SSH-KEYGEN(1) | General Commands Manual | SSH-KEYGEN(1) |
ssh-keygen
—
OpenSSH authentication key utility
ssh-keygen |
[-q ] [-a
rounds] [-b
bits] [-C
comment] [-f
output_keyfile] [-m
format] [-N
new_passphrase] [-O
option] [-t
ecdsa | ecdsa-sk |
ed25519 | ed25519-sk |
rsa ] [-w
provider] [-Z
cipher] |
ssh-keygen |
-p [-a
rounds] [-f
keyfile] [-m
format] [-N
new_passphrase] [-P
old_passphrase] [-Z
cipher] |
ssh-keygen |
-i [-f
input_keyfile] [-m
key_format] |
ssh-keygen |
-e [-f
input_keyfile] [-m
key_format] |
ssh-keygen |
-y [-f
input_keyfile] |
ssh-keygen |
-c [-a
rounds] [-C
comment] [-f
keyfile] [-P
passphrase] |
ssh-keygen |
-l [-v ]
[-E fingerprint_hash]
[-f input_keyfile] |
ssh-keygen |
-B [-f
input_keyfile] |
ssh-keygen |
-D pkcs11 |
ssh-keygen |
-F hostname
[-lv ] [-f
known_hosts_file] |
ssh-keygen |
-H [-f
known_hosts_file] |
ssh-keygen |
-K [-a
rounds] [-w
provider] |
ssh-keygen |
-R hostname
[-f known_hosts_file] |
ssh-keygen |
-r hostname
[-g ] [-f
input_keyfile] |
ssh-keygen |
-M generate
[-O option]
output_file |
ssh-keygen |
-M screen
[-f input_file]
[-O option]
output_file |
ssh-keygen |
-I certificate_identity
-s ca_key
[-hU ] [-D
pkcs11_provider] [-n
principals] [-O
option] [-V
validity_interval] [-z
serial_number] file ... |
ssh-keygen |
-L [-f
input_keyfile] |
ssh-keygen |
-A [-a
rounds] [-f
prefix_path] |
ssh-keygen |
-k -f
krl_file [-u ]
[-s ca_public]
[-z version_number]
file ... |
ssh-keygen |
-Q [-l ]
-f krl_file
file ... |
ssh-keygen |
-Y find-principals
[-O option]
-s signature_file
-f allowed_signers_file |
ssh-keygen |
-Y match-principals
-I signer_identity
-f allowed_signers_file |
ssh-keygen |
-Y check-novalidate
[-O option]
-n namespace
-s signature_file |
ssh-keygen |
-Y sign
[-O option]
-f key_file
-n namespace
file ... |
ssh-keygen |
-Y verify
[-O option]
-f allowed_signers_file
-I signer_identity
-n namespace
-s signature_file
[-r revocation_file] |
ssh-keygen
generates, manages and converts
authentication keys for ssh(1).
ssh-keygen
can create keys for use by SSH protocol
version 2.
The type of key to be generated is specified with the
-t
option. If invoked without any arguments,
ssh-keygen
will generate an Ed25519 key.
ssh-keygen
is also used to generate groups
for use in Diffie-Hellman group exchange (DH-GEX). See the
MODULI GENERATION section for
details.
Finally, ssh-keygen
can be used to
generate and update Key Revocation Lists, and to test whether given keys
have been revoked by one. See the
KEY REVOCATION LISTS section
for details.
Normally each user wishing to use SSH with public key authentication runs this once to create the authentication key in ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk or ~/.ssh/id_rsa. Additionally, the system administrator may use this to generate host keys, as seen in /etc/rc.
Normally this program generates the key and asks for a file in
which to store the private key. The public key is stored in a file with the
same name but “.pub” appended. The program also asks for a
passphrase. The passphrase may be empty to indicate no passphrase (host keys
must have an empty passphrase), or it may be a string of arbitrary length. A
passphrase is similar to a password, except it can be a phrase with a series
of words, punctuation, numbers, whitespace, or any string of characters you
want. Good passphrases are 10-30 characters long, are not simple sentences
or otherwise easily guessable (English prose has only 1-2 bits of entropy
per character, and provides very bad passphrases), and contain a mix of
upper and lowercase letters, numbers, and non-alphanumeric characters. The
passphrase can be changed later by using the -p
option.
