|
|
SecureBox Pro
Secure shell application, terminal screens and auxiliary commands for Android OS
|
|
|
|
|
|
|
|
|
|
Documents </>
Manual pages "User Commands (1)" </>
SSH-KEYGEN(1) |
General Commands Manual |
SSH-KEYGEN(1) |
ssh-keygen —
Authentication key utility
ssh-keygen |
[-q ] [-a
rounds] [-b
bits] [-C
comment] [-f
output_keyfile] [-m
format] [-N
new_passphrase] [-t
ecdsa | ed25519 |
rsa ] [-Z
cipher] |
ssh-keygen |
-p [-a
rounds] [-f
keyfile] [-m
format] [-N
new_passphrase] [-P
old_passphrase] [-Z
cipher] |
ssh-keygen |
-i [-f
input_keyfile] [-m
format] |
ssh-keygen |
-e [-f
input_keyfile] [-m
format] |
ssh-keygen |
-y [-f
input_keyfile] |
ssh-keygen |
-c [-a
rounds] [-C
comment] [-f
keyfile] [-P
passphrase] |
ssh-keygen |
-l [-v ]
[-E fingerprint_hash]
[-f input_keyfile] |
ssh-keygen |
-B [-f
input_keyfile] |
ssh-keygen |
-D pkcs11
[-l ] [-v ] |
ssh-keygen |
-F hostname
[-lv ] [-f
known_hosts_file] |
ssh-keygen |
-H [-f
known_hosts_file] |
ssh-keygen |
-R hostname
[-f known_hosts_file] |
ssh-keygen |
-r hostname
[-g ] [-f
input_keyfile] |
ssh-keygen |
-M generate
[-O option]
output_file
|
ssh-keygen |
-M screen
[-f input_file]
[-O option]
output_file
|
ssh-keygen |
-I certificate_identity
-s ca_key
[-hU ] [-D
pkcs11_provider] [-n
principals] [-O
option] [-V
validity_interval] [-z
serial_number] file ...
|
ssh-keygen |
-L [-f
input_keyfile] |
ssh-keygen |
-A [-a
rounds] [-f
prefix_path] |
ssh-keygen |
-k -f
krl_file [-u ]
[-s ca_public]
[-z version_number]
file ...
|
ssh-keygen |
-Q [-l ]
-f krl_file
file ...
|
ssh-keygen generates, manages and converts
authentication keys for ssh(1).
ssh-keygen can create keys for use by SSH protocol
version 2.
The type of key to be generated is specified with the
-t option. If invoked without any arguments,
ssh-keygen will generate an Ed25519 key unless is
run FIPS mode. In FIPS mode the default is RSA key.
By default key is stored in PKCS#8 PEM format. For compatibility
with earlier versions programs read keys stored in traditional PEM format as
well. Option -p could be used to convert private key
between OpenSSH proprietary and more portable and widely used PKCS#8 PEM
format depending from option arguments: -m
PKCS8 or -m
OpenSSH. Note if requested proprietary format but key
contain X.509 certificate will be used PKCS#8 PEM format. Also in FIPS mode
could be used only PKCS#8 PEM format.
ssh-keygen is also used to generate groups
for use in Diffie-Hellman group exchange (DH-GEX). See the
MODULI GENERATION section for
details.
Finally, ssh-keygen can be used to
generate and update custom Key Revocation Lists, and to test whether given
keys have been revoked by one. See the
KEY REVOCATION LISTS section
for details.
Normally each user wishing to use SSH with public key
authentication runs this once to create the authentication key in
~/.ssh/id_ecdsa,
~/.ssh/id_ed25519 or
~/.ssh/id_rsa. Additionally, the system
administrator may use this to generate host keys, as seen in
/etc/rc.
