1SSH-KEYGEN(1) BSD General Commands Manual SSH-KEYGEN(1)
2
4 ssh-keygen — OpenSSH authentication key utility
5
7 ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile]
8 [-m format] [-N new_passphrase] [-O option]
9 [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]
10 [-w provider] [-Z cipher]
11 ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase]
12 [-P old_passphrase] [-Z cipher]
13 ssh-keygen -i [-f input_keyfile] [-m key_format]
14 ssh-keygen -e [-f input_keyfile] [-m key_format]
15 ssh-keygen -y [-f input_keyfile]
16 ssh-keygen -c [-a rounds] [-C comment] [-f keyfile] [-P passphrase]
17 ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
18 ssh-keygen -B [-f input_keyfile]
19 ssh-keygen -D pkcs11
20 ssh-keygen -F hostname [-lv] [-f known_hosts_file]
21 ssh-keygen -H [-f known_hosts_file]
22 ssh-keygen -K [-a rounds] [-w provider]
23 ssh-keygen -R hostname [-f known_hosts_file]
24 ssh-keygen -r hostname [-g] [-f input_keyfile]
25 ssh-keygen -M generate [-O option] output_file
26 ssh-keygen -M screen [-f input_file] [-O option] output_file
27 ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
28 [-n principals] [-O option] [-V validity_interval]
29 [-z serial_number] file ...
30 ssh-keygen -L [-f input_keyfile]
31 ssh-keygen -A [-a rounds] [-f prefix_path]
32 ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
33 file ...
34 ssh-keygen -Q [-l] -f krl_file file ...
35 ssh-keygen -Y find-principals [-O option] -s signature_file -f
36 allowed_signers_file
37 ssh-keygen -Y match-principals -I signer_identity -f allowed_signers_file
38 ssh-keygen -Y check-novalidate [-O option] -n namespace -s signature_file
39 ssh-keygen -Y sign [-O option] -f key_file -n namespace file ...
40 ssh-keygen -Y verify [-O option] -f allowed_signers_file -I
41 signer_identity -n namespace -s signature_file
42 [-r revocation_file]
43
45 ssh-keygen generates, manages and converts authentication keys for
46 ssh(1). ssh-keygen can create keys for use by SSH protocol version 2.
47
48 The type of key to be generated is specified with the -t option. If in‐
49 voked without any arguments, ssh-keygen will generate an RSA key.
50
51 ssh-keygen is also used to generate groups for use in Diffie-Hellman
52 group exchange (DH-GEX). See the MODULI GENERATION section for details.
53
54 Finally, ssh-keygen can be used to generate and update Key Revocation
55 Lists, and to test whether given keys have been revoked by one. See the
56 KEY REVOCATION LISTS section for details.
57
58 Normally each user wishing to use SSH with public key authentication runs
59 this once to create the authentication key in ~/.ssh/id_dsa,
60 ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519,
61 ~/.ssh/id_ed25519_sk or ~/.ssh/id_rsa. Additionally, the system adminis‐
62 trator may use this to generate host keys, as seen in /etc/rc.
63
64 Normally this program generates the key and asks for a file in which to
65 store the private key. The public key is stored in a file with the same
66 name but “.pub” appended. The program also asks for a passphrase. The
67 passphrase may be empty to indicate no passphrase (host keys must have an
68 empty passphrase), or it may be a string of arbitrary length. A
69 passphrase is similar to a password, except it can be a phrase with a se‐
70 ries of words, punctuation, numbers, whitespace, or any string of charac‐
71 ters you want. Good passphrases are 10-30 characters long, are not sim‐
72 ple sentences or otherwise easily guessable (English prose has only 1-2
73 bits of entropy per character, and provides very bad passphrases), and
74 contain a mix of upper and lowercase letters, numbers, and non-alphanu‐
75 meric characters. The passphrase can be changed later by using the -p
76 option.
77
78 There is no way to recover a lost passphrase. If the passphrase is lost
79 or forgotten, a new key must be generated and the corresponding public
80 key copied to other machines.
81
82 ssh-keygen will by default write keys in an OpenSSH-specific format.
83 This format is preferred as it offers better protection for keys at rest
84 as well as allowing storage of key comments within the private key file
85 itself. The key comment may be useful to help identify the key. The
86 comment is initialized to “user@host” when the key is created, but can be
87 changed using the -c option.
88
89 It is still possible for ssh-keygen to write the previously-used PEM for‐
90 mat private keys using the -m flag. This may be used when generating new
91 keys, and existing new-format keys may be converted using this option in
92 conjunction with the -p (change passphrase) flag.
