1SSH-KEYGEN(1) BSD General Commands Manual SSH-KEYGEN(1)
2
4 ssh-keygen — authentication key generation, management and conversion
5
7 ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
8 [-N new_passphrase] [-C comment] [-f output_keyfile]
9 ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
10 ssh-keygen -i [-m key_format] [-f input_keyfile]
11 ssh-keygen -e [-m key_format] [-f input_keyfile]
12 ssh-keygen -y [-f input_keyfile]
13 ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
14 ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
15 ssh-keygen -B [-f input_keyfile]
16 ssh-keygen -D pkcs11
17 ssh-keygen -F hostname [-f known_hosts_file] [-l]
18 ssh-keygen -H [-f known_hosts_file]
19 ssh-keygen -R hostname [-f known_hosts_file]
20 ssh-keygen -r hostname [-f input_keyfile] [-g]
21 ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
22 ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]
23 [-j start_line] [-K checkpt] [-W generator]
24 ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]
25 [-O option] [-V validity_interval] [-z serial_number] file ...
26 ssh-keygen -L [-f input_keyfile]
27 ssh-keygen -A
28 ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
29 file ...
30 ssh-keygen -Q -f krl_file file ...
31
33 ssh-keygen generates, manages and converts authentication keys for
34 ssh(1). ssh-keygen can create keys for use by SSH protocol versions 1
35 and 2. Protocol 1 should not be used and is only offered to support
36 legacy devices. It suffers from a number of cryptographic weaknesses and
37 doesn't support many of the advanced features available for protocol 2.
38
39 The type of key to be generated is specified with the -t option. If
40 invoked without any arguments, ssh-keygen will generate an RSA key for
41 use in SSH protocol 2 connections.
42
43 ssh-keygen is also used to generate groups for use in Diffie-Hellman
44 group exchange (DH-GEX). See the MODULI GENERATION section for details.
45
46 Finally, ssh-keygen can be used to generate and update Key Revocation
47 Lists, and to test whether given keys have been revoked by one. See the
48 KEY REVOCATION LISTS section for details.
49
50 Normally each user wishing to use SSH with public key authentication runs
51 this once to create the authentication key in ~/.ssh/identity,
52 ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 or ~/.ssh/id_rsa.
53 Additionally, the system administrator may use this to generate host
54 keys, as seen in /etc/rc.
55
56 Normally this program generates the key and asks for a file in which to
57 store the private key. The public key is stored in a file with the same
58 name but “.pub” appended. The program also asks for a passphrase. The
59 passphrase may be empty to indicate no passphrase (host keys must have an
60 empty passphrase), or it may be a string of arbitrary length. A
61 passphrase is similar to a password, except it can be a phrase with a
62 series of words, punctuation, numbers, whitespace, or any string of char‐
63 acters you want. Good passphrases are 10-30 characters long, are not
64 simple sentences or otherwise easily guessable (English prose has only
65 1-2 bits of entropy per character, and provides very bad passphrases),
66 and contain a mix of upper and lowercase letters, numbers, and non-
67 alphanumeric characters. The passphrase can be changed later by using
68 the -p option.
69
70 There is no way to recover a lost passphrase. If the passphrase is lost
71 or forgotten, a new key must be generated and the corresponding public
72 key copied to other machines.
73
74 For RSA1 keys and keys stored in the newer OpenSSH format, there is also
75 a comment field in the key file that is only for convenience to the user
76 to help identify the key. The comment can tell what the key is for, or
77 whatever is useful. The comment is initialized to “user@host” when the
78 key is created, but can be changed using the -c option.
79
80 After a key is generated, instructions below detail where the keys should
81 be placed to be activated.
82
83 The options are as follows:
84
85 -A For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for
86 which host keys do not exist, generate the host keys with the
87 default key file path, an empty passphrase, default bits for the
88 key type, and default comment. This is used by /etc/rc to gener‐
89 ate new host keys.
90
91 -a rounds
92 When saving a new-format private key (i.e. an ed25519 key or any
93 SSH protocol 2 key when the -o flag is set), this option speci‐
94 fies the number of KDF (key derivation function) rounds used.
95 Higher numbers result in slower passphrase verification and
96 increased resistance to brute-force password cracking (should the
97 keys be stolen).
98
99 When screening DH-GEX candidates ( using the -T command). This
100 option specifies the number of primality tests to perform.
101
102 -B Show the bubblebabble digest of specified private or public key
103 file.
