SSH-KEYGEN(1) General Commands Manual SSH-KEYGEN(1)

ssh-keygen - OpenSSH

ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile] [-m format] [-N new_passphrase] [-O option] [-t ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa] [-w provider] [-Z cipher]
ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase] [-P old_passphrase] [-Z cipher]
ssh-keygen -i [-f input_keyfile] [-m key_format]
ssh-keygen -e [-f input_keyfile] [-m key_format]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -c [-a rounds] [-C comment] [-f keyfile] [-P passphrase]
ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
ssh-keygen -B [-f input_keyfile]
ssh-keygen -D pkcs11
ssh-keygen -F hostname [-lv] [-f known_hosts_file]
ssh-keygen -H [-f known_hosts_file]
ssh-keygen -K [-a rounds] [-w provider]
ssh-keygen -R hostname [-f known_hosts_file]
ssh-keygen -r hostname [-g] [-f input_keyfile]
ssh-keygen -M generate [-O option] output_file
ssh-keygen -M screen [-f input_file] [-O option] output_file
ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider] [-n principals] [-O option] [-V validity_interval] [-z serial_number] file ...
ssh-keygen -L [-f input_keyfile]
ssh-keygen -A [-a rounds] [-f prefix_path]
ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ...
ssh-keygen -Q [-l] -f krl_file file ...
ssh-keygen -Y find-principals [-O option] -s signature_file -f allowed_signers_file
ssh-keygen -Y match-principals -I signer_identity -f allowed_signers_file
ssh-keygen -Y check-novalidate [-O option] -n namespace -s signature_file
ssh-keygen -Y sign [-O option] -f key_file -n namespace file ...
ssh-keygen -Y verify [-O option] -f allowed_signers_file -I signer_identity -n namespace -s signature_file [-r revocation_file]

ssh-keygen ssh(1). ssh-keygen 2 SSH. -t. ssh-keygen Ed25519. ssh-keygen - (DH-GEX). MODULI GENERATION . ssh-keygen . KEY REVOCATION LISTS . 
SSH ~/.ssh/id_ecdsa ~/.ssh/id_ecdsa_sk ~/.ssh/id_ed25519 ~/.ssh/id_ed25519_sk ~/.ssh/id_rsa. /etc/rc. . ".pub". . ( ) . . 10 30 ( 1-2 ) . -p. . . ssh-keygen OpenSSH. . . "user@host" -c. ssh-keygen PEM -m. -p ( ). ssh-keygen . : -A (rsa ecdsa ed25519) . . -f . /etc/rc . -a rounds KDF ( bcrypt_pbkdf(3)) . ( ). 16 . -B bubblebabble . -b bits . RSA 1024 3072 . 3072 . ECDSA -b : 256 384 521 . ECDSA. ECDSA-SK Ed25519 Ed25519-SK -b. -C comment . -c . . -D pkcs11 PKCS#11 pkcs11. -s (CA) PKCS#11 ( CERTIFICATES ). -E fingerprint_hash . : "md5" "sha256". "sha256". -e OpenSSH (stdout) -m. "RFC4716". OpenSSH SSH . -F hostname | [hostname]:port hostname ( ) known_hosts . -H . -f filename . -g DNS -r. -H known_hosts. .old. ssh sshd . . -h . CERTIFICATES . -I certificate_identity . CERTIFICATES . -i ( ) -m ( ) OpenSSH stdout. SSH . "RFC4716". -K FIDO. . FIDO . FIDO AUTHENTICATOR . -k KRL. ssh-keygen KRL -f . / KEY REVOCATION LISTS. -L . -l . ssh-keygen . -v ASCII . -M generate - (DH-GEX) `diffie-hellman-group-exchange-*'. . MODULI GENERATION . -M screen -. ( ) . /etc/ssh/moduli. MODULI GENERATION . -m key_format -i () -e () -p. OpenSSH PEM. : "RFC4716" ( RFC 4716/SSH2 ) "PKCS8" ( PKCS8 ) "PEM" ( PEM ). OpenSSH "RFC4716". "PEM" PEM . -N new_passphrase . -n principals ( ) . . CERTIFICATES . -O option /. ssh-keygen . CERTIFICATES . MODULI GENERATION. FIDO FIDO AUTHENTICATOR. -Y : hashalg=algorithm . "sha256" "sha512." "sha512." print-pubkey . verify-time=timestamp . YYYYMMDD[Z] YYYYMMDDHHMM[SS][Z]. Z UTC. SSHFP DNS -r : hashalg=algorithm SSHFP -D. "sha1" "sha256". . -O . -P passphrase (). -p . . -Q KRL. -l KRL. -q ssh-keygen. -R hostname | [hostname]:port hostname ( ) known_hosts. ( -H ). -r hostname SSHFP hostname . -s ca_key () (CA) . CERTIFICATES . KRL -s (CA) . KEY REVOCATION LISTS . -t ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa . "ecdsa" "ecdsa-sk" "ed25519 ()" "ed25519-sk" "rsa". RSA CA. RSA "ssh-rsa" ( SHA1 ) "rsa-sha2-256" "rsa-sha2-512" ( RSA). 
-U -s -Y sign CA ssh-agent(1). (CERTIFICATES) . -u KRL. -k KRL KRL . -V validity_interval . . : o "always" . o YYYYMMDD YYYYMMDDHHMM[SS]. o (UTC) YYYYMMDDZ YYYYMMDDHHMM[SS]Z. o (TIME FORMATS) sshd_config(5). o (1 1970 00:00:00 UTC) "0x". : o "forever" . o YYYYMMDD YYYYMMDDHHMM[SS]. o (UTC) YYYYMMDDZ YYYYMMDDHHMM[SS]Z. o (TIME FORMATS) sshd_config(5). o (1 1970 00:00:00 UTC) "0x". : +52w1d 52 . -4w:+4w . 20100101123000:20110101123000 12:30 1 2010 12:30 1 2011. 20100101123000Z:20110101123000Z (UTC) . -1d:20110101 1 2011. 0x1:0x2000000000 1970 2033. -1m:forever . -v . ssh-keygen . . -v . 3. -w provider FIDO USB HID . -Y find-principals ( ) -s -f. (ALLOWED SIGNERS) . . -Y match-principals -I -f. . -Y check-novalidate ssh-keygen -Y sign . . ssh-keygen -n. -s. ssh-keygen . -Y sign SSH. ssh-keygen - ssh-keygen . ".sig" . -f ssh-agent(1). ( ) -n. : "file" "email" . NAMESPACE@YOUR.DOMAIN . -Y verify ssh-keygen -Y sign . ssh-keygen -n. -s -I -f. (ALLOWED SIGNERS) . -r. KRL ( ). ssh-keygen . -y OpenSSH OpenSSH . -Z cipher OpenSSH. "ssh -Q cipher". "aes256-ctr". -z serial_number CA. serial_number `+' . . KRL -z KRL. ssh-keygen - (DH-GEX). : . ( ). -M generate. -O bits. : # ssh-keygen -M generate -O bits=2048 moduli-2048.candidates . -O start ( ). . -M screen. ssh-keygen ( -f). : # ssh-keygen -M screen -f moduli-2048.candidates moduli-2048 100 . -O prime-tests. DH . -O generator. 2 3 5. DH /etc/ssh/moduli. . -O: lines=number DH. start-line=line-number DH. checkpoint=filename DH. . start=hex-value ( ) DH-GEX. generator=value () DH-GEX. ssh-keygen . ( ) (CA). CA /. OpenSSH X.509 ssl(8). ssh-keygen : . . : $ ssh-keygen -s /path/to/ca_key -I id -n user \ /path/to/user_key.pub /path/to/user_key-cert.pub. -I . -n ( ) . -h: $ ssh-keygen -s /path/to/ca_key -I id -h -n foo.example.org \ /path/to/host_key.pub -n (wildcard). /path/to/host_key-cert.pub. CA PKCS#11 -D CA -s: $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I id -n user \ user_key.pub CA ssh-agent(1). -U CA . 
