jcs.org / openbsd-src
jcs's openbsd hax
openbsd
fork atom
openbsd-src / usr.bin / ssh / ssh-keygen.1
at jcs 1352 lines 42 kB view raw
djm When certificate support was added to OpenSSH, certificates were originally specified to represent any principal if the principals list was empty.
f0c5ff0c
1.\" $OpenBSD: ssh-keygen.1,v 1.237 2025/12/22 01:49:03 djm Exp $ 2.\" 3.\" Author: Tatu Ylonen <ylo@cs.hut.fi> 4.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5.\" All rights reserved 6.\" 7.\" As far as I am concerned, the code I have written for this software 8.\" can be used freely for any purpose. Any derived versions of this 9.\" software must be clearly marked as such, and if the derived work is 10.\" incompatible with the protocol description in the RFC file, it must be 11.\" called by a name other than "ssh" or "Secure Shell". 12.\" 13.\" 14.\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 15.\" Copyright (c) 1999 Aaron Campbell. All rights reserved. 16.\" Copyright (c) 1999 Theo de Raadt. All rights reserved. 17.\" 18.\" Redistribution and use in source and binary forms, with or without 19.\" modification, are permitted provided that the following conditions 20.\" are met: 21.\" 1. Redistributions of source code must retain the above copyright 22.\" notice, this list of conditions and the following disclaimer. 23.\" 2. Redistributions in binary form must reproduce the above copyright 24.\" notice, this list of conditions and the following disclaimer in the 25.\" documentation and/or other materials provided with the distribution. 26.\" 27.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 28.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 29.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 30.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 31.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 32.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 33.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 34.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 35.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 36.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 37.\" 38.Dd $Mdocdate: December 22 2025 $ 39.Dt SSH-KEYGEN 1 40.Os 41.Sh NAME 42.Nm ssh-keygen 43.Nd OpenSSH authentication key utility 44.Sh SYNOPSIS 45.Nm ssh-keygen 46.Op Fl q 47.Op Fl a Ar rounds 48.Op Fl b Ar bits 49.Op Fl C Ar comment 50.Op Fl f Ar output_keyfile 51.Op Fl m Ar format 52.Op Fl N Ar new_passphrase 53.Op Fl O Ar option 54.Op Fl t Cm ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa 55.Op Fl w Ar provider 56.Op Fl Z Ar cipher 57.Nm ssh-keygen 58.Fl p 59.Op Fl a Ar rounds 60.Op Fl f Ar keyfile 61.Op Fl m Ar format 62.Op Fl N Ar new_passphrase 63.Op Fl P Ar old_passphrase 64.Op Fl Z Ar cipher 65.Nm ssh-keygen 66.Fl i 67.Op Fl f Ar input_keyfile 68.Op Fl m Ar key_format 69.Nm ssh-keygen 70.Fl e 71.Op Fl f Ar input_keyfile 72.Op Fl m Ar key_format 73.Nm ssh-keygen 74.Fl y 75.Op Fl f Ar input_keyfile 76.Nm ssh-keygen 77.Fl c 78.Op Fl a Ar rounds 79.Op Fl C Ar comment 80.Op Fl f Ar keyfile 81.Op Fl P Ar passphrase 82.Nm ssh-keygen 83.Fl l 84.Op Fl v 85.Op Fl E Ar fingerprint_hash 86.Op Fl f Ar input_keyfile 87.Nm ssh-keygen 88.Fl B 89.Op Fl f Ar input_keyfile 90.Nm ssh-keygen 91.Fl D Ar pkcs11 92.Nm ssh-keygen 93.Fl F Ar hostname 94.Op Fl lv 95.Op Fl f Ar known_hosts_file 96.Nm ssh-keygen 97.Fl H 98.Op Fl f Ar known_hosts_file 99.Nm ssh-keygen 100.Fl K 101.Op Fl a Ar rounds 102.Op Fl w Ar provider 103.Nm ssh-keygen 104.Fl R Ar hostname 105.Op Fl f Ar known_hosts_file 106.Nm ssh-keygen 107.Fl r Ar hostname 108.Op Fl g 109.Op Fl f Ar input_keyfile 110.Nm ssh-keygen 111.Fl M Cm generate 112.Op Fl O Ar option 113.Ar output_file 114.Nm ssh-keygen 115.Fl M Cm screen 116.Op Fl f Ar input_file 117.Op Fl O Ar option 118.Ar output_file 119.Nm ssh-keygen 120.Fl I Ar certificate_identity 121.Fl s Ar ca_key 122.Op Fl hU 123.Op Fl D Ar pkcs11_provider 124.Op Fl n Ar principals 125.Op Fl O Ar option 126.Op Fl V Ar validity_interval 127.Op Fl z Ar serial_number 128.Ar 129.Nm ssh-keygen 130.Fl L 131.Op Fl f Ar input_keyfile 132.Nm ssh-keygen 133.Fl A 134.Op Fl a Ar rounds 135.Op Fl f Ar prefix_path 136.Nm ssh-keygen 137.Fl k 138.Fl f Ar krl_file 139.Op Fl u 140.Op Fl s Ar ca_public 141.Op Fl z Ar version_number 142.Ar 143.Nm ssh-keygen 144.Fl Q 145.Op Fl l 146.Fl f Ar krl_file 147.Ar 148.Nm ssh-keygen 149.Fl Y Cm find-principals 150.Op Fl O Ar option 151.Fl s Ar signature_file 152.Fl f Ar allowed_signers_file 153.Nm ssh-keygen 154.Fl Y Cm match-principals 155.Fl I Ar signer_identity 156.Fl f Ar allowed_signers_file 157.Nm ssh-keygen 158.Fl Y Cm check-novalidate 159.Op Fl O Ar option 160.Fl n Ar namespace 161.Fl s Ar signature_file 162.Nm ssh-keygen 163.Fl Y Cm sign 164.Op Fl O Ar option 165.Fl f Ar key_file 166.Fl n Ar namespace 167.Ar 168.Nm ssh-keygen 169.Fl Y Cm verify 170.Op Fl O Ar option 171.Fl f Ar allowed_signers_file 172.Fl I Ar signer_identity 173.Fl n Ar namespace 174.Fl s Ar signature_file 175.Op Fl r Ar revocation_file 176.Sh DESCRIPTION 177.Nm 178generates, manages and converts authentication keys for 179.Xr ssh 1 . 180.Nm 181can create keys for use by SSH protocol version 2. 182.Pp 183The type of key to be generated is specified with the 184.Fl t 185option. 186If invoked without any arguments, 187.Nm 188will generate an Ed25519 key. 189.Pp 190.Nm 191is also used to generate groups for use in Diffie-Hellman group 192exchange (DH-GEX). 193See the 194.Sx MODULI GENERATION 195section for details. 196.Pp 197Finally, 198.Nm 199can be used to generate and update Key Revocation Lists, and to test whether 200given keys have been revoked by one. 201See the 202.Sx KEY REVOCATION LISTS 203section for details. 