There is no way to recover a lost passphrase. If the passphrase is lost or forgotten, a new key must be generated and the corresponding public key copied to other machines.
ssh-keygen
will by default write keys in
an OpenSSH-specific format. This format is preferred as it offers better
protection for keys at rest as well as allowing storage of key comments
within the private key file itself. The key comment may be useful to help
identify the key. The comment is initialized to “user@host”
when the key is created, but can be changed using the
-c
option.
It is still possible for ssh-keygen
to
write the previously-used PEM format private keys using the
-m
flag. This may be used when generating new keys,
and existing new-format keys may be converted using this option in
conjunction with the -p
(change passphrase)
flag.
After a key is generated, ssh-keygen
will
ask where the keys should be placed to be activated.
The options are as follows:
-A
-f
has also been specified,
its argument is used as a prefix to the default path for the resulting
host key files. This is used by /etc/rc to
generate new host keys.-a
rounds-B
-b
bits-b
flag determines the key length by selecting
from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting
to use bit lengths other than these three values for ECDSA keys will fail.
ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the
-b
flag will be ignored.-C
comment-c
-D
pkcs11-s
, this option indicates that a CA key resides in
a PKCS#11 token (see the
CERTIFICATES section for
details).-E
fingerprint_hash-e
-m
option. The default export format is
“RFC4716”. This option allows exporting OpenSSH keys for use
by other programs, including several commercial SSH implementations.-F
hostname | [hostname]:port-H
option to print found keys in a hashed
format.-f
filename-g
-r
command.-H
ssh
and
sshd
, but they do not reveal identifying
information should the file's contents be disclosed. This option will not
modify existing hashed hostnames and is therefore safe to use on files
that mix hashed and non-hashed names.-h
-I
certificate_identity-i
-m
option and print an
OpenSSH compatible private (or public) key to stdout. This option allows
importing keys from other software, including several commercial SSH
implementations. The default import format is
“RFC4716”.-K
-k
ssh-keygen
will
generate a KRL file at the location specified via the
-f
flag that revokes every key or certificate
presented on the command line. Keys/certificates to be revoked may be
specified by public key file or using the format described in the
KEY REVOCATION LISTS
section.-L
-l
ssh-keygen
will try to find the matching public
key file and prints its fingerprint. If combined with
-v
, a visual ASCII art representation of the key
is supplied with the fingerprint.-M
generate
-M
screen
-m
key_format-i
(import), -e
(export) conversion options, and the
-p
change passphrase operation. The latter may be
used to convert between OpenSSH private key and PEM private key formats.
The supported key formats are: “RFC4716” (RFC 4716/SSH2
public or private key), “PKCS8” (PKCS8 public or private
key) or “PEM” (PEM public key). By default OpenSSH will
write newly-generated private keys in its own format, but when converting
public keys for export the default format is “RFC4716”.
Setting a format of “PEM” when generating or updating a
supported private key type will cause the key to be stored in the legacy
PEM private key format.-N
new_passphrase-n
principals-O
optionssh-keygen
has been requested to perform.
When signing certificates, one of the options listed in the CERTIFICATES section may be specified here.
When performing moduli generation or screening, one of the options listed in the MODULI GENERATION section may be specified.
When generating FIDO authenticator-backed keys, the options listed in the FIDO AUTHENTICATOR section may be specified.
When performing signature-related options using the
-Y
flag, the following options are accepted:
hashalg
=algorithmprint-pubkey
verify-time
=timestampWhen generating SSHFP DNS records from public keys using the
-r
flag, the following options are accepted:
hashalg
=algorithm-D
flag. Valid algorithms are
“sha1” and “sha256”. The default is to
print both.The -O
option may be specified
multiple times.
