSA key file ~/.ssh/id_dsa
[clientloop.c]
- typo, rm verbose debug
- deraadt@cvs.openbsd.org
[ssh-keygen.1]
- document DSA use of ssh-keygen
[sshd.8]
- a start at describing what i understand of the DSA side
[ssh-keygen.1]
- document -X and -x
[ssh-keygen.c]
- simplify usage
- markus@cvs.openbsd.org
[sshd.8]
- there is no rhosts_dsa
[ssh-keygen.1]
- document -y, update -X,-x
[nchan.c]
- fix close for non-open ssh1 channels
[servconf.c servconf.h ssh.h sshd.8 sshd.c ]
- s/DsaKey/HostDSAKey/, document option
[sshconnect2.c]
- respect number_of_password_prompts
[channels.c channels.h servconf.c servconf.h session.c sshd.8]
- GatewayPorts for sshd, ok deraadt@
[ssh-add.1 ssh-agent.1 ssh.1]
- more doc on: DSA, id_dsa, known_hosts2, authorized_keys2
[ssh.1]
- more info on proto 2
[sshd.8]
- sync AUTHOR w/ ssh.1
[key.c key.h sshconnect.c]
- print key type when talking about host keys
[packet.c]
- clear padding in ssh2
[dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h]
- replace broken uuencode w/ libc b64_ntop
[auth2.c]
- log failure before sending the reply
[key.c radix.c uuencode.c]
- remote trailing comments before calling __b64_pton
[auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1]
[sshconnect2.c sshd.8]
- add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
- Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
2000-05-07 10:03:14 +08:00
|
|
|
will read this file when a login attempt is made.
|
2005-05-26 10:04:02 +08:00
|
|
|
.It Pa ~/.ssh/identity.pub
|
2001-04-11 23:59:35 +08:00
|
|
|
Contains the protocol version 1 RSA public key for authentication.
|
2000-03-26 11:04:51 +08:00
|
|
|
The contents of this file should be added to
|
2005-05-26 10:04:02 +08:00
|
|
|
.Pa ~/.ssh/authorized_keys
|
1999-10-29 07:15:49 +08:00
|
|
|
on all machines
|
2001-09-13 02:35:30 +08:00
|
|
|
where the user wishes to log in using RSA authentication.
|
2000-03-26 11:04:51 +08:00
|
|
|
There is no need to keep the contents of this file secret.
|
2005-05-26 10:04:02 +08:00
|
|
|
.It Pa ~/.ssh/id_dsa
|
2001-04-11 23:59:35 +08:00
|
|
|
Contains the protocol version 2 DSA authentication identity of the user.
|
- Remove references to SSLeay.
- Big OpenBSD CVS update
- markus@cvs.openbsd.org
[clientloop.c]
- typo
[session.c]
- update proctitle on pty alloc/dealloc, e.g. w/ windows client
[session.c]
- update proctitle for proto 1, too
[channels.h nchan.c serverloop.c session.c sshd.c]
- use c-style comments
- deraadt@cvs.openbsd.org
[scp.c]
- more atomicio
- markus@cvs.openbsd.org
[channels.c]
- set O_NONBLOCK
[ssh.1]
- update AUTHOR
[readconf.c ssh-keygen.c ssh.h]
- default DSA key file ~/.ssh/id_dsa
[clientloop.c]
- typo, rm verbose debug
- deraadt@cvs.openbsd.org
[ssh-keygen.1]
- document DSA use of ssh-keygen
[sshd.8]
- a start at describing what i understand of the DSA side
[ssh-keygen.1]
- document -X and -x
[ssh-keygen.c]
- simplify usage
- markus@cvs.openbsd.org
[sshd.8]
- there is no rhosts_dsa
[ssh-keygen.1]
- document -y, update -X,-x
[nchan.c]
- fix close for non-open ssh1 channels
[servconf.c servconf.h ssh.h sshd.8 sshd.c ]
- s/DsaKey/HostDSAKey/, document option
[sshconnect2.c]
- respect number_of_password_prompts
[channels.c channels.h servconf.c servconf.h session.c sshd.8]
- GatewayPorts for sshd, ok deraadt@
[ssh-add.1 ssh-agent.1 ssh.1]
- more doc on: DSA, id_dsa, known_hosts2, authorized_keys2
[ssh.1]
- more info on proto 2
[sshd.8]
- sync AUTHOR w/ ssh.1
[key.c key.h sshconnect.c]
- print key type when talking about host keys
[packet.c]
- clear padding in ssh2
[dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h]
- replace broken uuencode w/ libc b64_ntop
[auth2.c]
- log failure before sending the reply
[key.c radix.c uuencode.c]
- remote trailing comments before calling __b64_pton
[auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1]
[sshconnect2.c sshd.8]
- add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
- Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
2000-05-07 10:03:14 +08:00
|
|
|
This file should not be readable by anyone but the user.
