ssh-keygen parameter reference

Source: Internet
Author: User
Tags: modulus

ssh-keygen - generate, manage, and convert authentication keys

ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment] [-f output_keyfile]
ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
ssh-keygen -i [-f input_keyfile]
ssh-keygen -e [-f input_keyfile]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
ssh-keygen -l [-f input_keyfile]
ssh-keygen -B [-f input_keyfile]
ssh-keygen -D reader
ssh-keygen -F hostname [-f known_hosts_file]
ssh-keygen -H [-f known_hosts_file]
ssh-keygen -R hostname [-f known_hosts_file]
ssh-keygen -U reader [-f input_keyfile]
ssh-keygen -r hostname [-f input_keyfile] [-g]
ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
ssh-keygen -T output_file -f input_file [-v] [-a num_trials] [-W generator]

ssh-keygen generates, manages and converts authentication keys for ssh. It can create both RSA and DSA keys.

The type of key to be generated is specified with the -t option. If no type is given, an SSH-2 RSA key is generated by default.

ssh-keygen is also used to generate the prime moduli used in Diffie-Hellman Group Exchange (DH-GEX).

Normally each user wishing to use RSA or DSA authentication runs this program once to create the authentication key in ~/.ssh/identity, ~/.ssh/id_dsa or ~/.ssh/id_rsa. The system administrator may additionally use it to generate host keys.

Normally this program generates a key pair and asks for a file in which to store the private key. The public key is stored in a file with the same name but with ".pub" appended.

The program also asks for a passphrase. The passphrase may be empty to indicate no passphrase (host keys must have an empty passphrase).

A passphrase is similar to a password, except that it can be a phrase made of a series of words, punctuation, numbers, whitespace or any string of characters you want. A good passphrase is more than 30 characters long, is not a simple sentence or otherwise easily guessable, and mixes upper- and lowercase letters, numbers and non-alphanumeric characters. The passphrase can be changed later with the -p option.

There is no way to recover a lost passphrase. If the passphrase is lost or forgotten, a new key must be generated and the corresponding public key copied to the other machines.

For RSA1 keys there is also a comment field in the key file that exists only for the user's convenience, to help identify the key. The comment can say what the key is for, or whatever else is useful. The comment is initialized to "user@host" when the key is created, but can be changed later with the -c option.

After a key is generated, the FILES section below details where the keys should be placed to be activated. The options are as follows:

-a trials
Specifies the number of primality tests to perform when screening DH-GEX candidates with the -T option.

-B
Show the bubblebabble digest of the specified private or public key file.

-b bits
Specifies the number of bits in the key to create. For RSA keys, the minimum size is 768 bits and the default is 2048 bits. DSA keys must be exactly 1024 bits, as specified by FIPS 186-2.

-C comment
Provides a new comment.

-c
Requests changing the comment in the private and public key files. This operation is only supported for RSA1 keys. The program will prompt for the file containing the private keys, for the passphrase if the key has one, and for the new comment.

-D reader
Download the RSA public key stored in the smartcard in reader.

-e
Reads a private or public OpenSSH key file and prints the key to stdout in the RFC 4716 SSH Public Key File Format. This option allows exporting keys for use by several commercial SSH implementations.

-F hostname
Searches for the specified hostname in a known_hosts file, listing any occurrences found. This option is useful for finding hashed host names or addresses, and may also be used together with the -H option to print the found keys in hashed format.

-f filename
Specifies the filename of the key file.

-G output_file
Generates candidate primes for DH-GEX. These primes must be screened for safety with the -T option before use.

-g
Use generic DNS format when printing fingerprint resource records with the -r option.

-H
Hashes a known_hosts file. This replaces all hostnames and addresses in the specified file with hashed representations; the original contents are moved to a file with a ".old" suffix. These hashes are used normally by ssh and sshd, but they do not reveal identifying information if the file's contents are disclosed. This option does not modify hostnames or addresses that are already hashed, so it is safe to use on files that mix hashed and non-hashed names.

-i
Reads an unencrypted private (or public) key file in SSH2-compatible format and prints an OpenSSH-compatible private (or public) key to stdout. This option allows importing keys from several commercial SSH implementations.

-l
Shows the fingerprint of the specified public key file. Private RSA1 keys are also supported. For RSA and DSA keys, ssh-keygen tries to find the matching public key file and prints its fingerprint.

-M memory
Specifies the amount of memory to use (in megabytes) when generating candidate moduli for DH-GEX.

-N new_passphrase
Provides the new passphrase.

-P passphrase
Provides the (old) passphrase.

-p
Requests changing the passphrase of a private key file instead of creating a new private key. The program will prompt for the file containing the private key, for the old passphrase, and twice for the new passphrase.

-q
Quiet mode. Used by /etc/rc when creating a new key.

-R hostname
Removes all keys belonging to hostname from a known_hosts file. This option is useful for deleting hashed hosts (see the -H option above).

-r hostname
Prints the SSHFP fingerprint resource record named hostname for the specified public key file.

-S start
Specifies the start point (in hexadecimal) when generating candidate moduli for DH-GEX.

-T output_file
Tests Diffie-Hellman Group Exchange candidate primes (generated with the -G option) for safety.

-t type
Specifies the type of key to create. The possible values are "rsa1" (SSH-1), "rsa" (SSH-2) and "dsa" (SSH-2).

-U reader
Uploads an existing RSA private key into the smartcard in reader.

-v
Verbose mode. Causes ssh-keygen to print debugging messages about its progress. This is helpful when debugging moduli generation. Multiple -v options increase the verbosity, up to a maximum of 3.

-W generator
Specifies the desired generator when testing candidate moduli for DH-GEX.

-y
Reads a private OpenSSH-format key file and prints the corresponding OpenSSH public key to stdout.
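The key-management options above (-t/-b/-N/-C for creation, -l, -e/-i, -p, -y, and -H/-F/-R on a known_hosts file), exercised end to end as an added, non-interactive example; this script is not part of the page or of OpenSSH. The host name "example.test", the comment "demo@example.test" and both passphrases are constructed values for the demo, and the generated public key stands in for a host key in the constructed known_hosts file.

```shell
#!/bin/sh
# Added example, not from the man page above: the key-management options
# exercised end to end, non-interactively, in a scratch directory.
# Assumed/constructed values: the host name "example.test", the comment
# "demo@example.test" and both passphrases exist only for this demo.

# Create a key pair: -t type, -b bits (OpenSSH 8.0 and later default RSA
# to 3072), -f private key file (the public key lands in the same name
# plus ".pub"), -N passphrase (non-empty, so the private key is encrypted
# on disk), -C comment, -q quiet.
make_keypair() {
    dir=$1; pass=$2
    ssh-keygen -q -t rsa -b 3072 -f "$dir/id_rsa" -N "$pass" -C "demo@example.test"
}

# Export the public key in RFC 4716 format (-e) and import it back (-i);
# prints "ok" when the base64 key blob survives the round trip unchanged.
roundtrip_rfc4716() {
    pub=$1
    ssh-keygen -e -f "$pub" > "$pub.rfc4716" || return 1
    orig=$(cut -d' ' -f2 "$pub")
    back=$(ssh-keygen -i -f "$pub.rfc4716" | cut -d' ' -f2)
    [ "$orig" = "$back" ] && echo ok
}

# Change the passphrase in place (-p) without regenerating the key, then
# prove the new one unlocks it (-y) and the old one no longer does.
rotate_passphrase() {
    key=$1; old=$2; new=$3
    ssh-keygen -p -P "$old" -N "$new" -f "$key" > /dev/null || return 1
    ssh-keygen -y -P "$new" -f "$key" > /dev/null || return 1
    if ssh-keygen -y -P "$old" -f "$key" > /dev/null 2>&1; then
        return 1    # the old passphrase must not work any more
    fi
}

# Build a one-line known_hosts file (constructed host name, our own public
# key standing in for a host key), hash it (-H), look the host up (-F) and
# delete it (-R): -F and -R keep working on the hashed entries.
known_hosts_demo() {
    dir=$1; kh=$dir/known_hosts
    printf 'example.test %s\n' "$(cut -d' ' -f1,2 "$dir/id_rsa.pub")" > "$kh"
    ssh-keygen -H -f "$kh" > /dev/null || return 1   # plain copy kept as known_hosts.old
    grep -q '^|1|' "$kh" || return 1                  # hashed entries start with |1|
    ssh-keygen -F example.test -f "$kh" | grep -q found || return 1
    ssh-keygen -R example.test -f "$kh" > /dev/null 2>&1 || return 1
    if ssh-keygen -F example.test -f "$kh" | grep -q found; then
        return 1    # -R must have removed the hashed entry
    fi
    echo ok
}

# Runs every step; returns 0 (and prints the fingerprint) on success.
demo_key_lifecycle() {
    command -v ssh-keygen > /dev/null 2>&1 || { echo "ssh-keygen not installed; skipping"; return 0; }
    dir=$(mktemp -d) || return 1
    make_keypair "$dir" "first passphrase (constructed)" || return 1
    ssh-keygen -l -f "$dir/id_rsa.pub" || return 1    # fingerprint, length, comment, type
    [ "$(roundtrip_rfc4716 "$dir/id_rsa.pub")" = ok ] || return 1
    rotate_passphrase "$dir/id_rsa" "first passphrase (constructed)" "second passphrase (constructed)" || return 1
    [ "$(known_hosts_demo "$dir")" = ok ] || return 1
    rm -rf "$dir"
    echo "lifecycle ok"
}

demo_key_lifecycle
```

Every prompt the text mentions (-N, -P, -C) is supplied on the command line so the script can run unattended; the -y step with the old passphrase is there to confirm that -p really replaced the encryption of the private key rather than adding a second passphrase.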



ssh-keygen can generate groups for the Diffie-Hellman Group Exchange (DH-GEX) protocol.

Generating these groups is a two-step process: first, candidate primes are generated using a fast but memory-intensive process; these candidate primes are then tested for suitability, which is CPU-intensive.

Candidate primes are generated with the -G option, and the desired length of the primes is given with the -b option. For example:

# ssh-keygen -G moduli-2048.candidates -b 2048

By default, the search for primes begins at a random point in the desired length range. This may be overridden with the -S option, which specifies a different start point (in hexadecimal).

Once a set of candidates has been generated, they must be tested for suitability with the -T option. In this mode ssh-keygen reads the candidates from standard input (or from a file specified with the -f option). For example:

# ssh-keygen -T moduli-2048 -f moduli-2048.candidates

By default, each candidate is subjected to 100 primality tests; this may be changed with the -a option.

The DH generator value is chosen automatically for the prime under consideration. If a specific generator is desired, it may be requested with the -W option. Valid generator values are 2, 3 and 5.

Screened DH groups may be installed in /etc/ssh/moduli. It is important that this file contains moduli of a range of bit lengths, and that both ends of a connection share common moduli.
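The two-step generation above wrapped as a function, plus an audit of a moduli file of the kind installed in /etc/ssh/moduli, as an added example that is not part of the page or of OpenSSH. Because sieving and testing 2048-bit candidates takes a long time, generate_moduli is only defined for running by hand; the demo that actually runs works on a constructed sample file whose hex moduli are placeholders, not real safe primes. The field layout assumed for the file is the seven-column one used by OpenSSH's moduli file (time, type, tests, tries, size, generator, modulus).

```shell
#!/bin/sh
# Added example, not from the man page: the two-step DH-GEX group
# generation wrapped as a function (for running by hand, since sieving
# and testing 2048-bit candidates takes a long time), plus a pure-shell
# audit of a moduli file. The sample moduli below are constructed for
# this demo; their hex values are placeholders, not real safe primes.

# Step 1 (-G) sieves candidate primes of the requested size (-b bits);
# step 2 (-T) runs the primality trials (-a, 100 being the default
# described above) and writes only the candidates that pass.
generate_moduli() {
    bits=$1; out=$2
    ssh-keygen -G "$out.candidates" -b "$bits" || return 1
    ssh-keygen -T "$out" -f "$out.candidates" -a 100 || return 1
    rm -f "$out.candidates"
}

# A moduli line carries seven fields: time, type, tests, tries, size,
# generator, modulus (hex). Type 2 is a safe prime; a tests value of 6
# means the sieve (0x02) and Miller-Rabin (0x04) stages both passed.
# The size field is the bit length minus one (2047 for a 2048-bit group).
write_sample_moduli() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus   (constructed sample file)
20200101000000 2 6 100 1023 2 D00000000000000000000000000000000000000001
20200101000000 2 6 100 2047 2 D00000000000000000000000000000000000000002
20200101000000 2 6 100 3071 2 D00000000000000000000000000000000000000003
20200101000000 2 6 100 4095 5 D00000000000000000000000000000000000000004
20200101000000 2 2 100 4095 2 D00000000000000000000000000000000000000005
EOF
}

# Keep only fully tested safe primes (type 2, tests 6) of at least
# MIN_BITS, dropping short groups as current hardening guidance advises.
prune_moduli() {
    min_bits=$1; in=$2; out=$3
    awk -v min="$min_bits" '/^#/ { next } $2 == 2 && $3 == 6 && $5 >= min - 1' "$in" > "$out"
}

# Number of distinct sizes left: the file must still offer several
# lengths so that both ends of a connection can find a common modulus.
distinct_sizes() {
    awk '/^#/ { next } { print $5 }' "$1" | sort -u | wc -l | tr -d ' '
}

# Prints "<lines kept> <distinct sizes>"; for the sample above this is
# "3 3": the 1023-bit group and the partially tested line are dropped.
prune_moduli_demo() {
    dir=$(mktemp -d) || return 1
    write_sample_moduli "$dir/moduli"
    prune_moduli 2048 "$dir/moduli" "$dir/moduli.pruned" || return 1
    kept=$(grep -vc '^#' "$dir/moduli.pruned")
    sizes=$(distinct_sizes "$dir/moduli.pruned")
    rm -rf "$dir"
    echo "$kept $sizes"
}

prune_moduli_demo
```

Run prune_moduli against a copy of /etc/ssh/moduli before replacing the live file, and check distinct_sizes on the result: a file that keeps only one length still satisfies sshd but defeats the "range of bit lengths" requirement stated above.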

~/.ssh/identity

Contains the user's default RSA1 authentication private key (SSH-1). This file should not be readable by anyone but the user; its permissions should be no more permissive than 600.

A passphrase may be specified when the key is generated; that passphrase is used to encrypt the private part of this file with 3DES.

ssh reads this file when a login attempt is made.

~/.ssh/identity.pub

Contains the user's default RSA1 authentication public key (SSH-1). There is no need to keep the contents of this file secret.

The contents of this file should be added to ~/.ssh/authorized_keys on all machines where the user wishes to log in using RSA1 authentication.

~/.ssh/id_dsa

Contains the user's default DSA authentication private key (SSH-2). This file should not be readable by anyone but the user; its permissions should be no more permissive than 600.

A passphrase may be specified when the key is generated; that passphrase is used to encrypt the private part of this file with 3DES.

ssh reads this file when a login attempt is made.

~/.ssh/id_dsa.pub

Contains the user's default DSA authentication public key (SSH-2). There is no need to keep the contents of this file secret.

The contents of this file should be added to ~/.ssh/authorized_keys on all machines where the user wishes to log in using DSA authentication.

~/.ssh/id_rsa

Contains the user's default RSA authentication private key (SSH-2). This file should not be readable by anyone but the user; its permissions should be no more permissive than 600.

A passphrase may be specified when the key is generated; that passphrase is used to encrypt the private part of this file with 3DES.

ssh reads this file when a login attempt is made.

~/.ssh/id_rsa.pub

Contains the user's default RSA authentication public key (SSH-2). There is no need to keep the contents of this file secret.

The contents of this file should be added to ~/.ssh/authorized_keys on all machines where the user wishes to log in using RSA authentication.

/etc/ssh/moduli

Contains the Diffie-Hellman groups used for DH-GEX. The format of the file is
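Two checks a practitioner would run on the user key files listed above, as an added example that is not part of the page or of OpenSSH: a permission test enforcing the "no more permissive than 600" rule for private keys, and an idempotent install of a .pub line into authorized_keys. The public key line used in the demo is constructed and its base64 blob is a placeholder, not a real key; the reference to sshd's StrictModes option in the comments is background, not something the page states.

```shell
#!/bin/sh
# Added example, not from the man page: checks that the private key files
# listed above are no more permissive than mode 600, and installs a public
# key into authorized_keys without duplicating it. The public key line used
# below is constructed; its base64 blob is a placeholder, not a real key.

# Returns 0 when FILE has no group/other permission bits (0600 or tighter),
# 1 otherwise. Ownership should also be the user's: sshd's StrictModes
# setting rejects key directories and files that others can write to.
private_key_mode_ok() {
    mode=$(ls -ld "$1" | cut -c2-10) || return 1
    case "$mode" in
        r?-------) return 0 ;;
        *)         return 1 ;;
    esac
}

# Append the line in PUBKEY_FILE to AUTH_FILE unless its key blob is already
# there, enforce mode 600, and print how many copies exist (should be 1).
install_pubkey() {
    pub=$1; auth=$2
    blob=$(cut -d' ' -f2 "$pub") || return 1
    [ -n "$blob" ] || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    grep -qF -- "$blob" "$auth" || cat "$pub" >> "$auth" || return 1
    grep -cF -- "$blob" "$auth"
}

# Prints "<id_rsa ok> <id_dsa flagged> <copies in authorized_keys>";
# expected "1 1 1".
key_files_demo() {
    dir=$(mktemp -d) || return 1
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholderblob demo@example.test' > "$dir/id_rsa.pub"
    : > "$dir/id_rsa"; chmod 600 "$dir/id_rsa"
    : > "$dir/id_dsa"; chmod 644 "$dir/id_dsa"    # the mistake the text warns against
    ok=0; flagged=0
    private_key_mode_ok "$dir/id_rsa" && ok=1
    private_key_mode_ok "$dir/id_dsa" || flagged=1
    install_pubkey "$dir/id_rsa.pub" "$dir/authorized_keys" > /dev/null || return 1
    copies=$(install_pubkey "$dir/id_rsa.pub" "$dir/authorized_keys") || return 1
    rm -rf "$dir"
    echo "$ok $flagged $copies"
}

key_files_demo
```

The duplicate check keys on the base64 blob rather than the whole line, so re-running the install after the comment field has been changed with -c still adds nothing.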