-P
passphrase-p
-Q
-l
option is also specified then the contents of
the KRL will be printed.-q
ssh-keygen
.-R
hostname | [hostname]:port-H
option above).-r
hostname-s
ca_keyWhen generating a KRL, -s
specifies a
path to a CA public key file used to revoke certificates directly by key
ID or serial number. See the
KEY REVOCATION LISTS
section for details.
-t
ecdsa
|
ecdsa-sk
|
ed25519
|
ed25519-sk
|
rsa
This flag may also be used to specify the desired signature type when signing certificates using an RSA CA key. The available RSA signature variants are “ssh-rsa” (SHA1 signatures, not recommended), “rsa-sha2-256”, and “rsa-sha2-512” (the default).
-U
-s
or
-Y
sign
, this option
indicates that a CA key resides in a
ssh-agent(1). See the
CERTIFICATES section for more
information.-u
-k
, keys listed
via the command line are added to the existing KRL rather than a new KRL
being created.-V
validity_intervalThe start time may be specified as:
The end time may be specified similarly to the start time:
For example:
-v
ssh-keygen
to print debugging
messages about its progress. This is helpful for debugging moduli
generation. Multiple -v
options increase the
verbosity. The maximum is 3.-w
provider-Y
find-principals
-s
flag in an authorized
signers file provided using the -f
flag. The
format of the allowed signers file is documented in the
ALLOWED SIGNERS section below.
If one or more matching principals are found, they are returned on
standard output.-Y
match-principals
-I
flag in the authorized signers file specified
using the -f
flag. If one or more matching
principals are found, they are returned on standard output.-Y
check-novalidate
ssh-keygen
-Y
sign
has a valid
structure. This does not validate if a signature comes from an authorized
signer. When testing a signature, ssh-keygen
accepts a message on standard input and a signature namespace using
-n
. A file containing the corresponding signature
must also be supplied using the -s
flag.
Successful testing of the signature is signalled by
ssh-keygen
returning a zero exit status.-Y
sign
ssh-keygen
accepts zero or more files to sign on
the command-line - if no files are specified then
ssh-keygen
will sign data presented on standard
input. Signatures are written to the path of the input file with
“.sig” appended, or to standard output if the message to be
signed was read from standard input.
The key used for signing is specified using the
-f
option and may refer to either a private key,
or a public key with the private half available via
ssh-agent(1). An additional
signature namespace, used to prevent signature confusion across
different domains of use (e.g. file signing vs email signing) must be
provided via the -n
flag. Namespaces are
arbitrary strings, and may include: “file” for file
signing, “email” for email signing. For custom uses, it is
recommended to use names following a NAMESPACE@YOUR.DOMAIN pattern to
generate unambiguous namespaces.
-Y
verify
ssh-keygen
-Y
sign
as described above. When verifying a
signature, ssh-keygen
accepts a message on
standard input and a signature namespace using -n
.
A file containing the corresponding signature must also be supplied using
the -s
flag, along with the identity of the signer
using -I
and a list of allowed signers via the
-f
flag. The format of the allowed signers file is
documented in the ALLOWED
SIGNERS section below. A file containing revoked keys can be passed
using the -r
flag. The revocation file may be a
KRL or a one-per-line list of public keys. Successful verification by an
authorized signer is signalled by ssh-keygen
returning a zero exit status.-y
-Z
cipher-z
serial_numberWhen generating a KRL, the -z
flag is
used to specify a KRL version number.
ssh-keygen
may be used to generate groups
for the Diffie-Hellman Group Exchange (DH-GEX) protocol. Generating these
groups is a two-step process: first, candidate primes are generated using a
fast, but memory intensive process. These candidate primes are then tested
for suitability (a CPU-intensive process).
Generation of primes is performed using the
-M
generate
option. The
desired length of the primes may be specified by the
-O
bits
option. For
example:
# ssh-keygen -M generate -O bits=2048
moduli-2048.candidates
By default, the search for primes begins at a random point in the
desired length range. This may be overridden using the
-O
start
option, which
specifies a different start point (in hex).
