sshkeygen.exe
Every Secure Shell node, client or server, needs an RSA or DSA key. This key is actually a pair of keys, one public and one private, and is generated by the sshkeygen.exe program. The public part can be distributed widely so that other machines can talk to this machine; the private part must be stored securely. Like other ssh vendors, our ssh key implementation is file based: the public part of the key is one file and the private part is another, and the files are named in pairs. So if you give the key name "mymachine" to the sshkeygen program, it stores the public part of the key in the "mymachine.pub" file and the private part in the "mymachine" file.
To avoid manual work, our install package automatically generates a machine key pair during installation using the sshkeygen.exe program and stores it in a subdirectory of the installation folder. The ssh1 private key is stored in the "SSHD\ssh_host_key" file and the ssh1 public key in "SSHD\ssh_host_key.pub". The ssh2 private key is stored in "SSHD\ssh2_host_key" and the ssh2 public key in "SSHD\ssh2_host_key.pub". These keys can be regenerated if desired.
To simplify key distribution, ssh automatically sends a machine's public key to a peer that does not already have it in its information base. This public key information base is stored in the text file "Toolkit\.ssh\known_hosts". So as an administrator, you do not have to distribute public keys to machines manually; ssh builds the public key information base automatically as it encounters new machines on the network.
It is critical to guard the private part of any RSA or DSA key. Files such as mymachine and ssh_host_key must therefore be protected by NTFS permissions so that only authorized persons have read access to them. For this reason, we urge you to install the ssh packages on a secured NTFS file system.
Like machines, each individual who uses the ssh client needs an RSA or DSA key pair, generated by the sshkeygen.exe program. This key file name is what you specify in the "ssh -i mykey" part of the invocation. If no key name is given with the -i option, the key in "Toolkit\.ssh\identity" is used.
During installation of the ssh client, the install package automatically generates the keys and stores them in a subdirectory of the installation directory. The installation generates the RSA keys for ssh1 ("Toolkit\.ssh\identity" and "Toolkit\.ssh\identity.pub") and ssh2 ("Toolkit\.ssh\id_rsa" and "Toolkit\.ssh\id_rsa.pub"), and the DSA key ("Toolkit\.ssh\id_dsa" and "Toolkit\.ssh\id_dsa.pub"), to represent the currently logged-on user. Additional key sets can be generated at any time by running the sshkeygen.exe program.
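As an added check for the NTFS requirement described above (this script is not part of the toolkit; the install folder path and the list of principals allowed to read a key are assumptions), the following PowerShell audits the private key files named in this document and reports any other principal that can read them:

```powershell
# Added example: audit NTFS permissions on the toolkit's private key files.
# Assumptions: $InstallDir is the toolkit install folder (placeholder path),
# and $Allowed lists the only principals that should be able to read a key.
$InstallDir = 'C:\PLACEHOLDER\SSH'   # placeholder: set to your install folder
$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             "$env:USERDOMAIN\$env:USERNAME")

# Private key files as named in the documentation, relative to $InstallDir.
$PrivateKeys = @('SSHD\ssh_host_key', 'SSHD\ssh2_host_key',
                 'Toolkit\.ssh\identity', 'Toolkit\.ssh\id_rsa',
                 'Toolkit\.ssh\id_dsa')

function Get-KeyAclFindings {
    param([string]$Path)
    $findings = @()
    $acl = Get-Acl -Path $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # ReadData is the right that lets a principal read the key bytes;
        # FullControl, Modify, ReadAndExecute and Read all include it.
        $readBit = [System.Security.AccessControl.FileSystemRights]::ReadData
        if (($rule.FileSystemRights -band $readBit) -eq 0) { continue }
        $who = $rule.IdentityReference.Value
        if ($Allowed -notcontains $who) {
            $src = if ($rule.IsInherited) { 'inherited' } else { 'explicit' }
            $findings += "$who can read ($($rule.FileSystemRights), $src)"
        }
    }
    return $findings
}

foreach ($rel in $PrivateKeys) {
    $path = Join-Path $InstallDir $rel
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "MISSING  $path"
        continue
    }
    # The text requires NTFS: FAT volumes carry no ACLs at all.
    $root = [System.IO.Path]::GetPathRoot($path)
    $drive = New-Object -TypeName System.IO.DriveInfo -ArgumentList $root
    if ($drive.DriveFormat -ne 'NTFS') {
        Write-Output "NOT NTFS $path ($($drive.DriveFormat))"
        continue
    }
    $findings = @(Get-KeyAclFindings -Path $path)
    if ($findings.Count -eq 0) {
        Write-Output "OK       $path"
    } else {
        Write-Output "EXPOSED  $path"
        $findings | ForEach-Object { Write-Output "         $_" }
    }
}
```

Inherited entries usually come from the parent folder, so an EXPOSED result is normally fixed by tightening the ACL on the SSHD or Toolkit\.ssh directory rather than on each key file.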
The syntax for sshkeygen is:
sshkeygen [-ceilpqyB] [-t type] [-b bits] [-f file] [-C comment] [-N new-pass] [-P pass]
The options are:

  -c            change existing comment
  -e            export existing ssh1 key to ssh2 key
  -i            import ssh2 key to ssh1 key
  -l            display key fingerprint
  -p            change passphrase from old to new
  -q            generate keys quietly
  -y            display generated public key
  -B            display more fingerprint information
  -t type       type of key to generate: rsa, rsa1, dsa
  -b bits       key bit size
  -f file       file to generate
  -C comment    comments for this user
  -N new-pass   new passphrase, when using the -p option
  -P pass       new passphrase