mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-09 09:27:59 +00:00
4af8a585e7
Some new cert-related stuff wasn't documented in the usage message and/or man page; and the longer-standing "-E fptype" was entirely omitted from the usage message.
412 lines
13 KiB
Plaintext
412 lines
13 KiB
Plaintext
\cfg{man-identity}{puttygen}{1}{2004-03-24}{PuTTY tool suite}{PuTTY tool suite}
|
|
|
|
\H{puttygen-manpage} Man page for PuTTYgen
|
|
|
|
\S{puttygen-manpage-name} NAME
|
|
|
|
\cw{puttygen} - public-key generator for the PuTTY tools
|
|
|
|
\S{puttygen-manpage-synopsis} SYNOPSIS
|
|
|
|
\c puttygen ( keyfile | -t keytype [ -b bits ] [ --primes method ] [ -q ] )
|
|
\e bbbbbbbb iiiiiii bb iiiiiii bb iiii bbbbbbbb iiiiii bb
|
|
\c [ -C new-comment ] [ -P ] [ --reencrypt ]
|
|
\e bb iiiiiiiiiii bb bbbbbbbbbbb
|
|
\c [ --certificate cert-file | --remove-certificate ]
|
|
\e bbbbbbbbbbbbb iiiiiiiii bbbbbbbbbbbbbbbbbbbb
|
|
\c [ -O output-type | -l | -L | -p | --dump | --cert-info ]
|
|
\e bb iiiiiiiiiii bb bb bb bbbbbb bbbbbbbbbbb
|
|
\c [ --ppk-param key=value,... | -E fptype ]
|
|
\e bbbbbbbbbbb iiibiiiiib bb iiiiii
|
|
\c [ -o output-file ]
|
|
\e bb iiiiiiiiiii
|
|
|
|
\S{puttygen-manpage-description} DESCRIPTION
|
|
|
|
\c{puttygen} is a tool to generate and manipulate SSH public and
|
|
private key pairs. It is part of the PuTTY suite, although it can
|
|
also interoperate with the key formats used by some other SSH clients.
|
|
|
|
When you run \c{puttygen}, it does three things. Firstly, it either
|
|
loads an existing key file (if you specified \e{keyfile}), or
|
|
generates a new key (if you specified \e{keytype}). Then, it
|
|
optionally makes modifications to the key (such as changing the comment
|
|
and/or the passphrase); finally, it outputs the key, or some
|
|
information about the key, to a file.
|
|
|
|
All three of these phases are controlled by the options described in
|
|
the following section.
|
|
|
|
\S{puttygen-manpage-options} OPTIONS
|
|
|
|
In the first phase, \c{puttygen} either loads or generates a key.
|
|
Note that generating a key requires random data, which can cause
|
|
\c{puttygen} to pause, possibly for some time if your system does
|
|
not have much randomness available.
|
|
|
|
The options to control this phase are:
|
|
|
|
\dt \e{keyfile}
|
|
|
|
\dd Specify a key file to be loaded. (Use \cq{-} to read a key
|
|
file from standard input.)
|
|
|
|
\lcont{
|
|
|
|
Usually this will be a private key, which can be in the (de facto
|
|
standard) SSH-1 key format, or in PuTTY's SSH-2 key format, or in
|
|
either of the SSH-2 private key formats used by OpenSSH and
|
|
ssh.com's implementation.
|
|
|
|
You can also specify a file containing only a \e{public} key here.
|
|
The operations you can do are limited to outputting another public
|
|
key format (possibly removing an attached certificate first), or a
|
|
fingerprint. Public keys can be in RFC 4716 or OpenSSH format, or
|
|
the standard SSH-1 format.
|
|
|
|
}
|
|
|
|
\dt \cw{\-t} \e{keytype}
|
|
|
|
\dd Specify a type of key to generate. The acceptable values here are
|
|
\c{rsa}, \c{dsa}, \c{ecdsa}, \c{eddsa}, \c{ed25519}, and \c{ed448}
|
|
(to generate SSH-2 keys), and \c{rsa1} (to generate SSH-1 keys).
|
|
|
|
\dt \cw{\-b} \e{bits}
|
|
|
|
\dd Specify the size of the key to generate, in bits. Default for
|
|
\c{rsa} and \c{dsa} keys is 2048.
|
|
|
|
\dt \cw{\-\-primes} \e{method}
|
|
|
|
\dd Method for generating prime numbers. The acceptable values here
|
|
are \c{probable} (the default), \c{proven}, and \c{proven-even};
|
|
the later methods are slower. (Various synonyms for these method
|
|
names are also accepted.)
