
ssh-keygen Command in Linux
ssh-keygen is the OpenSSH utility for generating, inspecting, and converting SSH keys. Key pairs provide passwordless, cryptographically strong authentication between machines and are the standard credential for server administration, CI/CD pipelines, and unattended jobs.
The main job of ssh-keygen is to create a public/private key pair for SSH authentication. Beyond that, it manages existing keys: printing fingerprints, changing passphrases and comments, converting between key file formats, and maintaining the known_hosts file.
Here is a comprehensive guide to the options available with the ssh-keygen command −
Syntax of ssh-keygen Command
The general syntax of the ssh-keygen command is −
ssh-keygen [options]
Where [options] is a set of flags and parameters that control the command's behaviour, such as the output file, the key type, and passphrase handling.
ssh-keygen Command Options
The ssh-keygen command offers the following options for your use.
Option | Description |
---|---|
-a rounds | In current OpenSSH, the number of KDF rounds applied when a private key is saved with a passphrase; more rounds make offline guessing of the passphrase slower. In older releases the same flag set the number of primality tests run on DH-GEX candidate primes. |
-B | Displays the bubblebabble-style digest of a specified private or public key file. |
-b bits | Specifies the length of the key to be generated. |
-C comment | Adds a custom comment to a newly created key, often used to identify the purpose or owner of the key. |
-c | Changes the comment stored in a private key file (historically only for RSA1 keys; current releases support it for all keys in OpenSSH format). |
-D | Historically took a smart card reader name and fetched the RSA public key from the card; in current OpenSSH the argument is a PKCS#11 shared library and the option prints the public keys it provides. |
-e | Reads an OpenSSH private or public key file and prints the public key in the RFC 4716 SSH Public Key File Format for use with other SSH implementations. Only the public half is exported. |
-F hostname | Searches for a specific hostname in a known_hosts file and lists any matches. |
-f filename | Specifies the filename for the key file, overriding the default location (~/.ssh/id_rsa or similar). |
-H | Hashes all hostnames and IP addresses in a known_hosts file, replacing them with hashed versions while preserving the original file in .old format. |
-i | Reads an SSH private or public key in SSH2-compatible format and converts it into OpenSSH format. |
-l | Displays the fingerprint of a given public or private key (SHA256 by default; -E md5 selects the legacy MD5 form). |
-M memory | Sets the memory limit (in megabytes) for generating candidate primes for DH-GEX. |
-n principals | Lists the principals (user or host names) to embed in a certificate when signing a key with -s. |
-N new_passphrase | Sets or updates a new passphrase for the private key being generated or modified. |
-P passphrase | Specifies the old passphrase when making changes to a private key. |
-p | Changes the passphrase of an existing private key file. |
-q | Enables quiet mode to suppress most output during key generation or processing. |
-R hostname | Removes all keys matching a specific hostname from the known_hosts file. |
-r hostname | Prints an SSHFP fingerprint resource record for a given hostname and public key file. |
-S start | Specifies a starting point (in hexadecimal) for generating candidate moduli in DH-GEX. |
-t type | Defines the type of key to create: ed25519 (recommended), ecdsa, rsa, or the legacy dsa (disabled by default) and rsa1 (removed from current releases). |
-U | Historically uploaded an RSA private key to the specified smart card reader; in current OpenSSH it indicates, together with -s, that the CA key is held in ssh-agent. |
-v | Enables verbose mode, printing detailed information about the key generation process. |
-W generator | Specifies a generator to use when testing candidate moduli for DH-GEX. |
-y | Extracts and prints the public key from an OpenSSH private key file. |
Examples of ssh-keygen Command in Linux
Let's explore a few practical examples of the ssh-keygen command on Linux environment −
- Generate a Key with Custom Length and Comment
- Change the Passphrase for a Private Key
- Export a Key in RFC 4716 Format
- Hash the Known Hosts File
- Display the Fingerprint of a Key
Generate a Key with Custom Length and Comment
If you need an RSA key of a specific length with a meaningful comment, use this example. (For new deployments ed25519 is the usual choice; with -t ed25519 the key size is fixed and -b is ignored.)
ssh-keygen -t rsa -b 4096 -C "Developer Key" -f ~/.ssh/dev_key
This command generates a 4096-bit RSA key, records the comment "Developer Key" in the public key, and writes the private key to dev_key and the public key to dev_key.pub. You are prompted for a passphrase; leave it empty only for unattended automation where file permissions are the sole protection for the private key.

Change the Passphrase for a Private Key
You may want to change the passphrase of an existing key, for example after it has been shared with a colleague or entered on an untrusted machine.
ssh-keygen -p -P "old_passphrase" -N "new_secure_pass" -f ~/.ssh/id_rsa
This command replaces the passphrase old_passphrase with new_secure_pass on the id_rsa private key; only the private key file changes, the public key stays the same. Because both passphrases are given on the command line, they end up in shell history and are visible to other users via the process list; for interactive use omit -P and -N and let ssh-keygen prompt for them.

Export a Key in RFC 4716 Format
For compatibility with other SSH implementations, you might need to export your public key in RFC 4716 format.
ssh-keygen -e -f ~/.ssh/id_rsa > exported_key
This reads the id_rsa key pair, prints the public key in RFC 4716 format, and saves it to the exported_key file. The private key is never written out by -e, so the result is safe to hand to a third party.

Hash the Known Hosts File
To keep the list of hosts you connect to from being readable by anyone who obtains the file, hash all hostnames and addresses in known_hosts.
ssh-keygen -H -f ~/.ssh/known_hosts
Replaces every hostname and address in known_hosts with a salted hash and moves the original file to known_hosts.old. Delete the .old copy once you are happy with the result, otherwise the plaintext list survives. Lookups still work because the hash is a keyed HMAC over the hostname: ssh-keygen -F hostname recomputes it for each line.

Display Fingerprint of a Key
To view the fingerprint of a public key, for example to compare it against a value published out of band, use −
ssh-keygen -l -f ~/.ssh/my_rsa_key.pub
This command prints the key length, the SHA256 fingerprint, the comment, and the key type. Add -E md5 to print the legacy colon-separated MD5 form when a remote party only publishes that.
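The fingerprint and known_hosts examples above both rely on the same two primitives: the fingerprint is the SHA256 of the raw key blob, and a hashed known_hosts host field is an HMAC-SHA1 over the hostname keyed with a random salt. The following Python script is an added example that is not part of the original page or of OpenSSH; it reimplements both using only the standard library so you can see what ssh-keygen -l and ssh-keygen -H/-F are doing. The public key line and the hostnames it uses are constructed for the demonstration (the 32 key bytes are a counting pattern, not a real key).

```python
import base64
import hashlib
import hmac
import os
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: a syntactically valid ssh-ed25519 public key line in the
# id_ed25519.pub / authorized_keys layout. The key material is NOT a real key.
_FAKE_KEY_BYTES = bytes(range(1, 33))
SAMPLE_PUBKEY_LINE = (
    "ssh-ed25519 "
    + base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(_FAKE_KEY_BYTES)).decode()
    + " Developer Key"
)


def parse_pubkey_line(line: str):
    """Split an OpenSSH public key line into (type, blob, comment).

    The blob starts with the key type as an SSH string; it must match the
    textual type on the line, which is the same check sshd performs."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + tlen]
    if embedded_type != key_type.encode():
        raise ValueError(f"type mismatch: {key_type!r} vs {embedded_type!r}")
    return key_type, blob, comment


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint as printed by `ssh-keygen -l`: base64 of the digest
    with the trailing '=' padding stripped, prefixed with 'SHA256:'."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy MD5 fingerprint (`ssh-keygen -l -E md5`): colon-separated hex."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def hash_hostname(hostname: str, salt: bytes = None) -> str:
    """Build the '|1|<salt>|<hash>' host field that `ssh-keygen -H` writes:
    a 20-byte random salt and HMAC-SHA1(key=salt, msg=hostname), both base64."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def hashed_host_matches(hashed_field: str, hostname: str) -> bool:
    """Test a hostname against a hashed host field. Hashing is one-way, so
    `ssh-keygen -F hostname` has to recompute the HMAC for every line."""
    if not hashed_field.startswith("|1|"):
        return False
    pieces = hashed_field.split("|")
    if len(pieces) != 4:
        return False
    salt = base64.b64decode(pieces[2])
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(pieces[3]))


if __name__ == "__main__":
    ktype, blob, comment = parse_pubkey_line(SAMPLE_PUBKEY_LINE)
    print(ktype, fingerprint_sha256(blob), comment)
    print(fingerprint_md5(blob))
    field = hash_hostname("git.example.com")  # constructed hostname
    print(field, hashed_host_matches(field, "git.example.com"))
```

Two points worth noticing: the fingerprint covers the entire blob, including the embedded type string, so the same curve point published under a different type name yields a different fingerprint; and a hashed known_hosts line can only be matched, never reversed, which is why -F exists and why grep no longer finds hosts after -H.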

Conclusion
The ssh-keygen command is the central tool for SSH key-based authentication: it creates key pairs with tunable type and size, changes passphrases and comments, converts keys for interoperability, prints fingerprints for verification, and maintains the known_hosts file.
Knowing its options lets users and administrators automate key management without weakening the security the keys are meant to provide.