version 1.22, 2018/08/26 07:46:36 |
version 1.23, 2019/04/20 17:16:40 |
|
|
.\" $NetBSD$ |
.\" $NetBSD$ |
.\" $OpenBSD: ssh-keygen.1,v 1.148 2018/08/08 01:16:01 djm Exp $ |
.\" $OpenBSD: ssh-keygen.1,v 1.157 2019/03/05 16:17:12 naddy Exp $ |
.\" |
.\" |
.\" -*- nroff -*- |
.\" -*- nroff -*- |
.\" |
.\" |
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
.\" |
.\" |
.Dd August 8 2018 |
.Dd March 5 2019 |
.Dt SSH-KEYGEN 1 |
.Dt SSH-KEYGEN 1 |
.Os |
.Os |
.Sh NAME |
.Sh NAME |
|
|
.Op Fl N Ar new_passphrase |
.Op Fl N Ar new_passphrase |
.Op Fl C Ar comment |
.Op Fl C Ar comment |
.Op Fl f Ar output_keyfile |
.Op Fl f Ar output_keyfile |
|
.Op Fl m Ar format |
.Nm ssh-keygen |
.Nm ssh-keygen |
.Fl p |
.Fl p |
.Op Fl P Ar old_passphrase |
.Op Fl P Ar old_passphrase |
.Op Fl N Ar new_passphrase |
.Op Fl N Ar new_passphrase |
.Op Fl f Ar keyfile |
.Op Fl f Ar keyfile |
|
.Op Fl m Ar format |
.Nm ssh-keygen |
.Nm ssh-keygen |
.Fl i |
.Fl i |
.Op Fl m Ar key_format |
.Op Fl m Ar key_format |
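Review bot: the argument name for the added -m option is inconsistent within the synopsis: the two new lines `.Op Fl m Ar format` (key generation and -p forms) use `format`, while the existing -i form right below them and the -m option entry both use `key_format`. Use `.Op Fl m Ar key_format` in both added lines so the synopsis and the option description name the same placeholder.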
Line 208 There is no way to recover a lost passph |
|
Line 210 There is no way to recover a lost passph |
|
If the passphrase is lost or forgotten, a new key must be generated |
If the passphrase is lost or forgotten, a new key must be generated |
and the corresponding public key copied to other machines. |
and the corresponding public key copied to other machines. |
.Pp |
.Pp |
For keys stored in the newer OpenSSH format, |
.Nm |
there is also a comment field in the key file that is only for |
will by default write keys in an OpenSSH-specific format. |
convenience to the user to help identify the key. |
This format is preferred as it offers better protection for |
The comment can tell what the key is for, or whatever is useful. |
keys at rest as well as allowing storage of key comments within |
|
the private key file itself. |
|
The key comment may be useful to help identify the key. |
The comment is initialized to |
The comment is initialized to |
.Dq user@host |
.Dq user@host |
when the key is created, but can be changed using the |
when the key is created, but can be changed using the |
.Fl c |
.Fl c |
option. |
option. |
.Pp |
.Pp |
|
It is still possible for |
|
.Nm |
|
to write the previously-used PEM format private keys using the |
|
.Fl m |
|
flag. |
|
This may be used when generating new keys, and existing new-format |
|
keys may be converted using this option in conjunction with the |
|
.Fl p |
|
(change passphrase) flag. |
|
.Pp |
After a key is generated, instructions below detail where the keys |
After a key is generated, instructions below detail where the keys |
should be placed to be activated. |
should be placed to be activated. |
.Pp |
.Pp |
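Review bot: the new paragraph says the OpenSSH-specific format is preferred because it "offers better protection for keys at rest", and the following paragraph then documents `-m` with `-p` for rewriting existing new-format keys in the previously-used PEM format, without saying that this conversion gives up that protection. Add one sentence after "(change passphrase) flag." stating that a key converted to PEM format no longer has the at-rest protection of the default format, so readers converting for compatibility with other software see the trade-off. It would also help to say in one clause what the better protection consists of, since "better protection" on its own gives the reader nothing to check.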
Line 268 Requests changing the comment in the pri |
|
Line 282 Requests changing the comment in the pri |
|
The program will prompt for the file containing the private keys, for |
The program will prompt for the file containing the private keys, for |
the passphrase if the key has one, and for the new comment. |
the passphrase if the key has one, and for the new comment. |
.It Fl D Ar pkcs11 |
.It Fl D Ar pkcs11 |
Download the RSA public keys provided by the PKCS#11 shared library |
Download the public keys provided by the PKCS#11 shared library |
.Ar pkcs11 . |
.Ar pkcs11 . |
When used in combination with |
When used in combination with |
.Fl s , |
.Fl s , |
|
|
.Dq sha256 . |
.Dq sha256 . |
.It Fl e |
.It Fl e |
This option will read a private or public OpenSSH key file and |
This option will read a private or public OpenSSH key file and |
print to stdout the key in one of the formats specified by the |
print to stdout a public key in one of the formats specified by the |
.Fl m |
.Fl m |
option. |
option. |
The default export format is |
The default export format is |
.Dq RFC4716 . |
.Dq RFC4716 . |
This option allows exporting OpenSSH keys for use by other programs, including |
This option allows exporting OpenSSH keys for use by other programs, including |
several commercial SSH implementations. |
several commercial SSH implementations. |
.It Fl F Ar hostname |
.It Fl F Ar hostname | [hostname]:port |
Search for the specified |
Search for the specified |
.Ar hostname |
.Ar hostname |
|
(with optional port number) |
in a |
in a |
.Pa known_hosts |
.Pa known_hosts |
file, listing any occurrences found. |
file, listing any occurrences found. |
|
|
Specify the amount of memory to use (in megabytes) when generating |
Specify the amount of memory to use (in megabytes) when generating |
candidate moduli for DH-GEX. |
candidate moduli for DH-GEX. |
.It Fl m Ar key_format |
.It Fl m Ar key_format |
Specify a key format for the |
Specify a key format for key generation, the |
.Fl i |
.Fl i |
(import) or |
(import), |
.Fl e |
.Fl e |
(export) conversion options. |
(export) conversion options, and the |
|
.Fl p |
|
change passphrase operation. |
|
The latter may be used to convert between OpenSSH private key and PEM |
|
private key formats. |
The supported key formats are: |
The supported key formats are: |
.Dq RFC4716 |
.Dq RFC4716 |
(RFC 4716/SSH2 public or private key), |
(RFC 4716/SSH2 public or private key), |
|
|
Used by |
Used by |
.Pa /etc/rc.d/sshd |
.Pa /etc/rc.d/sshd |
when creating a new key. |
when creating a new key. |
.It Fl R Ar hostname |
.It Fl R Ar hostname | [hostname]:port |
Removes all keys belonging to |
Removes all keys belonging to the specified |
.Ar hostname |
.Ar hostname |
|
(with optional port number) |
from a |
from a |
.Pa known_hosts |
.Pa known_hosts |
file. |
file. |
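Review bot: the rewritten `-m` description lists its three uses with inconsistent punctuation: `-i` and `-e` get parenthesised glosses "(import)" and "(export)", while `-p` reads "change passphrase operation" with no parentheses. Write it as `.Fl p` followed by "(change passphrase) operation" to match the synopsis and the other two. Separately, the updated `-e` text now says it prints "a public key" in the selected format, but the unchanged RFC4716 entry in the format list still reads "public or private key"; if private keys in that format are now import-only, the list entry should say so rather than leave the two sentences in tension.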
Line 626 OpenSSH format file and print an OpenSSH |
|
Line 646 OpenSSH format file and print an OpenSSH |
|
.It Fl z Ar serial_number |
.It Fl z Ar serial_number |
Specifies a serial number to be embedded in the certificate to distinguish |
Specifies a serial number to be embedded in the certificate to distinguish |
this certificate from others from the same CA. |
this certificate from others from the same CA. |
|
If the |
|
.Ar serial_number |
|
is prefixed with a |
|
.Sq + |
|
character, then the serial number will be incremented for each certificate |
|
signed on a single command-line. |
The default serial number is zero. |
The default serial number is zero. |
.Pp |
.Pp |
When generating a KRL, the |
When generating a KRL, the |
|
|
Revokes the specified key. |
Revokes the specified key. |
If a certificate is listed, then it is revoked as a plain public key. |
If a certificate is listed, then it is revoked as a plain public key. |
.It Cm sha1 : Ar public_key |
.It Cm sha1 : Ar public_key |
Revokes the specified key by its SHA1 hash. |
Revokes the specified key by including its SHA1 hash in the KRL. |
|
.It Cm sha256 : Ar public_key |
|
Revokes the specified key by including its SHA256 hash in the KRL. |
|
KRLs that revoke keys by SHA256 hash are not supported by OpenSSH versions |
|
prior to 7.9. |
|
.It Cm hash : Ar fingerprint |
|
Revokes a key using a fingerprint hash, as obtained from a |
|
.Xr sshd 8 |
|
authentication log message or the |
|
.Nm |
|
.Fl l |
|
flag. |
|
Only SHA256 fingerprints are supported here and resultant KRLs are |
|
not supported by OpenSSH versions prior to 7.9. |
.El |
.El |
.Pp |
.Pp |
KRLs may be updated using the |
KRLs may be updated using the |
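Review bot: the new `hash:` specifier says the fingerprint is the one "obtained from a sshd(8) authentication log message or the ssh-keygen -l flag" and that only SHA256 fingerprints are supported, but gives no example of the accepted argument syntax; one sample `hash:` line would remove guesswork about how much of the `-l` output to paste. The `+` prefix for `-z` likewise leaves open whether the number given is the serial of the first certificate signed or the value before the first increment; a single sentence settles that. Minor: the note "not supported by OpenSSH versions prior to 7.9" is repeated for `sha256:` and `hash:`; it could be stated once after the `.El`.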