| SSH-KEYGEN(1) | General Commands Manual | SSH-KEYGEN(1) | 
ssh-keygen —
| ssh-keygen | [ -q] [-arounds] [-bbits] [-Ccomment] [-foutput_keyfile] [-mformat] [-Nnew_passphrase] [-Ooption] [-tdsa|ecdsa|ecdsa-sk|ed25519|ed25519-sk|rsa]
      [-wprovider]
      [-Zcipher] | 
| ssh-keygen | -p[-arounds] [-fkeyfile] [-mformat] [-Nnew_passphrase] [-Pold_passphrase] [-Zcipher] | 
| ssh-keygen | -i[-finput_keyfile] [-mkey_format] | 
| ssh-keygen | -e[-finput_keyfile] [-mkey_format] | 
| ssh-keygen | -y[-finput_keyfile] | 
| ssh-keygen | -c[-arounds] [-Ccomment] [-fkeyfile] [-Ppassphrase] | 
| ssh-keygen | -l[-v]
      [-Efingerprint_hash]
      [-finput_keyfile] | 
| ssh-keygen | -B[-finput_keyfile] | 
| ssh-keygen | -Dpkcs11 | 
| ssh-keygen | -Fhostname
      [-lv] [-fknown_hosts_file] | 
| ssh-keygen | -H[-fknown_hosts_file] | 
| ssh-keygen | -K[-arounds] [-wprovider] | 
| ssh-keygen | -Rhostname
      [-fknown_hosts_file] | 
| ssh-keygen | -rhostname
      [-g] [-finput_keyfile] | 
| ssh-keygen | -Mgenerate[-Ooption]
      output_file | 
| ssh-keygen | -Mscreen[-finput_file]
      [-Ooption]
      output_file | 
| ssh-keygen | -Icertificate_identity-sca_key
      [-hU] [-Dpkcs11_provider] [-nprincipals] [-Ooption] [-Vvalidity_interval] [-zserial_number] file ... | 
| ssh-keygen | -L[-finput_keyfile] | 
| ssh-keygen | -A[-arounds] [-fprefix_path] | 
| ssh-keygen | -k-fkrl_file [-u]
      [-sca_public]
      [-zversion_number]
      file ... | 
| ssh-keygen | -Q[-l]-fkrl_file
      file ... | 
| ssh-keygen | -Yfind-principals[-Ooption]-ssignature_file-fallowed_signers_file | 
| ssh-keygen | -Ymatch-principals-Isigner_identity-fallowed_signers_file | 
| ssh-keygen | -Ycheck-novalidate[-Ooption]-nnamespace-ssignature_file | 
| ssh-keygen | -Ysign[-Ooption]-fkey_file-nnamespace
      file ... | 
| ssh-keygen | -Yverify[-Ooption]-fallowed_signers_file-Isigner_identity-nnamespace-ssignature_file
      [-rrevocation_file] | 
ssh-keygen generates, manages and converts
  authentication keys for ssh(1).
  ssh-keygen can create keys for use by SSH protocol
  version 2.
The type of key to be generated is specified with the
    -t option. If invoked without any arguments,
    ssh-keygen will generate an Ed25519 key.
ssh-keygen is also used to generate groups
    for use in Diffie-Hellman group exchange (DH-GEX). See the
    MODULI GENERATION section for
    details.
Finally, ssh-keygen can be used to
    generate and update Key Revocation Lists, and to test whether given keys
    have been revoked by one. See the
    KEY REVOCATION LISTS section
    for details.
Normally each user wishing to use SSH with public key authentication runs this once to create the authentication key in ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk or ~/.ssh/id_rsa. Additionally, the system administrator may use this to generate host keys, as seen in /etc/rc.d/sshd.
Normally this program generates the key and asks for a file in
    which to store the private key. The public key is stored in a file with the
    same name but “.pub” appended. The program also asks for a
    passphrase. The passphrase may be empty to indicate no passphrase (host keys
    must have an empty passphrase), or it may be a string of arbitrary length. A
    passphrase is similar to a password, except it can be a phrase with a series
    of words, punctuation, numbers, whitespace, or any string of characters you
    want. Good passphrases are 10-30 characters long, are not simple sentences
    or otherwise easily guessable (English prose has only 1-2 bits of entropy
    per character, and provides very bad passphrases), and contain a mix of
    upper and lowercase letters, numbers, and non-alphanumeric characters. The
    passphrase can be changed later by using the -p
    option.
There is no way to recover a lost passphrase. If the passphrase is lost or forgotten, a new key must be generated and the corresponding public key copied to other machines.
ssh-keygen will by default write keys in
    an OpenSSH-specific format. This format is preferred as it offers better
    protection for keys at rest as well as allowing storage of key comments
    within the private key file itself. The key comment may be useful to help
    identify the key. The comment is initialized to “user@host”
    when the key is created, but can be changed using the
    -c option.
It is still possible for ssh-keygen to
    write the previously-used PEM format private keys using the
    -m flag. This may be used when generating new keys,
    and existing new-format keys may be converted using this option in
    conjunction with the -p (change passphrase)
  flag.
After a key is generated, ssh-keygen will
    ask where the keys should be placed to be activated.
The options are as follows:
-A-f has also been specified,
      its argument is used as a prefix to the default path for the resulting
      host key files. This is used by /etc/rc to
      generate new host keys.-a
    rounds-B-b
    bits-b
      flag determines the key length by selecting from one of three elliptic
      curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other
      than these three values for ECDSA keys will fail. ECDSA-SK, Ed25519 and
      Ed25519-SK keys have a fixed length and the -b
      flag will be ignored.-C
    comment-c-D
    pkcs11-s, this option indicates that a CA key resides in
      a PKCS#11 token (see the
      CERTIFICATES section for
    details).-E
    fingerprint_hash-e-m option. The default export format is
      “RFC4716”. This option allows exporting OpenSSH keys for use
      by other programs, including several commercial SSH implementations.-F
    hostname | [hostname]:port-H option to print found keys in a hashed
    format.-f
    filename-g-r command.-Hssh and
      sshd, but they do not reveal identifying
      information should the file's contents be disclosed. This option will not
      modify existing hashed hostnames and is therefore safe to use on files
      that mix hashed and non-hashed names.-h-I
    certificate_identity-i-m option and print an
      OpenSSH compatible private (or public) key to stdout. This option allows
      importing keys from other software, including several commercial SSH
      implementations. The default import format is
    “RFC4716”.-K-kssh-keygen will
      generate a KRL file at the location specified via the
      -f flag that revokes every key or certificate
      presented on the command line. Keys/certificates to be revoked may be
      specified by public key file or using the format described in the
      KEY REVOCATION LISTS
      section.-L-lssh-keygen tries to find the matching public key
      file and prints its fingerprint. If combined with
      -v, a visual ASCII art representation of the key
      is supplied with the fingerprint.-M
    generate-M
    screen-m
    key_format-i
      (import), -e (export) conversion options, and the
      -p change passphrase operation. The latter may be
      used to convert between OpenSSH private key and PEM private key formats.
      The supported key formats are: “RFC4716” (RFC 4716/SSH2
      public or private key), “PKCS8” (PKCS8 public or private
      key) or “PEM” (PEM public key). By default OpenSSH will
      write newly-generated private keys in its own format, but when converting
      public keys for export the default format is “RFC4716”.
      Setting a format of “PEM” when generating or updating a
      supported private key type will cause the key to be stored in the legacy
      PEM private key format.-N
    new_passphrase-n
    principals-O
    optionssh-keygen has been requested to perform.
    When signing certificates, one of the options listed in the CERTIFICATES section may be specified here.
When performing moduli generation or screening, one of the options listed in the MODULI GENERATION section may be specified.
When generating FIDO authenticator-backed keys, the options listed in the FIDO AUTHENTICATOR section may be specified.
When performing signature-related options using the
        -Y flag, the following options are accepted:
hashalg=algorithmprint-pubkeyverify-time=timestampWhen generating SSHFP DNS records from public keys using the
        -r flag, the following options are accepted:
hashalg=algorithm-D flag. Valid algorithms are
          “sha1” and “sha256”. The default is to
          print both.The -O option may be specified
        multiple times.