93
94 After a key is generated, ssh-keygen will ask where the keys should be
95 placed to be activated.
96
97 The options are as follows:
98
99 -A Generate host keys of all default key types (rsa, ecdsa, and
100 ed25519) if they do not already exist. The host keys are gener‐
101 ated with the default key file path, an empty passphrase, default
102 bits for the key type, and default comment. If -f has also been
103 specified, its argument is used as a prefix to the default path
104 for the resulting host key files. This is used by /etc/rc to
105 generate new host keys.
106
107 -a rounds
108 When saving a private key, this option specifies the number of
109 KDF (key derivation function, currently bcrypt_pbkdf(3)) rounds
110 used. Higher numbers result in slower passphrase verification
111 and increased resistance to brute-force password cracking (should
112 the keys be stolen). The default is 16 rounds.
113
114 -B Show the bubblebabble digest of specified private or public key
115 file.
116
117 -b bits
118 Specifies the number of bits in the key to create. For RSA keys,
119 the minimum size is 1024 bits and the default is 3072 bits. Gen‐
120 erally, 3072 bits is considered sufficient. DSA keys must be ex‐
121 actly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the
122 -b flag determines the key length by selecting from one of three
123 elliptic curve sizes: 256, 384 or 521 bits. Attempting to use
124 bit lengths other than these three values for ECDSA keys will
125 fail. ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length
126 and the -b flag will be ignored.
127
128 -C comment
129 Provides a new comment.
130
131 -c Requests changing the comment in the private and public key
132 files. The program will prompt for the file containing the pri‐
133 vate keys, for the passphrase if the key has one, and for the new
134 comment.
135
136 -D pkcs11
137 Download the public keys provided by the PKCS#11 shared library
138 pkcs11. When used in combination with -s, this option indicates
139 that a CA key resides in a PKCS#11 token (see the CERTIFICATES
140 section for details).
141
142 -E fingerprint_hash
143 Specifies the hash algorithm used when displaying key finger‐
144 prints. Valid options are: “md5” and “sha256”. The default is
145 “sha256”.
146
147 -e This option will read a private or public OpenSSH key file and
148 print to stdout a public key in one of the formats specified by
149 the -m option. The default export format is “RFC4716”. This op‐
150 tion allows exporting OpenSSH keys for use by other programs, in‐
151 cluding several commercial SSH implementations.
152
153 -F hostname | [hostname]:port
154 Search for the specified hostname (with optional port number) in
155 a known_hosts file, listing any occurrences found. This option
156 is useful to find hashed host names or addresses and may also be
157 used in conjunction with the -H option to print found keys in a
158 hashed format.
159
160 -f filename
161 Specifies the filename of the key file.
162
163 -g Use generic DNS format when printing fingerprint resource records
164 using the -r command.
165
166 -H Hash a known_hosts file. This replaces all hostnames and ad‐
167 dresses with hashed representations within the specified file;
168 the original content is moved to a file with a .old suffix.
169 These hashes may be used normally by ssh and sshd, but they do
170 not reveal identifying information should the file's contents be
171 disclosed. This option will not modify existing hashed hostnames
172 and is therefore safe to use on files that mix hashed and non-
173 hashed names.
174
175 -h When signing a key, create a host certificate instead of a user
176 certificate. See the CERTIFICATES section for details.
177
178 -I certificate_identity
179 Specify the key identity when signing a public key. See the
180 CERTIFICATES section for details.
181
182 -i This option will read an unencrypted private (or public) key file
183 in the format specified by the -m option and print an OpenSSH
184 compatible private (or public) key to stdout. This option allows
185 importing keys from other software, including several commercial
186 SSH implementations. The default import format is “RFC4716”.
187
188 -K Download resident keys from a FIDO authenticator. Public and
189 private key files will be written to the current directory for
190 each downloaded key. If multiple FIDO authenticators are at‐
191 tached, keys will be downloaded from the first touched authenti‐
192 cator. See the FIDO AUTHENTICATOR section for more information.
193
194 -k Generate a KRL file. In this mode, ssh-keygen will generate a
195 KRL file at the location specified via the -f flag that revokes
196 every key or certificate presented on the command line.
197 Keys/certificates to be revoked may be specified by public key
198 file or using the format described in the KEY REVOCATION LISTS
199 section.
200
201 -L Prints the contents of one or more certificates.
202
203 -l Show fingerprint of specified public key file. For RSA and DSA
204 keys ssh-keygen tries to find the matching public key file and
205 prints its fingerprint. If combined with -v, a visual ASCII art
206 representation of the key is supplied with the fingerprint.
