ssh-keygen - authentication key generation
ssh-keygen [-q] [-t type] [-b bits ] [-N new_passphrase] [-C
comment] [-f output_keyfile]
ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f
ssh-keygen -x [-f input_keyfile]
ssh-keygen -X [-f input_keyfile]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
ssh-keygen -l [-f input_keyfile]
The ssh-keygen utility generates and manages authentication
keys for ssh(1). ssh-keygen defaults to generating an RSA
key for use by protocol 2.0.
Each user wishing to use SSH with RSA or DSA authentication
normally runs this once to create the authentication key in
$HOME/.ssh/identity or $HOME/.ssh/id_dsa. The system
administrator may also use this to generate host keys.
Ordinarily, this program generates the key and asks for a
file in which to store the private key. The public key is
stored in a file with the same name but with the ``.pub''
extension appended. The program also asks for a passphrase.
The passphrase may be empty to indicate no passphrase (host
keys must have empty passphrases), or it may be a string of
arbitrary length. Good passphrases are 10-30 characters long
and are not simple sentences or otherwise easy to guess.
(English prose has only 1-2 bits of entropy per word, and
provides very poor passphrases.) The passphrase can be
changed later by using the -p option.
There is no way to recover a lost passphrase. If the
passphrase is lost or forgotten, you will have to generate a
new key and copy the corresponding public key to other
For RSA, there is also a comment field in the key file that
is only for convenience to the user to help identify the
key. The comment can tell what the key is for, or whatever
is useful. The comment is initialized to ``user@host'' when
the key is created, but can be changed using the -c option.
After a key is generated, instructions below detail where to
place the keys to activate them.
The following options are supported:
Specifies the number of bits in the key to create. The
minimum number is 512 bits. Generally, 1024 bits is
considered sufficient. Key sizes above that no longer
improve security but make things slower. The default
is 1024 bits.
-c Requests changing the comment in the private and pub-
lic key files. The program will prompt for the file
containing the private keys, for the passphrase if the
key has one, and for the new comment.
Provides the new comment.
-f Specifies the filename of the key file.
-l Shows the fingerprint of the specified private or pub-
lic key file.
Provides the new passphrase.
-p Requests changing the passphrase of a private key file
instead of creating a new private key. The program
will prompt for the file containing the private key,
for the old passphrase, and will prompt twice for the
Provides the (old) passphrase.
-q Silences ssh-keygen. Used by /etc/rc when creating a
Specifies the algorithm used for the key, where type
is one of rsa, dsa, and rsa1. Type rsa1 is used only
for the SSHv1 protocol.
-x Reads a private OpenSSH DSA format file and prints an
SSH2-compatible public key to stdout.
-X Reads an unencrypted SSH2-compatible private (or pub-
lic) key file and prints an OpenSSH compatible private
(or public) key to stdout.
-y Reads a private OpenSSH DSA format file and prints an
OpenSSH DSA public key to stdout.
The following exit values are returned:
0 Successful completion.
1 An error occurred.
This file contains the RSA private key for the SSHv1
protocol. This file should not be readable by anyone
but the user. It is possible to specify a passphrase
when generating the key; that passphrase will be used
to encrypt the private part of this file using 3DES.
This file is not automatically accessed by ssh-keygen,
but it is offered as the default file for the private
key. sshd(1M) will read this file when a login attempt
This file contains the RSA public key for the SSHv1
protocol. The contents of this file should be added to
$HOME/.ssh/authorized_keys on all machines where you
wish to log in using RSA authentication. There is no
need to keep the contents of this file secret.
These files contain, respectively, the DSA or RSA
private key for the SSHv2 protocol. These files should
not be readable by anyone but the user. It is possible
to specify a passphrase when generating the key; that
passphrase will be used to encrypt the private part of
the file using 3DES. Neither of these files is
automatically accessed by ssh-keygen but is offered as
the default file for the private key. sshd(1M) will
read this file when a login attempt is made.
These files contain, respectively, the DSA or RSA pub-
lic key for the SSHv2 protocol. The contents of these
files should be added, respectively, to
$HOME/.ssh/authorized_keys on all machines where you
wish to log in using DSA or RSA authentication. There
is no need to keep the contents of these files secret.
See attributes(5) for descriptions of the following attri-
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
| Availability | SUNWsshcu |
ssh(1), ssh-add(1), ssh-agent(1), sshd(1M), attributes(5)
To view license terms, attribution, and copyright for
OpenSSH, the default path is
/var/sadm/pkg/SUNWsshdr/install/copyright. If the Solaris
operating environment has been installed anywhere other than
the default, modify the given path to access the file at the
Man(1) output converted with