Table of Contents
In this article, we will go through 20 Useful Linux/Unix ssh-keygen command examples. ssh-keygen command is one of the most used Open source command in Linux Based Systems to generate Public/Private Key pair which can be used for authentication, passwordless login and in many more use cases. You will see this tool available by default with most of the Linux distros so you don't have the overhead to install it separately. There are many other uses of ssh-keygen command in Linux which we will try to see in this article one by one.
Syntax
ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment] [-f output_keyfile]
ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
ssh-keygen -i [-f input_keyfile]
ssh-keygen -e [-f input_keyfile]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
ssh-keygen -l [-f input_keyfile]
ssh-keygen -B [-f input_keyfile]
ssh-keygen -D reader
ssh-keygen -F hostname [-f known_hosts_file]
ssh-keygen -H [-f known_hosts_file]
ssh-keygen -R hostname [-f known_hosts_file]
ssh-keygen -U reader [-f input_keyfile]
ssh-keygen -r hostname [-f input_keyfile] [-g]
ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
ssh-keygen -T output_file -f input_file [-v] [-a num_trials] [-W generator]
ssh-keygen command examples in Linux/Unix
Also Read: Passwordless ssh login using ssh keygen in 6 Easy Steps
Example 1: How to Search Key of Host from known_hosts file
If you want to search Key of some host from known_hosts file then you need to use -F
option with ssh-keygen command as shown below. In this example, we are trying to find Key of Host 192.168.0.103 from known_hosts file using ssh-keygen -F 192.168.0.103
command.
[root@localhost ~]# ssh-keygen -F 192.168.0.103 # Host 192.168.0.103 found: line 1 192.168.0.103 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNqUWv4MFC3F1saxTSdfKq7hsQrpYnndhtYKS3o9mye18Wlj9eQVioFJfjklV+k2/tyh44edzobcBbxSRIsxvb8=
-F : Search for the specified hostname in a known_hosts file, listing any occurrences found.
NOTE:
root
user to run all the below commands.You can use any user with sudo
access to run all these commands. For more information Please check Step by Step: How to Add User to Sudoers to provide sudo
access to the User.Example 2: How to Generate Public/Private RSA Key Pair
If you want generate Public/Private RSA Key Pair then you need to use simple ssh-keygen
command as shown below.
[root@localhost ~]# ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): /home/admin/.ssh/id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/admin/.ssh/id_rsa. Your public key has been saved in /home/admin/.ssh/id_rsa.pub. The key fingerprint is: SHA256:PUkUGJ/P/otkmduXLVtPEZywMQ8AWsreY+wBjFLoBQs root@localhost.localdomain The key's randomart image is: +---[RSA 2048]----+ | E .o. .=+o.= | | ..o.+ =o . O . | | .o.. * + . = | | .. . +o + . | | .S*+ o . | | o oo o . | | . * = | | o =.++ | | o ==. | +----[SHA256]-----+
Example 3: How to show the Bubblebabble Digest of a Public/Private Key
If you want to show the Bubblebabble Digest of a Public/Private Key Pair then you need to use -B
option with ssh-keygen
command as shown below. In this example, we are trying to show the Bubblebabble digest of private key /home/admin/.ssh/id_rsa
using ssh-keygen -B -f /home/admin/.ssh/id_rsa
command.
[root@localhost ~]# ssh-keygen -B -f /home/admin/.ssh/id_rsa 2048 xoged-kokyh-dafit-gikyl-pebat-rytos-dygup-nakem-fyboz-vumyk-fexax root@localhost.localdomain (RSA)
-B : Show the bubblebabble digest of specified private or public key file.
-f : Specifies the filename of the key file. More info ssh-keygen command Man Page.
Example 4: How to Generate Public/Private RSA1 Key Pair
If you want to use different algorithm than the default RSA Algorithm to generate the Public/Private Key pair then you need to specify the algorithm using -t
option with ssh-keygen command as shown below. In this example, we are trying to generate Public/Private Key Pair based on RSA1 algorithm using ssh-keygen -t rsa1
command.
[root@localhost ~]# ssh-keygen -t rsa1 Generating public/private rsa1 key pair. Enter file in which to save the key (/root/.ssh/identity): /home/admin/.ssh/identity Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/admin/.ssh/identity. Your public key has been saved in /home/admin/.ssh/identity.pub. The key fingerprint is: SHA256:EfBTrtmOMRLaZ43tOoDsZaoDoJpwrZjrYZNIONON8Kk root@localhost.localdomain The key's randomart image is: +---[RSA1 2048]---+ | ... . | | . + | | . . + . | |o+ + o . X | |*.=oo.o S + | |*+o + ++ * | |E@ o + .. o | |* = o .. | |oo.o .. | +----[SHA256]-----+
-t : Specifies the type of key to create.
Example 5: How to Change Your Comment in Key File
Sometimes you might want to change your comment in the Key File from default username@hostname format to something meaningful. You can easily do that by using -c
option with ssh-keygen command as shown below. In this example we are trying to change the comment of RSA1 Key using ssh-keygen -c -f /home/admin/.ssh/identity
command.
