# SOME DESCRIPTIVE TITLE
# Copyright (C) YEAR Free Software Foundation, Inc.
# This file is distributed under the same license as the PACKAGE package.
# FIRST AUTHOR , YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2024-03-01 17:09+0100\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME \n"
"Language-Team: LANGUAGE \n"
"Language: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. type: Dd
#: archlinux debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "$Mdocdate: September 4 2023 $"
msgstr ""

#. type: Dt
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "SSH-KEYGEN 1"
msgstr ""

#. type: Sh
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "NAME"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid "E<.Nm ssh-keygen>"
msgstr ""

#. type: Nd
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "OpenSSH authentication key utility"
msgstr ""

#. type: Sh
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "SYNOPSIS"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"E<.Nm ssh-keygen> E<.Op Fl q> E<.Op Fl a Ar rounds> E<.Op Fl b Ar bits> E<."
"Op Fl C Ar comment> E<.Op Fl f Ar output_keyfile> E<.Op Fl m Ar format> E<."
"Op Fl N Ar new_passphrase> E<.Op Fl O Ar option> E<.Op Fl t Cm dsa | ecdsa | "
"ecdsa-sk | ed25519 | ed25519-sk | rsa> E<.Op Fl w Ar provider> E<.Op Fl Z Ar "
"cipher> E<.Nm ssh-keygen> E<.Fl p> E<.Op Fl a Ar rounds> E<.Op Fl f Ar "
"keyfile> E<.Op Fl m Ar format> E<.Op Fl N Ar new_passphrase> E<.Op Fl P Ar "
"old_passphrase> E<.Op Fl Z Ar cipher> E<.Nm ssh-keygen> E<.Fl i> E<.Op Fl f "
"Ar input_keyfile> E<.Op Fl m Ar key_format> E<.Nm ssh-keygen> E<.Fl e> E<.Op "
"Fl f Ar input_keyfile> E<.Op Fl m Ar key_format> E<.Nm ssh-keygen> E<.Fl y> "
"E<.Op Fl f Ar input_keyfile> E<.Nm ssh-keygen> E<.Fl c> E<.Op Fl a Ar "
"rounds> E<.Op Fl C Ar comment> E<.Op Fl f Ar keyfile> E<.Op Fl P Ar "
"passphrase> E<.Nm ssh-keygen> E<.Fl l> E<.Op Fl v> E<.Op Fl E Ar "
"fingerprint_hash> E<.Op Fl f Ar input_keyfile> E<.Nm ssh-keygen> E<.Fl B> E<."
"Op Fl f Ar input_keyfile> E<.Nm ssh-keygen> E<.Fl D Ar pkcs11> E<.Nm ssh-"
"keygen> E<.Fl F Ar hostname> E<.Op Fl lv> E<.Op Fl f Ar known_hosts_file> E<."
"Nm ssh-keygen> E<.Fl H> E<.Op Fl f Ar known_hosts_file> E<.Nm ssh-keygen> E<."
"Fl K> E<.Op Fl a Ar rounds> E<.Op Fl w Ar provider> E<.Nm ssh-keygen> E<.Fl "
"R Ar hostname> E<.Op Fl f Ar known_hosts_file> E<.Nm ssh-keygen> E<.Fl r Ar "
"hostname> E<.Op Fl g> E<.Op Fl f Ar input_keyfile> E<.Nm ssh-keygen> E<.Fl M "
"Cm generate> E<.Op Fl O Ar option> E<.Ar output_file> E<.Nm ssh-keygen> E<."
"Fl M Cm screen> E<.Op Fl f Ar input_file> E<.Op Fl O Ar option> E<.Ar "
"output_file> E<.Nm ssh-keygen> E<.Fl I Ar certificate_identity> E<.Fl s Ar "
"ca_key> E<.Op Fl hU> E<.Op Fl D Ar pkcs11_provider> E<.Op Fl n Ar "
"principals> E<.Op Fl O Ar option> E<.Op Fl V Ar validity_interval> E<.Op Fl "
"z Ar serial_number> E<.Ar> E<.Nm ssh-keygen> E<.Fl L> E<.Op Fl f Ar "
"input_keyfile> E<.Nm ssh-keygen> E<.Fl A> E<.Op Fl a Ar rounds> E<.Op Fl f "
"Ar prefix_path> E<.Nm ssh-keygen> E<.Fl k> E<.Fl f Ar krl_file> E<.Op Fl u> "
"E<.Op Fl s Ar ca_public> E<.Op Fl z Ar version_number> E<.Ar> E<.Nm ssh-"
"keygen> E<.Fl Q> E<.Op Fl l> E<.Fl f Ar krl_file> E<.Ar> E<.Nm ssh-keygen> "
"E<.Fl Y Cm find-principals> E<.Op Fl O Ar option> E<.Fl s Ar signature_file> "
"E<.Fl f Ar allowed_signers_file> E<.Nm ssh-keygen> E<.Fl Y Cm match-"
"principals> E<.Fl I Ar signer_identity> E<.Fl f Ar allowed_signers_file> E<."
"Nm ssh-keygen> E<.Fl Y Cm check-novalidate> E<.Op Fl O Ar option> E<.Fl n Ar "
"namespace> E<.Fl s Ar signature_file> E<.Nm ssh-keygen> E<.Fl Y Cm sign> E<."
"Op Fl O Ar option> E<.Fl f Ar key_file> E<.Fl n Ar namespace> E<.Ar> E<.Nm "
"ssh-keygen> E<.Fl Y Cm verify> E<.Op Fl O Ar option> E<.Fl f Ar "
"allowed_signers_file> E<.Fl I Ar signer_identity> E<.Fl n Ar namespace> E<."
"Fl s Ar signature_file> E<.Op Fl r Ar revocation_file>"
msgstr ""

#. type: Sh
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "DESCRIPTION"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"E<.Nm> generates, manages and converts authentication keys for E<.Xr ssh "
"1>. E<.Nm> can create keys for use by SSH protocol version 2."
msgstr ""

#. type: Plain text
#: archlinux debian-unstable opensuse-tumbleweed
msgid ""
"The type of key to be generated is specified with the E<.Fl t> option. If "
"invoked without any arguments, E<.Nm> will generate an Ed25519 key."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"E<.Nm> is also used to generate groups for use in Diffie-Hellman group "
"exchange (DH-GEX). See the E<.Sx MODULI GENERATION> section for details."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Finally, E<.Nm> can be used to generate and update Key Revocation Lists, and "
"to test whether given keys have been revoked by one. See the E<.Sx KEY "
"REVOCATION LISTS> section for details."
msgstr ""