204.Pp 205Normally each user wishing to use SSH 206with public key authentication runs this once to create the authentication 207key in 208.Pa ~/.ssh/id_ecdsa , 209.Pa ~/.ssh/id_ecdsa_sk , 210.Pa ~/.ssh/id_ed25519 , 211.Pa ~/.ssh/id_ed25519_sk 212or 213.Pa ~/.ssh/id_rsa . 214Additionally, the system administrator may use this to generate host keys, 215as seen in 216.Pa /etc/rc . 217.Pp 218Normally this program generates the key and asks for a file in which 219to store the private key. 220The public key is stored in a file with the same name but 221.Dq .pub 222appended. 223The program also asks for a passphrase. 224The passphrase may be empty to indicate no passphrase 225(host keys must have an empty passphrase), or it may be a string of 226arbitrary length. 227A passphrase is similar to a password, except it can be a phrase with a 228series of words, punctuation, numbers, whitespace, or any string of 229characters you want. 230Good passphrases are 10-30 characters long, are 231not simple sentences or otherwise easily guessable (English 232prose has only 1-2 bits of entropy per character, and provides very bad 233passphrases), and contain a mix of upper and lowercase letters, 234numbers, and non-alphanumeric characters. 235The passphrase can be changed later by using the 236.Fl p 237option. 238.Pp 239There is no way to recover a lost passphrase. 240If the passphrase is lost or forgotten, a new key must be generated 241and the corresponding public key copied to other machines. 242.Pp 243.Nm 244will by default write keys in an OpenSSH-specific format. 245This format is preferred as it offers better protection for 246keys at rest as well as allowing storage of key comments within 247the private key file itself. 248The key comment may be useful to help identify the key. 249The comment is initialized to 250.Dq user@host 251when the key is created, but can be changed using the 252.Fl c 253option. 254.Pp 255It is still possible for 256.Nm 257to write the previously-used PEM format private keys using the 258.Fl m 259flag. 260This may be used when generating new keys, and existing new-format 261keys may be converted using this option in conjunction with the 262.Fl p 263(change passphrase) flag. 264.Pp 265After a key is generated, 266.Nm 267will ask where the keys 268should be placed to be activated. 269.Pp 270The options are as follows: 271.Bl -tag -width Ds 272.It Fl A 273Generate host keys of all default key types (rsa, ecdsa, and 274ed25519) if they do not already exist. 275The host keys are generated with the default key file path, 276an empty passphrase, default bits for the key type, and default comment. 277If 278.Fl f 279has also been specified, its argument is used as a prefix to the 280default path for the resulting host key files. 281This is used by 282.Pa /etc/rc 283to generate new host keys. 284.It Fl a Ar rounds 285When saving a private key, this option specifies the number of KDF 286(key derivation function, currently 287.Xr bcrypt_pbkdf 3 ) 288rounds used. 289Higher numbers result in slower passphrase verification and increased 290resistance to brute-force password cracking (should the keys be stolen). 291The default is 16 rounds. 292.It Fl B 293Show the bubblebabble digest of specified private or public key file. 294.It Fl b Ar bits 295Specifies the number of bits in the key to create. 296For RSA keys, the minimum size is 1024 bits and the default is 3072 bits. 297Generally, 3072 bits is considered sufficient. 298For ECDSA keys, the 299.Fl b 300flag determines the key length by selecting from one of three elliptic 301curve sizes: 256, 384 or 521 bits. 302Attempting to use bit lengths other than these three values for ECDSA keys 303will fail. 304ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the 305.Fl b 306flag will be ignored. 307.It Fl C Ar comment 308Provides a new comment. 309.It Fl c 310Requests changing the comment in the private and public key files. 311The program will prompt for the file containing the private keys, for 312the passphrase if the key has one, and for the new comment. 313.It Fl D Ar pkcs11 314Download the public keys provided by the PKCS#11 shared library 315.Ar pkcs11 . 316When used in combination with 317.Fl s , 318this option indicates that a CA key resides in a PKCS#11 token (see the 319.Sx CERTIFICATES 320section for details). 321.It Fl E Ar fingerprint_hash 322Specifies the hash algorithm used when displaying key fingerprints. 323Valid options are: 324.Dq md5 325and 326.Dq sha256 . 327The default is 328.Dq sha256 . 329.It Fl e 330This option will read a private or public OpenSSH key file and 331print to stdout a public key in one of the formats specified by the 332.Fl m 333option. 334The default export format is 335.Dq RFC4716 . 336This option allows exporting OpenSSH keys for use by other programs, including 337several commercial SSH implementations. 338.It Fl F Ar hostname | [hostname]:port 339Search for the specified 340.Ar hostname 341(with optional port number) 342in a 343.Pa known_hosts 344file, listing any occurrences found. 345This option is useful to find hashed host names or addresses and may also be 346used in conjunction with the 347.Fl H 348option to print found keys in a hashed format. 349.It Fl f Ar filename 350Specifies the filename of the key file. 351.It Fl g 352Use generic DNS format when printing fingerprint resource records using the 353.Fl r 354command. 355.It Fl H 356Hash a 357.Pa known_hosts 358file. 359This replaces all hostnames and addresses with hashed representations 360within the specified file; the original content is moved to a file with 361a .old suffix. 362These hashes may be used normally by 363.Nm ssh 364and 365.Nm sshd , 366but they do not reveal identifying information should the file's contents 367be disclosed. 