path: root/ssh-keygen.1
diff options
Diffstat (limited to 'ssh-keygen.1')
1 files changed, 155 insertions, 0 deletions
diff --git a/ssh-keygen.1 b/ssh-keygen.1
new file mode 100644
index 00000000..2cbcfae1
--- /dev/null
+++ b/ssh-keygen.1
@@ -0,0 +1,155 @@
+.\" -*- nroff -*-
+.\" ssh-keygen.1
+.\" Author: Tatu Ylonen <>
+.\" Copyright (c) 1995 Tatu Ylonen <>, Espoo, Finland
+.\" All rights reserved
+.\" Created: Sat Apr 22 23:55:14 1995 ylo
+.\" $Id: ssh-keygen.1,v 1.3 1999/10/28 23:15:49 damien Exp $
+.Dd September 25, 1999
+.Nm ssh-keygen
+.Nd authentication key generation
+.Nm ssh-keygen
+.Op Fl q
+.Op Fl b Ar bits
+.Op Fl N Ar new_passphrase
+.Op Fl C Ar comment
+.Nm ssh-keygen
+.Fl p
+.Op Fl P Ar old_passphrase
+.Op Fl N Ar new_passphrase
+.Nm ssh-keygen
+.Fl c
+.Op Fl P Ar passphrase
+.Op Fl C Ar comment
+generates and manages authentication keys for
+.Xr ssh 1 .
+Normally each user wishing to use SSH
+with RSA authentication runs this once to create the authentication
+key in
+.Pa $HOME/.ssh/identity .
+Additionally, the system administrator may use this to generate host keys.
+Normally this program generates the key and asks for a file in which
+to store the private key. The public key is stored in a file with the
+same name but
+.Dq .pub
+appended. The program also asks for a
+passphrase. The passphrase may be empty to indicate no passphrase
+(host keys must have empty passphrase), or it may be a string of
+arbitrary length. Good passphrases are 10-30 characters long and are
+not simple sentences or otherwise easily guessable (English
+prose has only 1-2 bits of entropy per word, and provides very bad
+passphrases). The passphrase can be changed later by using the
+.Fl p
+There is no way to recover a lost passphrase. If the passphrase is
+lost or forgotten, you will have to generate a new key and copy the
+corresponding public key to other machines.
+There is also a comment field in the key file that is only for
+convenience to the user to help identify the key. The comment can
+tell what the key is for, or whatever is useful. The comment is
+initialized to
+.Dq user@host
+when the key is created, but can be changed using the
+.Fl c
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl b Ar bits
+Specifies the number of bits in the key to create. Minimum is 512
+bits. Generally 1024 bits is considered sufficient, and key sizes
+above that no longer improve security but make things slower. The
+default is 1024 bits.
+.It Fl c
+Requests changing the comment in the private and public key files.
+The program will prompt for the file containing the private keys, for
+passphrase if the key has one, and for the new comment.
+.It Fl p
+Requests changing the passphrase of a private key file instead of
+creating a new private key. The program will prompt for the file
+containing the private key, for the old passphrase, and twice for the
+new passphrase.
+.It Fl q
+.Nm ssh-keygen .
+Used by
+.Pa /etc/rc
+when creating a new key.
+.It Fl C Ar comment
+Provides the new comment.
+.It Fl N Ar new_passphrase
+Provides the new passphrase.
+.It Fl P Ar passphrase
+Provides the (old) passphrase.
+.Bl -tag -width Ds
+.It Pa $HOME/.ssh/random_seed
+Used for seeding the random number generator. This file should not be
+readable by anyone but the user. This file is created the first time
+the program is run, and is updated every time.
+.It Pa $HOME/.ssh/identity
+Contains the RSA authentication identity of the user. This file
+should not be readable by anyone but the user. It is possible to
+specify a passphrase when generating the key; that passphrase will be
+used to encrypt the private part of this file using 3DES. This file
+is not automatically accessed by
+but it is offered as the default file for the private key.
+.It Pa $HOME/.ssh/
+Contains the public key for authentication. The contents of this file
+should be added to
+.Pa $HOME/.ssh/authorized_keys
+on all machines
+where you wish to log in using RSA authentication. There is no
+need to keep the contents of this file secret.
+Tatu Ylonen <>
+is a derivative of the original (free) ssh 1.2.12 release, but with bugs
+removed and newer features re-added. Rapidly after the 1.2.12 release,
+newer versions bore successively more restrictive licenses. This version
+of OpenSSH
+.Bl -bullet
+has all components of a restrictive nature (ie. patents, see
+.Xr ssl 8 )
+directly removed from the source code; any licensed or patented components
+are chosen from
+external libraries.
+has been updated to support ssh protocol 1.5.
+contains added support for
+.Xr kerberos 8
+authentication and ticket passing.
+supports one-time password authentication with
+.Xr skey 1 .
+The libraries described in
+.Xr ssl 8
+are required for proper operation.
+.Xr ssh 1 ,
+.Xr ssh-add 1 ,
+.Xr ssh-agent 1,
+.Xr sshd 8 ,
+.Xr ssl 8