104
105 -b bits
106 Specifies the number of bits in the key to create. For RSA keys,
107 the minimum size is 1024 bits and the default is 2048 bits. Gen‐
108 erally, 2048 bits is considered sufficient. DSA keys must be
109 exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys,
110 the -b flag determines the key length by selecting from one of
111 three elliptic curve sizes: 256, 384 or 521 bits. Attempting to
112 use bit lengths other than these three values for ECDSA keys will
113 fail. Ed25519 keys have a fixed length and the -b flag will be
114 ignored.
115
116 -C comment
117 Provides a new comment.
118
119 -c Requests changing the comment in the private and public key
120 files. This operation is only supported for RSA1 keys and keys
121 stored in the newer OpenSSH format. The program will prompt for
122 the file containing the private keys, for the passphrase if the
123 key has one, and for the new comment.
124
125 -D pkcs11
126 Download the RSA public keys provided by the PKCS#11 shared
127 library pkcs11. When used in combination with -s, this option
128 indicates that a CA key resides in a PKCS#11 token (see the
129 CERTIFICATES section for details).
130
131 -E fingerprint_hash
132 Specifies the hash algorithm used when displaying key finger‐
133 prints. Valid options are: “md5” and “sha256”. The default is
134 “sha256”.
135
136 -e This option will read a private or public OpenSSH key file and
137 print to stdout the key in one of the formats specified by the -m
138 option. The default export format is “RFC4716”. This option
139 allows exporting OpenSSH keys for use by other programs, includ‐
140 ing several commercial SSH implementations.
141
142 -F hostname
143 Search for the specified hostname in a known_hosts file, listing
144 any occurrences found. This option is useful to find hashed host
145 names or addresses and may also be used in conjunction with the
146 -H option to print found keys in a hashed format.
147
148 -f filename
149 Specifies the filename of the key file.
150
151 -G output_file
152 Generate candidate primes for DH-GEX. These primes must be
153 screened for safety (using the -T option) before use.
154
155 -g Use generic DNS format when printing fingerprint resource records
156 using the -r command.
157
158 -H Hash a known_hosts file. This replaces all hostnames and
159 addresses with hashed representations within the specified file;
160 the original content is moved to a file with a .old suffix.
161 These hashes may be used normally by ssh and sshd, but they do
162 not reveal identifying information should the file's contents be
163 disclosed. This option will not modify existing hashed hostnames
164 and is therefore safe to use on files that mix hashed and non-
165 hashed names.
166
167 -h When signing a key, create a host certificate instead of a user
168 certificate. Please see the CERTIFICATES section for details.
169
170 -I certificate_identity
171 Specify the key identity when signing a public key. Please see
172 the CERTIFICATES section for details.
173
174 -i This option will read an unencrypted private (or public) key file
175 in the format specified by the -m option and print an OpenSSH
176 compatible private (or public) key to stdout. This option allows
177 importing keys from other software, including several commercial
178 SSH implementations. The default import format is “RFC4716”.
179
180 -J num_lines
181 Exit after screening the specified number of lines while perform‐
182 ing DH candidate screening using the -T option.
183
184 -j start_line
185 Start screening at the specified line number while performing DH
186 candidate screening using the -T option.
187
188 -K checkpt
189 Write the last line processed to the file checkpt while perform‐
190 ing DH candidate screening using the -T option. This will be
191 used to skip lines in the input file that have already been pro‐
192 cessed if the job is restarted.
193
194 -k Generate a KRL file. In this mode, ssh-keygen will generate a
195 KRL file at the location specified via the -f flag that revokes
196 every key or certificate presented on the command line.
197 Keys/certificates to be revoked may be specified by public key
198 file or using the format described in the KEY REVOCATION LISTS
199 section.
200
201 -L Prints the contents of one or more certificates.
202
203 -l Show fingerprint of specified public key file. Private RSA1 keys
204 are also supported. For RSA and DSA keys ssh-keygen tries to
205 find the matching public key file and prints its fingerprint. If
206 combined with -v, a visual ASCII art representation of the key is
207 supplied with the fingerprint.
208
209 -M memory
210 Specify the amount of memory to use (in megabytes) when generat‐
211 ing candidate moduli for DH-GEX.
212
213 -m key_format
214 Specify a key format for the -i (import) or -e (export) conver‐
215 sion options. The supported key formats are: “RFC4716” (RFC
216 4716/SSH2 public or private key), “PKCS8” (PEM PKCS8 public key)
217 or “PEM” (PEM public key). The default conversion format is
218 “RFC4716”.