368This option will not modify existing hashed hostnames and is therefore safe 369to use on files that mix hashed and non-hashed names. 370.It Fl h 371When signing a key, create a host certificate instead of a user 372certificate. 373See the 374.Sx CERTIFICATES 375section for details. 376.It Fl I Ar certificate_identity 377Specify the key identity when signing a public key. 378See the 379.Sx CERTIFICATES 380section for details. 381.It Fl i 382This option will read an unencrypted private (or public) key file 383in the format specified by the 384.Fl m 385option and print an OpenSSH compatible private 386(or public) key to stdout. 387This option allows importing keys from other software, including several 388commercial SSH implementations. 389The default import format is 390.Dq RFC4716 . 391.It Fl K 392Download resident keys from a FIDO authenticator. 393Public and private key files will be written to the current directory for 394each downloaded key. 395If multiple FIDO authenticators are attached, keys will be downloaded from 396the first touched authenticator. 397See the 398.Sx FIDO AUTHENTICATOR 399section for more information. 400.It Fl k 401Generate a KRL file. 402In this mode, 403.Nm 404will generate a KRL file at the location specified via the 405.Fl f 406flag that revokes every key or certificate presented on the command line. 407Keys/certificates to be revoked may be specified by public key file or 408using the format described in the 409.Sx KEY REVOCATION LISTS 410section. 411.It Fl L 412Prints the contents of one or more certificates. 413.It Fl l 414Show fingerprint of specified public key file. 415.Nm 416will try to find the matching public key file and prints its fingerprint. 417If combined with 418.Fl v , 419a visual ASCII art representation of the key is supplied with the 420fingerprint. 421.It Fl M Cm generate 422Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parameters for 423eventual use by the 424.Sq diffie-hellman-group-exchange-* 425key exchange methods. 426The numbers generated by this operation must be further screened before 427use. 428See the 429.Sx MODULI GENERATION 430section for more information. 431.It Fl M Cm screen 432Screen candidate parameters for Diffie-Hellman Group Exchange. 433This will accept a list of candidate numbers and test that they are 434safe (Sophie Germain) primes with acceptable group generators. 435The results of this operation may be added to the 436.Pa /etc/moduli 437file. 438See the 439.Sx MODULI GENERATION 440section for more information. 441.It Fl m Ar key_format 442Specify a key format for key generation, the 443.Fl i 444(import), 445.Fl e 446(export) conversion options, and the 447.Fl p 448change passphrase operation. 449The latter may be used to convert between OpenSSH private key and PEM 450private key formats. 451The supported key formats are: 452.Dq RFC4716 453(RFC 4716/SSH2 public or private key), 454.Dq PKCS8 455(PKCS8 public or private key) 456or 457.Dq PEM 458(PEM public key). 459By default OpenSSH will write newly-generated private keys in its own 460format, but when converting public keys for export the default format is 461.Dq RFC4716 . 462Setting a format of 463.Dq PEM 464when generating or updating a supported private key type will cause the 465key to be stored in the legacy PEM private key format. 466.It Fl N Ar new_passphrase 467Provides the new passphrase. 468.It Fl n Ar principals 469Specify one or more principals (user or host names) to be included in 470a certificate when signing a key. 471Multiple principals may be specified, separated by commas. 472See the 473.Sx CERTIFICATES 474section for details. 475.It Fl O Ar option 476Specify a key/value option. 477These are specific to the operation that 478.Nm 479has been requested to perform. 480.Pp 481When signing certificates, one of the options listed in the 482.Sx CERTIFICATES 483section may be specified here. 484.Pp 485When performing moduli generation or screening, one of the options 486listed in the 487.Sx MODULI GENERATION 488section may be specified. 489.Pp 490When generating FIDO authenticator-backed keys, the options listed in the 491.Sx FIDO AUTHENTICATOR 492section may be specified. 493.Pp 494When performing signature-related options using the 495.Fl Y 496flag, the following options are accepted: 497.Bl -tag -width Ds 498.It Cm hashalg Ns = Ns Ar algorithm 499Selects the hash algorithm to use for hashing the message to be signed. 500Valid algorithms are 501.Dq sha256 502and 503.Dq sha512. 504The default is 505.Dq sha512. 506.It Cm print-pubkey 507Print the full public key to standard output after signature verification. 508.It Cm verify-time Ns = Ns Ar timestamp 509Specifies a time to use when validating signatures instead of the current 510time. 511The time may be specified as a date or time in the YYYYMMDD[Z] or 512in YYYYMMDDHHMM[SS][Z] formats. 513Dates and times will be interpreted in the current system time zone unless 514suffixed with a Z character, which causes them to be interpreted in the 515UTC time zone. 516.El 517.Pp 518When generating SSHFP DNS records from public keys using the 519.Fl r 520flag, the following options are accepted: 521.Bl -tag -width Ds 522.It Cm hashalg Ns = Ns Ar algorithm 523Selects a hash algorithm to use when printing SSHFP records using the 524.Fl D 525flag. 526Valid algorithms are 527.Dq sha1 528and 529.Dq sha256 . 530The default is to print both. 531.El 532.Pp 533The 534.Fl O 535option may be specified multiple times. 536.It Fl P Ar passphrase 537Provides the (old) passphrase. 538.It Fl p 539Requests changing the passphrase of a private key file instead of 540creating a new private key. 541The program will prompt for the file 542containing the private key, for the old passphrase, and twice for the 543new passphrase. 