207
208 -M generate
209 Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parame‐
210 ters for eventual use by the ‘diffie-hellman-group-exchange-*’
211 key exchange methods. The numbers generated by this operation
212 must be further screened before use. See the MODULI GENERATION
213 section for more information.
214
215 -M screen
216 Screen candidate parameters for Diffie-Hellman Group Exchange.
217 This will accept a list of candidate numbers and test that they
218 are safe (Sophie Germain) primes with acceptable group genera‐
219 tors. The results of this operation may be added to the
220 /etc/gsissh/moduli file. See the MODULI GENERATION section for
221 more information.
222
223 -m key_format
224 Specify a key format for key generation, the -i (import), -e (ex‐
225 port) conversion options, and the -p change passphrase operation.
226 The latter may be used to convert between OpenSSH private key and
227 PEM private key formats. The supported key formats are:
228 “RFC4716” (RFC 4716/SSH2 public or private key), “PKCS8” (PKCS8
229 public or private key) or “PEM” (PEM public key). By default
230 OpenSSH will write newly-generated private keys in its own for‐
231 mat, but when converting public keys for export the default for‐
232 mat is “RFC4716”. Setting a format of “PEM” when generating or
233 updating a supported private key type will cause the key to be
234 stored in the legacy PEM private key format.
235
236 -N new_passphrase
237 Provides the new passphrase.
238
239 -n principals
240 Specify one or more principals (user or host names) to be in‐
241 cluded in a certificate when signing a key. Multiple principals
242 may be specified, separated by commas. See the CERTIFICATES sec‐
243 tion for details.
244
245 -O option
246 Specify a key/value option. These are specific to the operation
247 that ssh-keygen has been requested to perform.
248
249 When signing certificates, one of the options listed in the
250 CERTIFICATES section may be specified here.
251
252 When performing moduli generation or screening, one of the op‐
253 tions listed in the MODULI GENERATION section may be specified.
254
255 When generating FIDO authenticator-backed keys, the options
256 listed in the FIDO AUTHENTICATOR section may be specified.
257
258 When performing signature-related options using the -Y flag, the
259 following options are accepted:
260
261 hashalg=algorithm
262 Selects the hash algorithm to use for hashing the message
263 to be signed. Valid algorithms are “sha256” and
264 “sha512.” The default is “sha512.”
265
266 print-pubkey
267 Print the full public key to standard output after signa‐
268 ture verification.
269
270 verify-time=timestamp
271 Specifies a time to use when validating signatures in‐
272 stead of the current time. The time may be specified as
273 a date or time in the YYYYMMDD[Z] or in YYYYMMD‐
274 DHHMM[SS][Z] formats. Dates and times will be inter‐
275 preted in the current system time zone unless suffixed
276 with a Z character, which causes them to be interpreted
277 in the UTC time zone.
278
279 When generating SSHFP DNS records from public keys using the -r
280 flag, the following options are accepted:
281
282 hashalg=algorithm
283 Selects a hash algorithm to use when printing SSHFP
284 records using the -D flag. Valid algorithms are “sha1”
285 and “sha256”. The default is to print both.
286
287 The -O option may be specified multiple times.
288
289 -P passphrase
290 Provides the (old) passphrase.
291
292 -p Requests changing the passphrase of a private key file instead of
293 creating a new private key. The program will prompt for the file
294 containing the private key, for the old passphrase, and twice for
295 the new passphrase.
296
297 -Q Test whether keys have been revoked in a KRL. If the -l option
298 is also specified then the contents of the KRL will be printed.
299
300 -q Silence ssh-keygen.
301
302 -R hostname | [hostname]:port
303 Removes all keys belonging to the specified hostname (with op‐
304 tional port number) from a known_hosts file. This option is use‐
305 ful to delete hashed hosts (see the -H option above).
306
307 -r hostname
308 Print the SSHFP fingerprint resource record named hostname for
309 the specified public key file.
310
311 -s ca_key
312 Certify (sign) a public key using the specified CA key. See the
313 CERTIFICATES section for details.
314
315 When generating a KRL, -s specifies a path to a CA public key
316 file used to revoke certificates directly by key ID or serial
317 number. See the KEY REVOCATION LISTS section for details.
318
319 -t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
320 Specifies the type of key to create. The possible values are
321 “dsa”, “ecdsa”, “ecdsa-sk”, “ed25519”, “ed25519-sk”, or “rsa”.
322
323 This flag may also be used to specify the desired signature type
324 when signing certificates using an RSA CA key. The available RSA
325 signature variants are “ssh-rsa” (SHA1 signatures, not recom‐
326 mended), “rsa-sha2-256”, and “rsa-sha2-512” (the default).