-P
    passphrase-p-Q-l option is also specified then the contents of
      the KRL will be printed.-qssh-keygen. Used by
      /etc/rc.d/sshd when creating a new key.-R
    hostname | [hostname]:port-H option above).-r
    hostname-s
    ca_keyWhen generating a KRL, -s specifies a
        path to a CA public key file used to revoke certificates directly by key
        ID or serial number. See the
        KEY REVOCATION LISTS
        section for details.
-t
    dsa |
    ecdsa
    |
    ecdsa-sk
    |
    ed25519
    |
    ed25519-sk
    |
    rsaThis flag may also be used to specify the desired signature type when signing certificates using an RSA CA key. The available RSA signature variants are “ssh-rsa” (SHA1 signatures, not recommended), “rsa-sha2-256”, and “rsa-sha2-512” (the default).
-U-s or
      -Y sign, this option
      indicates that a CA key resides in a
      ssh-agent(1). See the
      CERTIFICATES section for more
      information.-u-k, keys listed
      via the command line are added to the existing KRL rather than a new KRL
      being created.-V
    validity_intervalThe start time may be specified as:
The end time may be specified similarly to the start time:
For example:
-vssh-keygen to print debugging
      messages about its progress. This is helpful for debugging moduli
      generation. Multiple -v options increase the
      verbosity. The maximum is 3.-w
    provider-Y
    find-principals-s flag in an authorized
      signers file provided using the -f flag. The
      format of the allowed signers file is documented in the
      ALLOWED SIGNERS section below.
      If one or more matching principals are found, they are returned on
      standard output.-Y
    match-principals-I flag in the authorized signers file specified
      using the -f flag. If one or more matching
      principals are found, they are returned on standard output.-Y
    check-novalidatessh-keygen
      -Y sign has a valid
      structure. This does not validate if a signature comes from an authorized
      signer. When testing a signature, ssh-keygen
      accepts a message on standard input and a signature namespace using
      -n. A file containing the corresponding signature
      must also be supplied using the -s flag.
      Successful testing of the signature is signalled by
      ssh-keygen returning a zero exit status.-Y
    signssh-keygen accepts zero or more files to sign on
      the command-line - if no files are specified then
      ssh-keygen will sign data presented on standard
      input. Signatures are written to the path of the input file with
      “.sig” appended, or to standard output if the message to be
      signed was read from standard input.
    The key used for signing is specified using the
        -f option and may refer to either a private key,
        or a public key with the private half available via
        ssh-agent(1). An
        additional signature namespace, used to prevent signature confusion
        across different domains of use (e.g. file signing vs email signing)
        must be provided via the -n flag. Namespaces are
        arbitrary strings, and may include: “file” for file
        signing, “email” for email signing. For custom uses, it is
        recommended to use names following a NAMESPACE@YOUR.DOMAIN pattern to
        generate unambiguous namespaces.
-Y
    verifyssh-keygen -Y
      sign as described above. When verifying a
      signature, ssh-keygen accepts a message on
      standard input and a signature namespace using -n.
      A file containing the corresponding signature must also be supplied using
      the -s flag, along with the identity of the signer
      using -I and a list of allowed signers via the
      -f flag. The format of the allowed signers file is
      documented in the ALLOWED
      SIGNERS section below. A file containing revoked keys can be passed
      using the -r flag. The revocation file may be a
      KRL or a one-per-line list of public keys. Successful verification by an
      authorized signer is signalled by ssh-keygen
      returning a zero exit status.-y-Z
    cipher-z
    serial_numberWhen generating a KRL, the -z flag is
        used to specify a KRL version number.
ssh-keygen may be used to generate groups for the
  Diffie-Hellman Group Exchange (DH-GEX) protocol. Generating these groups is a
  two-step process: first, candidate primes are generated using a fast, but
  memory intensive process. These candidate primes are then tested for
  suitability (a CPU-intensive process).