544.It Fl Q 545Test whether keys have been revoked in a KRL. 546If the 547.Fl l 548option is also specified then the contents of the KRL will be printed. 549.It Fl q 550Silence 551.Nm ssh-keygen . 552.It Fl R Ar hostname | [hostname]:port 553Removes all keys belonging to the specified 554.Ar hostname 555(with optional port number) 556from a 557.Pa known_hosts 558file. 559This option is useful to delete hashed hosts (see the 560.Fl H 561option above). 562.It Fl r Ar hostname 563Print the SSHFP fingerprint resource record named 564.Ar hostname 565for the specified public key file. 566.It Fl s Ar ca_key 567Certify (sign) a public key using the specified CA key. 568See the 569.Sx CERTIFICATES 570section for details. 571.Pp 572When generating a KRL, 573.Fl s 574specifies a path to a CA public key file used to revoke certificates directly 575by key ID or serial number. 576See the 577.Sx KEY REVOCATION LISTS 578section for details. 579.It Fl t Cm ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa 580Specifies the type of key to create. 581The possible values are 582.Dq ecdsa , 583.Dq ecdsa-sk , 584.Dq ed25519 (the default), 585.Dq ed25519-sk , 586or 587.Dq rsa . 588.Pp 589This flag may also be used to specify the desired signature type when 590signing certificates using an RSA CA key. 591The available RSA signature variants are 592.Dq ssh-rsa 593(SHA1 signatures, not recommended), 594.Dq rsa-sha2-256 , 595and 596.Dq rsa-sha2-512 597(the default for RSA keys). 598.It Fl U 599When used in combination with 600.Fl s 601or 602.Fl Y Cm sign , 603this option indicates that a CA key resides in an 604.Xr ssh-agent 1 . 605See the 606.Sx CERTIFICATES 607section for more information. 608.It Fl u 609Update a KRL. 610When specified with 611.Fl k , 612keys listed via the command line are added to the existing KRL rather than 613a new KRL being created. 614.It Fl V Ar validity_interval 615Specify a validity interval when signing a certificate. 616A validity interval may consist of a single time, indicating that the 617certificate is valid beginning now and expiring at that time, or may consist 618of two times separated by a colon to indicate an explicit time interval. 619.Pp 620The start time may be specified as: 621.Bl -bullet -compact 622.It 623The string 624.Dq always 625to indicate the certificate has no specified start time. 626.It 627A date or time in the system time zone formatted as YYYYMMDD or 628YYYYMMDDHHMM[SS]. 629.It 630A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z. 631.It 632A relative time before the current system time consisting of a minus sign 633followed by an interval in the format described in the 634TIME FORMATS section of 635.Xr sshd_config 5 . 636.It 637A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal 638number beginning with 639.Dq 0x . 640.El 641.Pp 642The end time may be specified similarly to the start time: 643.Bl -bullet -compact 644.It 645The string 646.Dq forever 647to indicate the certificate has no specified end time. 648.It 649A date or time in the system time zone formatted as YYYYMMDD or 650YYYYMMDDHHMM[SS]. 651.It 652A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z. 653.It 654A relative time after the current system time consisting of a plus sign 655followed by an interval in the format described in the 656TIME FORMATS section of 657.Xr sshd_config 5 . 658.It 659A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal 660number beginning with 661.Dq 0x . 662.El 663.Pp 664For example: 665.Bl -tag -width Ds 666.It +52w1d 667Valid from now to 52 weeks and one day from now. 668.It -4w:+4w 669Valid from four weeks ago to four weeks from now. 670.It 20100101123000:20110101123000 671Valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011. 672.It 20100101123000Z:20110101123000Z 673Similar, but interpreted in the UTC time zone rather than the system time zone. 674.It -1d:20110101 675Valid from yesterday to midnight, January 1st, 2011. 676.It 0x1:0x2000000000 677Valid from roughly early 1970 to May 2033. 678.It -1m:forever 679Valid from one minute ago and never expiring. 680.El 681.It Fl v 682Verbose mode. 683Causes 684.Nm 685to print debugging messages about its progress. 686This is helpful for debugging moduli generation. 687Multiple 688.Fl v 689options increase the verbosity. 690The maximum is 3. 691.It Fl w Ar provider 692Specifies a path to a library that will be used when creating 693FIDO authenticator-hosted keys, overriding the default of using 694the internal USB HID support. 695.It Fl Y Cm find-principals 696Find the principal(s) associated with the public key of a signature, 697provided using the 698.Fl s 699flag in an authorized signers file provided using the 700.Fl f 701flag. 702The format of the allowed signers file is documented in the 703.Sx ALLOWED SIGNERS 704section below. 705If one or more matching principals are found, they are returned on 706standard output. 707.It Fl Y Cm match-principals 708Find principal matching the principal name provided using the 709.Fl I 710flag in the authorized signers file specified using the 711.Fl f 712flag. 713If one or more matching principals are found, they are returned on 714standard output. 715.It Fl Y Cm check-novalidate 716Checks that a signature generated using 717.Nm 718.Fl Y Cm sign 719has a valid structure. 720This does not validate if a signature comes from an authorized signer. 721When testing a signature, 722.Nm 723accepts a message on standard input and a signature namespace using 724.Fl n . 725A file containing the corresponding signature must also be supplied using the 726.Fl s 727flag. 728Successful testing of the signature is signalled by 729.Nm 730returning a zero exit status. 731.It Fl Y Cm sign 732Cryptographically sign a file or some data using an SSH key. 733When signing, 734.Nm 735accepts zero or more files to sign on the command-line - if no files 736are specified then 737.Nm 738will sign data presented on standard input. 