219
220 -N new_passphrase
221 Provides the new passphrase.
222
223 -n principals
224 Specify one or more principals (user or host names) to be
225 included in a certificate when signing a key. Multiple princi‐
226 pals may be specified, separated by commas. Please see the
227 CERTIFICATES section for details.
228
229 -O option
230 Specify a certificate option when signing a key. This option may
231 be specified multiple times. Please see the CERTIFICATES section
232 for details. The options that are valid for user certificates
233 are:
234
235 clear Clear all enabled permissions. This is useful for clear‐
236 ing the default set of permissions so permissions may be
237 added individually.
238
239 force-command=command
240 Forces the execution of command instead of any shell or
241 command specified by the user when the certificate is
242 used for authentication.
243
244 no-agent-forwarding
245 Disable ssh-agent(1) forwarding (permitted by default).
246
247 no-port-forwarding
248 Disable port forwarding (permitted by default).
249
250 no-pty Disable PTY allocation (permitted by default).
251
252 no-user-rc
253 Disable execution of ~/.ssh/rc by sshd(8) (permitted by
254 default).
255
256 no-x11-forwarding
257 Disable X11 forwarding (permitted by default).
258
259 permit-agent-forwarding
260 Allows ssh-agent(1) forwarding.
261
262 permit-port-forwarding
263 Allows port forwarding.
264
265 permit-pty
266 Allows PTY allocation.
267
268 permit-user-rc
269 Allows execution of ~/.ssh/rc by sshd(8).
270
271 permit-x11-forwarding
272 Allows X11 forwarding.
273
274 source-address=address_list
275 Restrict the source addresses from which the certificate
276 is considered valid. The address_list is a comma-sepa‐
277 rated list of one or more address/netmask pairs in CIDR
278 format.
279
280 At present, no options are valid for host keys.
281
282 -o Causes ssh-keygen to save private keys using the new OpenSSH for‐
283 mat rather than the more compatible PEM format. The new format
284 has increased resistance to brute-force password cracking but is
285 not supported by versions of OpenSSH prior to 6.5. Ed25519 keys
286 always use the new private key format.
287
288 -P passphrase
289 Provides the (old) passphrase.
290
291 -p Requests changing the passphrase of a private key file instead of
292 creating a new private key. The program will prompt for the file
293 containing the private key, for the old passphrase, and twice for
294 the new passphrase.
295
296 -Q Test whether keys have been revoked in a KRL.
297
298 -q Silence ssh-keygen.
299
300 -R hostname
301 Removes all keys belonging to hostname from a known_hosts file.
302 This option is useful to delete hashed hosts (see the -H option
303 above).
304
305 -r hostname
306 Print the SSHFP fingerprint resource record named hostname for
307 the specified public key file.
308
309 -S start
310 Specify start point (in hex) when generating candidate moduli for
311 DH-GEX.
312
313 -s ca_key
314 Certify (sign) a public key using the specified CA key. Please
315 see the CERTIFICATES section for details.
316
317 When generating a KRL, -s specifies a path to a CA public key
318 file used to revoke certificates directly by key ID or serial
319 number. See the KEY REVOCATION LISTS section for details.
320
321 -T output_file
322 Test DH group exchange candidate primes (generated using the -G
323 option) for safety.
324
325 -t dsa | ecdsa | ed25519 | rsa | rsa1
326 Specifies the type of key to create. The possible values are
327 “rsa1” for protocol version 1 and “dsa”, “ecdsa”, “ed25519”, or
328 “rsa” for protocol version 2.
329
330 -u Update a KRL. When specified with -k, keys listed via the com‐
331 mand line are added to the existing KRL rather than a new KRL
332 being created.
333
334 -V validity_interval
335 Specify a validity interval when signing a certificate. A valid‐
336 ity interval may consist of a single time, indicating that the
337 certificate is valid beginning now and expiring at that time, or
338 may consist of two times separated by a colon to indicate an
339 explicit time interval. The start time may be specified as a
340 date in YYYYMMDD format, a time in YYYYMMDDHHMMSS format or a
341 relative time (to the current time) consisting of a minus sign
342 followed by a relative time in the format described in the TIME
343 FORMATS section of sshd_config(5). The end time may be specified
344 as a YYYYMMDD date, a YYYYMMDDHHMMSS time or a relative time
345 starting with a plus character.
346
347 For example: “+52w1d” (valid from now to 52 weeks and one day
348 from now), “-4w:+4w” (valid from four weeks ago to four weeks
349 from now), “20100101123000:20110101123000” (valid from 12:30 PM,
350 January 1st, 2010 to 12:30 PM, January 1st, 2011), “-1d:20110101”
351 (valid from yesterday to midnight, January 1st, 2011).