|
|
|
|
\lcont{
|
|
|
|
The \q{probable primes} method sounds unsafe, but it's the most
|
|
commonly used prime-generation strategy. There is in theory a
|
|
possibility that it might accidentally generate a number that isn't
|
|
prime, but the software does enough checking to make that probability
|
|
vanishingly small (less than 1 in 2^80, or 1 in 10^24). So, in
|
|
practice, nobody worries about it very much.
|
|
|
|
The other methods cause PuTTYgen to use numbers that it is \e{sure}
|
|
are prime, because it generates the output number together with a
|
|
proof of its primality. This takes more effort, but it eliminates that
|
|
theoretical risk in the probabilistic method.
|
|
|
|
You might choose to switch from probable to proven primes if you have
|
|
a local security standard that demands it, or if you don't trust the
|
|
probabilistic argument for the safety of the usual method.
|
|
|
|
}
|
|
|
|
\dt \cw{\-\-strong-rsa}
|
|
|
|
\dd When generating an RSA key, make sure the prime factors of the key
|
|
modulus are \q{strong primes}. A strong prime is a prime number chosen
|
|
to have a particular structure that makes certain factoring algorithms
|
|
more difficult to apply, so some security standards recommend their
|
|
use. However, the most modern factoring algorithms are unaffected, so
|
|
this option is probably not worth turning on \e{unless} you have a
|
|
local standard that recommends it.
|
|
|
|
\dt \cw{\-q}
|
|
|
|
\dd Suppress the progress display when generating a new key.
|
|
|
|
\dt \cw{\-\-old\-passphrase} \e{file}
|
|
|
|
\dd Specify a file name; the first line will be read from this file
|
|
(removing any trailing newline) and used as the old passphrase.
|
|
\s{CAUTION:} If the passphrase is important, the file should be stored
|
|
on a temporary filesystem or else securely erased after use.
|
|
|
|
\dt \cw{\-\-random\-device} \e{device}
|
|
|
|
\dd Specify device to read entropy from. By default, \c{puttygen}
|
|
uses \c{/dev/urandom}, falling back to \c{/dev/random} if it has to.
|
|
|
|
In the second phase, \c{puttygen} optionally alters properties of
|
|
the key it has loaded or generated. The options to control this are:
|
|
|
|
\dt \cw{\-C} \e{new\-comment}
|
|
|
|
\dd Specify a comment string to describe the key. This comment string
|
|
will be used by PuTTY to identify the key to you (when asking you to
|
|
enter the passphrase, for example, so that you know which passphrase
|
|
to type).
|
|
|
|
\dt \cw{\-P}
|
|
|
|
\dd Indicate that you want to change the key's passphrase. This is
|
|
automatic when you are generating a new key, but not when you are
|
|
modifying an existing key.
|
|
|
|
\dt \cw{\-\-certificate} \e{certificate-file}
|
|
|
|
\dd Adds an OpenSSH-style certificate to the public half of the key,
|
|
so that the output file contains a certified public key with the same
|
|
private key. If the input file already contained a certificate, it
|
|
will be replaced with the new one. (Use \cq{-} to read a certificate
|
|
from standard input.)
|
|
|
|
\dt \cw{\-\-remove\-certificate}
|
|
|
|
\dd Removes any certificate that was part of the key, to recover the
|
|
uncertified version of the underlying key.
|
|
|
|
\dt \cw{\-\-reencrypt}
|
|
|
|
\dd For an existing private key saved with a passphrase, refresh the
|
|
encryption without changing the passphrase.
|
|
|
|
\lcont{
|
|
This is most likely to be useful with the \cw{\-\-ppk-param} option,
|
|
to change some aspect of the key file's format or encryption.
|
|
}
|
|
|
|
\dt \cw{\-\-ppk-param} \e{key}\cw{=}\e{value}\cw{,}...
|
|
|
|
\dd When saving a PPK file (the default \cw{private} output type for SSH-2
|
|
keys), adjust details of the on-disk format.
|
|
|
|
\lcont{
|
|
|
|
Aspects to change are specified as a series of \e{key}\cw{=}\e{value} pairs
|
|
separated by commas. The \e{key}s are:
|
|
|
|
\dt \cw{version}
|
|
|
|
\dd The PPK format version. Possible values are \cw{3} (the default)
|
|
and \cw{2} (which is less resistant to brute-force decryption, but
|
|
which you might need if your key needs to be used by old versions of
|
|
PuTTY tools, or other PPK consumers).