327
328 -U When used in combination with -s or -Y sign, this option indi‐
329 cates that a CA key resides in a ssh-agent(1). See the
330 CERTIFICATES section for more information.
331
332 -u Update a KRL. When specified with -k, keys listed via the com‐
333 mand line are added to the existing KRL rather than a new KRL be‐
334 ing created.
335
336 -V validity_interval
337 Specify a validity interval when signing a certificate. A valid‐
338 ity interval may consist of a single time, indicating that the
339 certificate is valid beginning now and expiring at that time, or
340 may consist of two times separated by a colon to indicate an ex‐
341 plicit time interval.
342
343 The start time may be specified as:
344 • The string “always” to indicate the certificate has no speci‐
345 fied start time.
346 • A date or time in the system time zone formatted as YYYYMMDD
347 or YYYYMMDDHHMM[SS].
348 • A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMD‐
349 DHHMM[SS]Z.
350 • A relative time before the current system time consisting of
351 a minus sign followed by an interval in the format described
352 in the TIME FORMATS section of sshd_config(5).
353 • A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a
354 hexadecimal number beginning with “0x”.
355
356 The end time may be specified similarly to the start time:
357 • The string “forever” to indicate the certificate has no spec‐
358 ified end time.
359 • A date or time in the system time zone formatted as YYYYMMDD
360 or YYYYMMDDHHMM[SS].
361 • A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMD‐
362 DHHMM[SS]Z.
363 • A relative time after the current system time consisting of a
364 plus sign followed by an interval in the format described in
365 the TIME FORMATS section of sshd_config(5).
366 • A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a
367 hexadecimal number beginning with “0x”.
368
369 For example:
370
371 +52w1d Valid from now to 52 weeks and one day from now.
372
373 -4w:+4w
374 Valid from four weeks ago to four weeks from now.
375
376 20100101123000:20110101123000
377 Valid from 12:30 PM, January 1st, 2010 to 12:30 PM, Janu‐
378 ary 1st, 2011.
379
380 20100101123000Z:20110101123000Z
381 Similar, but interpreted in the UTC time zone rather than
382 the system time zone.
383
384 -1d:20110101
385 Valid from yesterday to midnight, January 1st, 2011.
386
387 0x1:0x2000000000
388 Valid from roughly early 1970 to May 2033.
389
390 -1m:forever
391 Valid from one minute ago and never expiring.
392
393 -v Verbose mode. Causes ssh-keygen to print debugging messages
394 about its progress. This is helpful for debugging moduli genera‐
395 tion. Multiple -v options increase the verbosity. The maximum
396 is 3.
397
398 -w provider
399 Specifies a path to a library that will be used when creating
400 FIDO authenticator-hosted keys, overriding the default of using
401 the internal USB HID support.
402
403 -Y find-principals
404 Find the principal(s) associated with the public key of a signa‐
405 ture, provided using the -s flag in an authorized signers file
406 provided using the -f flag. The format of the allowed signers
407 file is documented in the ALLOWED SIGNERS section below. If one
408 or more matching principals are found, they are returned on stan‐
409 dard output.
410
411 -Y match-principals
412 Find principal matching the principal name provided using the -I
413 flag in the authorized signers file specified using the -f flag.
414 If one or more matching principals are found, they are returned
415 on standard output.
416
417 -Y check-novalidate
418 Checks that a signature generated using ssh-keygen -Y sign has a
419 valid structure. This does not validate if a signature comes
420 from an authorized signer. When testing a signature, ssh-keygen
421 accepts a message on standard input and a signature namespace us‐
422 ing -n. A file containing the corresponding signature must also
423 be supplied using the -s flag. Successful testing of the signa‐
424 ture is signalled by ssh-keygen returning a zero exit status.
425
426 -Y sign
427 Cryptographically sign a file or some data using a SSH key. When
428 signing, ssh-keygen accepts zero or more files to sign on the
429 command-line - if no files are specified then ssh-keygen will
430 sign data presented on standard input. Signatures are written to
431 the path of the input file with “.sig” appended, or to standard
432 output if the message to be signed was read from standard input.
