


SSH-KEYGEN(1)                  SSH                  SSH-KEYGEN(1)


NAME
       ssh-keygen - authentication key pair generation


SYNOPSIS
       ssh-keygen    [-b bits]    [-f file]   [-N new_passphrase]
       [-C comment]

       ssh-keygen -p [-P old_passphrase] [-N new_passphrase]

       ssh-keygen -c [-P passphrase] [-C comment]

       ssh-keygen -u [-f file] [-P passphrase]


DESCRIPTION
       Ssh-keygen generates and manages authentication  keys  for
       ssh(1).   Normally  each  user wishing to use ssh with RSA
       authentication runs this once to create the authentication
       key  in  $HOME/.ssh/identity.   Additionally,  the  system
       administrator may use this to generate host keys.

       Normally this program generates the key  and  asks  for  a
       file in which to store the private key.  The public key is
       stored in a file with the same name but  ".pub"  appended.
       The  program  also  asks for a passphrase.  The passphrase
       may be empty to indicate no  passphrase  (host  keys  must
       have empty passphrase), or it may be a string of arbitrary
       length.  Good passphrases are 10-30  characters  long  and
       are  not  simple  sentences  or otherwise easily guessable
       (English prose has only 1-2 bits of entropy per word,  and
       provides  very  bad  passphrases).   The passphrase can be
       changed later by using the -p option.

       There is no way to recover  a  lost  passphrase.   If  the
       passphrase is lost or forgotten, you will have to generate
       a new key and copy the corresponding public key  to  other
       machines.

       USING  GOOD,  UNGUESSABLE  PASSPHRASES  IS STRONGLY RECOM-
       MENDED.  EMPTY PASSPHRASES SHOULD NOT BE USED  UNLESS  YOU
       UNDERSTAND WHAT YOU ARE DOING.

       There is also a comment field in the key file that is only
       for convenience to the user to help identify the key.  The
       comment  can tell what the key is for, or whatever is use-
       ful.  The comment is initialized to user@host when the key
       is created, but can be changed using the -c option.

       The  cipher  to  be  used  when  encrypting  keys  with  a
       passphrase is defined in ssh.h. Using the -u option,  keys
       encrypted  in  any  supported cipher can be updated to use
       this default cipher.




SSH                      November 8, 1995                       1





SSH-KEYGEN(1)                  SSH                  SSH-KEYGEN(1)


OPTIONS
       -b bits
             Specifies the number of bits in the key  to  create.
             Minimum is 512 bits.  Generally 1024 bits is consid-
             ered sufficient, and key sizes above that no  longer
             improve   security  but  make  things  slower.   The
             default is 1024 bits.

       -c    Requests changing the comment  in  the  private  and
             public  key  files.  The program will prompt for the
             file containing the private keys, for passphrase  if
             the key has one, and for the new comment.

       -f    Specifies  the  file name in which to load/store the
             key.

       -p    Requests changing the passphrase of  a  private  key
             file  instead  of  creating  a new private key.  The
             program will prompt for the file containing the pri-
             vate  key, for the old passphrase, and twice for the
             new passphrase.

       -u    Requests that the key's cipher  is  changed  to  the
             current default cipher (determined at compile-time -
             currently 3DES).

       -C    Provides the new comment.

       -N    Provides the new passphrase.

       -P    Provides the (old) passphrase.


FILES
       $HOME/.ssh/random_seed
             Used for seeding the random number generator.   This
             file  should not be readable by anyone but the user.
             This file is created the first time the  program  is
             run, and is updated every time.

       $HOME/.ssh/identity
             Contains  the  RSA  authentication  identity  of the
             user.  This file should not be  readable  by  anyone
             but   the   user.   It  is  possible  to  specify  a
             passphrase when generating the key; that  passphrase
             will  be  used  to  encrypt the private part of this
             file using 3DES.  This  file  is  not  automatically
             accessed  by  ssh-keygen,  but  it is offered as the
             default file for the private key.

       $HOME/.ssh/identity.pub
             Contains the public  key  for  authentication.   The
             contents   of   this   file   should   be  added  to
             $$HHOOMMEE//..sssshh//aauutthhoorriizzeedd__kkeeyyss on all machines where you



SSH                      November 8, 1995                       2





SSH-KEYGEN(1)                  SSH                  SSH-KEYGEN(1)


             wish  to  log in using RSA authentication.  There is
             no need to keep the contents of this file secret.


AUTHOR
       Tatu Ylonen <ylo@ssh.fi>


SEE ALSO
       ssh(1), sshd(8), ssh-agent(1), ssh-add(1)















































SSH                      November 8, 1995                       3