|
|
|
|
\lcont{
|
|
The following \e{key}s only affect PPK version 3 files.
|
|
}
|
|
|
|
\dt \cw{kdf}
|
|
|
|
\dd The variant of the Argon2 key derivation function to use. Options
|
|
are \cw{argon2id} (default, and recommended), \cw{argon2i}, and
|
|
\cw{argon2d}.
|
|
|
|
\lcont{
|
|
You might change this if you consider your exposure to side-channel
|
|
attacks to be different to the norm.
|
|
}
|
|
|
|
\dt \cw{memory}
|
|
|
|
\dd The amount of memory needed to decrypt the key, in Kbyte. Default
|
|
is 8192 (i.e., 8 Mbyte).
|
|
|
|
\dt \cw{time}
|
|
|
|
\dd Approximate time, on this machine, required to attempt decrypting
|
|
the key, in milliseconds. Default is 100 (ms).
|
|
|
|
\dt \cw{passes}
|
|
|
|
\dd Alternative to \cw{time}: explicitly specify the number of hash
|
|
passes required to attempt decrypting the key.
|
|
|
|
\dt \cw{parallelism}
|
|
|
|
\dd Number of parallelisable threads that can be used to decrypt the
|
|
key. Default is 1 (force decryption to run single-threaded).
|
|
|
|
}
|
|
|
|
In the third phase, \c{puttygen} saves the key or information
|
|
about it. The options to control this are:
|
|
|
|
\dt \cw{\-O} \e{output\-type}
|
|
|
|
\dd Specify the type of output you want \c{puttygen} to produce.
|
|
Acceptable options are:
|
|
|
|
\lcont{
|
|
|
|
\dt \cw{private}
|
|
|
|
\dd Save the private key in a format usable by PuTTY. This will either
|
|
be the standard SSH-1 key format, or PuTTY's own SSH-2 key format
|
|
(\q{PPK}). This is the default.
|
|
|
|
\dt \cw{public}
|
|
|
|
\dd Save the public key only. For SSH-1 keys, the standard public key
|
|
format will be used (\q{\cw{1024 37 5698745}...}). For SSH-2 keys, the
|
|
public key will be output in the format specified by RFC 4716,
|
|
which is a multi-line text file beginning with the line
|
|
\q{\cw{---- BEGIN SSH2 PUBLIC KEY ----}}.
|
|
|
|
\dt \cw{public-openssh}
|
|
|
|
\dd Save the public key only, in a format usable by OpenSSH. For SSH-1
|
|
keys, this output format behaves identically to \c{public}. For
|
|
SSH-2 keys, the public key will be output in the OpenSSH format,
|
|
which is a single line (\q{\cw{ssh-rsa AAAAB3NzaC1yc2}...}).
|
|
|
|
\dt \cw{fingerprint}
|
|
|
|
\dd Print a fingerprint of the public key. The \cw{-E} option lets you
|
|
specify which fingerprinting algorithm to use. All algorithms are
|
|
believed compatible with OpenSSH.
|
|
|
|
\dt \cw{private-openssh}
|
|
|
|
\dd Save an SSH-2 private key in OpenSSH's format, using the oldest
|
|
format available to maximise backward compatibility. This option is not
|
|
permitted for SSH-1 keys.
|
|
|
|
\dt \cw{private-openssh-new}
|
|
|
|
\dd As \c{private-openssh}, except that it forces the use of OpenSSH's
|
|
newer format even for RSA, DSA, and ECDSA keys.
|
|
|
|
\dt \cw{private-sshcom}
|
|
|
|
\dd Save an SSH-2 private key in ssh.com's format. This option is not
|
|
permitted for SSH-1 keys.
|
|
|
|
\dt \cw{cert-info}
|
|
|
|
\dd Save a textual dump of information about the certificate on the
|
|
key, if any: whether it's a host or a user certificate, what host(s)
|
|
or user(s) it's certified to be, its validity period, ID and serial
|
|
number, and the fingerprint of the signing CA.
|
|
|
|
\dt \cw{text}
|
|
|
|
\dd Save a textual dump of the numeric components comprising the key
|
|
(both the public and private parts, if present). Useful for debugging,
|
|
or for using PuTTYgen as a key generator for applications other than
|
|
SSH.
|
|
|
|
\lcont{
|
|
The output consists of a series of \cw{name=value} lines, where each
|
|
\c{value} is either a C-like string literal in double quotes, a
|
|
hexadecimal number starting with \cw{0x...}, or a binary blob
|
|
encoded with base64, denoted by \cw{b64("...")}.
