mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-11-24 02:02:10 +08:00
e247cc402b
- Big OpenBSD CVS update - markus@cvs.openbsd.org [clientloop.c] - typo [session.c] - update proctitle on pty alloc/dealloc, e.g. w/ windows client [session.c] - update proctitle for proto 1, too [channels.h nchan.c serverloop.c session.c sshd.c] - use c-style comments - deraadt@cvs.openbsd.org [scp.c] - more atomicio - markus@cvs.openbsd.org [channels.c] - set O_NONBLOCK [ssh.1] - update AUTHOR [readconf.c ssh-keygen.c ssh.h] - default DSA key file ~/.ssh/id_dsa [clientloop.c] - typo, rm verbose debug - deraadt@cvs.openbsd.org [ssh-keygen.1] - document DSA use of ssh-keygen [sshd.8] - a start at describing what i understand of the DSA side [ssh-keygen.1] - document -X and -x [ssh-keygen.c] - simplify usage - markus@cvs.openbsd.org [sshd.8] - there is no rhosts_dsa [ssh-keygen.1] - document -y, update -X,-x [nchan.c] - fix close for non-open ssh1 channels [servconf.c servconf.h ssh.h sshd.8 sshd.c ] - s/DsaKey/HostDSAKey/, document option [sshconnect2.c] - respect number_of_password_prompts [channels.c channels.h servconf.c servconf.h session.c sshd.8] - GatewayPorts for sshd, ok deraadt@ [ssh-add.1 ssh-agent.1 ssh.1] - more doc on: DSA, id_dsa, known_hosts2, authorized_keys2 [ssh.1] - more info on proto 2 [sshd.8] - sync AUTHOR w/ ssh.1 [key.c key.h sshconnect.c] - print key type when talking about host keys [packet.c] - clear padding in ssh2 [dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h] - replace broken uuencode w/ libc b64_ntop [auth2.c] - log failure before sending the reply [key.c radix.c uuencode.c] - remote trailing comments before calling __b64_pton [auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1] [sshconnect2.c sshd.8] - add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8 - Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
221 lines
6.3 KiB
Groff
221 lines
6.3 KiB
Groff
.\" -*- nroff -*-
|
|
.\"
|
|
.\" ssh-keygen.1
|
|
.\"
|
|
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
|
.\"
|
|
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
|
.\" All rights reserved
|
|
.\"
|
|
.\" Created: Sat Apr 22 23:55:14 1995 ylo
|
|
.\"
|
|
.\" $Id: ssh-keygen.1,v 1.14 2000/05/07 02:03:18 damien Exp $
|
|
.\"
|
|
.Dd September 25, 1999
|
|
.Dt SSH-KEYGEN 1
|
|
.Os
|
|
.Sh NAME
|
|
.Nm ssh-keygen
|
|
.Nd authentication key generation
|
|
.Sh SYNOPSIS
|
|
.Nm ssh-keygen
|
|
.Op Fl dq
|
|
.Op Fl b Ar bits
|
|
.Op Fl N Ar new_passphrase
|
|
.Op Fl C Ar comment
|
|
.Op Fl f Ar keyfile
|
|
.Nm ssh-keygen
|
|
.Fl p
|
|
.Op Fl P Ar old_passphrase
|
|
.Op Fl N Ar new_passphrase
|
|
.Op Fl f Ar keyfile
|
|
.Nm ssh-keygen
|
|
.Fl x
|
|
.Op Fl f Ar keyfile
|
|
.Nm ssh-keygen
|
|
.Fl X
|
|
.Op Fl f Ar keyfile
|
|
.Nm ssh-keygen
|
|
.Fl y
|
|
.Op Fl f Ar keyfile
|
|
.Nm ssh-keygen
|
|
.Fl c
|
|
.Op Fl P Ar passphrase
|
|
.Op Fl C Ar comment
|
|
.Op Fl f Ar keyfile
|
|
.Nm ssh-keygen
|
|
.Fl l
|
|
.Op Fl f Ar keyfile
|
|
.Nm ssh-keygen
|
|
.Fl R
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
generates and manages authentication keys for
|
|
.Xr ssh 1 .
|
|
.Nm
|
|
defaults to generating an RSA key for use by protocols 1.3 and 1.5;
|
|
specifying the
|
|
.Fl d
|
|
flag will create a DSA key instead for use by protocol 2.0.
|
|
.Pp
|
|
Normally each user wishing to use SSH
|
|
with RSA or DSA authentication runs this once to create the authentication
|
|
key in
|
|
.Pa $HOME/.ssh/identity
|
|
or
|
|
.Pa $HOME/.ssh/id_dsa .
|
|
Additionally, the system administrator may use this to generate host keys,
|
|
as seen in
|
|
.Pa /etc/rc .
|
|
.Pp
|
|
Normally this program generates the key and asks for a file in which
|
|
to store the private key.
|
|
The public key is stored in a file with the same name but
|
|
.Dq .pub
|
|
appended.
|
|
The program also asks for a passphrase.
|
|
The passphrase may be empty to indicate no passphrase
|
|
(host keys must have empty passphrase), or it may be a string of
|
|
arbitrary length.
|
|
Good passphrases are 10-30 characters long and are
|
|
not simple sentences or otherwise easily guessable (English
|
|
prose has only 1-2 bits of entropy per word, and provides very bad
|
|
passphrases).
|
|
The passphrase can be changed later by using the
|
|
.Fl p
|
|
option.
|
|
.Pp
|
|
There is no way to recover a lost passphrase.
