Difference between revisions of "Ssh-keygen (command)"
Jump to navigation
Jump to search
↑ http://man7.org/linux/man-pages/man1/ssh-keygen.1.html
↑ https://superuser.com/questions/421997/what-is-a-ssh-key-fingerprint-and-how-is-it-generated
↑ https://www.openssh.com/txt/release-8.1
↑ https://wiki.archlinux.org/index.php/SSH_keys#Changing_the_private_key's_passphrase_without_changing_the_key
↑ https://wiki.archlinux.org/index.php/SSH_keys#Changing_the_private_key's_passphrase_without_changing_the_key
Tags: Mobile web edit, Mobile edit |
|||
| (83 intermediate revisions by 5 users not shown) | |||
| Line 1: | Line 1: | ||
| − | <code>ssh-keygen</code><ref>http://man7.org/linux/man-pages/man1/ssh-keygen.1.html</ref> is an [[OpenSSH]] software command used to generate, manage, and convert [[authentication keys]]. It support at least four different key types [[RSA]], [[DSA]], [[ECDSA]] and [[ed25519]]. | + | {{lowercase}} |
| + | <code>ssh-keygen</code><ref>http://man7.org/linux/man-pages/man1/ssh-keygen.1.html</ref> is an [[OpenSSH]] software command used to generate, manage, and convert [[authentication keys]]. It support at least four different [[key]] types [[RSA]], [[DSA]], [[ECDSA]] and [[ed25519]]. | ||
| + | * https://www.man7.org/linux/man-pages/man1/ssh-keygen.1.html | ||
| − | + | [[~/.ssh/]] | |
| − | |||
| − | |||
| − | |||
| − | * <code>ssh-keygen - | + | == Commands == |
| + | * <code>[[ssh-keygen --help]]</code> | ||
| + | * <code>[[ssh-keygen -s]]</code> | ||
| + | * <code>[[ssh-keygen -p]]</code> | ||
| + | == Generate a key par == | ||
| + | * <code>[[ssh-keygen]]</code> | ||
| + | * <code>[[ssh-keygen -t ed25519]]</code> (There is no need to set the [[key size]], as all [[ed25519]] keys are 256 bits) other options: | ||
| + | <code>[-t [[dsa]] | [[ecdsa]] | [[ecdsa-sk]] | [[ed25519]] | [[ed25519-sk]] | [[ssh-keygen -t rsa|rsa]]]</code> | ||
| + | |||
| + | :::::Two files will be generated, one your private key and a second file containing second key (<code>[[.pub]]</code> extension) | ||
| + | |||
| + | * <code>ssh-keygen -t ed25519 -f ~/.ssh/your_new_ed25519_key</code> | ||
| + | |||
| + | * <code>ssh-keygen -t ed25519 -f ~/.ssh/your_new_ed25519_key -C "your_coment_or_email_address</code> | ||
| + | |||
| + | |||
| + | * <code>[[ssh-keygen -t rsa]]</code> | ||
* <code>ssh-keygen -t [[rsa]] -f your_new_rsa_key</code> | * <code>ssh-keygen -t [[rsa]] -f your_new_rsa_key</code> | ||
| + | * <code>[[ssh-keygen -A]]</code> Generate all (<code>-A</code>) [[rsa]], [[dsa]], [[ecdsa]] and [[ed25519]] key types. | ||
| − | * Convert | + | * Generate [[FIDO]] key: |
| + | *<code>ssh-keygen -t [[ecdsa-sk]] -f ~/.ssh/id_ecdsa_sk</code> | ||
| + | *<code>Generating public/private ecdsa-sk key pair.</code> | ||
| + | |||
| + | Generate with [[PEM]] format: | ||
| + | * <code>[[ssh-keygen -m]] [[PEM]]</code> | ||
| + | * <code>ssh-keygen -m PEM -t rsa -f your_new_rsa_key[[.pem]]</code> | ||
| + | |||
| + | == Convert == | ||
ssh-keygen -e -m [[PEM]] -f private_key_in_ed25519_format | ssh-keygen -e -m [[PEM]] -f private_key_in_ed25519_format | ||
do_convert_to_pem: unsupported key type [[ED25519]] | do_convert_to_pem: unsupported key type [[ED25519]] | ||
| − | * <code>ssh-keygen -l -f / | + | * <code>ssh-keygen -l -f ~/.ssh/ssh_host_XXXXkey.pub</code> |
| − | + | * <code>-l Show [[fingerprint]] of specified public key file.</code> | |
| + | |||
| + | * <code>.ssh_host_XXXXkey.pub is not a public key file.</code> | ||
| − | + | ===Legacy format=== | |
| − | See also: [[puttygen]] -O fingerprint | + | <ref>https://superuser.com/questions/421997/what-is-a-ssh-key-fingerprint-and-how-is-it-generated</ref> |
| + | * <code>ssh-keygen -l -E [[md5]] -f ~/.ssh/ssh_host_XXXXkey.pub</code> | ||
| + | |||
| + | See also: [[puttygen]] -O [[fingerprint]] | ||
* <code>ssh-keygen -vF host</code> (-v flag added in OpenSSH 8.1<ref>https://www.openssh.com/txt/release-8.1</ref>) | * <code>ssh-keygen -vF host</code> (-v flag added in OpenSSH 8.1<ref>https://www.openssh.com/txt/release-8.1</ref>) | ||
| + | |||
| + | == Changelog == | ||
| + | * [[OpenSSH 7.8]], released in August 2018 Incompatible changes: ssh-keygen write OpenSSH format private keys by default instead of using [[OpenSSL]]'s [[PEM]] format. | ||