|
|
}
|
|
|
|
If no output type is specified, the default is \c{private}.
|
|
|
|
}
|
|
|
|
\dt \cw{\-o} \e{output\-file}
|
|
|
|
\dd Specify the file where \c{puttygen} should write its output. If
|
|
this option is not specified, \c{puttygen} will assume you want to
|
|
overwrite the original file if the input and output file types are
|
|
the same (changing a comment or passphrase), and will assume you
|
|
want to output to stdout if you are asking for a public key,
|
|
fingerprint, or one of the textual dump types. Otherwise, the
|
|
\c{\-o} option is required.
|
|
|
|
\dt \cw{\-l}
|
|
|
|
\dd Synonym for \q{\cw{-O fingerprint}}.
|
|
|
|
\dt \cw{\-L}
|
|
|
|
\dd Synonym for \q{\cw{-O public-openssh}}.
|
|
|
|
\dt \cw{\-p}
|
|
|
|
\dd Synonym for \q{\cw{-O public}}.
|
|
|
|
\dt \cw{\-\-cert\-info}
|
|
|
|
\dd Synonym for \q{\cw{-O cert-info}}.
|
|
|
|
\dt \cw{\-\-dump}
|
|
|
|
\dd Synonym for \q{\cw{-O text}}.
|
|
|
|
\dt \cw{-E} \e{fptype}
|
|
|
|
\dd Specify the algorithm to use if generating a fingerprint. The
|
|
available algorithms are are \cw{sha256} (the default) and \cw{md5}.
|
|
|
|
\lcont{
|
|
|
|
By default, when showing the fingerprint of a public key that includes
|
|
a certificate, \c{puttygen} will not include the certificate, so that
|
|
the fingerprint shown will be the same as the underlying public key.
|
|
If you want the fingerprint including the certificate (for example, so
|
|
as to tell two certified keys apart), you can specify \cw{sha256-cert}
|
|
or \cw{md5-cert} as the fingerprint type.
|
|
|
|
}
|
|
|
|
\dt \cw{\-\-new\-passphrase} \e{file}
|
|
|
|
\dd Specify a file name; the first line will be read from this file
|
|
(removing any trailing newline) and used as the new passphrase. If the
|
|
file is empty then the saved key will be unencrypted. \s{CAUTION:} If
|
|
the passphrase is important, the file should be stored on a temporary
|
|
filesystem or else securely erased after use.
|
|
|
|
The following options do not run PuTTYgen as normal, but print
|
|
informational messages and then quit:
|
|
|
|
\dt \cw{\-h}, \cw{\-\-help}
|
|
|
|
\dd Display a message summarizing the available options.
|
|
|
|
\dt \cw{\-V}, \cw{\-\-version}
|
|
|
|
\dd Display the version of PuTTYgen.
|
|
|
|
\dt \cw{\-\-pgpfp}
|
|
|
|
\dd Display the fingerprints of the PuTTY PGP Master Keys, to aid
|
|
in verifying new files released by the PuTTY team.
|
|
|
|
\S{puttygen-manpage-examples} EXAMPLES
|
|
|
|
To generate an SSH-2 RSA key pair and save it in PuTTY's own format
|
|
(you will be prompted for the passphrase):
|
|
|
|
\c puttygen -t rsa -C "my home key" -o mykey.ppk
|
|
|
|
To generate a larger (4096-bit) key:
|
|
|
|
\c puttygen -t rsa -b 4096 -C "my home key" -o mykey.ppk
|
|
|
|
To change the passphrase on a key (you will be prompted for the old
|
|
and new passphrases):
|
|
|
|
\c puttygen -P mykey.ppk
|
|
|
|
To change the comment on a key:
|
|
|
|
\c puttygen -C "new comment" mykey.ppk
|
|
|
|
To convert a key into OpenSSH's private key format:
|
|
|
|
\c puttygen mykey.ppk -O private-openssh -o my-openssh-key
|
|
|
|
To convert a key \e{from} another format (\c{puttygen} will
|
|
automatically detect the input key type):
|
|
|
|
\c puttygen my-ssh.com-key -o mykey.ppk
|
|
|
|
To display the SHA-256 fingerprint of a key (some key types require a
|
|
passphrase to extract even this much information):
|
|
|
|
\c puttygen -l mykey.ppk
|
|
|
|
To add the OpenSSH-format public half of a key to your authorised
|
|
keys file:
|
|
|
|
\c puttygen -L mykey.ppk >> $HOME/.ssh/authorized_keys
|