352
353 -v Verbose mode. Causes ssh-keygen to print debugging messages
354 about its progress. This is helpful for debugging moduli genera‐
355 tion. Multiple -v options increase the verbosity. The maximum
356 is 3.
357
358 -W generator
359 Specify desired generator when testing candidate moduli for DH-
360 GEX.
361
362 -y This option will read a private OpenSSH format file and print an
363 OpenSSH public key to stdout.
364
365 -z serial_number
366 Specifies a serial number to be embedded in the certificate to
367 distinguish this certificate from others from the same CA. The
368 default serial number is zero.
369
370 When generating a KRL, the -z flag is used to specify a KRL ver‐
371 sion number.
372
374 ssh-keygen may be used to generate groups for the Diffie-Hellman Group
375 Exchange (DH-GEX) protocol. Generating these groups is a two-step
376 process: first, candidate primes are generated using a fast, but memory
377 intensive process. These candidate primes are then tested for suitabil‐
378 ity (a CPU-intensive process).
379
380 Generation of primes is performed using the -G option. The desired
381 length of the primes may be specified by the -b option. For example:
382
383 # ssh-keygen -G moduli-2048.candidates -b 2048
384
385 By default, the search for primes begins at a random point in the desired
386 length range. This may be overridden using the -S option, which speci‐
387 fies a different start point (in hex).
388
389 Once a set of candidates have been generated, they must be screened for
390 suitability. This may be performed using the -T option. In this mode
391 ssh-keygen will read candidates from standard input (or a file specified
392 using the -f option). For example:
393
394 # ssh-keygen -T moduli-2048 -f moduli-2048.candidates
395
396 By default, each candidate will be subjected to 100 primality tests.
397 This may be overridden using the -a option. The DH generator value will
398 be chosen automatically for the prime under consideration. If a specific
399 generator is desired, it may be requested using the -W option. Valid
400 generator values are 2, 3, and 5.
401
402 Screened DH groups may be installed in /etc/ssh/moduli. It is important
403 that this file contains moduli of a range of bit lengths and that both
404 ends of a connection share common moduli.
405
407 ssh-keygen supports signing of keys to produce certificates that may be
408 used for user or host authentication. Certificates consist of a public
409 key, some identity information, zero or more principal (user or host)
410 names and a set of options that are signed by a Certification Authority
411 (CA) key. Clients or servers may then trust only the CA key and verify
412 its signature on a certificate rather than trusting many user/host keys.
413 Note that OpenSSH certificates are a different, and much simpler, format
414 to the X.509 certificates used in ssl(8).
415
416 ssh-keygen supports two types of certificates: user and host. User cer‐
417 tificates authenticate users to servers, whereas host certificates
418 authenticate server hosts to users. To generate a user certificate:
419
420 $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
421
422 The resultant certificate will be placed in /path/to/user_key-cert.pub.
423 A host certificate requires the -h option:
424
425 $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
426
427 The host certificate will be output to /path/to/host_key-cert.pub.
428
429 It is possible to sign using a CA key stored in a PKCS#11 token by pro‐
430 viding the token library using -D and identifying the CA key by providing
431 its public half as an argument to -s:
432
433 $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
434
435 In all cases, key_id is a "key identifier" that is logged by the server
436 when the certificate is used for authentication.
437
438 Certificates may be limited to be valid for a set of principal
439 (user/host) names. By default, generated certificates are valid for all
440 users or hosts. To generate a certificate for a specified set of princi‐
441 pals:
442
443 $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
444 $ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub
445
446 Additional limitations on the validity and use of user certificates may
447 be specified through certificate options. A certificate option may dis‐
448 able features of the SSH session, may be valid only when presented from
449 particular source addresses or may force the use of a specific command.
450 For a list of valid certificate options, see the documentation for the -O
451 option above.
452
453 Finally, certificates may be defined with a validity lifetime. The -V
454 option allows specification of certificate start and end times. A cer‐
455 tificate that is presented at a time outside this range will not be con‐
456 sidered valid. By default, certificates are valid from UNIX Epoch to the
457 distant future.
458
459 For certificates to be used for user or host authentication, the CA pub‐
460 lic key must be trusted by sshd(8) or ssh(1). Please refer to those man‐
461 ual pages for details.
462
464 ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs).
465 These binary files specify keys or certificates to be revoked using a
466 compact format, taking as little as one bit per certificate if they are
467 being revoked by serial number.
