Difference between revisions of "Ssh-keygen (command)"

From wikieduonline
Jump to navigation Jump to search
(Created page with "<code>ssh-keygen</code><ref>http://man7.org/linux/man-pages/man1/ssh-keygen.1.html</ref> is an OpenSSH software command used to generate, manage, and convert authenticat...")
 
 
(113 intermediate revisions by 5 users not shown)
Line 1: Line 1:
<code>ssh-keygen</code><ref>http://man7.org/linux/man-pages/man1/ssh-keygen.1.html</ref> is an [[OpenSSH]] software command used to generate, manage, and convert [[authentication keys]]. It support at least four different key types [[RSA]], [[DSA]], [[ECDSA]] and [[ed25519]].
+
{{lowercase}}
 +
<code>ssh-keygen</code><ref>http://man7.org/linux/man-pages/man1/ssh-keygen.1.html</ref> is an [[OpenSSH]] software command used to generate, manage, and convert [[authentication keys]]. It support at least four different [[key]] types [[RSA]], [[DSA]], [[ECDSA]] and [[ed25519]].
 +
* https://www.man7.org/linux/man-pages/man1/ssh-keygen.1.html
 +
 
 +
[[~/.ssh/]]
 +
 
 +
== Commands ==
 +
* <code>[[ssh-keygen --help]]</code>
 +
* <code>[[ssh-keygen -s]]</code>
 +
* <code>[[ssh-keygen -p]]</code>
 +
 
 +
== Generate a key par ==
 +
* <code>[[ssh-keygen]]</code>
 +
* <code>[[ssh-keygen -t ed25519]]</code> (There is no need to set the [[key size]], as all [[ed25519]] keys are 256 bits) other options:
 +
<code>[-t [[dsa]] | [[ecdsa]] | [[ecdsa-sk]] | [[ed25519]] | [[ed25519-sk]] | [[ssh-keygen -t rsa|rsa]]]</code>
 +
 
 +
:::::Two files will be generated, one your private key and a second file containing second key (<code>[[.pub]]</code> extension)
 +
 
 +
* <code>ssh-keygen -t ed25519 -f ~/.ssh/your_new_ed25519_key</code>
 +
 
 +
* <code>ssh-keygen -t ed25519 -f ~/.ssh/your_new_ed25519_key -C "your_coment_or_email_address</code>
 +
 
 +
 
 +
* <code>[[ssh-keygen -t rsa]]</code>
 +
* <code>ssh-keygen -t [[rsa]] -f your_new_rsa_key</code>
 +
 
 +
* <code>[[ssh-keygen -A]]</code> Generate all (<code>-A</code>) [[rsa]], [[dsa]], [[ecdsa]] and [[ed25519]] key types.
 +
 
 +
* Generate [[FIDO]] key:
 +
*<code>ssh-keygen -t [[ecdsa-sk]] -f ~/.ssh/id_ecdsa_sk</code>
 +
*<code>Generating public/private ecdsa-sk key pair.</code>
 +
 
 +
Generate with [[PEM]] format:
 +
* <code>[[ssh-keygen -m]] [[PEM]]</code>
 +
* <code>ssh-keygen -m PEM -t rsa -f your_new_rsa_key[[.pem]]</code>
 +
 
 +
== Convert ==
 +
ssh-keygen -e -m [[PEM]] -f private_key_in_ed25519_format
 +
do_convert_to_pem: unsupported key type [[ED25519]]
 +
 
 +
* <code>ssh-keygen -l -f ~/.ssh/ssh_host_XXXXkey.pub</code>
 +
* <code>-l      Show [[fingerprint]] of specified public key file.</code>
 +
 
 +
* <code>.ssh_host_XXXXkey.pub is not a public key file.</code>
 +
 
 +
===Legacy format===
 +
<ref>https://superuser.com/questions/421997/what-is-a-ssh-key-fingerprint-and-how-is-it-generated</ref>
 +
* <code>ssh-keygen -l -E [[md5]] -f ~/.ssh/ssh_host_XXXXkey.pub</code>
 +
 
 +
See also: [[puttygen]] -O [[fingerprint]]
  