739Signatures are written to the path of the input file with 740.Dq .sig 741appended, or to standard output if the message to be signed was read from 742standard input. 743.Pp 744The key used for signing is specified using the 745.Fl f 746option and may refer to either a private key, or a public key with the private 747half available via 748.Xr ssh-agent 1 . 749An additional signature namespace, used to prevent signature confusion across 750different domains of use (e.g. file signing vs email signing) must be provided 751via the 752.Fl n 753flag. 754Namespaces are arbitrary strings, and may include: 755.Dq file 756for file signing, 757.Dq email 758for email signing. 759For custom uses, it is recommended to use names following a 760NAMESPACE@YOUR.DOMAIN pattern to generate unambiguous namespaces. 761.It Fl Y Cm verify 762Request to verify a signature generated using 763.Nm 764.Fl Y Cm sign 765as described above. 766When verifying a signature, 767.Nm 768accepts a message on standard input and a signature namespace using 769.Fl n . 770A file containing the corresponding signature must also be supplied using the 771.Fl s 772flag, along with the identity of the signer using 773.Fl I 774and a list of allowed signers via the 775.Fl f 776flag. 777The format of the allowed signers file is documented in the 778.Sx ALLOWED SIGNERS 779section below. 780A file containing revoked keys can be passed using the 781.Fl r 782flag. 783The revocation file may be a KRL or a one-per-line list of public keys. 784Successful verification by an authorized signer is signalled by 785.Nm 786returning a zero exit status. 787.It Fl y 788This option will read a private 789OpenSSH format file and print an OpenSSH public key to stdout. 790.It Fl Z Ar cipher 791Specifies the cipher to use for encryption when writing an OpenSSH-format 792private key file. 793The list of available ciphers may be obtained using 794.Qq ssh -Q cipher . 795The default is 796.Dq aes256-ctr . 797.It Fl z Ar serial_number 798Specifies a serial number to be embedded in the certificate to distinguish 799this certificate from others from the same CA. 800If the 801.Ar serial_number 802is prefixed with a 803.Sq + 804character, then the serial number will be incremented for each certificate 805signed on a single command-line. 806The default serial number is zero. 807.Pp 808When generating a KRL, the 809.Fl z 810flag is used to specify a KRL version number. 811.El 812.Sh MODULI GENERATION 813.Nm 814may be used to generate groups for the Diffie-Hellman Group Exchange 815(DH-GEX) protocol. 816Generating these groups is a two-step process: first, candidate 817primes are generated using a fast, but memory intensive process. 818These candidate primes are then tested for suitability (a CPU-intensive 819process). 820.Pp 821Generation of primes is performed using the 822.Fl M Cm generate 823option. 824The desired length of the primes may be specified by the 825.Fl O Cm bits 826option. 827For example: 828.Pp 829.Dl # ssh-keygen -M generate -O bits=2048 moduli-2048.candidates 830.Pp 831By default, the search for primes begins at a random point in the 832desired length range. 833This may be overridden using the 834.Fl O Cm start 835option, which specifies a different start point (in hex). 836.Pp 837Once a set of candidates have been generated, they must be screened for 838suitability. 839This may be performed using the 840.Fl M Cm screen 841option. 842In this mode 843.Nm 844will read candidates from standard input (or a file specified using the 845.Fl f 846option). 847For example: 848.Pp 849.Dl # ssh-keygen -M screen -f moduli-2048.candidates moduli-2048 850.Pp 851By default, each candidate will be subjected to 100 primality tests. 852This may be overridden using the 853.Fl O Cm prime-tests 854option. 855The DH generator value will be chosen automatically for the 856prime under consideration. 857If a specific generator is desired, it may be requested using the 858.Fl O Cm generator 859option. 860Valid generator values are 2, 3, and 5. 861.Pp 862Screened DH groups may be installed in 863.Pa /etc/moduli . 864It is important that this file contains moduli of a range of bit lengths. 865.Pp 866A number of options are available for moduli generation and screening via the 867.Fl O 868flag: 869.Bl -tag -width Ds 870.It Ic lines Ns = Ns Ar number 871Exit after screening the specified number of lines while performing DH 872candidate screening. 873.It Ic start-line Ns = Ns Ar line-number 874Start screening at the specified line number while performing DH candidate 875screening. 876.It Ic checkpoint Ns = Ns Ar filename 877Write the last line processed to the specified file while performing DH 878candidate screening. 879This will be used to skip lines in the input file that have already been 880processed if the job is restarted. 881.It Ic start Ns = Ns Ar hex-value 882Specify start point (in hex) when generating candidate moduli for DH-GEX. 883.It Ic generator Ns = Ns Ar value 884Specify desired generator (in decimal) when testing candidate moduli for DH-GEX. 885.El 886.Sh CERTIFICATES 887.Nm 888supports signing of keys to produce certificates that may be used for 889user or host authentication. 890Certificates consist of a public key, some identity information, zero or 891more principal (user or host) names and a set of options that 892are signed by a Certification Authority (CA) key. 893Clients or servers may then trust only the CA key and verify its signature 894on a certificate rather than trusting many user/host keys. 895Note that OpenSSH certificates are a different, and much simpler, format to 896the X.509 certificates used in 897.Xr ssl 8 . 