433
434 The key used for signing is specified using the -f option and may
435 refer to either a private key, or a public key with the private
436 half available via ssh-agent(1). An additional signature name‐
437 space, used to prevent signature confusion across different do‐
438 mains of use (e.g. file signing vs email signing) must be pro‐
439 vided via the -n flag. Namespaces are arbitrary strings, and may
440 include: “file” for file signing, “email” for email signing. For
441 custom uses, it is recommended to use names following a NAME‐
442 SPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces.
443
444 -Y verify
445 Request to verify a signature generated using ssh-keygen -Y sign
446 as described above. When verifying a signature, ssh-keygen ac‐
447 cepts a message on standard input and a signature namespace using
448 -n. A file containing the corresponding signature must also be
449 supplied using the -s flag, along with the identity of the signer
450 using -I and a list of allowed signers via the -f flag. The for‐
451 mat of the allowed signers file is documented in the ALLOWED
452 SIGNERS section below. A file containing revoked keys can be
453 passed using the -r flag. The revocation file may be a KRL or a
454 one-per-line list of public keys. Successful verification by an
455 authorized signer is signalled by ssh-keygen returning a zero
456 exit status.
457
458 -y This option will read a private OpenSSH format file and print an
459 OpenSSH public key to stdout.
460
461 -Z cipher
462 Specifies the cipher to use for encryption when writing an
463 OpenSSH-format private key file. The list of available ciphers
464 may be obtained using "ssh -Q cipher". The default is
465 “aes256-ctr”.
466
467 -z serial_number
468 Specifies a serial number to be embedded in the certificate to
469 distinguish this certificate from others from the same CA. If
470 the serial_number is prefixed with a ‘+’ character, then the se‐
471 rial number will be incremented for each certificate signed on a
472 single command-line. The default serial number is zero.
473
474 When generating a KRL, the -z flag is used to specify a KRL ver‐
475 sion number.
476
478 ssh-keygen may be used to generate groups for the Diffie-Hellman Group
479 Exchange (DH-GEX) protocol. Generating these groups is a two-step
480 process: first, candidate primes are generated using a fast, but memory
481 intensive process. These candidate primes are then tested for suitabil‐
482 ity (a CPU-intensive process).
483
484 Generation of primes is performed using the -M generate option. The de‐
485 sired length of the primes may be specified by the -O bits option. For
486 example:
487
488 # ssh-keygen -M generate -O bits=2048 moduli-2048.candidates
489
490 By default, the search for primes begins at a random point in the desired
491 length range. This may be overridden using the -O start option, which
492 specifies a different start point (in hex).
493
494 Once a set of candidates have been generated, they must be screened for
495 suitability. This may be performed using the -M screen option. In this
496 mode ssh-keygen will read candidates from standard input (or a file spec‐
497 ified using the -f option). For example:
498
499 # ssh-keygen -M screen -f moduli-2048.candidates moduli-2048
500
501 By default, each candidate will be subjected to 100 primality tests.
502 This may be overridden using the -O prime-tests option. The DH generator
503 value will be chosen automatically for the prime under consideration. If
504 a specific generator is desired, it may be requested using the -O
505 generator option. Valid generator values are 2, 3, and 5.
506
507 Screened DH groups may be installed in /etc/gsissh/moduli. It is impor‐
508 tant that this file contains moduli of a range of bit lengths.
509
510 A number of options are available for moduli generation and screening via
511 the -O flag:
512
513 lines=number
514 Exit after screening the specified number of lines while perform‐
515 ing DH candidate screening.
516
517 start-line=line-number
518 Start screening at the specified line number while performing DH
519 candidate screening.
520
521 checkpoint=filename
522 Write the last line processed to the specified file while per‐
523 forming DH candidate screening. This will be used to skip lines
524 in the input file that have already been processed if the job is
525 restarted.
526
527 memory=mbytes
528 Specify the amount of memory to use (in megabytes) when generat‐
529 ing candidate moduli for DH-GEX.
530
531 start=hex-value
532 Specify start point (in hex) when generating candidate moduli for
533 DH-GEX.
534
535 generator=value
536 Specify desired generator (in decimal) when testing candidate
537 moduli for DH-GEX.
538
540 ssh-keygen supports signing of keys to produce certificates that may be
541 used for user or host authentication. Certificates consist of a public
542 key, some identity information, zero or more principal (user or host)
543 names and a set of options that are signed by a Certification Authority
544 (CA) key. Clients or servers may then trust only the CA key and verify
545 its signature on a certificate rather than trusting many user/host keys.
546 Note that OpenSSH certificates are a different, and much simpler, format
547 to the X.509 certificates used in ssl(8).