Once a set of candidates have been generated, they must be
screened for suitability. This may be performed using the
-M
screen
option. In this
mode ssh-keygen
will read candidates from standard
input (or a file specified using the -f
option). For
example:
# ssh-keygen -M screen -f
moduli-2048.candidates moduli-2048
By default, each candidate will be subjected to 100 primality
tests. This may be overridden using the -O
prime-tests
option. The DH generator value will be
chosen automatically for the prime under consideration. If a specific
generator is desired, it may be requested using the
-O
generator
option. Valid
generator values are 2, 3, and 5.
Screened DH groups may be installed in /etc/moduli. It is important that this file contains moduli of a range of bit lengths.
A number of options are available for moduli generation and
screening via the -O
flag:
lines
=numberstart-line
=line-numbercheckpoint
=filenamememory
=mbytesstart
=hex-valuegenerator
=valuessh-keygen
supports signing of keys to
produce certificates that may be used for user or host authentication.
Certificates consist of a public key, some identity information, zero or
more principal (user or host) names and a set of options that are signed by
a Certification Authority (CA) key. Clients or servers may then trust only
the CA key and verify its signature on a certificate rather than trusting
many user/host keys. Note that OpenSSH certificates are a different, and
much simpler, format to the X.509 certificates used in
ssl(8).
ssh-keygen
supports two types of
certificates: user and host. User certificates authenticate users to
servers, whereas host certificates authenticate server hosts to users. To
generate a user certificate:
$ ssh-keygen -s /path/to/ca_key -I
key_id /path/to/user_key.pub
The resultant certificate will be placed in
/path/to/user_key-cert.pub. A host certificate
requires the -h
option:
$ ssh-keygen -s /path/to/ca_key -I
key_id -h /path/to/host_key.pub
The host certificate will be output to /path/to/host_key-cert.pub.
It is possible to sign using a CA key stored in a PKCS#11 token by
providing the token library using -D
and identifying
the CA key by providing its public half as an argument to
-s
:
$ ssh-keygen -s ca_key.pub -D
libpkcs11.so -I key_id user_key.pub
Similarly, it is possible for the CA key to be hosted in a
ssh-agent(1). This is indicated by
the -U
flag and, again, the CA key must be
identified by its public half.
$ ssh-keygen -Us ca_key.pub -I key_id
user_key.pub
In all cases, key_id is a "key identifier" that is logged by the server when the certificate is used for authentication.
Certificates may be limited to be valid for a set of principal (user/host) names. By default, generated certificates are valid for all users or hosts. To generate a certificate for a specified set of principals:
$ ssh-keygen -s ca_key -I key_id -n
user1,user2 user_key.pub
$ ssh-keygen -s ca_key -I key_id -h
-n host.domain host_key.pub
Additional limitations on the validity and use of user certificates may be specified through certificate options. A certificate option may disable features of the SSH session, may be valid only when presented from particular source addresses or may force the use of a specific command.
The options that are valid for user certificates are:
clear
critical
:name[=contents]extension
:name[=contents]force-command
=commandno-agent-forwarding
no-port-forwarding
no-pty
no-user-rc
no-x11-forwarding
permit-agent-forwarding
permit-port-forwarding
permit-pty
permit-user-rc
permit-X11-forwarding
no-touch-required
ecdsa-sk
and ed25519-sk
.
source-address
=address_listverify-required
ecdsa-sk
and
ed25519-sk
. Currently PIN authentication is the
only supported verification method, but other methods may be supported in
the future.At present, no standard options are valid for host keys.
Finally, certificates may be defined with a validity lifetime. The
-V
option allows specification of certificate start
and end times. A certificate that is presented at a time outside this range
will not be considered valid. By default, certificates are valid from the
UNIX Epoch to the distant future.