Normally this program generates the key and asks for a file in
which to store the private key. The public key is stored in a file with the
same name but “.pub” appended. The program also asks for a
passphrase. The passphrase may be empty to indicate no passphrase (host keys
must have an empty passphrase), or it may be a string of arbitrary length. A
passphrase is similar to a password, except it can be a phrase with a series
of words, punctuation, numbers, whitespace, or any string of characters you
want. Good passphrases are 10-30 characters long, are not simple sentences
or otherwise easily guessable (English prose has only 1-2 bits of entropy
per character, and provides very bad passphrases), and contain a mix of
upper and lowercase letters, numbers, and non-alphanumeric characters. The
passphrase can be changed later by using the -p
option.
There is no way to recover a lost passphrase. If the passphrase is
lost or forgotten, a new key must be generated and the corresponding public
key copied to other machines.
For private keys stored in the proprietary OpenSSH format, there
is also a comment field in the key file that is only for convenience to the
user to help identify the key. The comment can tell what the key is for, or
whatever is useful. The comment is initialized to “user@host”
when the key is created, but can be changed using the
-c option.
After a key is generated, ssh-keygen will
ask where the keys should be placed to be activated.
The options are as follows:
-A
- Generate host keys of all default key types (rsa, ecdsa, and ed25519) if
they do not already exist. The host keys are generated with the default
key file path, an empty passphrase, default bits for the key type, and
default comment. If
-f has also been specified,
its argument is used as a prefix to the default path for the resulting
host key files. This is used by /etc/rc to
generate new host keys.
-
-a
rounds
- When saving a private key in OpenSSH proprietary format, this option
specifies the number of KDF (key derivation function, currently
bcrypt_pbkdf(3)) rounds used. Higher numbers result in
slower passphrase verification and increased resistance to brute-force
password cracking (should the keys be stolen). The default is 16
rounds.
-B
- Show the bubblebabble digest of specified private or public key file.
-
-b
bits
- Specifies the number of bits in the key to create. For RSA keys, the
minimum size is 1024 bits and the default is 3072 bits. Generally, 3072
bits is considered sufficient. For ECDSA keys, the
-b flag determines the key length by selecting
from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting
to use bit lengths other than these three values for ECDSA keys will fail.
Ed25519 keys have a fixed length and the -b flag
will be ignored.
-
-C
comment
- Provides a new comment.
-c
- Requests changing the comment in the private and public key files. This
operation is only supported for keys stored in the proprietary OpenSSH
format. The program will prompt for the file containing the private keys,
for the passphrase if the key has one, and for the new comment.
-
-D
pkcs11
- Download the X.509 certificates or public keys provided by the PKCS#11
shared library pkcs11.
-
-E
fingerprint_hash
- Specifies the hash algorithm used when displaying key fingerprints. Valid
options are: “md5” and “sha256”. The default
is “sha256”.
-e
- This option will read a private or public key file and print to stdout a
public key in one of the formats specified by the
-m option. The default export format is
“RFC4716”. This option allows exporting keys for use by
other programs, including several commercial SSH implementations.
-
-F
hostname
- Search for the specified hostname in a
known_hosts file, listing any occurrences found.
Specified hostname could be a hostname or an address
optionally enclosed within ‘
[ ’ and
‘] ’ brackets then followed by
‘: ’ and a port number. The format of
known_hosts is documented in the
SSH_KNOWN_HOSTS section of sshd(8).
This option is useful to find hashed host names or addresses and may also
be used in conjunction with the -H option to print
found keys in a hashed format.
-
-f
filename
- Specifies the filename of the key file.
-g
- Use generic DNS format when printing fingerprint resource records using
the
-r command.
-H
- Hash a known_hosts file. This replaces all
hostnames and addresses with hashed representations within the specified
file; the original content is moved to a file with a .old suffix. These
hashes may be used normally by
ssh and
sshd , but they do not reveal identifying
information should the file's contents be disclosed. This option will not
modify existing hashed hostnames and is therefore safe to use on files
that mix hashed and non-hashed names.
-h
- When signing a key, create a host custom certificate instead of a user
custom certificate. See the
CERTIFICATES section for
details.
-
-I
certificate_identity
- Specify the key identity when signing a public key. See the
CERTIFICATES section for
details.