|
|
|
|
It is possible to
|
|
|
|
specify a passphrase when generating the key; that passphrase will be
|
|
|
|
used to encrypt the private part of this file using 3DES.
|
|
|
|
This file is not automatically accessed by
|
|
|
|
.Nm
|
|
|
|
but it is offered as the default file for the private key.
|
2001-07-04 11:35:24 +08:00
|
|
|
.Xr ssh 1
|
- Remove references to SSLeay.
- Big OpenBSD CVS update
- markus@cvs.openbsd.org
[clientloop.c]
- typo
[session.c]
- update proctitle on pty alloc/dealloc, e.g. w/ windows client
[session.c]
- update proctitle for proto 1, too
[channels.h nchan.c serverloop.c session.c sshd.c]
- use c-style comments
- deraadt@cvs.openbsd.org
[scp.c]
- more atomicio
- markus@cvs.openbsd.org
[channels.c]
- set O_NONBLOCK
[ssh.1]
- update AUTHOR
[readconf.c ssh-keygen.c ssh.h]
- default DSA key file ~/.ssh/id_dsa
[clientloop.c]
- typo, rm verbose debug
- deraadt@cvs.openbsd.org
[ssh-keygen.1]
- document DSA use of ssh-keygen
[sshd.8]
- a start at describing what i understand of the DSA side
[ssh-keygen.1]
- document -X and -x
[ssh-keygen.c]
- simplify usage
- markus@cvs.openbsd.org
[sshd.8]
- there is no rhosts_dsa
[ssh-keygen.1]
- document -y, update -X,-x
[nchan.c]
- fix close for non-open ssh1 channels
[servconf.c servconf.h ssh.h sshd.8 sshd.c ]
- s/DsaKey/HostDSAKey/, document option
[sshconnect2.c]
- respect number_of_password_prompts
[channels.c channels.h servconf.c servconf.h session.c sshd.8]
- GatewayPorts for sshd, ok deraadt@
[ssh-add.1 ssh-agent.1 ssh.1]
- more doc on: DSA, id_dsa, known_hosts2, authorized_keys2
[ssh.1]
- more info on proto 2
[sshd.8]
- sync AUTHOR w/ ssh.1
[key.c key.h sshconnect.c]
- print key type when talking about host keys
[packet.c]
- clear padding in ssh2
[dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h]
- replace broken uuencode w/ libc b64_ntop
[auth2.c]
- log failure before sending the reply
[key.c radix.c uuencode.c]
- remote trailing comments before calling __b64_pton
[auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1]
[sshconnect2.c sshd.8]
- add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
- Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
2000-05-07 10:03:14 +08:00
|
|
|
will read this file when a login attempt is made.
|
2005-05-26 10:04:02 +08:00
|
|
|
.It Pa ~/.ssh/id_dsa.pub
|
2001-04-11 23:59:35 +08:00
|
|
|
Contains the protocol version 2 DSA public key for authentication.
|
|
|
|
The contents of this file should be added to
|
2005-05-26 10:04:02 +08:00
|
|
|
.Pa ~/.ssh/authorized_keys
|
2001-04-11 23:59:35 +08:00
|
|
|
on all machines
|
2001-09-13 02:35:30 +08:00
|
|
|
where the user wishes to log in using public key authentication.
|
2001-04-11 23:59:35 +08:00
|
|
|
There is no need to keep the contents of this file secret.
|
2005-05-26 10:04:02 +08:00
|
|
|
.It Pa ~/.ssh/id_rsa
|
2001-04-11 23:59:35 +08:00
|
|
|
Contains the protocol version 2 RSA authentication identity of the user.
|
|
|
|
This file should not be readable by anyone but the user.
|
|
|
|
It is possible to
|
|
|
|
specify a passphrase when generating the key; that passphrase will be
|
|
|
|
used to encrypt the private part of this file using 3DES.
|
|
|
|
This file is not automatically accessed by
|
|
|
|
.Nm
|
|
|
|
but it is offered as the default file for the private key.
|
2001-07-04 11:35:24 +08:00
|
|
|
.Xr ssh 1
|
2001-04-11 23:59:35 +08:00
|
|
|
will read this file when a login attempt is made.
|
2005-05-26 10:04:02 +08:00
|
|
|
.It Pa ~/.ssh/id_rsa.pub
|
2001-04-11 23:59:35 +08:00
|
|
|
Contains the protocol version 2 RSA public key for authentication.
|
- Remove references to SSLeay.
