ssh-keygen-g3 — authentication key pair generator
ssh-keygen-g3 (ssh-keygen-g3.exe on Windows) is a tool that generates and manages authentication keys for Secure Shell. Each user wishing to use a Secure Shell client with public-key authentication can run this tool to create authentication keys. Additionally, the system administrator can use this to generate host keys for the Secure Shell server.
By default, if no path for the key files is specified, the key pair is generated under the user's home directory ($HOME/.ssh2 on Unix, "%APPDATA%\SSH\UserKeys" on Windows). If no filename is specified, the key pair is likewise stored under the user's home directory with such filenames as id_dsa_1024_a and id_dsa_1024_a.pub.
When specifying file paths or other strings that contain spaces, enclose them in quotation marks ("").
The following options are available:
-1 file
Converts a key file from the SSH1 format to the SSH2 format.
Note: "1" is number one (not letter L).
-7 file
Extracts certificates from a PKCS #7 file.
-b bits
Specifies the length of the generated key in bits (default: 2048).
-B num
Specifies the number base for displaying key information (default: 10).
-c comment
Specifies a comment string for the generated key.
-D file
Derives the public key from the private key file.
-e file
Edits the specified key. Makes ssh-keygen-g3 interactive. You can change the key's passphrase or comment.
-F, --fingerprint file
Dumps the fingerprint of the given public key. By default, the fingerprint is given in the SSH Babble format, which makes the fingerprint look like a string of "real" words (making it easier to pronounce). The output format can be changed with the --fingerprint-type option.
The following options can also be used to modify the behaviour of this option: --fingerprint-type, --hash, --hostkeys-directory, --known-hosts, --rfc4716.
-F, --fingerprint <host id>
Dumps the fingerprint of the locally stored host key identified with the given <host id>. The <host id> is a host name or string "host#port".
The following options can be used to modify the behaviour of this option: --fingerprint-type, --hash, --hostkeys-directory, --known-hosts, --rfc4716.
-H, --hostkey
Stores the generated key pair in the default host key directory (/etc/ssh2 on Unix, "C:\Program Files\SSH Communications Security\SSH Tectia\Tectia Server" on Windows). Specify the -P option to store the private key with an empty passphrase.
-i file
Loads and displays information on the key file.
-k file
Converts a PKCS #12 file to an SSH2-format certificate and private key.
-p passphrase
Specifies the passphrase for the generated key.
-P
Specifies that the generated key will be saved with an empty passphrase.
Note: In FIPS mode, due to a FIPS regulation which forbids exporting unencrypted private keys out of the FIPS module, it is not possible to generate user keys without a passphrase.
-q, --quiet
Hides the progress indicator during key generation.
-r file
Adds entropy from file to the random pool. If file contains 'relatively random' data (i.e. data unpredictable by a potential attacker), the randomness of the pool is increased. Good randomness is essential for the security of the generated keys.
-t [ dsa | rsa ]
Selects the type of the key. Valid options are dsa (default) and rsa.
-x file
Converts a private key from the X.509 format to the SSH2 format.
--append [ =yes | no ]
Appends the keys. Optional values are yes and no. The default is yes to append.
--copy-host-id <host id> <destination>
Copies the host identity to the specified destination directory.
The following options can be used to modify the behaviour of this option: --append, --hostkeys-directory, --known-hosts, --overwrite.
If --hostkey-file is given, the file is treated as a normal host identity file used by the Connection Broker, and its contents will be copied to the destination directory.
--delete-host-id <host id>
Deletes the host key of the specified host id. The <host id> is a host name or string "host#port".
The following options can be used to modify the behaviour of this option: --host-key-file, --hostkeys-directory, --known-hosts.
--fingerprint-type [ =babble | babble-upper | pgp-2 | pgp-5 | hex | hex-upper ]
Specifies the output format of the fingerprint. If this option is given, the -F option and the key filename must precede it. The default format is babble.
See the section called “Examples” for examples of using this option.
--fips-mode
Generates the key using the FIPS mode for the cryptographic library. In the FIPS mode, only DSA keys of 1024 bits and RSA keys of at least 512 bits can be generated, and the keys must have non-empty passphrases. By default (if this option is not given), the key is generated using the standard mode for the cryptographic library.
--fips-crypto-dll-path PATH
Specifies the location of the FIPS cryptographic DLL.
--hash [ =md5 | sha1 ]
Specifies the digest algorithm for fingerprint generation. Valid options are md5 and sha1.
--hostkey-file file
When copying, uses the given file as the source host key, instead of autodetecting the location. When deleting, only deletes from the given location. If the specified file does not contain identities for the specified host, does nothing.
--hostkeys-directory directory
Specifies the directory for known host keys to be used instead of the default location.
--import-public-key infile outfile
Attempts to import a public key from infile and store it to outfile in SSH2 native format.
--import-private-key infile outfile
Attempts to import an unencrypted private key from infile and store it to outfile in SSH2 native private key format.
--import-ssh1-authorized-keys infile outfile
Imports an SSH1-style authorized_keys file infile, generates an SSH2-style authorization file outfile, and stores the keys from infile in generated files in the same directory as outfile.
--known-hosts file
Uses the specified known hosts file. Enables fetching fingerprints for hosts defined in an OpenSSH-style known-hosts file. Using this option overrides the default locations of known_hosts files (/etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts). Giving an empty string will disable known-hosts usage altogether.
--overwrite [ =yes | no ]
Overwrites files with the same filenames. The default is to overwrite.
--rfc4716
Displays the fingerprint in the format specified in RFC 4716. The digest algorithm (hash) is md5, and the output format is the 16-byte output in lowercase hex separated with colons (:).
--set-hostkey-owner-and-dacl file
On Windows, sets the correct owner and DACL (discretionary access control list) for the host key file. This option is used internally when a host key is generated during Tectia Server installation.
-V
Displays version string and exits.
-h, --help, -?
Displays a short summary of command-line options and exits.
Examples
Create a 1024-bit RSA key pair using the cryptographic library in the FIPS mode and store the key pair in the default user key directory with filenames newkey and newkey.pub:
$ ssh-keygen-g3 --fips-mode -t rsa -b 1024 newkey
Convert an SSH1 key oldkey to SSH2 format:
$ ssh-keygen-g3 -1 oldkey
Display the fingerprint of a server host public key in SSH babble (default) format:
$ ssh-keygen-g3 -F hostkey.pub
Fingerprint for key:
xeneh-fyvam-sotaf-gutuv-rahih-kipod-poten-byfam-hufeh-tydym-syxex
Display the fingerprint of a server host public key in hex format:
$ ssh-keygen-g3 -F hostkey.pub --fingerprint-type=hex
Fingerprint for key:
25533b8c7734f6eb1556ea2ab4900d854d5d088c
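The babble and hex outputs in the two fingerprint examples above encode the same 160-bit digest, which matters when a host key fingerprint published in one format has to be checked against a client prompt in the other. The following Python sketch is an added example, not part of the ssh-keygen-g3 documentation or tool. It assumes that "SSH Babble" is the Bubble Babble encoding, that the 40-digit hex output is SHA-1, and that the digest is taken over the decoded public key blob; the function names and the sample key file are constructed for illustration.

```python
import base64
import hashlib

VOWELS, CONSONANTS = "aeiouy", "bcdfghklmnprstvzx"

def babble(digest: bytes) -> str:
    """Bubble Babble encoding (assumed to be the page's 'babble' format)."""
    seed, out = 1, ["x"]
    rounds = len(digest) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(digest) % 2:
            b1 = digest[2 * i]
            out += [VOWELS[((b1 >> 6) + seed) % 6],
                    CONSONANTS[(b1 >> 2) & 15],
                    VOWELS[((b1 & 3) + seed // 6) % 6]]
            if i + 1 < rounds:
                b2 = digest[2 * i + 1]
                out += [CONSONANTS[b2 >> 4], "-", CONSONANTS[b2 & 15]]
                seed = (seed * 5 + b1 * 7 + b2) % 36  # running checksum
        else:  # even-length digest: last group carries only the checksum
            out += [VOWELS[seed % 6], "x", VOWELS[seed // 6]]
    return "".join(out) + "x"

def key_blob(ssh2_pub: str) -> bytes:
    """Decode the base64 body of an SSH2 (RFC 4716) public key file."""
    body, continued = [], False
    for line in (raw.strip() for raw in ssh2_pub.splitlines()):
        if not line or line.startswith("----"):
            continue
        if continued or ":" in line:  # header line, or its continuation
            continued = line.endswith("\\")
            continue
        body.append(line)
    return base64.b64decode("".join(body))

def fingerprints(blob: bytes) -> dict:
    """Hex and babble over SHA-1, plus the RFC 4716 colon-separated MD5."""
    sha1, md5 = hashlib.sha1(blob).digest(), hashlib.md5(blob).hexdigest()
    return {"hex": sha1.hex(), "babble": babble(sha1),
            "rfc4716": ":".join(md5[i:i + 2] for i in range(0, 32, 2))}

def same_digest(hex_fp: str, babble_fp: str) -> bool:
    """True if a hex and a babble fingerprint encode the same digest."""
    return babble(bytes.fromhex(hex_fp)) == babble_fp.strip().lower()

# Constructed sample key file: placeholder bytes, not a real key.
SAMPLE = ("---- BEGIN SSH2 PUBLIC KEY ----\nComment: \"constructed example\"\n"
          + base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + bytes(range(64))).decode()
          + "\n---- END SSH2 PUBLIC KEY ----\n")
```

Calling same_digest() with the hex and babble strings from the examples above returns True, and fingerprints(key_blob(SAMPLE)) gives all three renderings for the constructed key file.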