#. type: Plain text
#: archlinux opensuse-leap-15-6 opensuse-tumbleweed
msgid ""
"Normally each user wishing to use SSH with public key authentication runs "
"this once to create the authentication key in E<.Pa ~/.ssh/id_dsa>, E<.Pa ~/."
"ssh/id_ecdsa>, E<.Pa ~/.ssh/id_ecdsa_sk>, E<.Pa ~/.ssh/id_ed25519>, E<.Pa ~/."
"ssh/id_ed25519_sk> or E<.Pa ~/.ssh/id_rsa>. Additionally, the system "
"administrator may use this to generate host keys, as seen in E<.Pa /etc/rc>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Normally this program generates the key and asks for a file in which to "
"store the private key. The public key is stored in a file with the same "
"name but E<.Dq .pub> appended. The program also asks for a passphrase. The "
"passphrase may be empty to indicate no passphrase (host keys must have an "
"empty passphrase), or it may be a string of arbitrary length. A passphrase "
"is similar to a password, except it can be a phrase with a series of words, "
"punctuation, numbers, whitespace, or any string of characters you want. "
"Good passphrases are 10-30 characters long, are not simple sentences or "
"otherwise easily guessable (English prose has only 1-2 bits of entropy per "
"character, and provides very bad passphrases), and contain a mix of upper "
"and lowercase letters, numbers, and non-alphanumeric characters. The "
"passphrase can be changed later by using the E<.Fl p> option."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"There is no way to recover a lost passphrase. If the passphrase is lost or "
"forgotten, a new key must be generated and the corresponding public key "
"copied to other machines."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"E<.Nm> will by default write keys in an OpenSSH-specific format. This "
"format is preferred as it offers better protection for keys at rest as well "
"as allowing storage of key comments within the private key file itself. The "
"key comment may be useful to help identify the key. The comment is "
"initialized to E<.Dq user@host> when the key is created, but can be changed "
"using the E<.Fl c> option."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"It is still possible for E<.Nm> to write the previously-used PEM format "
"private keys using the E<.Fl m> flag. This may be used when generating new "
"keys, and existing new-format keys may be converted using this option in "
"conjunction with the E<.Fl p> (change passphrase) flag."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"After a key is generated, E<.Nm> will ask where the keys should be placed to "
"be activated."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid "The options are as follows:"
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl A"
msgstr ""

#. type: Plain text
#: archlinux opensuse-tumbleweed
msgid ""
"Generate host keys of all default key types (rsa, ecdsa, and ed25519) if "
"they do not already exist. The host keys are generated with the default key "
"file path, an empty passphrase, default bits for the key type, and default "
"comment. If E<.Fl f> has also been specified, its argument is used as a "
"prefix to the default path for the resulting host key files. This is used "
"by E<.Pa /etc/rc> to generate new host keys."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl a Ar rounds"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"When saving a private key, this option specifies the number of KDF (key "
"derivation function, currently E<.Xr bcrypt_pbkdf 3>) rounds used. Higher "
"numbers result in slower passphrase verification and increased resistance to "
"brute-force password cracking (should the keys be stolen). The default is "
"16 rounds."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl B"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid "Show the bubblebabble digest of specified private or public key file."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl b Ar bits"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Specifies the number of bits in the key to create. For RSA keys, the "
"minimum size is 1024 bits and the default is 3072 bits. Generally, 3072 "
"bits is considered sufficient. DSA keys must be exactly 1024 bits as "
"specified by FIPS 186-2. For ECDSA keys, the E<.Fl b> flag determines the "
"key length by selecting from one of three elliptic curve sizes: 256, 384 or "
"521 bits. Attempting to use bit lengths other than these three values for "
"ECDSA keys will fail. ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed "
"length and the E<.Fl b> flag will be ignored."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl C Ar comment"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid "Provides a new comment."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl c"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Requests changing the comment in the private and public key files. The "
"program will prompt for the file containing the private keys, for the "
"passphrase if the key has one, and for the new comment."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl D Ar pkcs11"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Download the public keys provided by the PKCS#11 shared library E<.Ar "
"pkcs11>. When used in combination with E<.Fl s>, this option indicates that "
"a CA key resides in a PKCS#11 token (see the E<.Sx CERTIFICATES> section for "
"details)."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl E Ar fingerprint_hash"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Specifies the hash algorithm used when displaying key fingerprints. Valid "
"options are: E<.Dq md5> and E<.Dq sha256>. The default is E<.Dq sha256>."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl e"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"This option will read a private or public OpenSSH key file and print to "
"stdout a public key in one of the formats specified by the E<.Fl m> option. "
"The default export format is E<.Dq RFC4716>. This option allows exporting "
"OpenSSH keys for use by other programs, including several commercial SSH "
"implementations."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl F Ar hostname | [hostname]:port"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Search for the specified E<.Ar hostname> (with optional port number) in a "
"E<.Pa known_hosts> file, listing any occurrences found. This option is "
"useful to find hashed host names or addresses and may also be used in "
"conjunction with the E<.Fl H> option to print found keys in a hashed format."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl f Ar filename"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid "Specifies the filename of the key file."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl g"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Use generic DNS format when printing fingerprint resource records using the "
"E<.Fl r> command."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl H"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Hash a E<.Pa known_hosts> file. This replaces all hostnames and addresses "
"with hashed representations within the specified file; the original content "
"is moved to a file with a .old suffix. These hashes may be used normally by "
"E<.Nm ssh> and E<.Nm sshd>, but they do not reveal identifying information "
"should the file's contents be disclosed. This option will not modify "
"existing hashed hostnames and is therefore safe to use on files that mix "
"hashed and non-hashed names."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl h"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"When signing a key, create a host certificate instead of a user "
"certificate. See the E<.Sx CERTIFICATES> section for details."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl I Ar certificate_identity"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"Specify the key identity when signing a public key. See the E<.Sx "
"CERTIFICATES> section for details."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl i"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"This option will read an unencrypted private (or public) key file in the "
"format specified by the E<.Fl m> option and print an OpenSSH compatible "
"private (or public) key to stdout. This option allows importing keys from "
"other software, including several commercial SSH implementations. The "
"default import format is E<.Dq RFC4716>."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl K"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"Download resident keys from a FIDO authenticator. Public and private key "
"files will be written to the current directory for each downloaded key. If "
"multiple FIDO authenticators are attached, keys will be downloaded from the "
"first touched authenticator. See the E<.Sx FIDO AUTHENTICATOR> section for "
"more information."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl k"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Generate a KRL file. In this mode, E<.Nm> will generate a KRL file at the "
"location specified via the E<.Fl f> flag that revokes every key or "
"certificate presented on the command line. Keys/certificates to be revoked "
"may be specified by public key file or using the format described in the E<."
"Sx KEY REVOCATION LISTS> section."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl L"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid "Prints the contents of one or more certificates."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl l"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Show fingerprint of specified public key file. For RSA and DSA keys E<.Nm> "
"tries to find the matching public key file and prints its fingerprint. If "
"combined with E<.Fl v>, a visual ASCII art representation of the key is "
"supplied with the fingerprint."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl M Cm generate"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Generate candidate Diffie-Hellman Group Exchange (DH-GEX) parameters for "
"eventual use by the E<.Sq diffie-hellman-group-exchange-*> key exchange "
"methods. The numbers generated by this operation must be further screened "
"before use. See the E<.Sx MODULI GENERATION> section for more information."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl M Cm screen"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Screen candidate parameters for Diffie-Hellman Group Exchange. This will "
"accept a list of candidate numbers and test that they are safe (Sophie "
"Germain) primes with acceptable group generators. The results of this "
"operation may be added to the E<.Pa /etc/ssh/moduli> file. See the E<.Sx "
"MODULI GENERATION> section for more information."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl m Ar key_format"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Specify a key format for key generation, the E<.Fl i> (import), E<.Fl e> "
"(export) conversion options, and the E<.Fl p> change passphrase operation. "
"The latter may be used to convert between OpenSSH private key and PEM "
"private key formats. The supported key formats are: E<.Dq RFC4716> (RFC "
"4716/SSH2 public or private key), E<.Dq PKCS8> (PKCS8 public or private "
"key) or E<.Dq PEM> (PEM public key). By default OpenSSH will write newly-"
"generated private keys in its own format, but when converting public keys "
"for export the default format is E<.Dq RFC4716>. Setting a format of E<.Dq "
"PEM> when generating or updating a supported private key type will cause the "
"key to be stored in the legacy PEM private key format."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl N Ar new_passphrase"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid "Provides the new passphrase."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl n Ar principals"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"Specify one or more principals (user or host names) to be included in a "
"certificate when signing a key. Multiple principals may be specified, "
"separated by commas. See the E<.Sx CERTIFICATES> section for details."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl O Ar option"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Specify a key/value option. These are specific to the operation that E<.Nm> "
"has been requested to perform."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"When signing certificates, one of the options listed in the E<.Sx "
"CERTIFICATES> section may be specified here."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"When performing moduli generation or screening, one of the options listed in "
"the E<.Sx MODULI GENERATION> section may be specified."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"When generating FIDO authenticator-backed keys, the options listed in the E<."
"Sx FIDO AUTHENTICATOR> section may be specified."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"When performing signature-related options using the E<.Fl Y> flag, the "
"following options are accepted:"
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "Cm hashalg Ns = Ns Ar algorithm"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"Selects the hash algorithm to use for hashing the message to be signed. "
"Valid algorithms are E<.Dq sha256> and E<.Dq sha512.> The default is E<.Dq "
"sha512.>"
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "Cm print-pubkey"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"Print the full public key to standard output after signature verification."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "Cm verify-time Ns = Ns Ar timestamp"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"Specifies a time to use when validating signatures instead of the current "
"time. The time may be specified as a date or time in the YYYYMMDD[Z] or in "
"YYYYMMDDHHMM[SS][Z] formats. Dates and times will be interpreted in the "
"current system time zone unless suffixed with a Z character, which causes "
"them to be interpreted in the UTC time zone."
msgstr ""