==Activities== | ==Activities== | ||
| Line 27: | Line 59: | ||
:::<code>ssh-keygen -t ed25519</code> | :::<code>ssh-keygen -t ed25519</code> | ||
* Solve" "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" warning: | * Solve" "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" warning: | ||
| − | ::<code>ssh-keygen -R SERVER_NAME</code> -R Removes all keys belonging to hostname from a known_hosts file | + | ::<code>ssh-keygen -R SERVER_NAME</code> -R Removes all keys belonging to hostname from a <code>[[known_hosts]]</code> file |
::<code>ssh -oStrictHostKeyChecking=no SERVER_NAME</code> Temporarily turning off host key checking | ::<code>ssh -oStrictHostKeyChecking=no SERVER_NAME</code> Temporarily turning off host key checking | ||
| − | Both solutions have security implications. | + | :::Both solutions have security implications. |
| − | * Understand different key types: dsa, ecdsa, ed25519 and [[ | + | * Understand different key types: <code>[[dsa]]</code>, <code>[[ecdsa]]</code>, <code>[[ed25519]]</code> and <code>[[RSA]]</code> |
| − | * Generate public key from private key: | + | |
| − | ::<code>ssh-keygen -y -f ~/.ssh/id_rsa > ~./.ssh/id_rsa.pub</code> | + | * Change or encrypt private key withouth changing the key: <ref>https://wiki.archlinux.org/index.php/SSH_keys#Changing_the_private_key's_passphrase_without_changing_the_key</ref> |
| + | <code>[[ssh-keygen -f]] ~/.ssh/id_rsa -p</code> | ||
| + | |||
| + | * Generate [[public key]] from [[private key]]: | ||
| + | ::<code>[[ssh-keygen -y]] -f ~/.ssh/id_rsa > ~./.ssh/[[id_rsa.pub]]</code> | ||
* Generate a key par with old [[PEM]] format using: | * Generate a key par with old [[PEM]] format using: | ||
| − | ::<code>ssh-keygen -m [[PEM]]</code> | + | ::<code>[[ssh-keygen -m]] [[PEM]]</code> |
* Changing the private key's passphrase without changing the key<ref>https://wiki.archlinux.org/index.php/SSH_keys#Changing_the_private_key's_passphrase_without_changing_the_key</ref> | * Changing the private key's passphrase without changing the key<ref>https://wiki.archlinux.org/index.php/SSH_keys#Changing_the_private_key's_passphrase_without_changing_the_key</ref> | ||
| − | <code>ssh-keygen -f ~/.ssh/id_rsa -p</code> | + | <code>ssh-keygen -f ~/.ssh/[[id_rsa]] -p</code> |
: <code>-p</code> change the passphrase of a private key file | : <code>-p</code> change the passphrase of a private key file | ||
| − | == Related | + | * Generate [[fingerprint]] or ID of a key |
| + | [[ssh-keygen -lf]] your_key.pub | ||
| + | 2048 SHA256:u6IaFqRcwp0QX0nPBa/HHB2k/g73tH+YkoaE0riGRAT NAME@XX (RSA) | ||
| + | |||
| + | ssh-keygen -lf your_key | ||
| + | your_key is not a key file. | ||
| + | |||
| + | == Related terms == | ||
* <code>[[ssh-copy-id]]</code> | * <code>[[ssh-copy-id]]</code> | ||
| − | * <code>[[openssl]]</code> | + | * <code>[[openssl]]</code>: <code>[[openssl rsa]]</code>, <code>[[openssl genrsa]]</code>, <code>[[openssl req]]</code> |
* <code>[[puttygen]]</code> ([[PuTTY]]) | * <code>[[puttygen]]</code> ([[PuTTY]]) | ||
| + | * [[0600]] | ||
| + | * [[Cisco IOS/Configure public RSA key authentication]] | ||
| + | * [[Terraform resource]]: <code>[[Terraform resource: tls private key|tls_private_key]]</code> | ||
| + | * <code>[[aws ec2 create-key-pair]]</code> | ||
| + | * <code>[[gcloud iam service-accounts keys create]]</code> | ||
| + | * <code>[[gcloud kms keys create]]</code> | ||
| + | * <code>[[gpg --gen-key]]</code> | ||
| + | * Terraform: <code>[[aws_key_pair]]</code> | ||
| + | * Create new [[x509]] certificate: <code>[[Create new x509 certificate: openssl req -x509 -newkey|openssl req -x509 -newkey]]</code> | ||
| + | * [[geth account new]] | ||
== See also == | == See also == | ||
| − | + | * {{ssh-keygen}} | |
| − | * {{ | ||
* {{OpenSSH}} | * {{OpenSSH}} | ||
| − | * | + | * {{Kerberos}} |
| − | * | + | * {{key}} |
| + | |||
| − | [[Category: | + | [[Category:OpenSSH]] |
[[Category:Cryptography]] | [[Category:Cryptography]] | ||
| + | [[Category:ssh-keygen]] | ||
[[Category:Security]] | [[Category:Security]] | ||
Latest revision as of 15:46, 8 May 2024
ssh-keygen[1] is an OpenSSH software command used to generate, manage, and convert authentication keys. It support at least four different key types RSA, DSA, ECDSA and ed25519.