-i
- This option will read an unencrypted private (or public) key file in the
format specified by the
-m option and print an
compatible private (or public) key to stdout. This option allows importing
keys from other software, including several commercial SSH
implementations. The default import format is “RFC4716”.
Note PKCS8 format is usable only for public
keys.
-k
- Generate a KRL file. In this mode,
ssh-keygen will
generate a KRL file at the location specified via the
-f flag that revokes every key or custom
certificate presented on the command line. Keys/custom certificates to be
revoked may be specified by public key file or using the format described
in the KEY REVOCATION LISTS
section.
-L
- Prints the contents of one or more custom certificates.
-l
- Show fingerprint of public key read from specified file. For all key types
ssh-keygen will try to find file with the matching
public key and prints its fingerprint. When identity contain X.509
certificate public key is extracted from it and fingerprint is printed for
public key. If combined with -v , a visual ASCII
art representation of the key is supplied with the fingerprint.
-
-M
generate
- Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parameters for
eventual use by the ‘diffie-hellman-group-exchange-*’ key
exchange methods. The numbers generated by this operation must be further
screened before use. See the
MODULI GENERATION section for
more information.
-
-M
screen
- Screen candidate parameters for Diffie-Hellman Group Exchange. This will
accept a list of candidate numbers and test that they are safe (Sophie
Germain) primes with acceptable group generators. The results of this
operation may be added to the [APPDATA]/etc/moduli
file. See the MODULI
GENERATION section for more information.
-
-m
format
- Specify a key format for key generation, the
-i
(import), -e (export) conversion options, and the
-p change passphrase operation. The latter may be
used to convert between proprietary OpenSSH private key and portable
PKCS#8 PEM private key formats. The supported formats are:
“RFC4716” (RFC 4716/SSH2 public), “PKCS8”
(PKCS#8 PEM public or private key), “PEM” (traditional PEM
public or private key) or “OpenSSH” (proprietary OpenSSH
public or private key). The default conversion format is
“RFC4716” for export/import of public keys and
“PKCS8” for private keys.
-
-N
new_passphrase
- Provides the new passphrase.
-
-n
principals
- Specify one or more principals (user or host names) to be included in a
custom certificate when signing a key. Multiple principals may be
specified, separated by commas. See the
CERTIFICATES section for
details.
-
-O
option
- Specify a key/value option. These are specific to the operation that
ssh-keygen has been requested to perform.
When signing custom certificates, one of the options listed in
the CERTIFICATES section may be
specified here.
When performing moduli generation or screening, one of the
options listed in the MODULI
GENERATION section may be specified.
When generating SSHFP DNS records from public keys using the
-r flag, the following options are accepted:
-
hashalg =algorithm
- Selects a hash algorithm to use when printing SSHFP records. Valid
algorithms are “sha1” and “sha256”. The
default is to print both.
The -O option may be specified
multiple times.
-o
- Obsolete option replaced by
-m
OpenSSH. Causes ssh-keygen
to save private keys using the proprietary OpenSSH format rather than the
more compatible PKCS#8 PEM format. Note Ed25519 keys will use the
proprietary key format if key is not supported by cryptographic
library.
-
-P
passphrase
- Provides the (old) passphrase.
-p
- Requests changing the passphrase of a private key file instead of creating
a new private key. The program will prompt for the file containing the
private key, for the old passphrase, and twice for the new passphrase.
Options
-m PKCS8,
-m PEM, or
-m OpenSSH could by used to
set explicitly format of stored key: either compatible PKCS#8 PEM,
traditional PEM, or proprietary OpenSSH format. Note by default is used
PKCS#8 PEM format.
-Q
- Test whether keys have been revoked in a KRL. If the
-l option is also specified then the contents of
the KRL will be printed.
-q
- Silence
ssh-keygen .
-
-R
hostname
- Removes all keys belonging to the specified hostname
from a known_hosts file. Specified
hostname could be a hostname or an address
optionally enclosed within ‘
[ ’ and
‘] ’ brackets then followed by
‘: ’ and a port number. The format of
known_hosts is documented in the
SSH_KNOWN_HOSTS section of sshd(8).
This option is useful to delete hashed hosts (see the
-H option above).
-
-r
hostname
- Print the CERT or SSHFP resource record named
hostname for the specified public key file. Note
CERT is printed for X.509 certificate based key.
-
-s
ca_key
- Certify (sign) a public key using the specified CA key. See the
CERTIFICATES section for details.
When generating a KRL, -s specifies a
path to a CA public key file used to revoke custom certificates directly
by key ID or serial number. See the
KEY REVOCATION LISTS
section for details.
-
-t
ecdsa |
ed25519
|
rsa
- Specifies the type of key to create. The possible values are
“ecdsa”, “ed25519”, or “rsa”.
The default is “rsa” if FIPS mode is active otherwise
“ed25519”.
This flag may also be used to specify the desired signature
type when signing custom certificates using an RSA CA key. The available
RSA signature variants are “ssh-rsa” (SHA1 signatures, not
recommended), “rsa-sha2-256” (the default for RSA keys),
and “rsa-sha2-512”.
-U
- When used in combination with
-s , this option
indicates that a CA key resides in a ssh-agent(1). See
the CERTIFICATES section for more
information.
-u
- Update a KRL. When specified with
-k , keys listed
via the command line are added to the existing KRL rather than a new KRL
being created.
-
-V
validity_interval
- Specify a validity interval when signing a custom certificate. A validity
interval may consist of a single time, indicating that the custom
certificate is valid beginning now and expiring at that time, or may
consist of two times separated by a colon to indicate an explicit time
interval.
The start time may be specified as:
- The string “always” to indicate the custom certificate
has no specified start time.
- A date or time in the system time zone formatted as YYYYMMDD or
YYYYMMDDHHMM[SS].
- A date or time in the UTC time zone as YYYYMMDDZ or
YYYYMMDDHHMM[SS]Z.
- A relative time before the current system time consisting of a minus
sign followed by an interval in the format described in the TIME
FORMATS section of sshd_config(5).
- A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal
number beginning with “0x”.
The end time may be specified similarly to the start time:
- The string “forever” to indicate the custom certificate
has no specified end time.
- A date or time in the system time zone formatted as YYYYMMDD or
YYYYMMDDHHMM[SS].
- A date or time in the UTC time zone as YYYYMMDDZ or
YYYYMMDDHHMM[SS]Z.
- A relative time after the current system time consisting of a plus
sign followed by an interval in the format described in the TIME
FORMATS section of sshd_config(5).
- A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal
number beginning with “0x”.
For example:
- +52w1d
- Valid from now to 52 weeks and one day from now.
- -4w:+4w
- Valid from four weeks ago to four weeks from now.
- 20100101123000:20110101123000
- Valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st,
2011.
- 20100101123000Z:20110101123000Z
- Similar, but interpreted in the UTC time zone rather than the system
time zone.
- -1d:20110101
- Valid from yesterday to midnight, January 1st, 2011.
- 0x1:0x2000000000
- Valid from roughly early 1970 to May 2033.
- -1m:forever
- Valid from one minute ago and never expiring.
-v
- Verbose mode. Causes
ssh-keygen to print debugging
messages about its progress. This is helpful for debugging moduli
generation. Multiple -v options increase the
verbosity. The maximum is 3.
-y
- This option will read a private key file and print to stdout an public key
in OpenSSH format. For this option keyfile name could use prefixes
“engine:” or “store:” to load identifies using
engine or store functionality provided by cryptographic library. For more
details see configuration option
IdentityFile in
ssh_config(5).
-
-Z
cipher
- Specifies the cipher to use for encryption when saving a private key in
OpenSSH proprietary format. The list of available ciphers may be obtained
using "ssh -Q cipher". The default is
“aes256-ctr”.
-
-z
serial_number
- Specifies a serial number to be embedded in the custom certificate to
distinguish this custom certificate from others from the same CA. If the
serial_number is prefixed with a ‘+’
character, then the serial number will be incremented for each custom
certificate signed on a single command-line. The default serial number is
zero.