==Commands==
 
* <code>ssh-keygen -l -f /etc/ssh/ssh_host_XXXXkey.pub</code>
 
 
* <code>ssh-keygen -vF host</code> (-v flag added in OpenSSH 8.1<ref>https://www.openssh.com/txt/release-8.1</ref>)
 
* <code>ssh-keygen -vF host</code> (-v flag added in OpenSSH 8.1<ref>https://www.openssh.com/txt/release-8.1</ref>)
* <code>ssh-keygen -t ed25519</code> (There is no need to set the key size, as all Ed25519 keys are 256 bits) other options: <code>[-t dsa | ecdsa | ed25519 | [[rsa]]]</code>
+
 
 +
== Changelog ==
 +
* [[OpenSSH 7.8]], released in August 2018 Incompatible changes: ssh-keygen write OpenSSH format private keys by default instead of using [[OpenSSL]]'s [[PEM]] format.
  
 
==Activities==
 
==Activities==
# Generate a public private key using ed25519 key format using the following command: <code>ssh-keygen -t ed25519</code>
+
* Generate a new [[public private key]] using <code>[[ed25519]]</code> key format using the following command:
# Solve" "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" warning:  
+
:::<code>ssh-keygen -t ed25519</code>
::<code>ssh-keygen -R SERVER_NAME</code> -R Removes all keys belonging to hostname from a known_hosts file
+
* Solve" "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" warning:  
 +
::<code>ssh-keygen -R SERVER_NAME</code> -R Removes all keys belonging to hostname from a <code>[[known_hosts]]</code> file
 
::<code>ssh -oStrictHostKeyChecking=no SERVER_NAME</code> Temporarily turning off host key checking
 
::<code>ssh -oStrictHostKeyChecking=no SERVER_NAME</code> Temporarily turning off host key checking
Both solutions have security implications.
+
:::Both solutions have security implications.
# Understand different key types: dsa, ecdsa, ed25519 and [[rsa]]
+
* Understand different key types: <code>[[dsa]]</code>, <code>[[ecdsa]]</code>, <code>[[ed25519]]</code> and <code>[[RSA]]</code>
 +
 
 +
* Change or encrypt private key withouth changing the key: <ref>https://wiki.archlinux.org/index.php/SSH_keys#Changing_the_private_key's_passphrase_without_changing_the_key</ref>
 +
<code>[[ssh-keygen -f]] ~/.ssh/id_rsa -p</code>
 +
 
 +
* Generate [[public key]] from [[private key]]:
 +
::<code>[[ssh-keygen -y]] -f ~/.ssh/id_rsa > ~./.ssh/[[id_rsa.pub]]</code>
 +
* Generate a key par with old [[PEM]] format using:
 +
::<code>[[ssh-keygen -m]] [[PEM]]</code>
 +
 
 +
* Changing the private key's passphrase without changing the key<ref>https://wiki.archlinux.org/index.php/SSH_keys#Changing_the_private_key's_passphrase_without_changing_the_key</ref>
 +
<code>ssh-keygen -f ~/.ssh/[[id_rsa]] -p</code>
 +
: <code>-p</code> change the passphrase of a private key file
 +
 
 +
* Generate [[fingerprint]] or ID of a key
 +
[[ssh-keygen -lf]] your_key.pub
 +
2048 SHA256:u6IaFqRcwp0QX0nPBa/HHB2k/g73tH+YkoaE0riGRAT NAME@XX (RSA)
 +
 
 +
ssh-keygen -lf your_key
 +
your_key is not a key file.
 +
 
 +
== Related terms ==
 +
* <code>[[ssh-copy-id]]</code>
 +
* <code>[[openssl]]</code>: <code>[[openssl rsa]]</code>, <code>[[openssl genrsa]]</code>, <code>[[openssl req]]</code>
 +
* <code>[[puttygen]]</code> ([[PuTTY]])
 +
* [[0600]]
 +
* [[Cisco IOS/Configure public RSA key authentication]]
 +
* [[Terraform resource]]: <code>[[Terraform resource: tls private key|tls_private_key]]</code>
 +
* <code>[[aws ec2 create-key-pair]]</code>
 +
* <code>[[gcloud iam service-accounts keys create]]</code>
 +
* <code>[[gcloud kms keys create]]</code>
 +
* <code>[[gpg --gen-key]]</code>
 +
* Terraform: <code>[[aws_key_pair]]</code>
 +
* Create new [[x509]] certificate: <code>[[Create new x509 certificate: openssl req -x509 -newkey|openssl req -x509 -newkey]]</code>
 +
* [[geth account new]]
  