898.Pp 899.Nm 900supports two types of certificates: user and host. 901User certificates authenticate users to servers, whereas host certificates 902authenticate server hosts to users. 903To generate a user certificate: 904.Pp 905.Dl $ ssh-keygen -s /path/to/ca_key -I id -n user \e 906.Dl \ \ \ \ \ \ /path/to/user_key.pub 907.Pp 908The resultant certificate will be placed in 909.Pa /path/to/user_key-cert.pub . 910The argument to 911.Fl I 912is a key identifier that will be used in logs and may be used to revoke 913keys. 914The argument to 915.Fl n 916is one or more (comma-separated) principals, typically usernames, that 917the certificate represents. 918A host certificate requires the 919.Fl h 920option: 921.Pp 922.Dl $ ssh-keygen -s /path/to/ca_key -I id -h -n foo.example.org \e 923.Dl \ \ \ \ \ \ /path/to/host_key.pub 924.Pp 925For host certificates, the principals specified using the 926.Fl n 927argument are hostnames and may contain wildcard characters. 928.Pp 929The host certificate will be output to 930.Pa /path/to/host_key-cert.pub . 931.Pp 932It is possible to sign using a CA key stored in a PKCS#11 token by 933providing the token library using 934.Fl D 935and identifying the CA key by providing its public half as an argument 936to 937.Fl s : 938.Pp 939.Dl $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I id -n user \e 940.Dl \ \ \ \ \ \ user_key.pub 941.Pp 942Similarly, it is possible for the CA key to be hosted in an 943.Xr ssh-agent 1 . 944This is indicated by the 945.Fl U 946flag and, again, the CA key must be identified by its public half. 947.Pp 948.Dl $ ssh-keygen -Us ca_key.pub -I id -n user user_key.pub 949.Pp 950In all cases, 951.Ar key_id 952is a "key identifier" that is logged by the server when the certificate 953is used for authentication. 954.Pp 955Certificates are limited to be valid for a set of principal (user/host) 956names. 957To generate a certificate for a specified set of principals: 958.Pp 959.Dl $ ssh-keygen -s ca_key -I id -n user1,user2 user_key.pub 960.Dl $ ssh-keygen -s ca_key -I id -h -n host.domain host_key.pub 961.Pp 962Additional limitations on the validity and use of user certificates may 963be specified through certificate options. 964A certificate option may disable features of the SSH session, may be 965valid only when presented from particular source addresses or may 966force the use of a specific command. 967.Pp 968The options that are valid for user certificates are: 969.Pp 970.Bl -tag -width Ds -compact 971.It Ic clear 972Clear all enabled permissions. 973This is useful for clearing the default set of permissions so permissions may 974be added individually. 975.Pp 976.It Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents 977.It Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents 978Includes an arbitrary certificate critical option or extension. 979The specified 980.Ar name 981should include a domain suffix, e.g.\& 982.Dq name@example.com . 983If 984.Ar contents 985is specified then it is included as the contents of the extension/option 986encoded as a string, otherwise the extension/option is created with no 987contents (usually indicating a flag). 988Extensions may be ignored by a client or server that does not recognise them, 989whereas unknown critical options will cause the certificate to be refused. 990.Pp 991.It Ic force-command Ns = Ns Ar command 992Forces the execution of 993.Ar command 994instead of any shell or command specified by the user when 995the certificate is used for authentication. 996.Pp 997.It Ic no-agent-forwarding 998Disable 999.Xr ssh-agent 1 1000forwarding (permitted by default). 1001.Pp 1002.It Ic no-port-forwarding 1003Disable port forwarding (permitted by default). 1004.Pp 1005.It Ic no-pty 1006Disable PTY allocation (permitted by default). 1007.Pp 1008.It Ic no-user-rc 1009Disable execution of 1010.Pa ~/.ssh/rc 1011by 1012.Xr sshd 8 1013(permitted by default). 1014.Pp 1015.It Ic no-x11-forwarding 1016Disable X11 forwarding (permitted by default). 1017.Pp 1018.It Ic permit-agent-forwarding 1019Allows 1020.Xr ssh-agent 1 1021forwarding. 1022.Pp 1023.It Ic permit-port-forwarding 1024Allows port forwarding. 1025.Pp 1026.It Ic permit-pty 1027Allows PTY allocation. 1028.Pp 1029.It Ic permit-user-rc 1030Allows execution of 1031.Pa ~/.ssh/rc 1032by 1033.Xr sshd 8 . 1034.Pp 1035.It Ic permit-X11-forwarding 1036Allows X11 forwarding. 1037.Pp 1038.It Ic no-touch-required 1039Do not require signatures made using this key include demonstration 1040of user presence (e.g. by having the user touch the authenticator). 1041This option only makes sense for the FIDO authenticator algorithms 1042.Cm ecdsa-sk 1043and 1044.Cm ed25519-sk . 1045.Pp 1046.It Ic source-address Ns = Ns Ar address_list 1047Restrict the source addresses from which the certificate is considered valid. 1048The 1049.Ar address_list 1050is a comma-separated list of one or more address/netmask pairs in CIDR 1051format. 1052.Pp 1053.It Ic verify-required 1054Require signatures made using this key indicate that the user was first 1055verified, e.g. by PIN or on-token biometrics. 1056This option only makes sense for the FIDO authenticator algorithms 1057.Cm ecdsa-sk 1058and 1059.Cm ed25519-sk . 1060.El 1061.Pp 1062At present, no standard options are valid for host keys. 1063.Pp 1064Finally, certificates may be defined with a validity lifetime. 1065The 1066.Fl V 1067option allows specification of certificate start and end times. 1068A certificate that is presented at a time outside this range will not be 1069considered valid. 1070By default, certificates are valid from the 1071.Ux 1072Epoch to the distant future. 1073.Pp 1074For certificates to be used for user or host authentication, the CA 1075public key must be trusted by 1076.Xr sshd 8 1077or 1078.Xr ssh 1 . 