$ ssh-keygen -Us ca_key.pub -I id -n user user_key.pub key_id " " . (/). : $ ssh-keygen -s ca_key -I id -n user1,user2 user_key.pub $ ssh-keygen -s ca_key -I id -h -n host.domain host_key.pub . SSH . : clear . . critical:name[=contents] extension:name[=contents] . name "name@example.com". contents / / ( ). . force-command=command command . no-agent-forwarding ssh-agent(1) ( ). no-port-forwarding ( ). no-pty PTY ( ). no-user-rc ~/.ssh/rc sshd(8) ( ). no-x11-forwarding X11 ( ). permit-agent-forwarding ssh-agent(1). permit-port-forwarding . permit-pty PTY. permit-user-rc ~/.ssh/rc sshd(8). permit-X11-forwarding X11. no-touch-required ( ). FIDO ecdsa-sk ed25519-sk. source-address=address_list . address_list / CIDR. verify-required PIN . FIDO ecdsa-sk ed25519-sk. . . -V . . UNIX . CA sshd(8) ssh(1). . FIDO ssh-keygen FIDO OpenSSH . FIDO . FIDO : FIDO . . ecdsa-sk ed25519-sk. FIDO : application / FIDO "ssh:". . "ssh:". challenge=path FIDO . ( ). device fido(4) . no-touch-required ( ) . sshd(8) authorized_keys. resident FIDO . . FIDO2 PIN . ssh-add(1). FIDO . user . . verify-required . FIDO . PIN . write-attestation=path FIDO . . . ssh-keygen (KRLs) OpenSSH. . KRL -k. KRL . KRL ( ) . KRL ( ). KRL . KRL . serial: serial_number[-serial_number] . 64 . . CA ssh-keygen -s. id: key_id . CA ssh-keygen -s. key: public_key . . sha1: public_key SHA1 KRL. sha256: public_key SHA256 KRL. KRL SHA256 OpenSSH 7.9. hash: fingerprint sshd(8) -l ssh-keygen. SHA256 KRL OpenSSH 7.9. KRL -u -k. KRL . KRL ( ) . -Q KRL . ( ) ssh-keygen . . ssh-keygen . " " AUTHORIZED_KEYS sshd(8). : base64. `#' . ( PATTERNS ssh_config(5)) USER@DOMAIN . -I . ( ) . . ( ): cert-authority (CA) CA . namespaces=namespace-list . . valid-after=timestamp YYYYMMDD[Z] YYYYMMDDHHMM[SS][Z]. Z (UTC). valid-before=timestamp . . : # user1@example.com,user2@example.com ssh-rsa AAAAX1... # . *@example.com cert-authority ssh-ed25519 AAAB4... # . user2@example.com namespaces="file" ssh-ed25519 AAA41... 
SSH_SK_PROVIDER FIDO USB HID . ~/.ssh/id_ecdsa ~/.ssh/id_ecdsa_sk ~/.ssh/id_ed25519 ~/.ssh/id_ed25519_sk ~/.ssh/id_rsa ECDSA ECDSA Ed25519 Ed25519 RSA . . AES 128 . ssh-keygen . ssh(1) . ~/.ssh/id_ecdsa.pub ~/.ssh/id_ecdsa_sk.pub ~/.ssh/id_ed25519.pub ~/.ssh/id_ed25519_sk.pub ~/.ssh/id_rsa.pub ECDSA ECDSA Ed25519 Ed25519 RSA . ~/.ssh/authorized_keys . . /etc/ssh/moduli Diffie-Hellman DH-GEX. moduli(5). ssh(1) ssh-add(1) ssh-agent(1) moduli(5) sshd(8) The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006. OpenSSH ssh 1.2.12 Tatu Ylonen. Aaron Campbell Bob Beck Markus Friedl Niels Provos Theo de Raadt Dug Song OpenSSH. Markus Friedl SSH 1.5 2.0. 3: https://www.gnu.org/licenses/gpl-3.0.html . . : kde-l10n-ar@kde.org Linux 7.0.8-arch1-1 $Mdocdate: 22 2025 $ Linux 7.0.8-arch1-1