ssh-keygen (command)

ssh-keygen^[1] is an OpenSSH software command used to generate, manage, and convert authentication keys. It support at least four different key types RSA, DSA, ECDSA and ed25519.

• https://www.man7.org/linux/man-pages/man1/ssh-keygen.1.html

Commands[edit]

• ssh-keygen --help
• ssh-keygen -s

Generate a key par[edit]

• ssh-keygen
• ssh-keygen -t ed25519 (There is no need to set the key size, as all ed25519 keys are 256 bits) other options:

[-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]

Two files will be generated, one your private key and a second file containing second key (.pub extension)

• ssh-keygen -t ed25519 -f your_new_ed25519_key

• ssh-keygen -t ed25519 -f your_new_ed25519_key -C "your_coment_or_email_address

• ssh-keygen -t rsa
• ssh-keygen -t rsa -f your_new_rsa_key

• ssh-keygen -A Generate all (-A) rsa, dsa, ecdsa and ed25519 key types.

• Generate FIDO key:
• ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
• Generating public/private ecdsa-sk key pair.

Generate with PEM format:

• ssh-keygen -m PEM
• ssh-keygen -m PEM -t rsa -f your_new_rsa_key.pem

Convert[edit]

ssh-keygen -e -m PEM -f private_key_in_ed25519_format
do_convert_to_pem: unsupported key type ED25519

• ssh-keygen -l -f ~/.ssh/ssh_host_XXXXkey.pub
• -l Show fingerprint of specified public key file.

• .ssh_host_XXXXkey.pub is not a public key file.

Legacy format[edit]

^[2]

• ssh-keygen -l -E md5 -f ~/.ssh/ssh_host_XXXXkey.pub

See also: puttygen -O fingerprint

• ssh-keygen -vF host (-v flag added in OpenSSH 8.1^[3])

Changelog[edit]

• OpenSSH 7.8, released in August 2018 Incompatible changes: ssh-keygen write OpenSSH format private keys by default instead of using OpenSSL's PEM format.

Activities[edit]

• Generate a new public private key using ed25519 key format using the following command:

ssh-keygen -t ed25519

• Solve" "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" warning:

ssh-keygen -R SERVER_NAME -R Removes all keys belonging to hostname from a known_hosts file

ssh -oStrictHostKeyChecking=no SERVER_NAME Temporarily turning off host key checking

Both solutions have security implications.

• Understand different key types: dsa, ecdsa, ed25519 and RSA

• Change or encrypt private key withouth changing the key: ^[4]

ssh-keygen -f ~/.ssh/id_rsa -p

• Generate public key from private key:

ssh-keygen -y -f ~/.ssh/id_rsa > ~./.ssh/id_rsa.pub

• Generate a key par with old PEM format using:

ssh-keygen -m PEM

• Changing the private key's passphrase without changing the key^[5]

ssh-keygen -f ~/.ssh/id_rsa -p

-p change the passphrase of a private key file

• Generate fingerprint or ID of a key

ssh-keygen -lf your_key.pub
2048 SHA256:u6IaFqRcwp0QX0nPBa/HHB2k/g73tH+YkoaE0riGRAT NAME@XX (RSA)

ssh-keygen -lf your_key
your_key is not a key file.

Related terms[edit]

• ssh-copy-id
• openssl: openssl rsa, openssl genrsa, openssl req
• puttygen (PuTTY)
• 0600
• Cisco IOS/Configure public RSA key authentication
• Terraform resource: tls_private_key
• aws ec2 create-key-pair
• gcloud iam service-accounts keys create
• gcloud kms keys create
• gpg --gen-key
• Terraform: aws_key_pair

See also[edit]

• ssh-keygen [ -t | -p | -i | -y | -f | ~/.ssh/id_rsa | --help ]
• OpenSSH (changelog): /etc/ssh/sshd_config | /etc/ssh/ssh_config | ~/.ssh/ | openSSL | sshd logs | sftp | scp | authorized_keys | ssh-keygen | ssh-keyscan | ssh-add | ssh-agent | ssh | Ssh -O stop | ssh-copy-id | CheckHostIP | UseKeychain
• AAA, Kerberos, KDC, kinit, klist
• Public key cryptography, private key, public key, key length, ssh-keygen, ssh-keyscan, Root certificate, KEX, Generate a key

↑ http://man7.org/linux/man-pages/man1/ssh-keygen.1.html

↑ https://superuser.com/questions/421997/what-is-a-ssh-key-fingerprint-and-how-is-it-generated

↑ https://www.openssh.com/txt/release-8.1

↑ https://wiki.archlinux.org/index.php/SSH_keys#Changing_the_private_key's_passphrase_without_changing_the_key

↑ https://wiki.archlinux.org/index.php/SSH_keys#Changing_the_private_key's_passphrase_without_changing_the_key