When generating a KRL, the -z flag is
used to specify a KRL version number.
ssh-keygen may be used to generate groups
for the Diffie-Hellman Group Exchange (DH-GEX) protocol. Generating these
groups is a two-step process: first, candidate primes are generated using a
fast, but memory intensive process. These candidate primes are then tested
for suitability (a CPU-intensive process).
Generation of primes is performed using the
-M generate option. The
desired length of the primes may be specified by the
-O bits option. For
example:
# ssh-keygen -M generate -O bits=2048
moduli-2048.candidates
By default, the search for primes begins at a random point in the
desired length range. This may be overridden using the
-O start option, which
specifies a different start point (in hex).
Once a set of candidates have been generated, they must be
screened for suitability. This may be performed using the
-M screen option. In this
mode ssh-keygen will read candidates from standard
input (or a file specified using the -f option). For
example:
# ssh-keygen -M screen -f
moduli-2048.candidates moduli-2048
By default, each candidate will be subjected to 100 primality
tests. This may be overridden using the -O
prime-tests option. The DH generator value will be
chosen automatically for the prime under consideration. If a specific
generator is desired, it may be requested using the
-O generator option. Valid
generator values are 2, 3, and 5.
Screened DH groups may be installed in
[APPDATA]/etc/moduli. It is important that this file
contains moduli of a range of bit lengths.
A number of options are available for moduli generation and
screening via the -O flag:
-
lines =number
- Exit after screening the specified number of lines while performing DH
candidate screening.
-
start-line =line-number
- Start screening at the specified line number while performing DH candidate
screening.
-
checkpoint =filename
- Write the last line processed to the specified file while performing DH
candidate screening. This will be used to skip lines in the input file
that have already been processed if the job is restarted.
-
memory =mbytes
- Specify the amount of memory to use (in megabytes) when generating
candidate moduli for DH-GEX.
-
start =hex-value
- Specify start point (in hex) when generating candidate moduli for
DH-GEX.
-
generator =value
- Specify desired generator (in decimal) when testing candidate moduli for
DH-GEX.
ssh-keygen supports signing of keys to
produce custom certificates that may be used for user or host
authentication. Custom certificates consist of a public key, some identity
information, zero or more principal (user or host) names and a set of
options that are signed by a custom Certification Authority (CA) key.
Clients or servers may then trust only the CA key and verify its signature
on a custom certificate rather than trusting many user/host keys. Note that
OpenSSH custom certificates are a different, and much limited, format to the
X.509 certificates used in TLS.
ssh-keygen supports two types of custom
certificates: user and host. User custom certificates authenticate users to
servers, whereas host custom certificates authenticate server hosts to
users. To generate a user custom certificate:
$ ssh-keygen -s /path/to/ca_key -I
key_id /path/to/user_key.pub
The resultant custom certificate will be placed in
/path/to/user_key-cert.pub. A host custom
certificate requires the -h option:
$ ssh-keygen -s /path/to/ca_key -I
key_id -h /path/to/host_key.pub
The host custom certificate will be output to
/path/to/host_key-cert.pub.
In all cases, key_id is a "key
identifier" that is logged by the server when the custom certificate is
used for authentication.
Custom certificates may be limited to be valid for a set of
principal (user/host) names. By default, generated custom certificates are
valid for all users or hosts. To generate a custom certificate for a
specified set of principals:
$ ssh-keygen -s ca_key -I key_id -n
user1,user2 user_key.pub
$ ssh-keygen -s ca_key -I key_id -h
-n host.domain host_key.pub
Additional limitations on the validity and use of user custom
certificates may be specified through custom certificate options. A custom
certificate option may disable features of the SSH session, may be valid
only when presented from particular source addresses or may force the use of
a specific command.
The options that are valid for user custom certificates are:
clear
- Clear all enabled permissions. This is useful for clearing the default set
of permissions so permissions may be added individually.
-
critical :name[=contents]
-
-
extension :name[=contents]
- Includes an arbitrary custom certificate critical option or extension. The
specified name should include a domain suffix, e.g.