|
|
If the passphrase is
|
|
lost or forgotten, you will have to generate a new key and copy the
|
|
corresponding public key to other machines.
|
|
.Pp
|
|
For RSA, there is also a comment field in the key file that is only for
|
|
convenience to the user to help identify the key.
|
|
The comment can tell what the key is for, or whatever is useful.
|
|
The comment is initialized to
|
|
.Dq user@host
|
|
when the key is created, but can be changed using the
|
|
.Fl c
|
|
option.
|
|
.Pp
|
|
After a key is generated, instructions below detail where the keys
|
|
should be placed to be activated.
|
|
.Pp
|
|
The options are as follows:
|
|
.Bl -tag -width Ds
|
|
.It Fl b Ar bits
|
|
Specifies the number of bits in the key to create.
|
|
Minimum is 512 bits.
|
|
Generally 1024 bits is considered sufficient, and key sizes
|
|
above that no longer improve security but make things slower.
|
|
The default is 1024 bits.
|
|
.It Fl c
|
|
Requests changing the comment in the private and public key files.
|
|
The program will prompt for the file containing the private keys, for
|
|
passphrase if the key has one, and for the new comment.
|
|
.It Fl f
|
|
Specifies the filename of the key file.
|
|
.It Fl l
|
|
Show fingerprint of specified private or public key file.
|
|
.It Fl p
|
|
Requests changing the passphrase of a private key file instead of
|
|
creating a new private key.
|
|
The program will prompt for the file
|
|
containing the private key, for the old passphrase, and twice for the
|
|
new passphrase.
|
|
.It Fl q
|
|
Silence
|
|
.Nm ssh-keygen .
|
|
Used by
|
|
.Pa /etc/rc
|
|
when creating a new key.
|
|
.It Fl C Ar comment
|
|
Provides the new comment.
|
|
.It Fl N Ar new_passphrase
|
|
Provides the new passphrase.
|
|
.It Fl P Ar passphrase
|
|
Provides the (old) passphrase.
|
|
.It Fl R
|
|
If RSA support is functional, immediately exits with code 0. If RSA
|
|
support is not functional, exits with code 1. This flag will be
|
|
removed once the RSA patent expires.
|
|
.It Fl x
|
|
This option will read a private
|
|
OpenSSH DSA format file and prints to stdout a SSH2-compatible public key.
|
|
.It Fl X
|
|
This option will read a
|
|
SSH2-compatible public key file and print to stdout an OpenSSH DSA compatible public key.
|
|
.It Fl y
|
|
This option will read a private
|
|
OpenSSH DSA format file and prints to stdout an OpenSSH DSA public key.
|
|
.El
|
|
.Sh FILES
|
|
.Bl -tag -width Ds
|
|
.It Pa $HOME/.ssh/identity
|
|
Contains the RSA authentication identity of the user.
|
|
This file should not be readable by anyone but the user.
|
|
It is possible to
|
|
specify a passphrase when generating the key; that passphrase will be
|
|
used to encrypt the private part of this file using 3DES.
|
|
This file is not automatically accessed by
|
|
.Nm
|
|
but it is offered as the default file for the private key.
|
|
.Xr sshd 8
|
|
will read this file when a login attempt is made.
|
|
.It Pa $HOME/.ssh/identity.pub
|
|
Contains the public key for authentication.
|
|
The contents of this file should be added to
|
|
.Pa $HOME/.ssh/authorized_keys
|
|
on all machines
|
|
where you wish to log in using RSA authentication.
|
|
There is no need to keep the contents of this file secret.
|
|
.It Pa $HOME/.ssh/id_dsa
|
|
Contains the DSA authentication identity of the user.
|
|
This file should not be readable by anyone but the user.
|
|
It is possible to
|
|
specify a passphrase when generating the key; that passphrase will be
|
|
used to encrypt the private part of this file using 3DES.
|
|
This file is not automatically accessed by
|
|
.Nm
|
|
but it is offered as the default file for the private key.
|
|
.Xr sshd 8
|
|
will read this file when a login attempt is made.
|
|
.It Pa $HOME/.ssh/id_dsa.pub
|
|
Contains the public key for authentication.
|
|
The contents of this file should be added to
|
|
.Pa $HOME/.ssh/authorized_keys2
|
|
on all machines
|
|
where you wish to log in using DSA authentication.
|
|
There is no need to keep the contents of this file secret.
|
|
.Sh AUTHOR
|
|
Tatu Ylonen <ylo@cs.hut.fi>
|
|
.Pp
|
|
OpenSSH
|
|
is a derivative of the original (free) ssh 1.2.12 release, but with bugs
|
|
removed and newer features re-added.
|
|
Rapidly after the 1.2.12 release,
|
|
newer versions bore successively more restrictive licenses.
|
|
This version of OpenSSH
|
|
.Bl -bullet
|
|
.It
|
|
has all components of a restrictive nature (i.e., patents)
|
|
directly removed from the source code; any licensed or patented components
|
|
are chosen from
|
|
external libraries.
|
|
.It
|
|
has been updated to support ssh protocol 1.5.
|
|
.It
|
|
contains added support for
|
|
.Xr kerberos 8
|
|
authentication and ticket passing.
|
|
.It
|
|
supports one-time password authentication with
|
|
.Xr skey 1 .
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr ssh 1 ,
|
|
.Xr ssh-add 1 ,
|
|
.Xr ssh-agent 1 ,
|
|
.Xr sshd 8 ,
|