ssh-keygen(1)                    User Commands                    ssh-keygen(1)

NAME
       ssh-keygen - authentication key generation

SYNOPSIS
       ssh-keygen [-q] [-b bits] -t type [-N new_passphrase]
            [-C comment] [-f output_keyfile]

       ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]

       ssh-keygen -i [-f input_keyfile]

       ssh-keygen -e [-f input_keyfile]

       ssh-keygen -y [-f input_keyfile]

       ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]

       ssh-keygen -l [-f input_keyfile]

       ssh-keygen -B [-f input_keyfile]

       ssh-keygen -F hostname [-f known_hosts_file]

       ssh-keygen -H [-f known_hosts_file]

       ssh-keygen -R hostname [-f known_hosts_file]

DESCRIPTION
       The ssh-keygen utility generates, manages, and converts authentication
       keys for ssh(1). ssh-keygen can create RSA keys for use by SSH protocol
       version 1 and RSA or DSA keys for use by SSH protocol version 2. The
       type of key to be generated is specified with the -t option.

       Normally, each user wishing to use SSH with RSA or DSA authentication
       runs this once to create the authentication key in $HOME/.ssh/identity,
       $HOME/.ssh/id_dsa, or $HOME/.ssh/id_rsa. The system administrator can
       also use this to generate host keys.

       Ordinarily, this program generates the key and asks for a file in which
       to store the private key. The public key is stored in a file with the
       same name but with the ".pub" extension appended. The program also asks
       for a passphrase. The passphrase can be empty to indicate no passphrase
       (host keys must have empty passphrases), or it can be a string of
       arbitrary length. Good passphrases are 10-30 characters long, are not
       simple sentences or otherwise easy to guess, and contain a mix of
       uppercase and lowercase letters, numbers, and non-alphanumeric
       characters. (English prose has only 1-2 bits of entropy per word and
       provides very poor passphrases.) If a passphrase is set, it must be at
       least 4 characters long.

       The passphrase can be changed later by using the -p option.

       There is no way to recover a lost passphrase. If the passphrase is lost
       or forgotten, you have to generate a new key and copy the corresponding
       public key to other machines.

       For RSA, there is also a comment field in the key file that exists only
       for the user's convenience, to help identify the key. The comment can
       tell what the key is for, or whatever is useful. The comment is
       initialized to "user@host" when the key is created, but can be changed
       using the -c option.

       After a key is generated, the instructions below detail where to place
       the keys to activate them.
OPTIONS
       The following options are supported:

       -b bits
               Specifies the number of bits in the key to create. The minimum
               number is 512 bits. Generally, 1024 bits is considered
               sufficient. Key sizes above that no longer improve security but
               make things slower. The default is 1024 bits.

       -B      Shows the bubblebabble digest of the specified private or
               public key file.

       -c      Requests changing the comment in the private and public key
               files. The program prompts for the file containing the private
               key, for the passphrase if the key has one, and for the new
               comment.

               This option only applies to rsa1 (SSHv1) keys.

       -C comment
               Provides the new comment.

       -e      This option reads a private or public OpenSSH key file and
               prints the key in "SECSH" Public Key File Format to stdout.
               This option allows exporting keys for use by several other SSH
               implementations.

       -f      Specifies the filename of the key file.

       -F      Search for the specified hostname in a known_hosts file,
               listing any occurrences found. This option is useful to find
               hashed host names or addresses and can also be used in
               conjunction with the -H option to print found keys in a hashed
               format.

       -H      Hash a known_hosts file. This replaces all host names and
               addresses with hashed representations within the specified
               file. The original content is moved to a file with a .old
               suffix. These hashes may be used normally by ssh and sshd, but
               they do not reveal identifying information should the file's
               contents be disclosed. This option does not modify existing
               hashed host names and is therefore safe to use on files that
               mix hashed and non-hashed names.

       -i      This option reads an unencrypted private (or public) key file
               in SSH2-compatible format and prints an OpenSSH compatible
               private (or public) key to stdout. ssh-keygen also reads the
               "SECSH" Public Key File Format. This option allows importing
               keys from several other SSH implementations.

       -l      Shows the fingerprint of the specified private or public key
               file.

       -N new_passphrase
               Provides the new passphrase.

       -p      Requests changing the passphrase of a private key file instead
               of creating a new private key. The program prompts for the
               file containing the private key, for the old passphrase, and
               prompts twice for the new passphrase.

       -P passphrase
               Provides the (old) passphrase.

       -q      Silences ssh-keygen.

       -t type
               Specifies the algorithm used for the key, where type is one of
               rsa, dsa, and rsa1. Type rsa1 is used only for the SSHv1
               protocol.

       -R hostname
               Removes all keys belonging to hostname from a known_hosts file.
               This option is useful to delete hashed hosts. See -H.

       -x      Obsolete. Replaced by the -e option.

       -X      Obsolete. Replaced by the -i option.

       -y      This option reads a private OpenSSH format file and prints an
               OpenSSH public key to stdout.

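       The hashed known_hosts entries that -H writes and that -F and -R look
       up, worked through in Python as an added example; this is not code from
       this man page or from the SunSSH/OpenSSH sources. It assumes the
       standard hashed host field "|1|<base64 salt>|<base64 HMAC-SHA1(salt,
       hostname)>" with a 20-byte salt, and the sample known_hosts lines (and
       the key material in them) are constructed placeholders, not real host
       keys. The one-line-per-name split of comma-separated host lists follows
       OpenSSH's -H behaviour.

```python
"""Hashed known_hosts entries as -H writes them and -F / -R look them up.

Added example; not code from the man page or from the SunSSH/OpenSSH sources.
Assumes the standard hashed host field "|1|<base64 salt>|<base64 HMAC-SHA1(salt,
hostname)>" with a 20-byte salt. The sample lines below are constructed; the key
material in them is a placeholder, not a real host key.
"""
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"
SALT_LEN = 20  # bytes, the SHA-1 output size


def hash_host(host, salt=None):
    """Hashed form of one host name or address; a fresh random salt unless given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC, base64.b64encode(salt).decode(),
                        base64.b64encode(digest).decode())


def host_matches(field, host):
    """True if a host field (plain comma-separated list or hashed) names host."""
    if not field.startswith(HASH_MAGIC):
        return host in field.split(",")
    try:
        salt_b64, digest_b64 = field[len(HASH_MAGIC):].split("|", 1)
        salt, digest = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except ValueError:
        return False  # a malformed hashed entry never matches
    expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, digest)


def split_entry(line):
    """(host field, rest of line) for a key line; None for blank lines and comments."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    parts = s.split(None, 1)
    return tuple(parts) if len(parts) == 2 else None


def _entry_names(line, host):
    e = split_entry(line)
    return e is not None and host_matches(e[0], host)


def hash_known_hosts(lines):
    """What -H produces: every plain name hashed with its own salt, one line per
    name of a comma-separated list; already-hashed lines are left untouched."""
    out = []
    for line in lines:
        entry = split_entry(line)
        if entry is None or entry[0].startswith(HASH_MAGIC):
            out.append(line.rstrip("\n"))
            continue
        hosts, rest = entry
        out.extend("%s %s" % (hash_host(name), rest) for name in hosts.split(","))
    return out


def find_host(lines, host):
    """What -F lists: (line number, line) for every entry naming host."""
    return [(n, line.rstrip("\n")) for n, line in enumerate(lines, 1)
            if _entry_names(line, host)]


def remove_host(lines, host):
    """What -R does: drop every entry naming host, keep everything else."""
    return [line.rstrip("\n") for line in lines if not _entry_names(line, host)]


# Constructed sample known_hosts; the base64 blobs are placeholders, not real keys.
SAMPLE = [
    "# constructed known_hosts",
    "bastion.example.com,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAcGxhY2Vob2xkZXI=",
    "build.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAPcGxhY2Vob2xkZXI=",
]

if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE)
    print("\n".join(hashed))
    print(find_host(hashed, "10.0.0.5"))
    print(len(remove_host(hashed, "build.example.com")), "lines after -R")
```

       Running hash_known_hosts twice gives the same file back, which is the
       property the -H description relies on when it calls the option safe on
       mixed files. After hashing, the only way to learn which hosts a file
       lists is to guess a name and test it with host_matches, which is the
       point of the format: a disclosed file no longer reads as an inventory
       of reachable machines, but ssh, sshd, -F and -R still work on it.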
EXIT STATUS
       The following exit values are returned:

       0       Successful completion.

       1       An error occurred.

FILES
       $HOME/.ssh/identity
               This file contains the RSA private key for the SSHv1 protocol.
               This file should not be readable by anyone but the user. It is
               possible to specify a passphrase when generating the key; that
               passphrase is used to encrypt the private part of this file
               using 3DES. This file is not automatically accessed by
               ssh-keygen, but it is offered as the default file for the
               private key. sshd(1M) reads this file when a login attempt is
               made.

       $HOME/.ssh/identity.pub
               This file contains the RSA public key for the SSHv1 protocol.
               The contents of this file should be added to
               $HOME/.ssh/authorized_keys on all machines where you wish to
               log in using RSA authentication. There is no need to keep the
               contents of this file secret.

       $HOME/.ssh/id_dsa
       $HOME/.ssh/id_rsa
               These files contain, respectively, the DSA or RSA private key
               for the SSHv2 protocol. These files should not be readable by
               anyone but the user. It is possible to specify a passphrase
               when generating the key; that passphrase is used to encrypt
               the private part of the file using 3DES. Neither of these
               files is automatically accessed by ssh-keygen, but each is
               offered as the default file for the private key. sshd(1M)
               reads this file when a login attempt is made.

       $HOME/.ssh/id_dsa.pub
       $HOME/.ssh/id_rsa.pub
               These files contain, respectively, the DSA or RSA public key
               for the SSHv2 protocol. The contents of these files should be
               added, respectively, to $HOME/.ssh/authorized_keys on all
               machines where you wish to log in using DSA or RSA
               authentication. There is no need to keep the contents of these
               files secret.

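       An added example, not from this man page or from the SunSSH/OpenSSH
       code, that reads the one-line public keys kept in the .pub files and in
       authorized_keys listed above and reports what ssh-keygen -l shows for
       each (key type, size in bits, fingerprint), and that converts such keys
       to and from the "SECSH" Public Key File Format that -e writes and -i
       reads. It assumes the standard SSHv2 public-key blob encoding (a
       length-prefixed type string followed by mpints: e, n for ssh-rsa; p, q,
       g, y for ssh-dss), the MD5 colon-separated hex fingerprint that -l
       printed in this release, and the RFC 4716 "---- BEGIN SSH2 PUBLIC KEY
       ----" container for -e/-i. The sample key is built from a constructed
       1024-bit modulus that is not a real RSA key, and rsa1 (SSHv1) keys,
       which use a different file format, are not handled.

```python
"""Public-key lines as ssh-keygen -l, -e and -i see them.

Added example; not code from the man page or from the SunSSH/OpenSSH sources.
Assumes (a) the SSHv2 public-key blob encoding: a length-prefixed type string
followed by mpints (e, n for ssh-rsa; p, q, g, y for ssh-dss), (b) the MD5
colon-hex fingerprint that -l printed in this release, and (c) the RFC 4716
"SECSH" text container that -e writes and -i reads. rsa1 keys are not handled.
"""
import base64
import hashlib
import random
import struct


def _read_string(blob, pos):
    """Decode one length-prefixed field at pos; return (bytes, next position)."""
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def _put_string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    """Encode a non-negative int as an SSH mpint (big-endian, sign bit clear)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big").lstrip(b"\x00")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the two's-complement sign bit clear
    return _put_string(raw)


def parse_public_key(line):
    """Parse one 'type base64 [comment]' line from a .pub file or authorized_keys."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("not a public key line")
    keytype, b64 = fields[0], fields[1]
    comment = fields[2].strip() if len(fields) == 3 else ""
    blob = base64.b64decode(b64)
    alg, pos = _read_string(blob, 0)
    if alg.decode() != keytype:
        raise ValueError("key type %s does not match blob type %r" % (keytype, alg))
    params = []
    while pos < len(blob):  # the remaining fields are the algorithm's mpints
        field, pos = _read_string(blob, pos)
        params.append(int.from_bytes(field, "big"))
    return {"type": keytype, "params": params, "blob": blob, "comment": comment}


def key_bits(info):
    """Key size as -l reports it: the RSA modulus n, or the DSA prime p."""
    if info["type"] == "ssh-rsa":
        e, n = info["params"]
        return n.bit_length()
    if info["type"] == "ssh-dss":
        p, q, g, y = info["params"]
        return p.bit_length()
    raise ValueError("unsupported key type " + info["type"])


def md5_fingerprint(blob):
    """The 16-byte colon-separated hex fingerprint of the raw key blob."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def to_secsh(info):
    """Render the key in the SECSH container, as -e does (base64 wrapped at 70 columns)."""
    b64 = base64.b64encode(info["blob"]).decode()
    out = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if info["comment"]:
        out.append('Comment: "%s"' % info["comment"])
    out += [b64[i:i + 70] for i in range(0, len(b64), 70)]
    out.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(out)


def from_secsh(text):
    """Read a SECSH container back into an OpenSSH one-line key, as -i does."""
    body = [l.strip() for l in text.splitlines()
            if l.strip() and not l.startswith("----") and ":" not in l]  # drop armor and headers
    blob = base64.b64decode("".join(body))
    alg, _ = _read_string(blob, 0)
    return "%s %s" % (alg.decode(), base64.b64encode(blob).decode())


def build_rsa_public_key(e, n, comment=""):
    """Assemble an OpenSSH ssh-rsa line from its parameters (used for the sample)."""
    blob = _put_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return ("ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)).rstrip()


def audit(lines):
    """Inventory a .pub file or authorized_keys: (type, bits, fingerprint, comment) per key."""
    keys = (parse_public_key(l) for l in lines if l.strip() and not l.startswith("#"))
    return [(i["type"], key_bits(i), md5_fingerprint(i["blob"]), i["comment"]) for i in keys]


# Constructed sample: a deterministic pseudo-random 1024-bit odd modulus, not a real RSA key.
SAMPLE_N = random.Random(2009).getrandbits(1024) | (1 << 1023) | 1
SAMPLE_KEY = build_rsa_public_key(65537, SAMPLE_N, "user@host")

if __name__ == "__main__":
    for row in audit(["# constructed authorized_keys", SAMPLE_KEY]):
        print("%s %d %s %s" % row)
    print(to_secsh(parse_public_key(SAMPLE_KEY)))
```

       Sweeping an authorized_keys file with audit() gives the inventory that
       running -l over every key would: a key smaller than the sizes the
       OPTIONS section calls sufficient, or with an unfamiliar comment, stands
       out, and the fingerprint is the value to compare against what the key's
       owner reads back from ssh-keygen -l on their own machine before the
       public key is accepted into the file.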
ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────┬─────────────────┐
       │ ATTRIBUTE TYPE          │ ATTRIBUTE VALUE │
       ├─────────────────────────┼─────────────────┤
       │ Availability            │ SUNWsshcu       │
       ├─────────────────────────┼─────────────────┤
       │ Interface Stability     │ Committed       │
       └─────────────────────────┴─────────────────┘

SEE ALSO
       ssh(1), ssh-add(1), ssh-agent(1), sshd(1M), attributes(5)

SunOS 5.11                        17 Feb 2009                      ssh-keygen(1)