ssh-keygen Command Line Utility

ssh-keygen - Creation, management, and conversion of keys used for client and server authentication.

Synopsis

ssh-keygen [-b bits] -t type [-N [passphrase]] [-C comment] [-f output_keyfile]
ssh-keygen -B [-f input_keyfile]
ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
ssh-keygen -e [-f input_keyfile]
ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
ssh-keygen -i [-f input_keyfile]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -l [-f input_keyfile]

Description

You can use the ssh-keygen command line utility to create RSA and DSA keys for public key authentication, to edit properties of existing keys, and to convert file formats. When no options are specified, ssh-keygen generates a 2048-bit RSA key pair and queries you for a key name and a passphrase to protect the private key. Public keys are created using the same base name as the private key, with an added .pub extension. The key location is displayed when key generation is complete.

Options

-b bits

Specifies the key size. Up to a point, a larger key size improves security. Increasing key size slows down the initial connection, but has no effect on the speed of encryption or decryption of the data stream after a successful connection has been made. The length of key you should use depends on many factors, including: the key type, the lifetime of the key, the value of the data being protected, the resources available to a potential attacker, and the size of the symmetric key you use in conjunction with this asymmetric key. To ensure the best choice for your needs, we recommend that you contact your security officer. Key sizes are rounded up to the next value evenly divisible by 64 bits. The default for DSA keys is 1024 bits; for RSA it is 2048 bits.

-B

Shows the fingerprint of the specified key in SHA-1 Bubble Babble format. You can specify the key file using -f. If you don't specify a file, you are queried for a filename. You can specify the private or public key name, but in either case, the public key must be available.

-c

Requests a change of the comment in the private and public key files. This operation is only supported for RSA1 keys. The program will prompt for the file containing the private keys, for the passphrase if the key has one, and for the new comment.

-C comment

Specifies information for the comment field within the key file. Use quotation marks if the string includes spaces. If you do not specify a comment when you create a key, a default comment is created that includes the key type, creator, date, and time.

-e

Uses the specified OpenSSH public or private key to generate a public key in Reflection format. You can specify the key file using -f. If you don't specify a file, you are queried for a filename.

-f filename

Specifies the filename for the generated private key. (A public key is also created and is always given the same name as the private key plus a .pub file extension.) This option can also be used in combination with -e, -i, -l, -p, -y, and -B to specify the input filename.

-i

Converts the specified Reflection public key to OpenSSH format. You can specify the key file using -f. If you don't specify a file, you are queried for a filename.

-h

Displays a summary of command line options.

-l

Show fingerprint of specified public key file using the MD5 hash. You can specify the key file using -f. If you don't specify a file, you are queried for a filename. If you specify a private key, ssh-keygen tries to find the matching public key file and prints its fingerprint.

-N passphrase

Sets the passphrase. For example, to specify the passphrase for a new key:

ssh-keygen -N mypassphrase -f keyfile

To create a new key that is not passphrase protected:

ssh-keygen -N -f keyfile

You can also use -N in combination with -p and -P to change the passphrase of an existing key.

-p

Use this option to change the passphrase of an existing private key. If you use this option alone, the program prompts for the file containing the private key, for the old passphrase, and twice for the new passphrase. You can use it in combination with -f, -P, and -N to change the passphrase non-interactively. For example:

ssh-keygen -p -f keyfile -P oldpassphrase -N newpassphrase
-P passphrase

Provides the (old) passphrase.

-q

Silence ssh-keygen.

-t type

Specifies the algorithm used for key generation. The possible values are "rsa" or "dsa" for protocol version 2.

-y

Uses the specified private key to derive a new copy of the public key. You can specify the key file using -f. If you don't specify a file, you are queried for a filename.

Return values

ssh-keygen returns 0 (zero) if the command completes successfully. Any non-zero value indicates a failure.