#. type: Plain text
#: archlinux debian-unstable opensuse-tumbleweed
msgid ""
"When generating SSHFP DNS records from public keys using the E<.Fl r> flag, "
"the following options are accepted:"
msgstr ""

#. type: Plain text
#: archlinux debian-unstable opensuse-tumbleweed
msgid ""
"Selects a hash algorithm to use when printing SSHFP records using the E<.Fl "
"D> flag. Valid algorithms are E<.Dq sha1> and E<.Dq sha256>. The default "
"is to print both."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid "The E<.Fl O> option may be specified multiple times."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl P Ar passphrase"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid "Provides the (old) passphrase."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl p"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Requests changing the passphrase of a private key file instead of creating a "
"new private key. The program will prompt for the file containing the "
"private key, for the old passphrase, and twice for the new passphrase."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl Q"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Test whether keys have been revoked in a KRL. If the E<.Fl l> option is "
"also specified then the contents of the KRL will be printed."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl q"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid "Silence E<.Nm ssh-keygen>."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl R Ar hostname | [hostname]:port"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Removes all keys belonging to the specified E<.Ar hostname> (with optional "
"port number) from a E<.Pa known_hosts> file. This option is useful to "
"delete hashed hosts (see the E<.Fl H> option above)."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl r Ar hostname"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Print the SSHFP fingerprint resource record named E<.Ar hostname> for the "
"specified public key file."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl s Ar ca_key"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"Certify (sign) a public key using the specified CA key. See the E<.Sx "
"CERTIFICATES> section for details."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"When generating a KRL, E<.Fl s> specifies a path to a CA public key file "
"used to revoke certificates directly by key ID or serial number. See the E<."
"Sx KEY REVOCATION LISTS> section for details."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Specifies the type of key to create. The possible values are E<.Dq dsa>, E<."
"Dq ecdsa>, E<.Dq ecdsa-sk>, E<.Dq ed25519>, E<.Dq ed25519-sk>, or E<.Dq rsa>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"This flag may also be used to specify the desired signature type when "
"signing certificates using an RSA CA key. The available RSA signature "
"variants are E<.Dq ssh-rsa> (SHA1 signatures, not recommended), E<.Dq rsa-"
"sha2-256>, and E<.Dq rsa-sha2-512> (the default)."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl U"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"When used in combination with E<.Fl s> or E<.Fl Y Cm sign>, this option "
"indicates that a CA key resides in a E<.Xr ssh-agent 1>. See the E<.Sx "
"CERTIFICATES> section for more information."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl u"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Update a KRL. When specified with E<.Fl k>, keys listed via the command "
"line are added to the existing KRL rather than a new KRL being created."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl V Ar validity_interval"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Specify a validity interval when signing a certificate. A validity interval "
"may consist of a single time, indicating that the certificate is valid "
"beginning now and expiring at that time, or may consist of two times "
"separated by a colon to indicate an explicit time interval."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid "The start time may be specified as:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"The string E<.Dq always> to indicate the certificate has no specified start "
"time."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"A date or time in the system time zone formatted as YYYYMMDD or "
"YYYYMMDDHHMM[SS]."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid "A date or time in the UTC time zone as YYYYMMDDZ or YYYYMMDDHHMM[SS]Z."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"A relative time before the current system time consisting of a minus sign "
"followed by an interval in the format described in the TIME FORMATS section "
"of E<.Xr sshd_config 5>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"A raw seconds since epoch (Jan 1 1970 00:00:00 UTC) as a hexadecimal number "
"beginning with E<.Dq 0x>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid "The end time may be specified similarly to the start time:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"The string E<.Dq forever> to indicate the certificate has no specified end "
"time."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"A relative time after the current system time consisting of a plus sign "
"followed by an interval in the format described in the TIME FORMATS section "
"of E<.Xr sshd_config 5>."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid "For example:"
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "+52w1d"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid "Valid from now to 52 weeks and one day from now."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "-4w:+4w"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid "Valid from four weeks ago to four weeks from now."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "20100101123000:20110101123000"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid "Valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "20100101123000Z:20110101123000Z"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"Similar, but interpreted in the UTC time zone rather than the system time "
"zone."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "-1d:20110101"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid "Valid from yesterday to midnight, January 1st, 2011."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "0x1:0x2000000000"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid "Valid from roughly early 1970 to May 2033."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "-1m:forever"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid "Valid from one minute ago and never expiring."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl v"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Verbose mode. Causes E<.Nm> to print debugging messages about its "
"progress. This is helpful for debugging moduli generation. Multiple E<.Fl "
"v> options increase the verbosity. The maximum is 3."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl w Ar provider"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Specifies a path to a library that will be used when creating FIDO "
"authenticator-hosted keys, overriding the default of using the internal USB "
"HID support."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl Y Cm find-principals"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Find the principal(s) associated with the public key of a signature, "
"provided using the E<.Fl s> flag in an authorized signers file provided "
"using the E<.Fl f> flag. The format of the allowed signers file is "
"documented in the E<.Sx ALLOWED SIGNERS> section below. If one or more "
"matching principals are found, they are returned on standard output."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "Fl Y Cm match-principals"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"Find principal matching the principal name provided using the E<.Fl I> flag "
"in the authorized signers file specified using the E<.Fl f> flag. If one or "
"more matching principals are found, they are returned on standard output."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl Y Cm check-novalidate"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Checks that a signature generated using E<.Nm> E<.Fl Y Cm sign> has a valid "
"structure. This does not validate if a signature comes from an authorized "
"signer. When testing a signature, E<.Nm> accepts a message on standard "
"input and a signature namespace using E<.Fl n>. A file containing the "
"corresponding signature must also be supplied using the E<.Fl s> flag. "
"Successful testing of the signature is signalled by E<.Nm> returning a zero "
"exit status."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Fl Y Cm sign"
msgstr ""