~/.ssh/
Contents
Commands[edit]
Generate a key par[edit]
ssh-keygenssh-keygen -t ed25519(There is no need to set the key size, as all ed25519 keys are 256 bits) other options:
[-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]
- Two files will be generated, one your private key and a second file containing second key (
.pubextension)
- Two files will be generated, one your private key and a second file containing second key (
ssh-keygen -t ed25519 -f ~/.ssh/your_new_ed25519_key
ssh-keygen -t ed25519 -f ~/.ssh/your_new_ed25519_key -C "your_coment_or_email_address
ssh-keygen -t rsassh-keygen -t rsa -f your_new_rsa_key
ssh-keygen -AGenerate all (-A) rsa, dsa, ecdsa and ed25519 key types.
- Generate FIDO key:
ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_skGenerating public/private ecdsa-sk key pair.
Generate with PEM format:
ssh-keygen -m PEMssh-keygen -m PEM -t rsa -f your_new_rsa_key.pem
Convert[edit]
ssh-keygen -e -m PEM -f private_key_in_ed25519_format do_convert_to_pem: unsupported key type ED25519
ssh-keygen -l -f ~/.ssh/ssh_host_XXXXkey.pub-l Show fingerprint of specified public key file.
.ssh_host_XXXXkey.pub is not a public key file.
Legacy format[edit]
ssh-keygen -l -E md5 -f ~/.ssh/ssh_host_XXXXkey.pub
See also: puttygen -O fingerprint
ssh-keygen -vF host(-v flag added in OpenSSH 8.1[3])
Changelog[edit]
- OpenSSH 7.8, released in August 2018 Incompatible changes: ssh-keygen write OpenSSH format private keys by default instead of using OpenSSL's PEM format.
Activities[edit]
- Generate a new public private key using
ed25519key format using the following command:
ssh-keygen -t ed25519
- Solve" "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" warning:
ssh-keygen -R SERVER_NAME-R Removes all keys belonging to hostname from aknown_hostsfilessh -oStrictHostKeyChecking=no SERVER_NAMETemporarily turning off host key checking- Both solutions have security implications.
- Change or encrypt private key withouth changing the key: [4]
ssh-keygen -f ~/.ssh/id_rsa -p
- Generate public key from private key:
ssh-keygen -y -f ~/.ssh/id_rsa > ~./.ssh/id_rsa.pub
- Generate a key par with old PEM format using:
- Changing the private key's passphrase without changing the key[5]
ssh-keygen -f ~/.ssh/id_rsa -p
-pchange the passphrase of a private key file
- Generate fingerprint or ID of a key
ssh-keygen -lf your_key.pub 2048 SHA256:u6IaFqRcwp0QX0nPBa/HHB2k/g73tH+YkoaE0riGRAT NAME@XX (RSA)
ssh-keygen -lf your_key your_key is not a key file.
Related terms[edit]
ssh-copy-idopenssl:openssl rsa,openssl genrsa,openssl reqputtygen(PuTTY)- 0600
- Cisco IOS/Configure public RSA key authentication
- Terraform resource:
tls_private_key aws ec2 create-key-pairgcloud iam service-accounts keys creategcloud kms keys creategpg --gen-key- Terraform:
aws_key_pair - Create new x509 certificate:
openssl req -x509 -newkey - geth account new
See also[edit]
ssh-keygen[-R,-t|-p|-i|-y | -f | ~/.ssh/id_rsa|--help ] ~/.ssh/known_hosts- OpenSSH (changelog):
/etc/ssh/sshd_config|/etc/ssh/ssh_config|~/.ssh/|openSSL | sshd logs|sftp|scp|authorized_keys|ssh-keygen|ssh-keyscan|ssh-add|ssh-agent|ssh|Ssh -O stop|ssh-copy-id|CheckHostIP|UseKeychain, OpenSSF - AAA, Kerberos, KDC,
kinit, klist, ktutil, /etc/krb5.conf, krb5-workstation, pam_krb5 - Public key cryptography,
private key,public key,key length,ssh-keygen,ssh-keyscan, Root certificate, KEX, Generate a key
Advertising:
