-A For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys do not exist, generate the
host keys with the default key file path, an empty passphrase, default bits for the key type, and
default comment. This is used by system administration scripts to generate new host keys.
|
-a trials
Specifies the number of primality tests to perform when screening DH-GEX candidates using the -T
command.
|
-B Show the bubblebabble digest of specified private or public key file.
|
-b bits
Specifies the number of bits in the key to create. For RSA keys, the minimum size is 768 bits and
the default is 2048 bits. Generally, 2048 bits is considered sufficient. DSA keys must be exactly
1024 bits as specified by FIPS 186-2. For ECDSA keys, the -b flag determines they key length by
selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit
lengths other than these three values for ECDSA keys will fail.
|
-C comment
Provides a new comment.
|
-c Requests changing the comment in the private and public key files. This operation is only
supported for RSA1 keys. The program will prompt for the file containing the private keys, for the
passphrase if the key has one, and for the new comment.
|
-D pkcs11
Download the RSA public keys provided by the PKCS#11 shared library pkcs11. When used in
combination with -s, this option indicates that a CA key resides in a PKCS#11 token (see the
CERTIFICATES section for details).
|
-e This option will read a private or public OpenSSH key file and print to stdout the key in one of
the formats specified by the -m option. The default export format is “RFC4716”. This option
allows exporting OpenSSH keys for use by other programs, including several commercial SSH
implementations.
|
-F hostname
Search for the specified hostname in a known_hosts file, listing any occurrences found. This
option is useful to find hashed host names or addresses and may also be used in conjunction with
the -H option to print found keys in a hashed format.
|
-f filename
Specifies the filename of the key file.
|
-G output_file
Generate candidate primes for DH-GEX. These primes must be screened for safety (using the -T
option) before use.
|
-g Use generic DNS format when printing fingerprint resource records using the -r command.
|
-H Hash a known_hosts file. This replaces all hostnames and addresses with hashed representations
within the specified file; the original content is moved to a file with a .old suffix. These
hashes may be used normally by ssh and sshd, but they do not reveal identifying information should
the file's contents be disclosed. This option will not modify existing hashed hostnames and is
therefore safe to use on files that mix hashed and non-hashed names.
|
-h When signing a key, create a host certificate instead of a user certificate. Please see the
CERTIFICATES section for details.
|
-I certificate_identity
Specify the key identity when signing a public key. Please see the CERTIFICATES section for
details.
|
-i This option will read an unencrypted private (or public) key file in the format specified by the -m
option and print an OpenSSH compatible private (or public) key to stdout. This option allows
importing keys from other software, including several commercial SSH implementations. The default
import format is “RFC4716”.
|
-L Prints the contents of a certificate.
|
-l Show fingerprint of specified public key file. Private RSA1 keys are also supported. For RSA and
DSA keys ssh-keygen tries to find the matching public key file and prints its fingerprint. If
combined with -v, an ASCII art representation of the key is supplied with the fingerprint.
|
-M memory
Specify the amount of memory to use (in megabytes) when generating candidate moduli for DH-GEX.
|
-m key_format
Specify a key format for the -i (import) or -e (export) conversion options. The supported key
formats are: “RFC4716” (RFC 4716/SSH2 public or private key), “PKCS8” (PEM PKCS8 public key) or
“PEM” (PEM public key). The default conversion format is “RFC4716”.
|
-N new_passphrase
Provides the new passphrase.
|
-n principals
Specify one or more principals (user or host names) to be included in a certificate when signing a
key. Multiple principals may be specified, separated by commas. Please see the CERTIFICATES
section for details.
|
-O option
Specify a certificate option when signing a key. This option may be specified multiple times.
Please see the CERTIFICATES section for details. The options that are valid for user certificates
are:
clear Clear all enabled permissions. This is useful for clearing the default set of permissions
so permissions may be added individually.
|
-P passphrase
Provides the (old) passphrase.
|
-p Requests changing the passphrase of a private key file instead of creating a new private key. The
program will prompt for the file containing the private key, for the old passphrase, and twice for
the new passphrase.
|
-q Silence ssh-keygen.
|
-R hostname
Removes all keys belonging to hostname from a known_hosts file. This option is useful to delete
hashed hosts (see the -H option above).
|
-r hostname
Print the SSHFP fingerprint resource record named hostname for the specified public key file.
|
-S start
Specify start point (in hex) when generating candidate moduli for DH-GEX.
|
-s ca_key
Certify (sign) a public key using the specified CA key. Please see the CERTIFICATES section for
details.
|
-T output_file
Test DH group exchange candidate primes (generated using the -G option) for safety.
|
-t type
Specifies the type of key to create. The possible values are “rsa1” for protocol version 1 and
“dsa”, “ecdsa” or “rsa” for protocol version 2.
|
-V validity_interval
Specify a validity interval when signing a certificate. A validity interval may consist of a
single time, indicating that the certificate is valid beginning now and expiring at that time, or
may consist of two times separated by a colon to indicate an explicit time interval. The start
time may be specified as a date in YYYYMMDD format, a time in YYYYMMDDHHMMSS format or a relative
time (to the current time) consisting of a minus sign followed by a relative time in the format
described in the TIME FORMATS section of sshd_config(5). The end time may be specified as a
YYYYMMDD date, a YYYYMMDDHHMMSS time or a relative time starting with a plus character.
For example: “+52w1d” (valid from now to 52 weeks and one day from now), “-4w:+4w” (valid from four
weeks ago to four weeks from now), “20100101123000:20110101123000” (valid from 12:30 PM, January
1st, 2010 to 12:30 PM, January 1st, 2011), “-1d:20110101” (valid from yesterday to midnight,
January 1st, 2011).
|
-v Verbose mode. Causes ssh-keygen to print debugging messages about its progress. This is helpful
for debugging moduli generation. Multiple -v options increase the verbosity. The maximum is 3.
|
-W generator
Specify desired generator when testing candidate moduli for DH-GEX.
|
-y This option will read a private OpenSSH format file and print an OpenSSH public key to stdout.
|
-z serial_number
Specifies a serial number to be embedded in the certificate to distinguish this certificate from
others from the same CA. The default serial number is zero.
|