#. type: Plain text
#: archlinux debian-unstable opensuse-tumbleweed
msgid ""
"Cryptographically sign a file or some data using an SSH key.
When signing, " "E<.Nm> accepts zero or more files to sign on the command-line - if no files " "are specified then E<.Nm> will sign data presented on standard input. " "Signatures are written to the path of the input file with E<.Dq .sig> " "appended, or to standard output if the message to be signed was read from " "standard input." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "The key used for signing is specified using the E<.Fl f> option and may " "refer to either a private key, or a public key with the private half " "available via E<.Xr ssh-agent 1>. An additional signature namespace, used " "to prevent signature confusion across different domains of use (e.g. file " "signing vs email signing) must be provided via the E<.Fl n> flag. " "Namespaces are arbitrary strings, and may include: E<.Dq file> for file " "signing, E<.Dq email> for email signing. For custom uses, it is recommended " "to use names following a NAMESPACE@YOUR.DOMAIN pattern to generate " "unambiguous namespaces." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Fl Y Cm verify" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Request to verify a signature generated using E<.Nm> E<.Fl Y Cm sign> as " "described above. When verifying a signature, E<.Nm> accepts a message on " "standard input and a signature namespace using E<.Fl n>. A file containing " "the corresponding signature must also be supplied using the E<.Fl s> flag, " "along with the identity of the signer using E<.Fl I> and a list of allowed " "signers via the E<.Fl f> flag. The format of the allowed signers file is " "documented in the E<.Sx ALLOWED SIGNERS> section below. A file containing " "revoked keys can be passed using the E<.Fl r> flag. 
The revocation file may " "be a KRL or a one-per-line list of public keys. Successful verification by " "an authorized signer is signalled by E<.Nm> returning a zero exit status." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Fl y" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "This option will read a private OpenSSH format file and print an OpenSSH " "public key to stdout." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-tumbleweed #, no-wrap msgid "Fl Z Ar cipher" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-tumbleweed msgid "" "Specifies the cipher to use for encryption when writing an OpenSSH-format " "private key file. The list of available ciphers may be obtained using E<.Qq " "ssh -Q cipher>. The default is E<.Dq aes256-ctr>." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Fl z Ar serial_number" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Specifies a serial number to be embedded in the certificate to distinguish " "this certificate from others from the same CA. If the E<.Ar serial_number> " "is prefixed with a E<.Sq +> character, then the serial number will be " "incremented for each certificate signed on a single command-line. The " "default serial number is zero." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "When generating a KRL, the E<.Fl z> flag is used to specify a KRL version " "number." msgstr "" #. type: Sh #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "MODULI GENERATION" msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "E<.Nm> may be used to generate groups for the Diffie-Hellman Group Exchange " "(DH-GEX) protocol. Generating these groups is a two-step process: first, " "candidate primes are generated using a fast, but memory intensive process. " "These candidate primes are then tested for suitability (a CPU-intensive " "process)." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Generation of primes is performed using the E<.Fl M Cm generate> option. " "The desired length of the primes may be specified by the E<.Fl O Cm bits> " "option. For example:" msgstr "" #. type: Dl #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "# ssh-keygen -M generate -O bits=2048 moduli-2048.candidates" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "By default, the search for primes begins at a random point in the desired " "length range. This may be overridden using the E<.Fl O Cm start> option, " "which specifies a different start point (in hex)." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Once a set of candidates have been generated, they must be screened for " "suitability. This may be performed using the E<.Fl M Cm screen> option. In " "this mode E<.Nm> will read candidates from standard input (or a file " "specified using the E<.Fl f> option). For example:" msgstr "" #. type: Dl #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "# ssh-keygen -M screen -f moduli-2048.candidates moduli-2048" msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "By default, each candidate will be subjected to 100 primality tests. This " "may be overridden using the E<.Fl O Cm prime-tests> option. The DH " "generator value will be chosen automatically for the prime under " "consideration. If a specific generator is desired, it may be requested " "using the E<.Fl O Cm generator> option. Valid generator values are 2, 3, " "and 5." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-tumbleweed msgid "" "Screened DH groups may be installed in E<.Pa /etc/ssh/moduli>. It is " "important that this file contains moduli of a range of bit lengths." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "A number of options are available for moduli generation and screening via " "the E<.Fl O> flag:" msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic lines Ns = Ns Ar number" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Exit after screening the specified number of lines while performing DH " "candidate screening." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic start-line Ns = Ns Ar line-number" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Start screening at the specified line number while performing DH candidate " "screening." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic checkpoint Ns = Ns Ar filename" msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Write the last line processed to the specified file while performing DH " "candidate screening. This will be used to skip lines in the input file that " "have already been processed if the job is restarted." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic memory Ns = Ns Ar mbytes" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Specify the amount of memory to use (in megabytes) when generating candidate " "moduli for DH-GEX." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic start Ns = Ns Ar hex-value" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Specify start point (in hex) when generating candidate moduli for DH-GEX." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic generator Ns = Ns Ar value" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Specify desired generator (in decimal) when testing candidate moduli for DH-" "GEX." msgstr "" #. type: Sh #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "CERTIFICATES" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "E<.Nm> supports signing of keys to produce certificates that may be used for " "user or host authentication. 
Certificates consist of a public key, some " "identity information, zero or more principal (user or host) names and a set " "of options that are signed by a Certification Authority (CA) key. Clients " "or servers may then trust only the CA key and verify its signature on a " "certificate rather than trusting many user/host keys. Note that OpenSSH " "certificates are a different, and much simpler, format to the X.509 " "certificates used in E<.Xr ssl 8>." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "E<.Nm> supports two types of certificates: user and host. User certificates " "authenticate users to servers, whereas host certificates authenticate server " "hosts to users. To generate a user certificate:" msgstr "" #. type: Dl #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "$ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "The resultant certificate will be placed in E<.Pa /path/to/user_key-cert." "pub>. A host certificate requires the E<.Fl h> option:" msgstr "" #. type: Dl #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "$ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "The host certificate will be output to E<.Pa /path/to/host_key-cert.pub>." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "It is possible to sign using a CA key stored in a PKCS#11 token by providing " "the token library using E<.Fl D> and identifying the CA key by providing its " "public half as an argument to E<.Fl s>:" msgstr "" #. 
type: Dl #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "$ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id user_key.pub" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Similarly, it is possible for the CA key to be hosted in a E<.Xr ssh-agent " "1>. This is indicated by the E<.Fl U> flag and, again, the CA key must be " "identified by its public half." msgstr "" #. type: Dl #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "$ ssh-keygen -Us ca_key.pub -I key_id user_key.pub" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "In all cases, E<.Ar key_id> is a \"key identifier\" that is logged by the " "server when the certificate is used for authentication." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Certificates may be limited to be valid for a set of principal (user/host) " "names. By default, generated certificates are valid for all users or " "hosts. To generate a certificate for a specified set of principals:" msgstr "" #. type: Dl #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "$ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub" msgstr "" #. type: Dl #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "$ ssh-keygen -s ca_key -I key_id -h -n host.domain host_key.pub" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Additional limitations on the validity and use of user certificates may be " "specified through certificate options. 
A certificate option may disable " "features of the SSH session, may be valid only when presented from " "particular source addresses or may force the use of a specific command." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "The options that are valid for user certificates are:" msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic clear" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Clear all enabled permissions. This is useful for clearing the default set " "of permissions so permissions may be added individually." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic critical : Ns Ar name Ns Op Ns = Ns Ar contents" msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic extension : Ns Ar name Ns Op Ns = Ns Ar contents" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Includes an arbitrary certificate critical option or extension. The " "specified E<.Ar name> should include a domain suffix, e.g.\\& E<.Dq " "name@example.com>. If E<.Ar contents> is specified then it is included as " "the contents of the extension/option encoded as a string, otherwise the " "extension/option is created with no contents (usually indicating a flag). " "Extensions may be ignored by a client or server that does not recognise " "them, whereas unknown critical options will cause the certificate to be " "refused." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic force-command Ns = Ns Ar command" msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Forces the execution of E<.Ar command> instead of any shell or command " "specified by the user when the certificate is used for authentication." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic no-agent-forwarding" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "Disable E<.Xr ssh-agent 1> forwarding (permitted by default)." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic no-port-forwarding" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "Disable port forwarding (permitted by default)." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic no-pty" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "Disable PTY allocation (permitted by default)." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic no-user-rc" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Disable execution of E<.Pa ~/.ssh/rc> by E<.Xr sshd 8> (permitted by " "default)." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic no-x11-forwarding" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "Disable X11 forwarding (permitted by default)." msgstr "" #. 
type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic permit-agent-forwarding" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "Allows E<.Xr ssh-agent 1> forwarding." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic permit-port-forwarding" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "Allows port forwarding." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic permit-pty" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "Allows PTY allocation." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic permit-user-rc" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "Allows execution of E<.Pa ~/.ssh/rc> by E<.Xr sshd 8>." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic permit-X11-forwarding" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "Allows X11 forwarding." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic no-touch-required" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Do not require signatures made using this key include demonstration of user " "presence (e.g. by having the user touch the authenticator). 
This option " "only makes sense for the FIDO authenticator algorithms E<.Cm ecdsa-sk> and " "E<.Cm ed25519-sk>." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic source-address Ns = Ns Ar address_list" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Restrict the source addresses from which the certificate is considered " "valid. The E<.Ar address_list> is a comma-separated list of one or more " "address/netmask pairs in CIDR format." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Ic verify-required" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Require signatures made using this key indicate that the user was first " "verified. This option only makes sense for the FIDO authenticator " "algorithms E<.Cm ecdsa-sk> and E<.Cm ed25519-sk>. Currently PIN " "authentication is the only supported verification method, but other methods " "may be supported in the future." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "At present, no standard options are valid for host keys." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-tumbleweed msgid "" "Finally, certificates may be defined with a validity lifetime. The E<.Fl V> " "option allows specification of certificate start and end times. A " "certificate that is presented at a time outside this range will not be " "considered valid. By default, certificates are valid from the E<.Ux> Epoch " "to the distant future." msgstr "" #. 
type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-tumbleweed msgid "" "For certificates to be used for user or host authentication, the CA public " "key must be trusted by E<.Xr sshd 8> or E<.Xr ssh 1>. Refer to those manual " "pages for details." msgstr "" #. type: Sh #: archlinux debian-bookworm debian-unstable opensuse-tumbleweed #, no-wrap msgid "FIDO AUTHENTICATOR" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-tumbleweed msgid "" "E<.Nm> is able to generate FIDO authenticator-backed keys, after which they " "may be used much like any other key type supported by OpenSSH, so long as " "the hardware authenticator is attached when the keys are used. FIDO " "authenticators generally require the user to explicitly authorise operations " "by touching or tapping them. FIDO keys consist of two parts: a key handle " "part stored in the private key file on disk, and a per-device private key " "that is unique to each FIDO authenticator and that cannot be exported from " "the authenticator hardware. These are combined by the hardware at " "authentication time to derive the real key that is used to sign " "authentication challenges. Supported key types are E<.Cm ecdsa-sk> and E<." "Cm ed25519-sk>." msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-tumbleweed msgid "The options that are valid for FIDO keys are:" msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Cm application" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Override the default FIDO application/origin string of E<.Dq ssh:>. This " "may be useful when generating host or domain-specific resident keys. The " "specified application string must begin with E<.Dq ssh:>." msgstr "" #. 
type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Cm challenge Ns = Ns Ar path" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-tumbleweed msgid "" "Specifies a path to a challenge string that will be passed to the FIDO " "authenticator during key generation. The challenge string may be used as " "part of an out-of-band protocol for key enrollment (a random challenge is " "used by default)." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Cm device" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-tumbleweed msgid "" "Explicitly specify a E<.Xr fido 4> device to use, rather than letting the " "authenticator middleware select one." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Cm no-touch-required" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed msgid "" "Indicate that the generated private key should not require touch events " "(user presence) when making signatures. Note that E<.Xr sshd 8> will refuse " "such signatures by default, unless overridden via an authorized_keys option." msgstr "" #. type: It #: archlinux debian-bookworm debian-unstable opensuse-leap-15-6 #: opensuse-tumbleweed #, no-wrap msgid "Cm resident" msgstr "" #. type: Plain text #: archlinux debian-bookworm debian-unstable opensuse-tumbleweed msgid "" "Indicate that the key handle should be stored on the FIDO authenticator " "itself. This makes it easier to use the authenticator on multiple " "computers. Resident keys may be supported on FIDO2 authenticators and " "typically require that a PIN be set on the authenticator prior to " "generation. Resident keys may be loaded off the authenticator using E<.Xr " "ssh-add 1>. 
Storing both parts of a key on a FIDO authenticator increases "
"the likelihood of an attacker being able to use a stolen authenticator "
"device."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Cm user"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"A username to be associated with a resident key, overriding the empty "
"default username. Specifying a username may be useful when generating "
"multiple resident keys for the same application name."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Cm verify-required"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"Indicate that this private key should require user verification for each "
"signature. Not all FIDO authenticators support this option. Currently PIN "
"authentication is the only supported verification method, but other methods "
"may be supported in the future."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Cm write-attestation Ns = Ns Ar path"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"May be used at key generation time to record the attestation data returned "
"from FIDO authenticators during key generation. This information is "
"potentially sensitive. By default, this information is discarded."
msgstr ""