548
549 ssh-keygen supports two types of certificates: user and host. User cer‐
550 tificates authenticate users to servers, whereas host certificates au‐
551 thenticate server hosts to users. To generate a user certificate:
552
553 $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
554
555 The resultant certificate will be placed in /path/to/user_key-cert.pub.
556 A host certificate requires the -h option:
557
558 $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
559
560 The host certificate will be output to /path/to/host_key-cert.pub.
561
562 It is possible to sign using a CA key stored in a PKCS#11 token by pro‐
563 viding the token library using -D and identifying the CA key by providing
564 its public half as an argument to -s:
565
566 $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub
567
568 Similarly, it is possible for the CA key to be hosted in a ssh-agent(1).
569 This is indicated by the -U flag and, again, the CA key must be identi‐
570 fied by its public half.
571
572 $ ssh-keygen -Us ca_key.pub -I key_id user_key.pub
573
574 In all cases, key_id is a "key identifier" that is logged by the server
575 when the certificate is used for authentication.
576
577 Certificates may be limited to be valid for a set of principal
578 (user/host) names. By default, generated certificates are valid for all
579 users or hosts. To generate a certificate for a specified set of princi‐
580 pals:
581
582 $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
583 $ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub
584
585 Additional limitations on the validity and use of user certificates may
586 be specified through certificate options. A certificate option may dis‐
587 able features of the SSH session, may be valid only when presented from
588 particular source addresses or may force the use of a specific command.
589
590 The options that are valid for user certificates are:
591
592 clear Clear all enabled permissions. This is useful for clearing the
593 default set of permissions so permissions may be added individu‐
594 ally.
595
596 critical:name[=contents]
597 extension:name[=contents]
598 Includes an arbitrary certificate critical option or extension.
599 The specified name should include a domain suffix, e.g.
600 “name@example.com”. If contents is specified then it is included
601 as the contents of the extension/option encoded as a string, oth‐
602 erwise the extension/option is created with no contents (usually
603 indicating a flag). Extensions may be ignored by a client or
604 server that does not recognise them, whereas unknown critical op‐
605 tions will cause the certificate to be refused.
606
607 force-command=command
608 Forces the execution of command instead of any shell or command
609 specified by the user when the certificate is used for authenti‐
610 cation.
611
612 no-agent-forwarding
613 Disable ssh-agent(1) forwarding (permitted by default).
614
615 no-port-forwarding
616 Disable port forwarding (permitted by default).
617
618 no-pty Disable PTY allocation (permitted by default).
619
620 no-user-rc
621 Disable execution of ~/.ssh/rc by sshd(8) (permitted by default).
622
623 no-x11-forwarding
624 Disable X11 forwarding (permitted by default).
625
626 permit-agent-forwarding
627 Allows ssh-agent(1) forwarding.
628
629 permit-port-forwarding
630 Allows port forwarding.
631
632 permit-pty
633 Allows PTY allocation.
634
635 permit-user-rc
636 Allows execution of ~/.ssh/rc by sshd(8).
637
638 permit-X11-forwarding
639 Allows X11 forwarding.
640
641 no-touch-required
642 Do not require signatures made using this key include demonstra‐
643 tion of user presence (e.g. by having the user touch the authen‐
644 ticator). This option only makes sense for the FIDO authentica‐
645 tor algorithms ecdsa-sk and ed25519-sk.
646
647 source-address=address_list
648 Restrict the source addresses from which the certificate is con‐
649 sidered valid. The address_list is a comma-separated list of one
650 or more address/netmask pairs in CIDR format.
651
652 verify-required
653 Require signatures made using this key indicate that the user was
654 first verified. This option only makes sense for the FIDO au‐
655 thenticator algorithms ecdsa-sk and ed25519-sk. Currently PIN
656 authentication is the only supported verification method, but
657 other methods may be supported in the future.
658
659 At present, no standard options are valid for host keys.
660
661 Finally, certificates may be defined with a validity lifetime. The -V
662 option allows specification of certificate start and end times. A cer‐
663 tificate that is presented at a time outside this range will not be con‐
664 sidered valid. By default, certificates are valid from the UNIX Epoch to
665 the distant future.
666
667 For certificates to be used for user or host authentication, the CA pub‐
668 lic key must be trusted by sshd(8) or ssh(1). Refer to those manual
669 pages for details.
670
672 ssh-keygen is able to generate FIDO authenticator-backed keys, after
673 which they may be used much like any other key type supported by OpenSSH,
674 so long as the hardware authenticator is attached when the keys are used.
675 FIDO authenticators generally require the user to explicitly authorise
676 operations by touching or tapping them. FIDO keys consist of two parts:
677 a key handle part stored in the private key file on disk, and a per-de‐
678 vice private key that is unique to each FIDO authenticator and that can‐
679 not be exported from the authenticator hardware. These are combined by
680 the hardware at authentication time to derive the real key that is used
681 to sign authentication challenges. Supported key types are ecdsa-sk and
682 ed25519-sk.