“name@example.com”. If contents is
specified then it is included as the contents of the extension/option
encoded as a string, otherwise the extension/option is created with no
contents (usually indicating a flag). Extensions may be ignored by a
client or server that does not recognise them, whereas unknown critical
options will cause the custom certificate to be refused.
-
force-command =command
- Forces the execution of command instead of any shell
or command specified by the user when the custom certificate is used for
authentication.
no-agent-forwarding
- Disable ssh-agent(1) forwarding (permitted by default).
no-port-forwarding
- Disable port forwarding (permitted by default).
no-pty
- Disable PTY allocation (permitted by default).
no-user-rc
- Disable execution of ~/.ssh/rc by
sshd(8) (permitted by default).
no-x11-forwarding
- Disable X11 forwarding (permitted by default).
permit-agent-forwarding
- Allows ssh-agent(1) forwarding.
permit-port-forwarding
- Allows port forwarding.
permit-pty
- Allows PTY allocation.
permit-user-rc
- Allows execution of ~/.ssh/rc by
sshd(8).
permit-X11-forwarding
- Allows X11 forwarding.
-
source-address =address_list
- Restrict the source addresses from which the custom certificate is
considered valid. The address_list is a
comma-separated list of one or more address/netmask pairs in CIDR
format.
At present, no standard options are valid for host keys.
Finally, custom certificates may be defined with a validity
lifetime. The -V option allows specification of
custom certificate start and end times. A custom certificate that is
presented at a time outside this range will not be considered valid. By
default, custom certificates are valid from the UNIX
Epoch to the distant future.
For custom certificates to be used for user or host
authentication, the CA public key must be trusted by
sshd(8) or ssh(1). Refer to those manual
pages for details.
ssh-keygen is able to manage OpenSSH
format custom Key Revocation Lists (KRLs). These binary files specify keys
or custom certificates to be revoked using a compact format, taking as
little as one bit per custom certificate if they are being revoked by serial
number.
KRLs may be generated using the -k flag.
This option reads one or more files from the command line and generates a
new KRL. The files may either contain a KRL specification (see below) or
public keys, listed one per line. Plain public keys are revoked by listing
their hash or contents in the KRL and custom certificates revoked by serial
number or key ID (if the serial is zero or not available).
Revoking keys using a KRL specification offers explicit control
over the types of record used to revoke keys and may be used to directly
revoke custom certificates by serial number or key ID without having the
complete original custom certificate on hand. A KRL specification consists
of lines containing one of the following directives followed by a colon and
some directive-specific information.
-
serial :
serial_number[-serial_number]
- Revokes a custom certificate with the specified serial number. Serial
numbers are 64-bit values, not including zero and may be expressed in
decimal, hex or octal. If two serial numbers are specified separated by a
hyphen, then the range of serial numbers including and between each is
revoked. The CA key must have been specified on the
ssh-keygen command line using the
-s option.
-
id :
key_id
- Revokes a custom certificate with the specified key ID string. The CA key
must have been specified on the
ssh-keygen command
line using the -s option.
-
key :
public_key
- Revokes the specified key. If a custom certificate is listed, then it is
revoked as a plain public key.
-
sha1 :
public_key
- Revokes the specified key by including its SHA1 hash in the KRL.
-
sha256 :
public_key
- Revokes the specified key by including its SHA256 hash in the KRL. KRLs
that revoke keys by SHA256 hash are not supported by OpenSSH versions
prior to 7.9.
-
hash :
fingerprint
- Revokes a key using a fingerprint hash, as obtained from a
sshd(8) authentication log message or the
ssh-keygen -l flag. Only
SHA256 fingerprints are supported here and resultant KRLs are not
supported by OpenSSH versions prior to 7.9.
KRLs may be updated using the -u flag in
addition to -k . When this option is specified, keys
listed via the command line are merged into the KRL, adding to those already
there.
It is also possible, given a KRL, to test whether it revokes a
particular key (or keys). The -Q flag will query an
existing KRL, testing each key specified on the command line. If any key
listed on the command line has been revoked (or an error encountered) then
ssh-keygen will exit with a non-zero exit status. A
zero exit status will only be returned if no key was revoked.