#. type: Sh
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "KEY REVOCATION LISTS"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"E<.Nm> is able to manage OpenSSH format Key Revocation Lists (KRLs). These "
"binary files specify keys or certificates to be revoked using a compact "
"format, taking as little as one bit per certificate if they are being "
"revoked by serial number."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"KRLs may be generated using the E<.Fl k> flag. This option reads one or "
"more files from the command line and generates a new KRL. The files may "
"either contain a KRL specification (see below) or public keys, listed one "
"per line. Plain public keys are revoked by listing their hash or contents "
"in the KRL and certificates revoked by serial number or key ID (if the "
"serial is zero or not available)."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Revoking keys using a KRL specification offers explicit control over the "
"types of record used to revoke keys and may be used to directly revoke "
"certificates by serial number or key ID without having the complete original "
"certificate on hand. A KRL specification consists of lines containing one "
"of the following directives followed by a colon and some directive-specific "
"information."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Cm serial : Ar serial_number Ns Op - Ns Ar serial_number"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Revokes a certificate with the specified serial number. Serial numbers are "
"64-bit values, not including zero and may be expressed in decimal, hex or "
"octal. If two serial numbers are specified separated by a hyphen, then the "
"range of serial numbers including and between each is revoked. The CA key "
"must have been specified on the E<.Nm> command line using the E<.Fl s> "
"option."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Cm id : Ar key_id"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Revokes a certificate with the specified key ID string. The CA key must "
"have been specified on the E<.Nm> command line using the E<.Fl s> option."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Cm key : Ar public_key"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Revokes the specified key. If a certificate is listed, then it is revoked "
"as a plain public key."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Cm sha1 : Ar public_key"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid "Revokes the specified key by including its SHA1 hash in the KRL."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Cm sha256 : Ar public_key"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Revokes the specified key by including its SHA256 hash in the KRL. KRLs "
"that revoke keys by SHA256 hash are not supported by OpenSSH versions prior "
"to 7.9."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Cm hash : Ar fingerprint"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Revokes a key using a fingerprint hash, as obtained from a E<.Xr sshd 8> "
"authentication log message or the E<.Nm> E<.Fl l> flag. Only SHA256 "
"fingerprints are supported here and resultant KRLs are not supported by "
"OpenSSH versions prior to 7.9."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"KRLs may be updated using the E<.Fl u> flag in addition to E<.Fl k>. When "
"this option is specified, keys listed via the command line are merged into "
"the KRL, adding to those already there."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"It is also possible, given a KRL, to test whether it revokes a particular "
"key (or keys). The E<.Fl Q> flag will query an existing KRL, testing each "
"key specified on the command line. If any key listed on the command line "
"has been revoked (or an error encountered) then E<.Nm> will exit with a non-"
"zero exit status. A zero exit status will only be returned if no key was "
"revoked."
msgstr ""

