SSH-KEYGEN(1) General Commands Manual SSH-KEYGEN(1) ssh-keygen - OpenSSH ssh-keygen [-q] [-a ] [-b ] [-C ] [-f __] [-m ] [-N __] [-O ] [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa] [-w ] [-Z ] ssh-keygen -p [-a ] [-f _] [-m ] [-N __] [-P __] [-Z ] ssh-keygen -i [-f __] [-m _] ssh-keygen -e [-f __] [-m _] ssh-keygen -y [-f __] ssh-keygen -c [-a ] [-C ] [-f _] [-P _] ssh-keygen -l [-v] [-E _] [-f __] ssh-keygen -B [-f __] ssh-keygen -D pkcs11 ssh-keygen -F _ [-lv] [-f __] ssh-keygen -H [-f __] ssh-keygen -K [-a ] [-w ] ssh-keygen -R _ [-f __] ssh-keygen -r _ [-g] [-f __] ssh-keygen -M generate [-O ] _ ssh-keygen -M screen [-f _] [-O ] _ ssh-keygen -I _ -s ca- [-hU] [-D _pkcs11] [-n ] [-O ] [-V _] [-z _] file ... ssh-keygen -L [-f __] ssh-keygen -A [-a ] [-f __] ssh-keygen -k -f _krl [-u] [-s _ca] [-z _] file ... ssh-keygen -Q [-l] -f _krl file ... ssh-keygen -Y find-principals [-O ] -s _ -f __ ssh-keygen -Y match-principals -I _ -f __ ssh-keygen -Y check-novalidate [-O ] -n _ -s _ ssh-keygen -Y sign [-O ] -f _ -n _ file ... ssh-keygen -Y verify [-O ] -f __ -I _ -n _ -s _ [-r _] ssh-keygen , ssh(1). ssh-keygen SSH 2. -t. , ssh-keygen Ed25519. ssh-keygen , - (DH-GEX). MODULI GENERATION. , ssh-keygen , , , . . KEY REVOCATION LISTS . , SSH , in ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk ~/.ssh/id_rsa. , , , /etc/rc. , , . ', ".pub". , ( ), . , , , , , - . 10-30 , ( 1-2 , ), , , . -p. . , . ssh-keygen, , , OpenSSH. , , . . "user@host" , -c. ssh-keygen PEM -m. , -p ( ). , ssh-keygen , . : -A (rsa, dsa, ecdsa ed25519), . , , . -f, . /etc/rc . -a KDF (<> << >>, bcrypt_pbkdf(3)). , ( ). 16. -B bubblebabble . -b . RSA 1024 , -- 3072 . , 3072 . DSA 1024 , FIPS 186-2. ECDSA -b , : 256, 384 521 . , , ECDSA . ECDSA-SK, Ed25519 Ed25519-SK -b . -C . -c . , , , , . -D pkcs11 , PKCS#11 pkcs11. -s , (CA) PKCS#11 (. , ). -E _ . : "md5" "sha256". -- "sha256". -e OpenSSH stdout , -m. "RFC4716". OpenSSH , SSH. -F _ | [_]: _ ( ' ) known_hosts, . . -H . -f _ . -g DNS, -r. -H known_hosts. ; .old. ssh sshd, , . , , . -h , . . , . -I _ . . , . -i ( ) , -m, OpenSSH ( ) stdout. , SSH. "RFC4716". -K FIDO. . FIDO, . . the FIDO, . -k KRL. ssh-keygen KRL , -f, , . , , , . -L . -l . RSA DSA ssh-keygen . -v, ASCII, . -M generate - (DH-GEX) `diffie-hellman-group-exchange-*'. . . , . -M screen -. - ( ) . /etc/ssh/moduli. . , . -m _ , -i (), -e () -p. OpenSSH PEM. : "RFC4716" ( RFC 4716/SSH2), "PKCS8" ( PKCS8) "PEM" ( PEM). , OpenSSH , "RFC4716". "PEM" , PEM. -N __ . -n _ ( ), . , . . , . -O /. , ssh-keygen. . . FIDO FIDO. , ' , -Y, : hashalg= . "sha256" "sha512." "sha512." print-pubkey . verify-time=_ , . [Z] [][Z]. , Z, , . DNS SSHFP -r, : hashalg= SSHFP -D. "sha1" "sha256". . -O . -P () . -p . , , . . -Q , KRL. -l, KRL. -q ssh-keygen. -R _ | [_]: , _ ( ' ) known_hosts. (. -H ). -r _ SSHFP _ . -s _ca () (CA). . , . KRL -s (CA), . . , . -t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa . : "dsa", "ecdsa", "ecdsa-sk", "ed25519", "ed25519-sk" "rsa". RSA . RSA "ssh-rsa" ( SHA1, ), "rsa-sha2-256" "rsa-sha2-512" (). -U -s -Y sign , (CA) ssh-agent(1). . , . -u KRL. -k, , , KRL, KRL. -V validity_interval . , , , , . : o "always" , . o []. o UTC Z []Z. o ( ) , <<>>, , << >> sshd_config(5). o (1 1970 00:00:00 UTC) , "0x". , : o "forever" , . o []. o UTC Z []Z. o ( ) , <<>>, , << >> sshd_config(5). o (1 1970 00:00:00 UTC) , "0x". : +52w1d 52 . -4w:+4w . 20100101123000:20110101123000 12:30 1 2010 12:30 1 2011 . 20100101123000Z:20110101123000Z , (UTC), . -1d:20110101 1 2011 . 0x1:0x2000000000 1970 2033 . -1m:forever . -v ssh-keygen . . -v . 3 . -w provider , - FIDO . HID USB. -Y find-principals , ' , -s , -f. . , . -Y match-principals , , -I, , -f. , . -Y check-novalidate ssh-keygen -Y sign . , . ssh-keygen -n. , , -s. ssh-keygen . -Y sign SSH. ssh-keygen . , ssh-keygen , . ".sig" , , , . , , -f , ssh-agent(1). , (, ), -n. , "file" , "email" . _@., ' . -Y verify ssh-keygen -Y sign, . ssh-keygen , -n. , , -s, -I -f. . , , -r. KRL . ssh-keygen . -y OpenSSH OpenSSH stdout. -Z , OpenSSH. "ssh -Q cipher". "aes256-ctr". -z _ , , (CA). _ `+', , . . KRL -z KRL. ssh-keygen - (DH-GEX). : , -- , ' ' . -- ( ). -M generate. -O bits. : # ssh-keygen -M generate -O bits=2048 moduli-2048.candidates , . -O start, ( ). , . -M screen. ssh-keygen ( , -f). : # ssh-keygen -M screen -f moduli-2048.candidates moduli-2048 , - 100 . -O prime-tests. . , -O generator. 2, 3 5. /etc/ssh/moduli. , . -O: lines= . start-line=- . checkpoint=- . , , . memory= ' ' ( ), DH-GEX. start=- ( ) DH-GEX. generator= ( ) DH-GEX. ssh-keygen , '. , , ( ') , (Certification Authority CA). CA , '. , OpenSSH , , X.509, ssl(8). ssh-keygen : . , . : $ ssh-keygen -s ///_ca -I _ ///_.pub - ///_-cert.pub. -h: $ ssh-keygen -s ///_ca -I _ -h ///_.pub ///_-cert.pub. CA, PKCS#11, -D CA -s: $ ssh-keygen -s _ca.pub -D libpkcs11.so -I _ _.pub , CA ssh-agent(1). -U , , CA . $ ssh-keygen -Us _ca.pub -I _ _.pub _ << >>, , . ( ). , . , : $ ssh-keygen -s _ca -I _ -n 1,2 _.pub $ ssh-keygen -s _ca -I _ -h -n . _.pub . SSH, . : clear . , . critical:[=] extension:[=] . . : "name@example.com". , /, . , / (, ). , , . force-command= - , . no-agent-forwarding