SSH_ASKPASS
- If
ssh-keygen needs a passphrase, it will read the
passphrase from the current terminal if it was run from a terminal. If
ssh-keygen does not have a terminal associated
with it but DISPLAY and SSH_ASKPASS are set, it
will execute the program specified by SSH_ASKPASS
that may open a X11 window to read the passphrase. For keys from
“engine” or “store”
SSH_ASKPASS is preferred over associated terminal.
Note if SSH_ASKPASS is not set will be executed
program ssh-askpass located in
“libexec” directory. (Note that on some machines it may be
necessary to redirect the input from /dev/null to
make this work.)
Remark: On Android DISPLAY is ignored
and SSH_ASKPASS is preferred over associated
terminal.
SSH_ENGINE_CONF
- Overrides default location of engine configuration file.
- ~/.ssh/id_ecdsa
-
- ~/.ssh/id_ed25519
-
- ~/.ssh/id_rsa
- Contains the ECDSA, Ed25519, or RSA authentication identity of the user.
This file should not be readable by anyone but the user.
For RSA, ECDSA, or Ed25519 identity file may contain X.509
certificate that match it. In addition file may contain extra X.509
certificates. Extra certificates along with certificates from X.509
store are used to build chain of certificates leading to a trusted
certificate authority if required by public key algorithm format.
It is possible to specify a passphrase when generating the
key; that passphrase will be used to encrypt the private part of this
file using 256-bit AES. This file is not automatically accessed by
ssh-keygen but it is offered as the default file
for the private key. ssh(1) will read this file when a
login attempt is made.
- ~/.ssh/id_ecdsa.pub
-
- ~/.ssh/id_ed25519.pub
-
- ~/.ssh/id_rsa.pub
- Contains the ECDSA, Ed25519 or RSA public key for authentication. The
contents of this file should be added to
~/.ssh/authorized_keys on all machines where the
user wishes to log in using public key authentication. There is no need to
keep the contents of this file secret. If file
~/.ssh/id_rsa,
~/.ssh/id_ecdsa, or
~/.ssh/id_ed25519 contain RSA/ECDSA/Ed25519
private key and X.509 certificates public key file must contain
certificate that match private key! Use
ssh-keygen
with option -y to regenerate its content. Note in case with X.509
certificate you can append content to
~/.ssh/authorized_keys or to add certificate
“Distinguished Name” / “Subject” in
corresponding format to “authorized keys” file. See
sshd(8). Using distinguished name is preferred as X.509
certificate could be renewed and after renewal there is no need to update
“authorized keys” file.
- [APPDATA]/etc/moduli
- Contains Diffie-Hellman groups used for DH-GEX. The file format is
described in moduli(5).
- D. Eastlake,
Domain Name System Security Extensions,
RFC 2535, March
1999.
- D. Eastlake,
RSA/MD5 KEYs and SIGs in the Domain Name System
(DNS), RFC 2537, March
1999.
- D. Eastlake and
O. Gudmundsson, Storing
Certificates in the Domain Name System (DNS), RFC
2538, March 1999.
- D. Eastlake 3rd,
RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System
(DNS), RFC 3110, May
2001.
- J. Schlyter and
W. Griffin, Using DNS to
Securely Publish Secure Shell (SSH) Key Fingerprints,
RFC 4255, January
2006.
- J. Galbraith and
R. Thayer, The Secure Shell
(SSH) Public Key File Format, RFC 4716,
November 2006.
PKIX-SSH is a derivative of the original and free ssh 1.2.12
release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels
Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer
features and created OpenSSH. Markus Friedl contributed the support for SSH
protocol versions 1.5 and 2.0. Roumen Petrov contributed support for X.509
certificates.
|
|
|
|
|
|
|
Please report site issues to < webmaster AT termoneplus DOT com >
|
Copyright © 2018-2024 |
, Roumen Petrov |
Авторско право 2018-2024 |
, Румен Петров |
|
|
|
|
|
|