bssh/docs/man/bssh-keygen.1 at 617128423e11e1c7f920f063d87a07880dbe3821 · lablup/bssh · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
.\" Manpage for bssh-keygen
.\" Contact the maintainers to correct errors or typos.
.TH BSSH-KEYGEN 1 "April 2026" "v2.1.2" "User Commands"

.SH NAME
bssh-keygen \- SSH key pair generation tool

.SH SYNOPSIS
.B bssh-keygen
[\fB\-t\fR \fItype\fR]
[\fB\-b\fR \fIbits\fR]
[\fB\-f\fR \fIfile\fR]
[\fB\-C\fR \fIcomment\fR]
[\fB\-y\fR]
[\fB\-q\fR]

.SH DESCRIPTION
.B bssh-keygen
generates SSH key pairs in OpenSSH format. It supports Ed25519 (recommended) and RSA algorithms.
Generated keys are compatible with OpenSSH and can be used for SSH authentication.

By default, bssh-keygen generates an Ed25519 key pair and saves it to
\fI~/.ssh/id_ed25519\fR (private key) and \fI~/.ssh/id_ed25519.pub\fR (public key).

.SH OPTIONS
.TP
.BR \-t ", " \-\-type " " \fITYPE\fR
Specifies the type of key to generate. Supported types:
.RS
.IP \fBed25519\fR 10
(default, recommended) Ed25519 elliptic curve key. Provides strong security with compact key size
and fast operations.
.IP \fBrsa\fR 10
RSA key. Use \fB-b\fR to specify key size. Supported for compatibility with legacy systems.
.RE

.TP
.BR \-f ", " \-\-file " " \fIFILE\fR
Output file path for the private key. The public key is saved to \fIFILE.pub\fR.
Default: \fI~/.ssh/id_<type>\fR (e.g., ~/.ssh/id_ed25519 for Ed25519 keys)

.TP
.BR \-b ", " \-\-bits " " \fIBITS\fR
Number of bits for RSA key. Only applicable when \fB-t rsa\fR is specified.
.RS
.IP "Minimum:" 10
2048 bits
.IP "Maximum:" 10
16384 bits
.IP "Default:" 10
4096 bits
.IP "Recommended:" 10
4096 bits for new deployments
.RE

.TP
.BR \-C ", " \-\-comment " " \fICOMMENT\fR
Comment to include in the public key. Typically used to identify the key owner.
Default: "bssh-keygen"

Example: \fB-C "user@hostname"\fR

.TP
.BR \-y ", " \-\-yes
Overwrite existing key files without prompting for confirmation.

.TP
.BR \-q ", " \-\-quiet
Quiet mode. Suppress all output except error messages.

.TP
.BR \-v ", " \-\-verbose
Increase verbosity level. Can be specified multiple times (\fB-vvv\fR) for maximum verbosity.

.TP
.BR \-h ", " \-\-help
Display help message and exit.

.TP
.BR \-V ", " \-\-version
Display version information and exit.

.SH KEY TYPES
.SS Ed25519 (Recommended)
Ed25519 is a modern elliptic curve signature algorithm that provides:
.IP \(bu 2
128-bit security level (equivalent to RSA-3072)
.IP \(bu 2
Fast key generation and signing operations
.IP \(bu 2
Compact key size (32 bytes public key, 64 bytes private key)
.IP \(bu 2
Deterministic signatures
.IP \(bu 2
Resistance to side-channel attacks
.PP
Ed25519 is recommended for all new key generation.

.SS RSA
RSA is a widely-used public key algorithm. While still secure with sufficient key sizes
(2048+ bits), Ed25519 is preferred due to:
.IP \(bu 2
Faster key generation and operations
.IP \(bu 2
Smaller key sizes for equivalent security
.IP \(bu 2
Better resistance to implementation errors
.PP
RSA support is provided for compatibility with legacy systems.

.SH OUTPUT
.B bssh-keygen
creates two files:

.TP
.I FILE
Private key in OpenSSH format. This file has permissions 0600 (owner read/write only) and should
be kept secret.

.TP
.I FILE.pub
Public key in OpenSSH format. This file can be shared and added to remote servers'
\fIauthorized_keys\fR files.

.PP
Unless \fB-q\fR is specified, bssh-keygen displays:
.IP \(bu 2
Path to the saved private key
.IP \(bu 2
Path to the saved public key
.IP \(bu 2
SHA256 fingerprint of the key
.IP \(bu 2
The public key content

.SH EXAMPLES
.SS Generate Ed25519 Key (Recommended)
.nf
$ bssh-keygen
Your identification has been saved in /home/user/.ssh/id_ed25519
Your public key has been saved in /home/user/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Public key:
ssh-ed25519 AAAA... bssh-keygen
.fi

.SS Generate Ed25519 Key with Custom Path
.nf
$ bssh-keygen -f ~/.ssh/my_server_key
.fi

.SS Generate Ed25519 Key with Custom Comment
.nf
$ bssh-keygen -C "john@workstation"
.fi

.SS Generate RSA Key with 4096 Bits
.nf
$ bssh-keygen -t rsa -b 4096
.fi

.SS Generate Key Non-Interactively
.nf
$ bssh-keygen -f /tmp/deploy_key -C "deploy@server" -y -q
.fi

.SS Generate Key for CI/CD Pipeline
.nf
#!/bin/bash
# Generate a deployment key
bssh-keygen -t ed25519 -f ./deploy_key -C "ci-deploy" -y -q

# Display public key for adding to server
cat ./deploy_key.pub
.fi

.SH FILES
.TP
.I ~/.ssh/id_ed25519
Default Ed25519 private key.

.TP
.I ~/.ssh/id_ed25519.pub
Default Ed25519 public key.

.TP
.I ~/.ssh/id_rsa
Default RSA private key.

.TP
.I ~/.ssh/id_rsa.pub
Default RSA public key.

.TP
.I ~/.ssh/
Default directory for SSH keys. Created with permissions 0700 if it doesn't exist.

.SH SECURITY CONSIDERATIONS
.IP \(bu 2
Private key files are created with permissions 0600 (owner read/write only).
Never share or expose private key files.
.IP \(bu 2
The ~/.ssh directory is created with permissions 0700 (owner only) if it doesn't exist.
.IP \(bu 2
Ed25519 is recommended over RSA for new keys due to its stronger security properties
and resistance to various attack classes.
.IP \(bu 2
For RSA keys, use at least 2048 bits. 4096 bits is recommended.
.IP \(bu 2
Store private keys securely. Consider using encrypted backup solutions.
.IP \(bu 2
Rotate keys periodically, especially for high-security environments.

.SH EXIT STATUS
.TP
.B 0
Successful key generation.
.TP
.B 1
Error occurred (invalid options, write failure, etc.)

.SH COMPATIBILITY
Keys generated by bssh-keygen are fully compatible with OpenSSH and can be used with:
.IP \(bu 2
OpenSSH client and server
.IP \(bu 2
bssh client
.IP \(bu 2
bssh-server
.IP \(bu 2
Any SSH implementation supporting OpenSSH key formats

.SH BUGS
Report bugs at https://github.com/lablup/bssh/issues

.SH AUTHORS
Written by Jeongkyu Shin <inureyes@gmail.com> and the Lablup team.
.br
Developed and maintained by Lablup Inc. <https://lablup.com> as part of the Backend.AI project.

.SH COPYRIGHT
Copyright (C) 2025 Lablup Inc. and Jeongkyu Shin.
.br
License: Apache-2.0
.br
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

.SH SEE ALSO
.BR bssh (1),
.BR bssh-server (8),
.BR ssh-keygen (1),
.BR ssh (1)

Project homepage: https://github.com/lablup/bssh