683
684 The options that are valid for FIDO keys are:
685
686 application
687 Override the default FIDO application/origin string of “ssh:”.
688 This may be useful when generating host or domain-specific resi‐
689 dent keys. The specified application string must begin with
690 “ssh:”.
691
692 challenge=path
693 Specifies a path to a challenge string that will be passed to the
694 FIDO authenticator during key generation. The challenge string
695 may be used as part of an out-of-band protocol for key enrollment
696 (a random challenge is used by default).
697
698 device Explicitly specify a fido(4) device to use, rather than letting
699 the authenticator middleware select one.
700
701 no-touch-required
702 Indicate that the generated private key should not require touch
703 events (user presence) when making signatures. Note that sshd(8)
704 will refuse such signatures by default, unless overridden via an
705 authorized_keys option.
706
707 resident
708 Indicate that the key handle should be stored on the FIDO authen‐
709 ticator itself. This makes it easier to use the authenticator on
710 multiple computers. Resident keys may be supported on FIDO2 au‐
711 thenticators and typically require that a PIN be set on the au‐
712 thenticator prior to generation. Resident keys may be loaded off
713 the authenticator using ssh-add(1). Storing both parts of a key
714 on a FIDO authenticator increases the likelihood of an attacker
715 being able to use a stolen authenticator device.
716
717 user A username to be associated with a resident key, overriding the
718 empty default username. Specifying a username may be useful when
719 generating multiple resident keys for the same application name.
720
721 verify-required
722 Indicate that this private key should require user verification
723 for each signature. Not all FIDO authenticators support this op‐
724 tion. Currently PIN authentication is the only supported verifi‐
725 cation method, but other methods may be supported in the future.
726
727 write-attestation=path
728 May be used at key generation time to record the attestation data
729 returned from FIDO authenticators during key generation. This
730 information is potentially sensitive. By default, this informa‐
731 tion is discarded.
732
734 ssh-keygen is able to manage OpenSSH format Key Revocation Lists (KRLs).
735 These binary files specify keys or certificates to be revoked using a
736 compact format, taking as little as one bit per certificate if they are
737 being revoked by serial number.
738
739 KRLs may be generated using the -k flag. This option reads one or more
740 files from the command line and generates a new KRL. The files may ei‐
741 ther contain a KRL specification (see below) or public keys, listed one
742 per line. Plain public keys are revoked by listing their hash or con‐
743 tents in the KRL and certificates revoked by serial number or key ID (if
744 the serial is zero or not available).
745
746 Revoking keys using a KRL specification offers explicit control over the
747 types of record used to revoke keys and may be used to directly revoke
748 certificates by serial number or key ID without having the complete orig‐
749 inal certificate on hand. A KRL specification consists of lines contain‐
750 ing one of the following directives followed by a colon and some direc‐
751 tive-specific information.
752
753 serial: serial_number[-serial_number]
754 Revokes a certificate with the specified serial number. Serial
755 numbers are 64-bit values, not including zero and may be ex‐
756 pressed in decimal, hex or octal. If two serial numbers are
757 specified separated by a hyphen, then the range of serial numbers
758 including and between each is revoked. The CA key must have been
759 specified on the ssh-keygen command line using the -s option.
760
761 id: key_id
762 Revokes a certificate with the specified key ID string. The CA
763 key must have been specified on the ssh-keygen command line using
764 the -s option.
765
766 key: public_key
767 Revokes the specified key. If a certificate is listed, then it
768 is revoked as a plain public key.
769
770 sha1: public_key
771 Revokes the specified key by including its SHA1 hash in the KRL.
772
773 sha256: public_key
774 Revokes the specified key by including its SHA256 hash in the
775 KRL. KRLs that revoke keys by SHA256 hash are not supported by
776 OpenSSH versions prior to 7.9.
777
778 hash: fingerprint
779 Revokes a key using a fingerprint hash, as obtained from a
780 sshd(8) authentication log message or the ssh-keygen -l flag.
781 Only SHA256 fingerprints are supported here and resultant KRLs
782 are not supported by OpenSSH versions prior to 7.9.
783
784 KRLs may be updated using the -u flag in addition to -k. When this op‐
785 tion is specified, keys listed via the command line are merged into the
786 KRL, adding to those already there.
787
788 It is also possible, given a KRL, to test whether it revokes a particular
789 key (or keys). The -Q flag will query an existing KRL, testing each key
790 specified on the command line. If any key listed on the command line has
791 been revoked (or an error encountered) then ssh-keygen will exit with a
792 non-zero exit status. A zero exit status will only be returned if no key
793 was revoked.