#. type: Sh
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "ALLOWED SIGNERS"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"When verifying signatures, E<.Nm> uses a simple list of identities and keys "
"to determine whether a signature comes from an authorized source. This "
"\"allowed signers\" file uses a format patterned after the AUTHORIZED_KEYS "
"FILE FORMAT described in E<.Xr sshd 8>. Each line of the file contains the "
"following space-separated fields: principals, options, keytype, base64-"
"encoded key. Empty lines and lines starting with a E<.Ql #> are ignored as "
"comments."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"The principals field is a pattern-list (see PATTERNS in E<.Xr ssh_config "
"5>) consisting of one or more comma-separated USER@DOMAIN identity patterns "
"that are accepted for signing. When verifying, the identity presented via "
"the E<.Fl I> option must match a principals pattern in order for the "
"corresponding key to be considered acceptable for verification."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"The options (if present) consist of comma-separated option specifications. "
"No spaces are permitted, except within double quotes. The following option "
"specifications are supported (note that option keywords are case-"
"insensitive):"
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Cm cert-authority"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Indicates that this key is accepted as a certificate authority (CA) and that "
"certificates signed by this CA may be accepted for verification."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "Cm namespaces Ns = Ns namespace-list"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Specifies a pattern-list of namespaces that are accepted for this key. If "
"this option is present, the signature namespace embedded in the signature "
"object and presented on the verification command-line must match the "
"specified list before the key will be considered acceptable."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "Cm valid-after Ns = Ns timestamp"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"Indicates that the key is valid for use at or after the specified timestamp, "
"which may be a date or time in the YYYYMMDD[Z] or YYYYMMDDHHMM[SS][Z] "
"formats. Dates and times will be interpreted in the current system time "
"zone unless suffixed with a Z character, which causes them to be interpreted "
"in the UTC time zone."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
#, no-wrap
msgid "Cm valid-before Ns = Ns timestamp"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-tumbleweed
msgid ""
"Indicates that the key is valid for use at or before the specified timestamp."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"When verifying signatures made by certificates, the expected principal name "
"must match both the principals pattern in the allowed signers file and the "
"principals embedded in the certificate itself."
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid "An example allowed signers file:"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid ""
"# Comments allowed at start of line\n"
"user1@example.com,user2@example.com ssh-rsa AAAAX1...\n"
"# A certificate authority, trusted for all principals in a domain.\n"
"*@example.com cert-authority ssh-ed25519 AAAB4...\n"
"# A key that is accepted only for file signing.\n"
"user2@example.com namespaces=\"file\" ssh-ed25519 AAA41...\n"
msgstr ""