For certificates to be used for user or host authentication, the CA public key must be trusted by sshd(8) or ssh(1). Refer to those manual pages for details.
ssh-keygen
is able to generate FIDO
authenticator-backed keys, after which they may be used much like any other
key type supported by OpenSSH, so long as the hardware authenticator is
attached when the keys are used. FIDO authenticators generally require the
user to explicitly authorise operations by touching or tapping them. FIDO
keys consist of two parts: a key handle part stored in the private key file
on disk, and a per-device private key that is unique to each FIDO
authenticator and that cannot be exported from the authenticator hardware.
These are combined by the hardware at authentication time to derive the real
key that is used to sign authentication challenges. Supported key types are
ecdsa-sk
and ed25519-sk
.
The options that are valid for FIDO keys are:
application
challenge
=pathdevice
no-touch-required
resident
user
verify-required
write-attestation
=pathssh-keygen
is able to manage OpenSSH
format Key Revocation Lists (KRLs). These binary files specify keys or
certificates to be revoked using a compact format, taking as little as one
bit per certificate if they are being revoked by serial number.
KRLs may be generated using the -k
flag.
This option reads one or more files from the command line and generates a
new KRL. The files may either contain a KRL specification (see below) or
public keys, listed one per line. Plain public keys are revoked by listing
their hash or contents in the KRL and certificates revoked by serial number
or key ID (if the serial is zero or not available).
Revoking keys using a KRL specification offers explicit control over the types of record used to revoke keys and may be used to directly revoke certificates by serial number or key ID without having the complete original certificate on hand. A KRL specification consists of lines containing one of the following directives followed by a colon and some directive-specific information.
serial
:
serial_number[-serial_number]ssh-keygen
command
line using the -s
option.id
:
key_idssh-keygen
command line
using the -s
option.key
:
public_keysha1
:
public_keysha256
:
public_keyhash
:
fingerprintssh-keygen
-l
flag.
Only SHA256 fingerprints are supported here and resultant KRLs are not
supported by OpenSSH versions prior to 7.9.KRLs may be updated using the -u
flag in
addition to -k
. When this option is specified, keys
listed via the command line are merged into the KRL, adding to those already
there.
It is also possible, given a KRL, to test whether it revokes a
particular key (or keys). The -Q
flag will query an
existing KRL, testing each key specified on the command line. If any key
listed on the command line has been revoked (or an error encountered) then
ssh-keygen
will exit with a non-zero exit status. A
zero exit status will only be returned if no key was revoked.
When verifying signatures, ssh-keygen
uses
a simple list of identities and keys to determine whether a signature comes
from an authorized source. This "allowed signers" file uses a
format patterned after the AUTHORIZED_KEYS FILE FORMAT described in
sshd(8). Each line of the file contains
the following space-separated fields: principals, options, keytype,
base64-encoded key. Empty lines and lines starting with a
‘#
’ are ignored as comments.
The principals field is a pattern-list (see PATTERNS in
ssh_config(5)) consisting of one or
more comma-separated USER@DOMAIN identity patterns that are accepted for
signing. When verifying, the identity presented via the
-I
option must match a principals pattern in order
for the corresponding key to be considered acceptable for verification.
The options (if present) consist of comma-separated option specifications. No spaces are permitted, except within double quotes. The following option specifications are supported (note that option keywords are case-insensitive):
namespaces
=namespace-listvalid-after
=timestampvalid-before
=timestampWhen verifying signatures made by certificates, the expected principal name must match both the principals pattern in the allowed signers file and the principals embedded in the certificate itself.
An example allowed signers file:
# Comments allowed at start of line user1@example.com,user2@example.com ssh-rsa AAAAX1... # A certificate authority, trusted for all principals in a domain. *@example.com cert-authority ssh-ed25519 AAAB4... # A key that is accepted only for file signing. user2@example.com namespaces="file" ssh-ed25519 AAA41...
SSH_SK_PROVIDER
ssh-keygen
but it is
offered as the default file for the private key.
ssh(1) will read this file when a login
attempt is made.
ssh(1), ssh-add(1), ssh-agent(1), moduli(5), sshd(8)
The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer features and created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0.
June 17, 2024 | macOS 15.0 |