1079Refer to those manual pages for details. 1080.Sh FIDO AUTHENTICATOR 1081.Nm 1082is able to generate FIDO authenticator-backed keys, after which 1083they may be used much like any other key type supported by OpenSSH, so 1084long as the hardware authenticator is attached when the keys are used. 1085FIDO authenticators generally require the user to explicitly authorise 1086operations by touching or tapping them. 1087FIDO keys consist of two parts: a key handle part stored in the 1088private key file on disk, and a per-device private key that is unique 1089to each FIDO authenticator and that cannot be exported from the 1090authenticator hardware. 1091These are combined by the hardware at authentication time to derive 1092the real key that is used to sign authentication challenges. 1093Supported key types are 1094.Cm ecdsa-sk 1095and 1096.Cm ed25519-sk . 1097.Pp 1098The options that are valid for FIDO keys are: 1099.Bl -tag -width Ds 1100.It Cm application 1101Override the default FIDO application/origin string of 1102.Dq ssh: . 1103This may be useful when generating host or domain-specific resident keys. 1104The specified application string must begin with 1105.Dq ssh: . 1106.It Cm challenge Ns = Ns Ar path 1107Specifies a path to a challenge string that will be passed to the 1108FIDO authenticator during key generation. 1109The challenge string may be used as part of an out-of-band 1110protocol for key enrollment 1111(a random challenge is used by default). 1112.It Cm device 1113Explicitly specify a 1114.Xr fido 4 1115device to use, rather than letting the authenticator middleware select one. 1116.It Cm no-touch-required 1117Indicate that the generated private key should not require touch 1118events (user presence) when making signatures. 1119Note that 1120.Xr sshd 8 1121will refuse such signatures by default, unless overridden via 1122an authorized_keys option. 1123.It Cm resident 1124Indicate that the key handle should be stored on the FIDO 1125authenticator itself. 1126This makes it easier to use the authenticator on multiple computers. 1127Resident keys may be supported on FIDO2 authenticators and typically 1128require that a PIN be set on the authenticator prior to generation. 1129Resident keys may be loaded off the authenticator using 1130.Xr ssh-add 1 . 1131Storing both parts of a key on a FIDO authenticator increases the likelihood 1132of an attacker being able to use a stolen authenticator device. 1133.It Cm user 1134A username to be associated with a resident key, 1135overriding the empty default username. 1136Specifying a username may be useful when generating multiple resident keys 1137for the same application name. 1138.It Cm verify-required 1139Indicate that this private key should require user verification for 1140each signature. 1141Not all FIDO authenticators support this option. 1142Currently PIN authentication is the only supported verification method, 1143but other methods may be supported in the future. 1144.It Cm write-attestation Ns = Ns Ar path 1145May be used at key generation time to record the attestation data 1146returned from FIDO authenticators during key generation. 1147This information is potentially sensitive. 1148By default, this information is discarded. 1149.El 1150.Sh KEY REVOCATION LISTS 1151.Nm 1152is able to manage OpenSSH format Key Revocation Lists (KRLs). 1153These binary files specify keys or certificates to be revoked using a 1154compact format, taking as little as one bit per certificate if they are being 1155revoked by serial number. 1156.Pp 1157KRLs may be generated using the 1158.Fl k 1159flag. 1160This option reads one or more files from the command line and generates a new 1161KRL. 1162The files may either contain a KRL specification (see below) or public keys, 1163listed one per line. 1164Plain public keys are revoked by listing their hash or contents in the KRL and 1165certificates revoked by serial number or key ID (if the serial is zero or 1166not available). 1167.Pp 1168Revoking keys using a KRL specification offers explicit control over the 1169types of record used to revoke keys and may be used to directly revoke 1170certificates by serial number or key ID without having the complete original 1171certificate on hand. 1172A KRL specification consists of lines containing one of the following directives 1173followed by a colon and some directive-specific information. 1174.Bl -tag -width Ds 1175.It Cm serial : Ar serial_number Ns Op - Ns Ar serial_number 1176Revokes a certificate with the specified serial number. 1177Serial numbers are 64-bit values, not including zero and may be expressed 1178in decimal, hex or octal. 1179If two serial numbers are specified separated by a hyphen, then the range 1180of serial numbers including and between each is revoked. 1181The CA key must have been specified on the 1182.Nm 1183command line using the 1184.Fl s 1185option. 1186.It Cm id : Ar key_id 1187Revokes a certificate with the specified key ID string. 1188The CA key must have been specified on the 1189.Nm 1190command line using the 1191.Fl s 1192option. 1193.It Cm key : Ar public_key 1194Revokes the specified key. 1195If a certificate is listed, then it is revoked as a plain public key. 1196.It Cm sha1 : Ar public_key 1197Revokes the specified key by including its SHA1 hash in the KRL. 1198.It Cm sha256 : Ar public_key 1199Revokes the specified key by including its SHA256 hash in the KRL. 1200KRLs that revoke keys by SHA256 hash are not supported by OpenSSH versions 1201prior to 7.9. 1202.It Cm hash : Ar fingerprint 1203Revokes a key using a fingerprint hash, as obtained from an 1204.Xr sshd 8 1205authentication log message or the 1206.Nm 1207.Fl l 1208flag. 1209Only SHA256 fingerprints are supported here and resultant KRLs are 1210not supported by OpenSSH versions prior to 7.9. 1211.El 1212.Pp 1213KRLs may be updated using the 1214.Fl u 1215flag in addition to 1216.Fl k . 1217When this option is specified, keys listed via the command line are merged into 1218the KRL, adding to those already there. 1219.Pp 1220It is also possible, given a KRL, to test whether it revokes a particular key 1221(or keys). 1222The 1223.Fl Q 1224flag will query an existing KRL, testing each key specified on the command line. 1225If any key listed on the command line has been revoked (or an error encountered) 1226then 1227.Nm 1228will exit with a non-zero exit status. 1229A zero exit status will only be returned if no key was revoked. 1230.Sh ALLOWED SIGNERS 1231When verifying signatures, 1232.Nm 1233uses a simple list of identities and keys to determine whether a signature 1234comes from an authorized source. 1235This "allowed signers" file uses a format patterned after the 1236AUTHORIZED_KEYS FILE FORMAT described in 1237.Xr sshd 8 . 1238Each line of the file contains the following space-separated fields: 1239principals, options, keytype, base64-encoded key. 1240Empty lines and lines starting with a 1241.Ql # 1242are ignored as comments. 1243.Pp 1244The principals field is a pattern-list (see PATTERNS in 1245.Xr ssh_config 5 ) 1246consisting of one or more comma-separated USER@DOMAIN identity patterns 1247that are accepted for signing. 1248When verifying, the identity presented via the 1249.Fl I 1250option must match a principals pattern in order for the corresponding key to be 1251considered acceptable for verification. 1252.Pp 1253The options (if present) consist of comma-separated option specifications. 1254No spaces are permitted, except within double quotes. 1255The following option specifications are supported (note that option keywords 1256are case-insensitive): 1257.Bl -tag -width Ds 1258.It Cm cert-authority 1259Indicates that this key is accepted as a certificate authority (CA) and 1260that certificates signed by this CA may be accepted for verification. 1261.It Cm namespaces Ns = Ns "namespace-list" 1262Specifies a pattern-list of namespaces that are accepted for this key. 1263If this option is present, the signature namespace embedded in the 1264signature object and presented on the verification command-line must 1265match the specified list before the key will be considered acceptable. 1266.It Cm valid-after Ns = Ns "timestamp" 1267Indicates that the key is valid for use at or after the specified timestamp, 1268which may be a date or time in the YYYYMMDD[Z] or YYYYMMDDHHMM[SS][Z] formats. 1269Dates and times will be interpreted in the current system time zone unless 1270suffixed with a Z character, which causes them to be interpreted in the UTC 1271time zone. 1272.It Cm valid-before Ns = Ns "timestamp" 1273Indicates that the key is valid for use at or before the specified timestamp. 1274.El 1275.Pp 1276When verifying signatures made by certificates, the expected principal 1277name must match both the principals pattern in the allowed signers file and 1278the principals embedded in the certificate itself. 1279.Pp 1280An example allowed signers file: 1281.Bd -literal -offset 3n 1282# Comments allowed at start of line 1283user1@example.com,user2@example.com ssh-rsa AAAAX1... 1284# A certificate authority, trusted for all principals in a domain. 1285*@example.com cert-authority ssh-ed25519 AAAB4... 1286# A key that is accepted only for file signing. 1287user2@example.com namespaces="file" ssh-ed25519 AAA41... 1288.Ed 1289.Sh ENVIRONMENT 1290.Bl -tag -width Ds 1291.It Ev SSH_SK_PROVIDER 1292Specifies a path to a library that will be used when loading any 1293FIDO authenticator-hosted keys, overriding the default of using 1294the built-in USB HID support. 1295.El 1296.Sh FILES 1297.Bl -tag -width Ds -compact 1298.It Pa ~/.ssh/id_ecdsa 1299.It Pa ~/.ssh/id_ecdsa_sk 1300.It Pa ~/.ssh/id_ed25519 1301.It Pa ~/.ssh/id_ed25519_sk 1302.It Pa ~/.ssh/id_rsa 1303Contains the ECDSA, authenticator-hosted ECDSA, Ed25519, 1304authenticator-hosted Ed25519 or RSA authentication identity of the user. 1305This file should not be readable by anyone but the user. 1306It is possible to 1307specify a passphrase when generating the key; that passphrase will be 1308used to encrypt the private part of this file using 128-bit AES. 1309This file is not automatically accessed by 1310.Nm 1311but it is offered as the default file for the private key. 1312.Xr ssh 1 1313will read this file when a login attempt is made. 1314.Pp 1315.It Pa ~/.ssh/id_ecdsa.pub 1316.It Pa ~/.ssh/id_ecdsa_sk.pub 1317.It Pa ~/.ssh/id_ed25519.pub 1318.It Pa ~/.ssh/id_ed25519_sk.pub 1319.It Pa ~/.ssh/id_rsa.pub 1320Contains the ECDSA, authenticator-hosted ECDSA, Ed25519, 1321authenticator-hosted Ed25519 or RSA public key for authentication. 1322The contents of this file should be added to 1323.Pa ~/.ssh/authorized_keys 1324on all machines 1325where the user wishes to log in using public key authentication. 1326There is no need to keep the contents of this file secret. 1327.Pp 1328.It Pa /etc/moduli 1329Contains Diffie-Hellman groups used for DH-GEX. 1330The file format is described in 1331.Xr moduli 5 . 1332.El 1333.Sh SEE ALSO 1334.Xr ssh 1 , 1335.Xr ssh-add 1 , 1336.Xr ssh-agent 1 , 1337.Xr moduli 5 , 1338.Xr sshd 8 1339.Rs 1340.%R RFC 4716 1341.%T "The Secure Shell (SSH) Public Key File Format" 1342.%D 2006 1343.Re 1344.Sh AUTHORS 1345OpenSSH is a derivative of the original and free 1346ssh 1.2.12 release by Tatu Ylonen. 1347Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, 1348Theo de Raadt and Dug Song 1349removed many bugs, re-added newer features and 1350created OpenSSH. 1351Markus Friedl contributed the support for SSH 1352protocol versions 1.5 and 2.0.