794
796 When verifying signatures, ssh-keygen uses a simple list of identities
797 and keys to determine whether a signature comes from an authorized
798 source. This "allowed signers" file uses a format patterned after the
799 AUTHORIZED_KEYS FILE FORMAT described in sshd(8). Each line of the file
800 contains the following space-separated fields: principals, options, key‐
801 type, base64-encoded key. Empty lines and lines starting with a ‘#’ are
802 ignored as comments.
803
804 The principals field is a pattern-list (see PATTERNS in ssh_config(5))
805 consisting of one or more comma-separated USER@DOMAIN identity patterns
806 that are accepted for signing. When verifying, the identity presented
807 via the -I option must match a principals pattern in order for the corre‐
808 sponding key to be considered acceptable for verification.
809
810 The options (if present) consist of comma-separated option specifica‐
811 tions. No spaces are permitted, except within double quotes. The fol‐
812 lowing option specifications are supported (note that option keywords are
813 case-insensitive):
814
815 cert-authority
816 Indicates that this key is accepted as a certificate authority
817 (CA) and that certificates signed by this CA may be accepted for
818 verification.
819
820 namespaces=namespace-list
821 Specifies a pattern-list of namespaces that are accepted for this
822 key. If this option is present, the signature namespace embedded
823 in the signature object and presented on the verification com‐
824 mand-line must match the specified list before the key will be
825 considered acceptable.
826
827 valid-after=timestamp
828 Indicates that the key is valid for use at or after the specified
829 timestamp, which may be a date or time in the YYYYMMDD[Z] or
830 YYYYMMDDHHMM[SS][Z] formats. Dates and times will be interpreted
831 in the current system time zone unless suffixed with a Z charac‐
832 ter, which causes them to be interpreted in the UTC time zone.
833
834 valid-before=timestamp
835 Indicates that the key is valid for use at or before the speci‐
836 fied timestamp.
837
838 When verifying signatures made by certificates, the expected principal
839 name must match both the principals pattern in the allowed signers file
840 and the principals embedded in the certificate itself.
841
842 An example allowed signers file:
843
844 # Comments allowed at start of line
845 user1@example.com,user2@example.com ssh-rsa AAAAX1...
846 # A certificate authority, trusted for all principals in a domain.
847 *@example.com cert-authority ssh-ed25519 AAAB4...
848 # A key that is accepted only for file signing.
849 user2@example.com namespaces="file" ssh-ed25519 AAA41...
850
852 SSH_SK_PROVIDER
853 Specifies a path to a library that will be used when loading any
854 FIDO authenticator-hosted keys, overriding the default of using
855 the built-in USB HID support.
856
858 ~/.ssh/id_dsa
859 ~/.ssh/id_ecdsa
860 ~/.ssh/id_ecdsa_sk
861 ~/.ssh/id_ed25519
862 ~/.ssh/id_ed25519_sk
863 ~/.ssh/id_rsa
864 Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, au‐
865 thenticator-hosted Ed25519 or RSA authentication identity of the
866 user. This file should not be readable by anyone but the user.
867 It is possible to specify a passphrase when generating the key;
868 that passphrase will be used to encrypt the private part of this
869 file using 128-bit AES. This file is not automatically accessed
870 by ssh-keygen but it is offered as the default file for the pri‐
871 vate key. ssh(1) will read this file when a login attempt is
872 made.
873
874 ~/.ssh/id_dsa.pub
875 ~/.ssh/id_ecdsa.pub
876 ~/.ssh/id_ecdsa_sk.pub
877 ~/.ssh/id_ed25519.pub
878 ~/.ssh/id_ed25519_sk.pub
879 ~/.ssh/id_rsa.pub
880 Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, au‐
881 thenticator-hosted Ed25519 or RSA public key for authentication.
882 The contents of this file should be added to
883 ~/.ssh/authorized_keys on all machines where the user wishes to
884 log in using public key authentication. There is no need to keep
885 the contents of this file secret.
886
887 /etc/gsissh/moduli
888 Contains Diffie-Hellman groups used for DH-GEX. The file format
889 is described in moduli(5).
890
892 ssh(1), ssh-add(1), ssh-agent(1), moduli(5), sshd(8)
893
894 The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
895
897 OpenSSH is a derivative of the original and free ssh 1.2.12 release by
898 Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo
899 de Raadt and Dug Song removed many bugs, re-added newer features and cre‐
900 ated OpenSSH. Markus Friedl contributed the support for SSH protocol
901 versions 1.5 and 2.0.
902
903BSD February 10, 2023 BSD