#. type: Sh
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "ENVIRONMENT"
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Ev SSH_SK_PROVIDER"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Specifies a path to a library that will be used when loading any FIDO "
"authenticator-hosted keys, overriding the default of using the built-in USB "
"HID support."
msgstr ""

#. type: Sh
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "FILES"
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Pa ~/.ssh/id_dsa"
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Pa ~/.ssh/id_ecdsa"
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Pa ~/.ssh/id_ecdsa_sk"
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Pa ~/.ssh/id_ed25519"
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Pa ~/.ssh/id_ed25519_sk"
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Pa ~/.ssh/id_rsa"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, authenticator-"
"hosted Ed25519 or RSA authentication identity of the user. This file should "
"not be readable by anyone but the user. It is possible to specify a "
"passphrase when generating the key; that passphrase will be used to encrypt "
"the private part of this file using 128-bit AES. This file is not "
"automatically accessed by E<.Nm> but it is offered as the default file for "
"the private key. E<.Xr ssh 1> will read this file when a login attempt is "
"made."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Pa ~/.ssh/id_dsa.pub"
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Pa ~/.ssh/id_ecdsa.pub"
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Pa ~/.ssh/id_ecdsa_sk.pub"
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Pa ~/.ssh/id_ed25519.pub"
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Pa ~/.ssh/id_ed25519_sk.pub"
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Pa ~/.ssh/id_rsa.pub"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, authenticator-"
"hosted Ed25519 or RSA public key for authentication. The contents of this "
"file should be added to E<.Pa ~/.ssh/authorized_keys> on all machines where "
"the user wishes to log in using public key authentication. There is no need "
"to keep the contents of this file secret."
msgstr ""

#. type: It
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "Pa /etc/ssh/moduli"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"Contains Diffie-Hellman groups used for DH-GEX. The file format is "
"described in E<.Xr moduli 5>."
msgstr ""

#. type: Sh
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "SEE ALSO"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"E<.Xr ssh 1>, E<.Xr ssh-add 1>, E<.Xr ssh-agent 1>, E<.Xr moduli 5>, E<.Xr "
"sshd 8> E<.Rs> E<.%R RFC 4716> E<.%T \"The Secure Shell (SSH) Public Key "
"File Format\"> E<.%D 2006> E<.Re>"
msgstr ""

#. type: Sh
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
#, no-wrap
msgid "AUTHORS"
msgstr ""

#. type: Plain text
#: archlinux debian-bookworm debian-unstable opensuse-leap-15-6
#: opensuse-tumbleweed
msgid ""
"OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu "
"Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de "
"Raadt and Dug Song removed many bugs, re-added newer features and created "
"OpenSSH. Markus Friedl contributed the support for SSH protocol versions "
"1.5 and 2.0."
msgstr ""

#. type: Dd
#: debian-bookworm
#, no-wrap
msgid "$Mdocdate: September 10 2022 $"
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
msgid ""
"The type of key to be generated is specified with the E<.Fl t> option. If "
"invoked without any arguments, E<.Nm> will generate an RSA key."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Normally each user wishing to use SSH with public key authentication runs "
"this once to create the authentication key in E<.Pa ~/.ssh/id_dsa>, E<.Pa ~/."
"ssh/id_ecdsa>, E<.Pa ~/.ssh/id_ecdsa_sk>, E<.Pa ~/.ssh/id_ed25519>, E<.Pa ~/."
"ssh/id_ed25519_sk> or E<.Pa ~/.ssh/id_rsa>. Additionally, the system "
"administrator may use this to generate host keys."
msgstr ""

#. type: Plain text
#: debian-bookworm debian-unstable
msgid ""
"Generate host keys of all default key types (rsa, ecdsa, and ed25519) if "
"they do not already exist. The host keys are generated with the default key "
"file path, an empty passphrase, default bits for the key type, and default "
"comment. If E<.Fl f> has also been specified, its argument is used as a "
"prefix to the default path for the resulting host key files. This is used "
"by system administration scripts to generate new host keys."
msgstr ""

#. type: Plain text
#: debian-bookworm opensuse-leap-15-6
msgid ""
"Cryptographically sign a file or some data using a SSH key. When signing, "
"E<.Nm> accepts zero or more files to sign on the command-line - if no files "
"are specified then E<.Nm> will sign data presented on standard input. "
"Signatures are written to the path of the input file with E<.Dq .sig> "
"appended, or to standard output if the message to be signed was read from "
"standard input."
msgstr ""