 
== See also ==
 
== See also ==
* [[Certification Authority]]
+
* {{ssh-keygen}}
* [[OpenSSH/OpenSSH versions Release Notes]]/ Changelog
+
* {{OpenSSH}}
* [[Kerberos]]
+
* {{Kerberos}}
* [[Cisco IOS/Configure public RSA key authentication]]
+
* {{key}}
 +
 
  
[[Category:Server administration]]
+
[[Category:OpenSSH]]
 
[[Category:Cryptography]]
 
[[Category:Cryptography]]
 +
[[Category:ssh-keygen]]
 
[[Category:Security]]
 
[[Category:Security]]

Latest revision as of 15:46, 8 May 2024

ssh-keygen[1] is an OpenSSH software command used to generate, manage, and convert authentication keys. It support at least four different key types RSA, DSA, ECDSA and ed25519.

~/.ssh/

Commands[edit]

Generate a key par[edit]

[-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]

Two files will be generated, one your private key and a second file containing second key (.pub extension)
  • ssh-keygen -t ed25519 -f ~/.ssh/your_new_ed25519_key
  • ssh-keygen -t ed25519 -f ~/.ssh/your_new_ed25519_key -C "your_coment_or_email_address


  • Generate FIDO key:
  • ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
  • Generating public/private ecdsa-sk key pair.

Generate with PEM format:

Convert[edit]

ssh-keygen -e -m PEM -f private_key_in_ed25519_format
do_convert_to_pem: unsupported key type ED25519
  • ssh-keygen -l -f ~/.ssh/ssh_host_XXXXkey.pub
  • -l Show fingerprint of specified public key file.
  • .ssh_host_XXXXkey.pub is not a public key file.

Legacy format[edit]

[2]

  • ssh-keygen -l -E md5 -f ~/.ssh/ssh_host_XXXXkey.pub

See also: puttygen -O fingerprint

  • ssh-keygen -vF host (-v flag added in OpenSSH 8.1[3])

Changelog[edit]

  • OpenSSH 7.8, released in August 2018 Incompatible changes: ssh-keygen write OpenSSH format private keys by default instead of using OpenSSL's PEM format.

Activities[edit]

ssh-keygen -t ed25519
  • Solve" "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" warning:
ssh-keygen -R SERVER_NAME -R Removes all keys belonging to hostname from a known_hosts file
ssh -oStrictHostKeyChecking=no SERVER_NAME Temporarily turning off host key checking
Both solutions have security implications.
  • Change or encrypt private key withouth changing the key: [4]

ssh-keygen -f ~/.ssh/id_rsa -p

ssh-keygen -y -f ~/.ssh/id_rsa > ~./.ssh/id_rsa.pub
  • Generate a key par with old PEM format using:
ssh-keygen -m PEM
  • Changing the private key's passphrase without changing the key[5]

ssh-keygen -f ~/.ssh/id_rsa -p

-p change the passphrase of a private key file
ssh-keygen -lf your_key.pub
2048 SHA256:u6IaFqRcwp0QX0nPBa/HHB2k/g73tH+YkoaE0riGRAT NAME@XX (RSA)
ssh-keygen -lf your_key
your_key is not a key file.

Related terms[edit]

See also[edit]

  • http://man7.org/linux/man-pages/man1/ssh-keygen.1.html
  • https://superuser.com/questions/421997/what-is-a-ssh-key-fingerprint-and-how-is-it-generated
  • https://www.openssh.com/txt/release-8.1
  • https://wiki.archlinux.org/index.php/SSH_keys#Changing_the_private_key's_passphrase_without_changing_the_key
  • https://wiki.archlinux.org/index.php/SSH_keys#Changing_the_private_key's_passphrase_without_changing_the_key
  • Advertising: