1SSH-KEYGEN(1) BSD General Commands Manual SSH-KEYGEN(1)
2
4 ssh-keygen — OpenSSH authentication key utility
5
7 ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile]
8 [-m format] [-N new_passphrase] [-O option]
9 [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]
10 [-w provider] [-Z cipher]
11 ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase]
12 [-P old_passphrase] [-Z cipher]
13 ssh-keygen -i [-f input_keyfile] [-m key_format]
14 ssh-keygen -e [-f input_keyfile] [-m key_format]
15 ssh-keygen -y [-f input_keyfile]
16 ssh-keygen -c [-a rounds] [-C comment] [-f keyfile] [-P passphrase]
17 ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
18 ssh-keygen -B [-f input_keyfile]
19 ssh-keygen -D pkcs11
20 ssh-keygen -F hostname [-lv] [-f known_hosts_file]
21 ssh-keygen -H [-f known_hosts_file]
22 ssh-keygen -K [-a rounds] [-w provider]
23 ssh-keygen -R hostname [-f known_hosts_file]
24 ssh-keygen -r hostname [-g] [-f input_keyfile]
25 ssh-keygen -M generate [-O option] output_file
26 ssh-keygen -M screen [-f input_file] [-O option] output_file
27 ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
28 [-n principals] [-O option] [-V validity_interval]
29 [-z serial_number] file ...
30 ssh-keygen -L [-f input_keyfile]
31 ssh-keygen -A [-a rounds] [-f prefix_path]
32 ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
33 file ...
34 ssh-keygen -Q [-l] -f krl_file file ...
35 ssh-keygen -Y find-principals [-O option] -s signature_file -f
36 allowed_signers_file
37 ssh-keygen -Y match-principals -I signer_identity -f allowed_signers_file
38 ssh-keygen -Y check-novalidate [-O option] -n namespace -s signature_file
39 ssh-keygen -Y sign [-O option] -f key_file -n namespace file ...
40 ssh-keygen -Y verify [-O option] -f allowed_signers_file -I
41 signer_identity -n namespace -s signature_file
42 [-r revocation_file]
43
45 ssh-keygen generates, manages and converts authentication keys for
46 ssh(1). ssh-keygen can create keys for use by SSH protocol version 2.
47
48 The type of key to be generated is specified with the -t option. If in‐
49 voked without any arguments, ssh-keygen will generate an RSA key.
50
51 ssh-keygen is also used to generate groups for use in Diffie-Hellman
52 group exchange (DH-GEX). See the MODULI GENERATION section for details.
53
54 Finally, ssh-keygen can be used to generate and update Key Revocation
55 Lists, and to test whether given keys have been revoked by one. See the
56 KEY REVOCATION LISTS section for details.
57
58 Normally each user wishing to use SSH with public key authentication runs
59 this once to create the authentication key in ~/.ssh/id_dsa,
60 ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519,
61 ~/.ssh/id_ed25519_sk or ~/.ssh/id_rsa. Additionally, the system adminis‐
62 trator may use this to generate host keys, as seen in /etc/rc.
63
64 Normally this program generates the key and asks for a file in which to
65 store the private key. The public key is stored in a file with the same
66 name but “.pub” appended. The program also asks for a passphrase. The
67 passphrase may be empty to indicate no passphrase (host keys must have an
68 empty passphrase), or it may be a string of arbitrary length. A
69 passphrase is similar to a password, except it can be a phrase with a se‐
70 ries of words, punctuation, numbers, whitespace, or any string of charac‐
71 ters you want. Good passphrases are 10-30 characters long, are not sim‐
72 ple sentences or otherwise easily guessable (English prose has only 1-2
73 bits of entropy per character, and provides very bad passphrases), and
74 contain a mix of upper and lowercase letters, numbers, and non-alphanu‐
75 meric characters. The passphrase can be changed later by using the -p
76 option.
77
78 There is no way to recover a lost passphrase. If the passphrase is lost
79 or forgotten, a new key must be generated and the corresponding public
80 key copied to other machines.
81
82 ssh-keygen will by default write keys in an OpenSSH-specific format.
83 This format is preferred as it offers better protection for keys at rest
84 as well as allowing storage of key comments within the private key file
85 itself. The key comment may be useful to help identify the key. The
86 comment is initialized to “user@host” when the key is created, but can be
87 changed using the -c option.
88
89 It is still possible for ssh-keygen to write the previously-used PEM for‐
90 mat private keys using the -m flag. This may be used when generating new
91 keys, and existing new-format keys may be converted using this option in
92 conjunction with the -p (change passphrase) flag.
93
94 After a key is generated, ssh-keygen will ask where the keys should be
95 placed to be activated.
96
97 The options are as follows:
98
99 -A For each of the key types (rsa, dsa, ecdsa and ed25519) for which
100 host keys do not exist, generate the host keys with the default
101 key file path, an empty passphrase, default bits for the key
102 type, and default comment. If -f has also been specified, its
103 argument is used as a prefix to the default path for the result‐
104 ing host key files. This is used by /etc/rc to generate new host
105 keys.
106
107 -a rounds
108 When saving a private key, this option specifies the number of
109 KDF (key derivation function, currently bcrypt_pbkdf(3)) rounds
110 used. Higher numbers result in slower passphrase verification
111 and increased resistance to brute-force password cracking (should
112 the keys be stolen). The default is 16 rounds.
113
114 -B Show the bubblebabble digest of specified private or public key
115 file.
116
117 -b bits
118 Specifies the number of bits in the key to create. For RSA keys,
119 the minimum size is 1024 bits and the default is 3072 bits. Gen‐
120 erally, 3072 bits is considered sufficient. DSA keys must be ex‐
121 actly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the
122 -b flag determines the key length by selecting from one of three
123 elliptic curve sizes: 256, 384 or 521 bits. Attempting to use
124 bit lengths other than these three values for ECDSA keys will
125 fail. ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length
126 and the -b flag will be ignored.
127
128 -C comment
129 Provides a new comment.
130
131 -c Requests changing the comment in the private and public key
132 files. The program will prompt for the file containing the pri‐
133 vate keys, for the passphrase if the key has one, and for the new
134 comment.
135
136 -D pkcs11
137 Download the public keys provided by the PKCS#11 shared library
138 pkcs11. When used in combination with -s, this option indicates
139 that a CA key resides in a PKCS#11 token (see the CERTIFICATES
140 section for details).
141
142 -E fingerprint_hash
143 Specifies the hash algorithm used when displaying key finger‐
144 prints. Valid options are: “md5” and “sha256”. The default is
145 “sha256”.
146
147 -e This option will read a private or public OpenSSH key file and
148 print to stdout a public key in one of the formats specified by
149 the -m option. The default export format is “RFC4716”. This op‐
150 tion allows exporting OpenSSH keys for use by other programs, in‐
151 cluding several commercial SSH implementations.
152
153 -F hostname | [hostname]:port
154 Search for the specified hostname (with optional port number) in
155 a known_hosts file, listing any occurrences found. This option
156 is useful to find hashed host names or addresses and may also be
157 used in conjunction with the -H option to print found keys in a
158 hashed format.
159
160 -f filename
161 Specifies the filename of the key file.
162
163 -g Use generic DNS format when printing fingerprint resource records
164 using the -r command.
165
166 -H Hash a known_hosts file. This replaces all hostnames and ad‐
167 dresses with hashed representations within the specified file;
168 the original content is moved to a file with a .old suffix.
169 These hashes may be used normally by ssh and sshd, but they do
170 not reveal identifying information should the file's contents be
171 disclosed. This option will not modify existing hashed hostnames
172 and is therefore safe to use on files that mix hashed and non-
173 hashed names.
174
175 -h When signing a key, create a host certificate instead of a user
176 certificate. See the CERTIFICATES section for details.
177
178 -I certificate_identity
179 Specify the key identity when signing a public key. See the
180 CERTIFICATES section for details.
181
182 -i This option will read an unencrypted private (or public) key file
183 in the format specified by the -m option and print an OpenSSH
184 compatible private (or public) key to stdout. This option allows
185 importing keys from other software, including several commercial
186 SSH implementations. The default import format is “RFC4716”.
187
188 -K Download resident keys from a FIDO authenticator. Public and
189 private key files will be written to the current directory for
190 each downloaded key. If multiple FIDO authenticators are at‐
191 tached, keys will be downloaded from the first touched authenti‐
192 cator.
193
194 -k Generate a KRL file. In this mode, ssh-keygen will generate a
195 KRL file at the location specified via the -f flag that revokes
196 every key or certificate presented on the command line.
197 Keys/certificates to be revoked may be specified by public key
198 file or using the format described in the KEY REVOCATION LISTS
199 section.
200
201 -L Prints the contents of one or more certificates.
202
203 -l Show fingerprint of specified public key file. For RSA and DSA
204 keys ssh-keygen tries to find the matching public key file and
205 prints its fingerprint. If combined with -v, a visual ASCII art
206 representation of the key is supplied with the fingerprint.
207
208 -M generate
209 Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parame‐
210 ters for eventual use by the ‘diffie-hellman-group-exchange-*’
211 key exchange methods. The numbers generated by this operation
212 must be further screened before use. See the MODULI GENERATION
213 section for more information.
214
215 -M screen
216 Screen candidate parameters for Diffie-Hellman Group Exchange.
217 This will accept a list of candidate numbers and test that they
218 are safe (Sophie Germain) primes with acceptable group genera‐
219 tors. The results of this operation may be added to the
220 /etc/ssh/moduli file. See the MODULI GENERATION section for more
221 information.
222
223 -m key_format
224 Specify a key format for key generation, the -i (import), -e (ex‐
225 port) conversion options, and the -p change passphrase operation.
226 The latter may be used to convert between OpenSSH private key and
227 PEM private key formats. The supported key formats are:
228 “RFC4716” (RFC 4716/SSH2 public or private key), “PKCS8” (PKCS8
229 public or private key) or “PEM” (PEM public key). By default
230 OpenSSH will write newly-generated private keys in its own for‐
231 mat, but when converting public keys for export the default for‐
232 mat is “RFC4716”. Setting a format of “PEM” when generating or
233 updating a supported private key type will cause the key to be
234 stored in the legacy PEM private key format.
235
236 -N new_passphrase
237 Provides the new passphrase.
238
239 -n principals
240 Specify one or more principals (user or host names) to be in‐
241 cluded in a certificate when signing a key. Multiple principals
242 may be specified, separated by commas. See the CERTIFICATES sec‐
243 tion for details.
244
245 -O option
246 Specify a key/value option. These are specific to the operation
247 that ssh-keygen has been requested to perform.
248
249 When signing certificates, one of the options listed in the
250 CERTIFICATES section may be specified here.
251
252 When performing moduli generation or screening, one of the op‐
253 tions listed in the MODULI GENERATION section may be specified.
254
255 When generating a key that will be hosted on a FIDO authentica‐
256 tor, this flag may be used to specify key-specific options.
257 Those supported at present are:
258
259 application
260 Override the default FIDO application/origin string of
261 “ssh:”. This may be useful when generating host or do‐
262 main-specific resident keys. The specified application
263 string must begin with “ssh:”.
264
265 challenge=path
266 Specifies a path to a challenge string that will be
267 passed to the FIDO token during key generation. The
268 challenge string may be used as part of an out-of-band
269 protocol for key enrollment (a random challenge is used
270 by default).
271
272 device Explicitly specify a fido(4) device to use, rather than
273 letting the token middleware select one.
274
275 no-touch-required
276 Indicate that the generated private key should not re‐
277 quire touch events (user presence) when making signa‐
278 tures. Note that sshd(8) will refuse such signatures by
279 default, unless overridden via an authorized_keys option.
280
281 resident
282 Indicate that the key should be stored on the FIDO au‐
283 thenticator itself. Resident keys may be supported on
284 FIDO2 tokens and typically require that a PIN be set on
285 the token prior to generation. Resident keys may be
286 loaded off the token using ssh-add(1).
287
288 user A username to be associated with a resident key, overrid‐
289 ing the empty default username. Specifying a username
290 may be useful when generating multiple resident keys for
291 the same application name.
292
293 verify-required
294 Indicate that this private key should require user veri‐
295 fication for each signature. Not all FIDO tokens support
296 this option. Currently PIN authentication is the only
297 supported verification method, but other methods may be
298 supported in the future.
299
300 write-attestation=path
301 May be used at key generation time to record the attesta‐
302 tion data returned from FIDO tokens during key genera‐
303 tion. This information is potentially sensitive. By de‐
304 fault, this information is discarded.
305
306 When performing signature-related options using the -Y flag, the
307 following options are accepted:
308
309 hashalg=algorithm
310 Selects the hash algorithm to use for hashing the message
311 to be signed. Valid algorithms are “sha256” and
312 “sha512.” The default is “sha512.”
313
314 print-pubkey
315 Print the full public key to standard output after signa‐
316 ture verification.
317
318 verify-time=timestamp
319 Specifies a time to use when validating signatures in‐
320 stead of the current time. The time may be specified as
321 a date in YYYYMMDD format or a time in YYYYMMDDHHMM[SS]
322 format.
323
324 The -O option may be specified multiple times.
325
326 -P passphrase
327 Provides the (old) passphrase.
328
329 -p Requests changing the passphrase of a private key file instead of
330 creating a new private key. The program will prompt for the file
331 containing the private key, for the old passphrase, and twice for
332 the new passphrase.
333
334 -Q Test whether keys have been revoked in a KRL. If the -l option
335 is also specified then the contents of the KRL will be printed.
336
337 -q Silence ssh-keygen.
338
339 -R hostname | [hostname]:port
340 Removes all keys belonging to the specified hostname (with op‐
341 tional port number) from a known_hosts file. This option is use‐
342 ful to delete hashed hosts (see the -H option above).
343
344 -r hostname
345 Print the SSHFP fingerprint resource record named hostname for
346 the specified public key file.
347
348 -s ca_key
349 Certify (sign) a public key using the specified CA key. See the
350 CERTIFICATES section for details.
351
352 When generating a KRL, -s specifies a path to a CA public key
353 file used to revoke certificates directly by key ID or serial
354 number. See the KEY REVOCATION LISTS section for details.
355
356 -t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
357 Specifies the type of key to create. The possible values are
358 “dsa”, “ecdsa”, “ecdsa-sk”, “ed25519”, “ed25519-sk”, or “rsa”.
359
360 This flag may also be used to specify the desired signature type
361 when signing certificates using an RSA CA key. The available RSA
362 signature variants are “ssh-rsa” (SHA1 signatures, not recom‐
363 mended), “rsa-sha2-256”, and “rsa-sha2-512” (the default).
364
365 -U When used in combination with -s, this option indicates that a CA
366 key resides in a ssh-agent(1). See the CERTIFICATES section for
367 more information.
368
369 -u Update a KRL. When specified with -k, keys listed via the com‐
370 mand line are added to the existing KRL rather than a new KRL be‐
371 ing created.
372
373 -V validity_interval
374 Specify a validity interval when signing a certificate. A valid‐
375 ity interval may consist of a single time, indicating that the
376 certificate is valid beginning now and expiring at that time, or
377 may consist of two times separated by a colon to indicate an ex‐
378 plicit time interval.
379
380 The start time may be specified as the string “always” to indi‐
381 cate the certificate has no specified start time, a date in
382 YYYYMMDD format, a time in YYYYMMDDHHMM[SS] format, a relative
383 time (to the current time) consisting of a minus sign followed by
384 an interval in the format described in the TIME FORMATS section
385 of sshd_config(5).
386
387 The end time may be specified as a YYYYMMDD date, a YYYYMMD‐
388 DHHMM[SS] time, a relative time starting with a plus character or
389 the string “forever” to indicate that the certificate has no ex‐
390 piry date.
391
392 For example: “+52w1d” (valid from now to 52 weeks and one day
393 from now), “-4w:+4w” (valid from four weeks ago to four weeks
394 from now), “20100101123000:20110101123000” (valid from 12:30 PM,
395 January 1st, 2010 to 12:30 PM, January 1st, 2011), “-1d:20110101”
396 (valid from yesterday to midnight, January 1st, 2011),
397 “-1m:forever” (valid from one minute ago and never expiring).
398
399 -v Verbose mode. Causes ssh-keygen to print debugging messages
400 about its progress. This is helpful for debugging moduli genera‐
401 tion. Multiple -v options increase the verbosity. The maximum
402 is 3.
403
404 -w provider
405 Specifies a path to a library that will be used when creating
406 FIDO authenticator-hosted keys, overriding the default of using
407 the internal USB HID support.
408
409 -Y find-principals
410 Find the principal(s) associated with the public key of a signa‐
411 ture, provided using the -s flag in an authorized signers file
412 provided using the -f flag. The format of the allowed signers
413 file is documented in the ALLOWED SIGNERS section below. If one
414 or more matching principals are found, they are returned on stan‐
415 dard output.
416
417 -Y match-principals
418 Find principal matching the principal name provided using the -I
419 flag in the authorized signers file specified using the -f flag.
420 If one or more matching principals are found, they are returned
421 on standard output.
422
423 -Y check-novalidate
424 Checks that a signature generated using ssh-keygen -Y sign has a
425 valid structure. This does not validate if a signature comes
426 from an authorized signer. When testing a signature, ssh-keygen
427 accepts a message on standard input and a signature namespace us‐
428 ing -n. A file containing the corresponding signature must also
429 be supplied using the -s flag. Successful testing of the signa‐
430 ture is signalled by ssh-keygen returning a zero exit status.
431
432 -Y sign
433 Cryptographically sign a file or some data using a SSH key. When
434 signing, ssh-keygen accepts zero or more files to sign on the
435 command-line - if no files are specified then ssh-keygen will
436 sign data presented on standard input. Signatures are written to
437 the path of the input file with “.sig” appended, or to standard
438 output if the message to be signed was read from standard input.
439
440 The key used for signing is specified using the -f option and may
441 refer to either a private key, or a public key with the private
442 half available via ssh-agent(1). An additional signature name‐
443 space, used to prevent signature confusion across different do‐
444 mains of use (e.g. file signing vs email signing) must be pro‐
445 vided via the -n flag. Namespaces are arbitrary strings, and may
446 include: “file” for file signing, “email” for email signing. For
447 custom uses, it is recommended to use names following a NAME‐
448 SPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces.
449
450 -Y verify
451 Request to verify a signature generated using ssh-keygen -Y sign
452 as described above. When verifying a signature, ssh-keygen ac‐
453 cepts a message on standard input and a signature namespace using
454 -n. A file containing the corresponding signature must also be
455 supplied using the -s flag, along with the identity of the signer
456 using -I and a list of allowed signers via the -f flag. The for‐
457 mat of the allowed signers file is documented in the ALLOWED
458 SIGNERS section below. A file containing revoked keys can be
459 passed using the -r flag. The revocation file may be a KRL or a
460 one-per-line list of public keys. Successful verification by an
461 authorized signer is signalled by ssh-keygen returning a zero
462 exit status.
463
464 -y This option will read a private OpenSSH format file and print an
465 OpenSSH public key to stdout.
466
467 -Z cipher
468 Specifies the cipher to use for encryption when writing an
469 OpenSSH-format private key file. The list of available ciphers
470 may be obtained using "ssh -Q cipher". The default is
471 “aes256-ctr”.
472
473 -z serial_number
474 Specifies a serial number to be embedded in the certificate to
475 distinguish this certificate from others from the same CA. If
476 the serial_number is prefixed with a ‘+’ character, then the se‐
477 rial number will be incremented for each certificate signed on a
478 single command-line. The default serial number is zero.
479
480 When generating a KRL, the -z flag is used to specify a KRL ver‐
481 sion number.
482
484 ssh-keygen may be used to generate groups for the Diffie-Hellman Group
485 Exchange (DH-GEX) protocol. Generating these groups is a two-step
486 process: first, candidate primes are generated using a fast, but memory
487 intensive process. These candidate primes are then tested for suitabil‐
488 ity (a CPU-intensive process).
489
490 Generation of primes is performed using the -M generate option. The de‐
491 sired length of the primes may be specified by the -O bits option. For
492 example:
493
494 # ssh-keygen -M generate -O bits=2048 moduli-2048.candidates
495
496 By default, the search for primes begins at a random point in the desired
497 length range. This may be overridden using the -O start option, which
498 specifies a different start point (in hex).
499
500 Once a set of candidates have been generated, they must be screened for
501 suitability. This may be performed using the -M screen option. In this
502 mode ssh-keygen will read candidates from standard input (or a file spec‐
503 ified using the -f option). For example:
504
505 # ssh-keygen -M screen -f moduli-2048.candidates moduli-2048
506
507 By default, each candidate will be subjected to 100 primality tests.
508 This may be overridden using the -O prime-tests option. The DH generator
509 value will be chosen automatically for the prime under consideration. If
510 a specific generator is desired, it may be requested using the -O
511 generator option. Valid generator values are 2, 3, and 5.
512
513 Screened DH groups may be installed in /etc/ssh/moduli. It is important
514 that this file contains moduli of a range of bit lengths.
515
516 A number of options are available for moduli generation and screening via
517 the -O flag:
518
519 lines=number
520 Exit after screening the specified number of lines while perform‐
521 ing DH candidate screening.
522
523 start-line=line-number
524 Start screening at the specified line number while performing DH
525 candidate screening.
526
527 checkpoint=filename
528 Write the last line processed to the specified file while per‐
529 forming DH candidate screening. This will be used to skip lines
530 in the input file that have already been processed if the job is
531 restarted.
532
533 memory=mbytes
534 Specify the amount of memory to use (in megabytes) when generat‐
535 ing candidate moduli for DH-GEX.
536
537 start=hex-value
538 Specify start point (in hex) when generating candidate moduli for
539 DH-GEX.
540
541 generator=value
542 Specify desired generator (in decimal) when testing candidate
543 moduli for DH-GEX.
544
546 ssh-keygen supports signing of keys to produce certificates that may be
547 used for user or host authentication. Certificates consist of a public
548 key, some identity information, zero or more principal (user or host)
549 names and a set of options that are signed by a Certification Authority
550 (CA) key. Clients or servers may then trust only the CA key and verify
551 its signature on a certificate rather than trusting many user/host keys.
552 Note that OpenSSH certificates are a different, and much simpler, format
553 to the X.509 certificates used in ssl(8).
554
555 ssh-keygen supports two types of certificates: user and host. User cer‐
556 tificates authenticate users to servers, whereas host certificates au‐
557 thenticate server hosts to users. To generate a user certificate:
558
559 $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
560
561 The resultant certificate will be placed in /path/to/user_key-cert.pub.
562 A host certificate requires the -h option:
563
564 $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
565
566 The host certificate will be output to /path/to/host_key-cert.pub.
567
568 It is possible to sign using a CA key stored in a PKCS#11 token by pro‐
569 viding the token library using -D and identifying the CA key by providing
570 its public half as an argument to -s:
571
572 $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
573
574 Similarly, it is possible for the CA key to be hosted in a ssh-agent(1).
575 This is indicated by the -U flag and, again, the CA key must be identi‐
576 fied by its public half.
577
578 $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub
579
580 In all cases, key_id is a "key identifier" that is logged by the server
581 when the certificate is used for authentication.
582
583 Certificates may be limited to be valid for a set of principal
584 (user/host) names. By default, generated certificates are valid for all
585 users or hosts. To generate a certificate for a specified set of princi‐
586 pals:
587
588 $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
589 $ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub
590
591 Additional limitations on the validity and use of user certificates may
592 be specified through certificate options. A certificate option may dis‐
593 able features of the SSH session, may be valid only when presented from
594 particular source addresses or may force the use of a specific command.
595
596 The options that are valid for user certificates are:
597
598 clear Clear all enabled permissions. This is useful for clearing the
599 default set of permissions so permissions may be added individu‐
600 ally.
601
602 critical:name[=contents]
603 extension:name[=contents]
604 Includes an arbitrary certificate critical option or extension.
605 The specified name should include a domain suffix, e.g.
606 “name@example.com”. If contents is specified then it is included
607 as the contents of the extension/option encoded as a string, oth‐
608 erwise the extension/option is created with no contents (usually
609 indicating a flag). Extensions may be ignored by a client or
610 server that does not recognise them, whereas unknown critical op‐
611 tions will cause the certificate to be refused.
612
613 force-command=command
614 Forces the execution of command instead of any shell or command
615 specified by the user when the certificate is used for authenti‐
616 cation.
617
618 no-agent-forwarding
619 Disable ssh-agent(1) forwarding (permitted by default).
620
621 no-port-forwarding
622 Disable port forwarding (permitted by default).
623
624 no-pty Disable PTY allocation (permitted by default).
625
626 no-user-rc
627 Disable execution of ~/.ssh/rc by sshd(8) (permitted by default).
628
629 no-x11-forwarding
630 Disable X11 forwarding (permitted by default).
631
632 permit-agent-forwarding
633 Allows ssh-agent(1) forwarding.
634
635 permit-port-forwarding
636 Allows port forwarding.
637
638 permit-pty
639 Allows PTY allocation.
640
641 permit-user-rc
642 Allows execution of ~/.ssh/rc by sshd(8).
643
644 permit-X11-forwarding
645 Allows X11 forwarding.
646
647 no-touch-required
648 Do not require signatures made using this key include demonstra‐
649 tion of user presence (e.g. by having the user touch the authen‐
650 ticator). This option only makes sense for the FIDO authentica‐
651 tor algorithms ecdsa-sk and ed25519-sk.
652
653 source-address=address_list
654 Restrict the source addresses from which the certificate is con‐
655 sidered valid. The address_list is a comma-separated list of one
656 or more address/netmask pairs in CIDR format.
657
658 verify-required
659 Require signatures made using this key indicate that the user was
660 first verified. This option only makes sense for the FIDO au‐
661 thenticator algorithms ecdsa-sk and ed25519-sk. Currently PIN
662 authentication is the only supported verification method, but
663 other methods may be supported in the future.
664
665 At present, no standard options are valid for host keys.
666
667 Finally, certificates may be defined with a validity lifetime. The -V
668 option allows specification of certificate start and end times. A cer‐
669 tificate that is presented at a time outside this range will not be con‐
670 sidered valid. By default, certificates are valid from the UNIX Epoch to
671 the distant future.
672
673 For certificates to be used for user or host authentication, the CA pub‐
674 lic key must be trusted by sshd(8) or ssh(1). Refer to those manual
675 pages for details.
676
678 ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs).
679 These binary files specify keys or certificates to be revoked using a
680 compact format, taking as little as one bit per certificate if they are
681 being revoked by serial number.
682
683 KRLs may be generated using the -k flag. This option reads one or more
684 files from the command line and generates a new KRL. The files may ei‐
685 ther contain a KRL specification (see below) or public keys, listed one
686 per line. Plain public keys are revoked by listing their hash or con‐
687 tents in the KRL and certificates revoked by serial number or key ID (if
688 the serial is zero or not available).
689
690 Revoking keys using a KRL specification offers explicit control over the
691 types of record used to revoke keys and may be used to directly revoke
692 certificates by serial number or key ID without having the complete orig‐
693 inal certificate on hand. A KRL specification consists of lines contain‐
694 ing one of the following directives followed by a colon and some direc‐
695 tive-specific information.
696
697 serial: serial_number[-serial_number]
698 Revokes a certificate with the specified serial number. Serial
699 numbers are 64-bit values, not including zero and may be ex‐
700 pressed in decimal, hex or octal. If two serial numbers are
701 specified separated by a hyphen, then the range of serial numbers
702 including and between each is revoked. The CA key must have been
703 specified on the ssh-keygen command line using the -s option.
704
705 id: key_id
706 Revokes a certificate with the specified key ID string. The CA
707 key must have been specified on the ssh-keygen command line using
708 the -s option.
709
710 key: public_key
711 Revokes the specified key. If a certificate is listed, then it
712 is revoked as a plain public key.
713
714 sha1: public_key
715 Revokes the specified key by including its SHA1 hash in the KRL.
716
717 sha256: public_key
718 Revokes the specified key by including its SHA256 hash in the
719 KRL. KRLs that revoke keys by SHA256 hash are not supported by
720 OpenSSH versions prior to 7.9.
721
722 hash: fingerprint
723 Revokes a key using a fingerprint hash, as obtained from a
724 sshd(8) authentication log message or the ssh-keygen -l flag.
725 Only SHA256 fingerprints are supported here and resultant KRLs
726 are not supported by OpenSSH versions prior to 7.9.
727
728 KRLs may be updated using the -u flag in addition to -k. When this op‐
729 tion is specified, keys listed via the command line are merged into the
730 KRL, adding to those already there.
731
732 It is also possible, given a KRL, to test whether it revokes a particular
733 key (or keys). The -Q flag will query an existing KRL, testing each key
734 specified on the command line. If any key listed on the command line has
735 been revoked (or an error encountered) then ssh-keygen will exit with a
736 non-zero exit status. A zero exit status will only be returned if no key
737 was revoked.
738
740 When verifying signatures, ssh-keygen uses a simple list of identities
741 and keys to determine whether a signature comes from an authorized
742 source. This "allowed signers" file uses a format patterned after the
743 AUTHORIZED_KEYS FILE FORMAT described in sshd(8). Each line of the file
744 contains the following space-separated fields: principals, options, key‐
745 type, base64-encoded key. Empty lines and lines starting with a ‘#’ are
746 ignored as comments.
747
748 The principals field is a pattern-list (see PATTERNS in ssh_config(5))
749 consisting of one or more comma-separated USER@DOMAIN identity patterns
750 that are accepted for signing. When verifying, the identity presented
751 via the -I option must match a principals pattern in order for the corre‐
752 sponding key to be considered acceptable for verification.
753
754 The options (if present) consist of comma-separated option specifica‐
755 tions. No spaces are permitted, except within double quotes. The fol‐
756 lowing option specifications are supported (note that option keywords are
757 case-insensitive):
758
759 cert-authority
760 Indicates that this key is accepted as a certificate authority
761 (CA) and that certificates signed by this CA may be accepted for
762 verification.
763
764 namespaces=namespace-list
765 Specifies a pattern-list of namespaces that are accepted for this
766 key. If this option is present, the signature namespace embedded
767 in the signature object and presented on the verification com‐
768 mand-line must match the specified list before the key will be
769 considered acceptable.
770
771 valid-after=timestamp
772 Indicates that the key is valid for use at or after the specified
773 timestamp, which may be a date in YYYYMMDD format or a time in
774 YYYYMMDDHHMM[SS] format.
775
776 valid-before=timestamp
777 Indicates that the key is valid for use at or before the speci‐
778 fied timestamp.
779
780 When verifying signatures made by certificates, the expected principal
781 name must match both the principals pattern in the allowed signers file
782 and the principals embedded in the certificate itself.
783
784 An example allowed signers file:
785
786 # Comments allowed at start of line
787 user1@example.com,user2@example.com ssh-rsa AAAAX1...
788 # A certificate authority, trusted for all principals in a domain.
789 *@example.com cert-authority ssh-ed25519 AAAB4...
790 # A key that is accepted only for file signing.
791 user2@example.com namespaces="file" ssh-ed25519 AAA41...
792
794 SSH_SK_PROVIDER
795 Specifies a path to a library that will be used when loading any
796 FIDO authenticator-hosted keys, overriding the default of using
797 the built-in USB HID support.
798
800 ~/.ssh/id_dsa
801 ~/.ssh/id_ecdsa
802 ~/.ssh/id_ecdsa_sk
803 ~/.ssh/id_ed25519
804 ~/.ssh/id_ed25519_sk
805 ~/.ssh/id_rsa
806 Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, au‐
807 thenticator-hosted Ed25519 or RSA authentication identity of the
808 user. This file should not be readable by anyone but the user.
809 It is possible to specify a passphrase when generating the key;
810 that passphrase will be used to encrypt the private part of this
811 file using 128-bit AES. This file is not automatically accessed
812 by ssh-keygen but it is offered as the default file for the pri‐
813 vate key. ssh(1) will read this file when a login attempt is
814 made.
815
816 ~/.ssh/id_dsa.pub
817 ~/.ssh/id_ecdsa.pub
818 ~/.ssh/id_ecdsa_sk.pub
819 ~/.ssh/id_ed25519.pub
820 ~/.ssh/id_ed25519_sk.pub
821 ~/.ssh/id_rsa.pub
822 Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, au‐
823 thenticator-hosted Ed25519 or RSA public key for authentication.
824 The contents of this file should be added to
825 ~/.ssh/authorized_keys on all machines where the user wishes to
826 log in using public key authentication. There is no need to keep
827 the contents of this file secret.
828
829 /etc/ssh/moduli
830 Contains Diffie-Hellman groups used for DH-GEX. The file format
831 is described in moduli(5).
832
834 ssh(1), ssh-add(1), ssh-agent(1), moduli(5), sshd(8)
835
836 The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
837
839 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
840 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
841 de Raadt and Dug Song removed many bugs, re-added newer features and cre‐
842 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
843 versions 1.5 and 2.0.
844
845BSD February 6, 2022 BSD