ssh-agent(1) (, ). no-port-forwarding (, ). no-pty PTY (, ). no-user-rc ~/.ssh/rc sshd(8) (, ). no-x11-forwarding X11 (, ). permit-agent-forwarding ssh-agent(1). permit-port-forwarding . permit-pty PTY. permit-user-rc ~/.ssh/rc sshd(8). permit-X11-forwarding X11. no-touch-required , , ( ). FIDO ecdsa-sk ed25519-sk. source-address=_ , . _ / CIDR. verify-required , , , . ecdsa-sk ed25519-sk. PIN-, . , . , . -V . , , . , UNIX . , , (CA) sshd(8) ssh(1). , . FIDO ssh-keygen FIDO, , OpenSSH, ' . FIDO, , . FIDO : , , , FIDO . , . ecdsa-sk ed25519-sk. , FIDO, : application / FIDO "ssh:". . "ssh:". challenge= , FIDO . (, ). device fido(4) , , . no-touch-required , ( ) . , sshd(8) , authorized_keys. resident , FIDO. '. FIDO2. , PIN . ssh-add(1). FIDO , . user ' , ' , ' . . verify-required , . FIDO. PIN-. , . write-attestation= , FIDO . . , . ssh-keygen (Key Revocation Lists KRL) OpenSSH. , : , . KRL -k. KRL. KRL (. ), . , - KRL, , ( ). KRL , . . KRL , , . serial: _[-_] . 64- , , , . , , . CA ssh-keygen -s. id: _ . ssh-keygen (CA) -s. key: _ . , . sha1: _ , - SHA1 KRL. sha256: _ , - SHA256 KRL. OpenSSH 7.9 KRL, SHA256. hash: - , sshd(8) ssh-keygen -l. SHA256, KRL OpenSSH, 7.9. KRL -u, -k. , ' KRL: , . , KRL, ( ). -Q KRL, , . - , , ( ), ssh-keygen . , . ssh-keygen , . << >> , , sshd(8). : , , , base64. , `#', -- . (. <<>> ssh_config(5)), @, . , -I, , . ( ) . , . (, ): cert-authority , (CA), , CA, . namespaces=-- , . , , ' , , . valid-after=- , , [Z] [][Z]. , Z, , . valid-before=- , . , , , . : # user1@example.com,user2@example.com ssh-rsa AAAAX1... # , . *@example.com cert-authority ssh-ed25519 AAAB4... # , . user2@example.com namespaces="file" ssh-ed25519 AAA41... SSH_SK_PROVIDER , - FIDO . HID USB. ~/.ssh/id_dsa ~/.ssh/id_ecdsa ~/.ssh/id_ecdsa_sk ~/.ssh/id_ed25519 ~/.ssh/id_ed25519_sk ~/.ssh/id_rsa DSA, ECDSA, ECDSA, Ed25519, Ed25519 RSA. . ; 128- AES. ssh-keygen , . ssh(1) . ~/.ssh/id_dsa.pub ~/.ssh/id_ecdsa.pub ~/.ssh/id_ecdsa_sk.pub ~/.ssh/id_ed25519.pub ~/.ssh/id_ed25519_sk.pub ~/.ssh/id_rsa.pub DSA, ECDSA, ECDSA, Ed25519, Ed25519 RSA. ~/.ssh/authorized_keys , . . /etc/ssh/moduli -, DH-GEX. moduli(5). . ssh(1), ssh-add(1), ssh-agent(1), moduli(5), sshd(8) The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006. OpenSSH ssh 1.2.12, Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt Dug Song , OpenSSH. Markus Friedl SSH 1.5 2.0. Andrij Mizyk , Andriy Rysin Yuri Chornoivan ; , GNU General Public License Version 3: https://www.gnu.org/licenses/gpl-3.0.html. . , , : trans-uk@lists.fedoraproject.org Linux 6.8.2-arch2-1 $Mdocdate: 4 2023 $ Linux 6.8.2-arch2-1