468
469 KRLs may be generated using the -k flag. This option reads one or more
470 files from the command line and generates a new KRL. The files may
471 either contain a KRL specification (see below) or public keys, listed one
472 per line. Plain public keys are revoked by listing their hash or con‐
473 tents in the KRL and certificates revoked by serial number or key ID (if
474 the serial is zero or not available).
475
476 Revoking keys using a KRL specification offers explicit control over the
477 types of record used to revoke keys and may be used to directly revoke
478 certificates by serial number or key ID without having the complete orig‐
479 inal certificate on hand. A KRL specification consists of lines contain‐
480 ing one of the following directives followed by a colon and some direc‐
481 tive-specific information.
482
483 serial: serial_number[-serial_number]
484 Revokes a certificate with the specified serial number. Serial
485 numbers are 64-bit values, not including zero and may be
486 expressed in decimal, hex or octal. If two serial numbers are
487 specified separated by a hyphen, then the range of serial numbers
488 including and between each is revoked. The CA key must have been
489 specified on the ssh-keygen command line using the -s option.
490
491 id: key_id
492 Revokes a certificate with the specified key ID string. The CA
493 key must have been specified on the ssh-keygen command line using
494 the -s option.
495
496 key: public_key
497 Revokes the specified key. If a certificate is listed, then it
498 is revoked as a plain public key.
499
500 sha1: public_key
501 Revokes the specified key by its SHA1 hash.
502
503 KRLs may be updated using the -u flag in addition to -k. When this
504 option is specified, keys listed via the command line are merged into the
505 KRL, adding to those already there.
506
507 It is also possible, given a KRL, to test whether it revokes a particular
508 key (or keys). The -Q flag will query an existing KRL, testing each key
509 specified on the command line. If any key listed on the command line has
510 been revoked (or an error encountered) then ssh-keygen will exit with a
511 non-zero exit status. A zero exit status will only be returned if no key
512 was revoked.
513
515 ~/.ssh/identity
516 Contains the protocol version 1 RSA authentication identity of
517 the user. This file should not be readable by anyone but the
518 user. It is possible to specify a passphrase when generating the
519 key; that passphrase will be used to encrypt the private part of
520 this file using 3DES. This file is not automatically accessed by
521 ssh-keygen but it is offered as the default file for the private
522 key. ssh(1) will read this file when a login attempt is made.
523
524 ~/.ssh/identity.pub
525 Contains the protocol version 1 RSA public key for authentica‐
526 tion. The contents of this file should be added to
527 ~/.ssh/authorized_keys on all machines where the user wishes to
528 log in using RSA authentication. There is no need to keep the
529 contents of this file secret.
530
531 ~/.ssh/id_dsa
532 ~/.ssh/id_ecdsa
533 ~/.ssh/id_ed25519
534 ~/.ssh/id_rsa
535 Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA
536 authentication identity of the user. This file should not be
537 readable by anyone but the user. It is possible to specify a
538 passphrase when generating the key; that passphrase will be used
539 to encrypt the private part of this file using 128-bit AES. This
540 file is not automatically accessed by ssh-keygen but it is
541 offered as the default file for the private key. ssh(1) will
542 read this file when a login attempt is made.
543
544 ~/.ssh/id_dsa.pub
545 ~/.ssh/id_ecdsa.pub
546 ~/.ssh/id_ed25519.pub
547 ~/.ssh/id_rsa.pub
548 Contains the protocol version 2 DSA, ECDSA, Ed25519 or RSA public
549 key for authentication. The contents of this file should be
550 added to ~/.ssh/authorized_keys on all machines where the user
551 wishes to log in using public key authentication. There is no
552 need to keep the contents of this file secret.
553
554 /etc/ssh/moduli
555 Contains Diffie-Hellman groups used for DH-GEX. The file format
556 is described in moduli(5).
557
559 SSH_USE_STRONG_RNG
560 The reseeding of the OpenSSL random generator is usually done
561 from /dev/urandom. If the SSH_USE_STRONG_RNG environment vari‐
562 able is set to value other than 0 the OpenSSL random generator is
563 reseeded from /dev/random. The number of bytes read is defined
564 by the SSH_USE_STRONG_RNG value. Minimum is 14 bytes. This set‐
565 ting is not recommended on the computers without the hardware
566 random generator because insufficient entropy causes the connec‐
567 tion to be blocked until enough entropy is available.
568
570 ssh(1), ssh-add(1), ssh-agent(1), moduli(5), sshd(8)
571
572 The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
573
575 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
576 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
577 de Raadt and Dug Song removed many bugs, re-added newer features and cre‐
578 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
579 versions 1.5 and 2.0.
580
581BSD June 21, 2019 BSD