#. type: Dd
#: opensuse-leap-15-6
#, no-wrap
msgid "$Mdocdate: September 9 2020 $"
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"E<.Nm ssh-keygen> E<.Op Fl q> E<.Op Fl a Ar rounds> E<.Op Fl b Ar bits> E<."
"Op Fl C Ar comment> E<.Op Fl f Ar output_keyfile> E<.Op Fl m Ar format> E<."
"Op Fl N Ar new_passphrase> E<.Op Fl O Ar option> E<.Op Fl t Cm dsa | ecdsa | "
"ecdsa-sk | ed25519 | ed25519-sk | rsa> E<.Op Fl w Ar provider> E<.Nm ssh-"
"keygen> E<.Fl p> E<.Op Fl a Ar rounds> E<.Op Fl f Ar keyfile> E<.Op Fl m Ar "
"format> E<.Op Fl N Ar new_passphrase> E<.Op Fl P Ar old_passphrase> E<.Nm "
"ssh-keygen> E<.Fl i> E<.Op Fl f Ar input_keyfile> E<.Op Fl m Ar key_format> "
"E<.Nm ssh-keygen> E<.Fl e> E<.Op Fl f Ar input_keyfile> E<.Op Fl m Ar "
"key_format> E<.Nm ssh-keygen> E<.Fl y> E<.Op Fl f Ar input_keyfile> E<.Nm "
"ssh-keygen> E<.Fl c> E<.Op Fl a Ar rounds> E<.Op Fl C Ar comment> E<.Op Fl f "
"Ar keyfile> E<.Op Fl P Ar passphrase> E<.Nm ssh-keygen> E<.Fl l> E<.Op Fl v> "
"E<.Op Fl E Ar fingerprint_hash> E<.Op Fl f Ar input_keyfile> E<.Nm ssh-"
"keygen> E<.Fl B> E<.Op Fl f Ar input_keyfile> E<.Nm ssh-keygen> E<.Fl D Ar "
"pkcs11> E<.Nm ssh-keygen> E<.Fl F Ar hostname> E<.Op Fl lv> E<.Op Fl f Ar "
"known_hosts_file> E<.Nm ssh-keygen> E<.Fl H> E<.Op Fl f Ar known_hosts_file> "
"E<.Nm ssh-keygen> E<.Fl K> E<.Op Fl a Ar rounds> E<.Op Fl w Ar provider> E<."
"Nm ssh-keygen> E<.Fl R Ar hostname> E<.Op Fl f Ar known_hosts_file> E<.Nm "
"ssh-keygen> E<.Fl r Ar hostname> E<.Op Fl g> E<.Op Fl f Ar input_keyfile> E<."
"Nm ssh-keygen> E<.Fl M Cm generate> E<.Op Fl O Ar option> E<.Ar output_file> "
"E<.Nm ssh-keygen> E<.Fl M Cm screen> E<.Op Fl f Ar input_file> E<.Op Fl O Ar "
"option> E<.Ar output_file> E<.Nm ssh-keygen> E<.Fl I Ar "
"certificate_identity> E<.Fl s Ar ca_key> E<.Op Fl hU> E<.Op Fl D Ar "
"pkcs11_provider> E<.Op Fl n Ar principals> E<.Op Fl O Ar option> E<.Op Fl V "
"Ar validity_interval> E<.Op Fl z Ar serial_number> E<.Ar> E<.Nm ssh-keygen> "
"E<.Fl L> E<.Op Fl f Ar input_keyfile> E<.Nm ssh-keygen> E<.Fl A> E<.Op Fl a "
"Ar rounds> E<.Op Fl f Ar prefix_path> E<.Nm ssh-keygen> E<.Fl k> E<.Fl f Ar "
"krl_file> E<.Op Fl u> E<.Op Fl s Ar ca_public> E<.Op Fl z Ar version_number> "
"E<.Ar> E<.Nm ssh-keygen> E<.Fl Q> E<.Op Fl l> E<.Fl f Ar krl_file> E<.Ar> E<."
"Nm ssh-keygen> E<.Fl Y Cm find-principals> E<.Fl s Ar signature_file> E<.Fl "
"f Ar allowed_signers_file> E<.Nm ssh-keygen> E<.Fl Y Cm check-novalidate> E<."
"Fl n Ar namespace> E<.Fl s Ar signature_file> E<.Nm ssh-keygen> E<.Fl Y Cm "
"sign> E<.Fl f Ar key_file> E<.Fl n Ar namespace> E<.Ar> E<.Nm ssh-keygen> E<."
"Fl Y Cm verify> E<.Fl f Ar allowed_signers_file> E<.Fl I Ar signer_identity> "
"E<.Fl n Ar namespace> E<.Fl s Ar signature_file> E<.Op Fl r Ar "
"revocation_file>"
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"For each of the key types (rsa, dsa, ecdsa and ed25519) for which host keys "
"do not exist, generate the host keys with the default key file path, an "
"empty passphrase, default bits for the key type, and default comment. If E<."
"Fl f> has also been specified, its argument is used as a prefix to the "
"default path for the resulting host key files. This is used by E<.Pa /etc/"
"rc> to generate new host keys."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"When saving a private key, this option specifies the number of KDF (key "
"derivation function) rounds used. Higher numbers result in slower "
"passphrase verification and increased resistance to brute-force password "
"cracking (should the keys be stolen). The default is 16 rounds."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"When signing a key, create a host certificate instead of a user "
"certificate. Please see the E<.Sx CERTIFICATES> section for details."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"Specify the key identity when signing a public key. Please see the E<.Sx "
"CERTIFICATES> section for details."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"Download resident keys from a FIDO authenticator. Public and private key "
"files will be written to the current directory for each downloaded key. If "
"multiple FIDO authenticators are attached, keys will be downloaded from the "
"first touched authenticator."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"Specify one or more principals (user or host names) to be included in a "
"certificate when signing a key. Multiple principals may be specified, "
"separated by commas. Please see the E<.Sx CERTIFICATES> section for details."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"When generating a key that will be hosted on a FIDO authenticator, this flag "
"may be used to specify key-specific options. Those supported at present are:"
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"Specifies a path to a challenge string that will be passed to the FIDO token "
"during key generation. The challenge string may be used as part of an out-"
"of-band protocol for key enrollment (a random challenge is used by default)."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"Explicitly specify a E<.Xr fido 4> device to use, rather than letting the "
"token middleware select one."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"Indicate that the key should be stored on the FIDO authenticator itself. "
"Resident keys may be supported on FIDO2 tokens and typically require that a "
"PIN be set on the token prior to generation. Resident keys may be loaded "
"off the token using E<.Xr ssh-add 1>."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"Indicate that this private key should require user verification for each "
"signature. Not all FIDO tokens support this option. Currently PIN "
"authentication is the only supported verification method, but other methods "
"may be supported in the future."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"May be used at key generation time to record the attestation data returned "
"from FIDO tokens during key generation. Please note that this information "
"is potentially sensitive. By default, this information is discarded."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"Certify (sign) a public key using the specified CA key. Please see the E<."
"Sx CERTIFICATES> section for details."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"When used in combination with E<.Fl s>, this option indicates that a CA key "
"resides in a E<.Xr ssh-agent 1>. See the E<.Sx CERTIFICATES> section for "
"more information."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"The start time may be specified as the string E<.Dq always> to indicate the "
"certificate has no specified start time, a date in YYYYMMDD format, a time "
"in YYYYMMDDHHMM[SS] format, a relative time (to the current time) consisting "
"of a minus sign followed by an interval in the format described in the TIME "
"FORMATS section of E<.Xr sshd_config 5>."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMM[SS] time, a "
"relative time starting with a plus character or the string E<.Dq forever> to "
"indicate that the certificate has no expiry date."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"For example: E<.Dq +52w1d> (valid from now to 52 weeks and one day from "
"now), E<.Dq -4w:+4w> (valid from four weeks ago to four weeks from now), E<."
"Dq 20100101123000:20110101123000> (valid from 12:30 PM, January 1st, 2010 to "
"12:30 PM, January 1st, 2011), E<.Dq -1d:20110101> (valid from yesterday to "
"midnight, January 1st, 2011). E<.Dq -1m:forever> (valid from one minute ago "
"and never expiring)."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"Screened DH groups may be installed in E<.Pa /etc/ssh/moduli>. It is "
"important that this file contains moduli of a range of bit lengths and that "
"both ends of a connection share common moduli."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"Finally, certificates may be defined with a validity lifetime. The E<.Fl V> "
"option allows specification of certificate start and end times. A "
"certificate that is presented at a time outside this range will not be "
"considered valid. By default, certificates are valid from E<.Ux> Epoch to "
"the distant future."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"For certificates to be used for user or host authentication, the CA public "
"key must be trusted by E<.Xr sshd 8> or E<.Xr ssh 1>. Please refer to those "
"manual pages for details."
msgstr ""

#. type: Plain text
#: opensuse-leap-15-6
msgid ""
"The principals field is a pattern-list (See PATTERNS in E<.Xr ssh_config "
"5>) consisting of one or more comma-separated USER@DOMAIN identity patterns "
"that are accepted for signing. When verifying, the identity presented via "
"the E<.Fl I> option must match a principals pattern in order for the "
"corresponding key to be considered acceptable for verification."
msgstr ""

#. type: It
#: opensuse-leap-15-6
#, no-wrap
msgid "Cm namespaces=\"namespace-list\""
msgstr ""