Generation of primes is performed using the
    -M generate option. The
    desired length of the primes may be specified by the
    -O bits option. For
  example:
# ssh-keygen -M generate -O bits=2048
  moduli-2048.candidatesBy default, the search for primes begins at a random point in the
    desired length range. This may be overridden using the
    -O start option, which
    specifies a different start point (in hex).
Once a set of candidates have been generated, they must be
    screened for suitability. This may be performed using the
    -M screen option. In this
    mode ssh-keygen will read candidates from standard
    input (or a file specified using the -f option). For
    example:
# ssh-keygen -M screen -f
  moduli-2048.candidates moduli-2048By default, each candidate will be subjected to 100 primality
    tests. This may be overridden using the -O
    prime-tests option. The DH generator value will be
    chosen automatically for the prime under consideration. If a specific
    generator is desired, it may be requested using the
    -O generator option. Valid
    generator values are 2, 3, and 5.
Screened DH groups may be installed in /etc/moduli. It is important that this file contains moduli of a range of bit lengths.
A number of options are available for moduli generation and
    screening via the -O flag:
lines=numberstart-line=line-numbercheckpoint=filenamememory=mbytesstart=hex-valuegenerator=valuessh-keygen supports signing of keys to produce
  certificates that may be used for user or host authentication. Certificates
  consist of a public key, some identity information, zero or more principal
  (user or host) names and a set of options that are signed by a Certification
  Authority (CA) key. Clients or servers may then trust only the CA key and
  verify its signature on a certificate rather than trusting many user/host
  keys. Note that OpenSSH certificates are a different, and much simpler, format
  to the X.509 certificates used in
  ssl(8).
ssh-keygen supports two types of
    certificates: user and host. User certificates authenticate users to
    servers, whereas host certificates authenticate server hosts to users. To
    generate a user certificate:
$ ssh-keygen -s /path/to/ca_key -I
  key_id /path/to/user_key.pubThe resultant certificate will be placed in
    /path/to/user_key-cert.pub. A host certificate
    requires the -h option:
$ ssh-keygen -s /path/to/ca_key -I
  key_id -h /path/to/host_key.pubThe host certificate will be output to /path/to/host_key-cert.pub.
It is possible to sign using a CA key stored in a PKCS#11 token by
    providing the token library using -D and identifying
    the CA key by providing its public half as an argument to
    -s:
$ ssh-keygen -s ca_key.pub -D
  libpkcs11.so -I key_id user_key.pubSimilarly, it is possible for the CA key to be hosted in a
    ssh-agent(1). This is
    indicated by the -U flag and, again, the CA key must
    be identified by its public half.
$ ssh-keygen -Us ca_key.pub -I key_id
  user_key.pubIn all cases, key_id is a "key identifier" that is logged by the server when the certificate is used for authentication.
Certificates may be limited to be valid for a set of principal (user/host) names. By default, generated certificates are valid for all users or hosts. To generate a certificate for a specified set of principals:
$ ssh-keygen -s ca_key -I key_id -n
  user1,user2 user_key.pub$ ssh-keygen -s ca_key -I key_id -h
  -n host.domain host_key.pubAdditional limitations on the validity and use of user certificates may be specified through certificate options. A certificate option may disable features of the SSH session, may be valid only when presented from particular source addresses or may force the use of a specific command.
The options that are valid for user certificates are:
clearcritical:name[=contents]extension:name[=contents]force-command=commandno-agent-forwardingno-port-forwardingno-ptyno-user-rcno-x11-forwardingpermit-agent-forwardingpermit-port-forwardingpermit-ptypermit-user-rcpermit-X11-forwardingno-touch-requiredecdsa-sk and ed25519-sk.
    
  source-address=address_listverify-requiredecdsa-sk and
      ed25519-sk. Currently PIN authentication is the
      only supported verification method, but other methods may be supported in
      the future.At present, no standard options are valid for host keys.
Finally, certificates may be defined with a validity lifetime. The
    -V option allows specification of certificate start
    and end times. A certificate that is presented at a time outside this range
    will not be considered valid. By default, certificates are valid from the
    UNIX Epoch to the distant future.