- Big OpenBSD CVS update
- markus@cvs.openbsd.org
[clientloop.c]
- typo
[session.c]
- update proctitle on pty alloc/dealloc, e.g. w/ windows client
[session.c]
- update proctitle for proto 1, too
[channels.h nchan.c serverloop.c session.c sshd.c]
- use c-style comments
- deraadt@cvs.openbsd.org
[scp.c]
- more atomicio
- markus@cvs.openbsd.org
[channels.c]
- set O_NONBLOCK
[ssh.1]
- update AUTHOR
[readconf.c ssh-keygen.c ssh.h]
- default DSA key file ~/.ssh/id_dsa
[clientloop.c]
- typo, rm verbose debug
- deraadt@cvs.openbsd.org
[ssh-keygen.1]
- document DSA use of ssh-keygen
[sshd.8]
- a start at describing what i understand of the DSA side
[ssh-keygen.1]
- document -X and -x
[ssh-keygen.c]
- simplify usage
- markus@cvs.openbsd.org
[sshd.8]
- there is no rhosts_dsa
[ssh-keygen.1]
- document -y, update -X,-x
[nchan.c]
- fix close for non-open ssh1 channels
[servconf.c servconf.h ssh.h sshd.8 sshd.c ]
- s/DsaKey/HostDSAKey/, document option
[sshconnect2.c]
- respect number_of_password_prompts
[channels.c channels.h servconf.c servconf.h session.c sshd.8]
- GatewayPorts for sshd, ok deraadt@
[ssh-add.1 ssh-agent.1 ssh.1]
- more doc on: DSA, id_dsa, known_hosts2, authorized_keys2
[ssh.1]
- more info on proto 2
[sshd.8]
- sync AUTHOR w/ ssh.1
[key.c key.h sshconnect.c]
- print key type when talking about host keys
[packet.c]
- clear padding in ssh2
[dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h]
- replace broken uuencode w/ libc b64_ntop
[auth2.c]
- log failure before sending the reply
[key.c radix.c uuencode.c]
- remote trailing comments before calling __b64_pton
[auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1]
[sshconnect2.c sshd.8]
- add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
- Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
2000-05-07 10:03:14 +08:00
|
|
|
The contents of this file should be added to
|
2005-05-26 10:04:02 +08:00
|
|
|
.Pa ~/.ssh/authorized_keys
|
- Remove references to SSLeay.
- Big OpenBSD CVS update
- markus@cvs.openbsd.org
[clientloop.c]
- typo
[session.c]
- update proctitle on pty alloc/dealloc, e.g. w/ windows client
[session.c]
- update proctitle for proto 1, too
[channels.h nchan.c serverloop.c session.c sshd.c]
- use c-style comments
- deraadt@cvs.openbsd.org
[scp.c]
- more atomicio
- markus@cvs.openbsd.org
[channels.c]
- set O_NONBLOCK
[ssh.1]
- update AUTHOR
[readconf.c ssh-keygen.c ssh.h]
- default DSA key file ~/.ssh/id_dsa
[clientloop.c]
- typo, rm verbose debug
- deraadt@cvs.openbsd.org
[ssh-keygen.1]
- document DSA use of ssh-keygen
[sshd.8]
- a start at describing what i understand of the DSA side
[ssh-keygen.1]
- document -X and -x
[ssh-keygen.c]
- simplify usage
- markus@cvs.openbsd.org
[sshd.8]
- there is no rhosts_dsa
[ssh-keygen.1]
- document -y, update -X,-x
[nchan.c]
- fix close for non-open ssh1 channels
[servconf.c servconf.h ssh.h sshd.8 sshd.c ]
- s/DsaKey/HostDSAKey/, document option
[sshconnect2.c]
- respect number_of_password_prompts
[channels.c channels.h servconf.c servconf.h session.c sshd.8]
- GatewayPorts for sshd, ok deraadt@
[ssh-add.1 ssh-agent.1 ssh.1]
- more doc on: DSA, id_dsa, known_hosts2, authorized_keys2
[ssh.1]
- more info on proto 2
[sshd.8]
- sync AUTHOR w/ ssh.1
[key.c key.h sshconnect.c]
- print key type when talking about host keys
[packet.c]
- clear padding in ssh2
[dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h]
- replace broken uuencode w/ libc b64_ntop
[auth2.c]
- log failure before sending the reply
[key.c radix.c uuencode.c]
- remote trailing comments before calling __b64_pton
[auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1]
[sshconnect2.c sshd.8]
- add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
- Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
2000-05-07 10:03:14 +08:00
|
|
|
on all machines
|
2001-09-13 02:35:30 +08:00
|
|
|
where the user wishes to log in using public key authentication.
|
- Remove references to SSLeay.
- Big OpenBSD CVS update
- markus@cvs.openbsd.org
[clientloop.c]
- typo
[session.c]
- update proctitle on pty alloc/dealloc, e.g. w/ windows client
[session.c]
- update proctitle for proto 1, too
[channels.h nchan.c serverloop.c session.c sshd.c]
- use c-style comments
- deraadt@cvs.openbsd.org
[scp.c]
- more atomicio
- markus@cvs.openbsd.org
[channels.c]
- set O_NONBLOCK
[ssh.1]
- update AUTHOR
[readconf.c ssh-keygen.c ssh.h]
- default DSA key file ~/.ssh/id_dsa
[clientloop.c]
- typo, rm verbose debug
- deraadt@cvs.openbsd.org
[ssh-keygen.1]
- document DSA use of ssh-keygen
[sshd.8]
- a start at describing what i understand of the DSA side
[ssh-keygen.1]
- document -X and -x
[ssh-keygen.c]
- simplify usage
- markus@cvs.openbsd.org
[sshd.8]
- there is no rhosts_dsa
[ssh-keygen.1]
- document -y, update -X,-x
[nchan.c]
- fix close for non-open ssh1 channels
[servconf.c servconf.h ssh.h sshd.8 sshd.c ]
- s/DsaKey/HostDSAKey/, document option
[sshconnect2.c]
- respect number_of_password_prompts
[channels.c channels.h servconf.c servconf.h session.c sshd.8]
- GatewayPorts for sshd, ok deraadt@
[ssh-add.1 ssh-agent.1 ssh.1]
- more doc on: DSA, id_dsa, known_hosts2, authorized_keys2
[ssh.1]
- more info on proto 2
[sshd.8]
- sync AUTHOR w/ ssh.1
[key.c key.h sshconnect.c]
- print key type when talking about host keys
[packet.c]
- clear padding in ssh2
[dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h]
- replace broken uuencode w/ libc b64_ntop
[auth2.c]
- log failure before sending the reply
[key.c radix.c uuencode.c]
- remote trailing comments before calling __b64_pton
[auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1]
[sshconnect2.c sshd.8]
- add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
- Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
2000-05-07 10:03:14 +08:00
|
|
|
There is no need to keep the contents of this file secret.
|
2003-08-02 20:40:07 +08:00
|
|
|
.It Pa /etc/moduli
|
|
|
|
Contains Diffie-Hellman groups used for DH-GEX.
|
|
|
|
The file format is described in
|
|
|
|
.Xr moduli 5 .
|
2000-07-11 15:31:38 +08:00
|
|
|
.El
|
1999-10-29 07:15:49 +08:00
|
|
|
.Sh SEE ALSO
|
|
|
|
.Xr ssh 1 ,
|
|
|
|
.Xr ssh-add 1 ,
|
1999-11-15 20:33:56 +08:00
|
|
|
.Xr ssh-agent 1 ,
|
2003-08-02 20:40:07 +08:00
|
|
|
.Xr moduli 5 ,
|
2001-02-11 07:10:33 +08:00
|
|
|
.Xr sshd 8
|
2001-04-23 01:15:46 +08:00
|
|
|
.Rs
|
2007-01-05 13:25:46 +08:00
|
|
|
.%R RFC 4716
|
|
|
|
.%T "The Secure Shell (SSH) Public Key File Format"
|
|
|
|
.%D 2006
|
2001-04-23 01:15:46 +08:00
|
|
|
.Re
|
2003-06-11 20:04:39 +08:00
|
|
|
.Sh AUTHORS
|
|
|
|
OpenSSH is a derivative of the original and free
|
|
|
|
ssh 1.2.12 release by Tatu Ylonen.
|
|
|
|
Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
|
|
|
|
Theo de Raadt and Dug Song
|
|
|
|
removed many bugs, re-added newer features and
|
|
|
|
created OpenSSH.
|
|
|
|
Markus Friedl contributed the support for SSH
|
|
|
|
protocol versions 1.5 and 2.0.
|