For certificates to be used for user or host authentication, the CA public key must be trusted by sshd(8) or ssh(1). Refer to those manual pages for details.
ssh-keygen is able to generate FIDO authenticator-backed
  keys, after which they may be used much like any other key type supported by
  OpenSSH, so long as the hardware authenticator is attached when the keys are
  used. FIDO authenticators generally require the user to explicitly authorise
  operations by touching or tapping them. FIDO keys consist of two parts: a key
  handle part stored in the private key file on disk, and a per-device private
  key that is unique to each FIDO authenticator and that cannot be exported from
  the authenticator hardware. These are combined by the hardware at
  authentication time to derive the real key that is used to sign authentication
  challenges. Supported key types are ecdsa-sk and
  ed25519-sk.
The options that are valid for FIDO keys are:
applicationchallenge=pathdeviceno-touch-requiredresidentuserverify-requiredwrite-attestation=pathssh-keygen is able to manage OpenSSH format Key
  Revocation Lists (KRLs). These binary files specify keys or certificates to be
  revoked using a compact format, taking as little as one bit per certificate if
  they are being revoked by serial number.
KRLs may be generated using the -k flag.
    This option reads one or more files from the command line and generates a
    new KRL. The files may either contain a KRL specification (see below) or
    public keys, listed one per line. Plain public keys are revoked by listing
    their hash or contents in the KRL and certificates revoked by serial number
    or key ID (if the serial is zero or not available).
Revoking keys using a KRL specification offers explicit control over the types of record used to revoke keys and may be used to directly revoke certificates by serial number or key ID without having the complete original certificate on hand. A KRL specification consists of lines containing one of the following directives followed by a colon and some directive-specific information.
serial:
    serial_number[-serial_number]ssh-keygen command
      line using the -s option.id:
    key_idssh-keygen command line
      using the -s option.key:
    public_keysha1:
    public_keysha256:
    public_keyhash:
    fingerprintssh-keygen
      -l flag. Only SHA256 fingerprints are supported
      here and resultant KRLs are not supported by OpenSSH versions prior to
      7.9.KRLs may be updated using the -u flag in
    addition to -k. When this option is specified, keys
    listed via the command line are merged into the KRL, adding to those already
    there.
It is also possible, given a KRL, to test whether it revokes a
    particular key (or keys). The -Q flag will query an
    existing KRL, testing each key specified on the command line. If any key
    listed on the command line has been revoked (or an error encountered) then
    ssh-keygen will exit with a non-zero exit status. A
    zero exit status will only be returned if no key was revoked.
ssh-keygen uses a simple list
  of identities and keys to determine whether a signature comes from an
  authorized source. This "allowed signers" file uses a format
  patterned after the AUTHORIZED_KEYS FILE FORMAT described in
  sshd(8). Each line of the file
  contains the following space-separated fields: principals, options, keytype,
  base64-encoded key. Empty lines and lines starting with a
  ‘#’ are ignored as comments.
The principals field is a pattern-list (see PATTERNS in
    ssh_config(5)) consisting
    of one or more comma-separated USER@DOMAIN identity patterns that are
    accepted for signing. When verifying, the identity presented via the
    -I option must match a principals pattern in order
    for the corresponding key to be considered acceptable for verification.
The options (if present) consist of comma-separated option specifications. No spaces are permitted, except within double quotes. The following option specifications are supported (note that option keywords are case-insensitive):
cert-authoritynamespaces=namespace-listvalid-after=timestampvalid-before=timestampWhen verifying signatures made by certificates, the expected principal name must match both the principals pattern in the allowed signers file and the principals embedded in the certificate itself.
An example allowed signers file:
# Comments allowed at start of line user1@example.com,user2@example.com ssh-rsa AAAAX1... # A certificate authority, trusted for all principals in a domain. *@example.com cert-authority ssh-ed25519 AAAB4... # A key that is accepted only for file signing. user2@example.com namespaces="file" ssh-ed25519 AAA41...
SSH_SK_PROVIDERssh-keygen but it is
      offered as the default file for the private key.
      ssh(1) will read this file when
      a login attempt is made.
    
  The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.
| September 4 2023 | NetBSD 9.4 |