[root@localhost ~]# ssh-keygen -c -f /home/admin/.ssh/identity Key now has comment 'root@localhost.localdomain' Enter new comment: This is RSA1 Key The comment in your key file has been changed.
-c : Requests changing the comment in the private and public key files.
Example 6: How to Provide Comment during Key Generation
If you want to provide some comment during key generation instead of using default one then you need to use -C
option with ssh-keygen command as shown below. In this example, we are trying to generate a Public/Private RSA Key Pair with comment "Generating a Key"
.
[root@localhost ~]# ssh-keygen -C "Generating a Key" Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): /home/admin/.ssh/id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/admin/.ssh/id_rsa. Your public key has been saved in /home/admin/.ssh/id_rsa.pub. The key fingerprint is: SHA256:wxYL9NlL+FOHHzIiV1RwjdWQ93PugXmEhI71aohrNVw Generating a Key The key's randomart image is: +---[RSA 2048]----+ | . .=o+*o | | . . + + +o +| | . * O B +..| | o O E B +o| | S * . =.o| | o * + o o.| | o o ...| | o .| | . | +----[SHA256]-----+
-C : Provides a new comment.
Example 7: How to Show Public Key for a Given Private Key
If you want to show public key of a given private key then you need to use -y
option as shown below. In this example, we have given input private key file location to check its public key by using below ssh-keygen command. Please note that in absence of input key file, it will try to use the key file from User home location.
[root@localhost ~]# ssh-keygen -y -f /home/admin/.ssh/id_rsa ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/4XiVwY+/F8F1h6Lf9lV6NUhIPQ1SQqtGJJSarmtHSmnyNiVvhsiBDezh6s9fIw1P6jRQ87oQw06Tkcg6UfAGDV84mEYDoDQxZ0i3r3NWKdGqYPFSF9bTnUaOtve5G/EYxVr/z2S8tDbUr2jFpyKYHWCGLo7dqELQYyiNEIuIRMc1xujFOOHsf6byo7SNlfpV6iyrRzpgsmXQ7lilZjefQJdsBJN/FlZ1o8rkf+XUzHXNz0PK/uKVUl016Pruw6QpWbPRss1Jr865GFCGJfxXv+PeTPa4KAJ/QqIqwosDwlxKtNUpRKBZEjKnjrEt/F1w3u7RmJVWLuW3sV91oyGr
-y : This option will read a private OpenSSH format file and print an OpenSSH public key to stdout.
Example 8: How to Generate Public/Private Key Pair Using MD5 Hashing
If you want to use different hashing instead of default SHA256 during Public/Private Key Pair generation then you need to specify the hashing type using -E
option with ssh-keygen command as shown below. In this example, we are trying to use MD5 hashing during Public/Private Key Pair generation using ssh-keygen -E md5
command.
[root@localhost ~]# ssh-keygen -E md5 Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): /home/admin/.ssh/id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/admin/.ssh/id_rsa. Your public key has been saved in /home/admin/.ssh/id_rsa.pub. The key fingerprint is: MD5:b4:f6:d4:94:69:02:b4:5a:2d:5c:98:8f:aa:23:21:6e root@localhost.localdomain The key's randomart image is: +---[RSA 2048]----+ | .oo. | | .o= o | | *oo = | | +.o.= | | ..S . . | |. . .. o | |.. . . . | | E. o | |. . . | +------[MD5]------+
-E : Specifies the hash algorithm used when displaying key fingerprints.
Example 9: How to Generate 4096 bits RSA Public/Private Key Pair
If you want to generate RSA Public/Private key pair of different length than the default 2048 bits then you need to specify the length of the key using -b
option with ssh-keygen command as shown below. In this example, we are trying to generate RSA Public/Private Key Pair of length 4096 bits using ssh-keygen -b 4096
command.
[root@localhost ~]# ssh-keygen -b 4096 Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): /home/admin/.ssh/id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/admin/.ssh/id_rsa. Your public key has been saved in /home/admin/.ssh/id_rsa.pub. The key fingerprint is: SHA256:IuXTyhuWuS/xiStfJT8cXB8FLV9El7uLCr68E9nuI+4 root@localhost.localdomain The key's randomart image is: +---[RSA 4096]----+ | .=*| | .o+| | . . .oo| | o. . . . o.| | . + S * . .| | o . * B o . | | B + . o *. .| | ..o==o.+ .. | | o =++ E*oo | +----[SHA256]-----+
-b : Specifies the number of bits in the key to create.
Example 10: How to Change your Private Key Passphrase
If you want to change your private key passphrase then you need to use -p
option with ssh-keygen command as shown below. In this example we are trying to change the passphrase of /home/admin/.ssh/id_rsa
private key using ssh-keygen -p -f /home/admin/.ssh/id_rsa
command.
[root@localhost ~]# ssh-keygen -p -f /home/admin/.ssh/id_rsa Enter new passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved with the new passphrase.
-p : Requests changing the passphrase of a private key file instead of creating a new private key.
Example 11: How to Generate Candidate Primes for DH-GEX
If you want to generate Candidate Primes for DH-GEX using 2048 bits key length then you need to use ssh-keygen -G moduli-2048.candidates -b 2048
command as shown below.
[root@localhost ~]# ssh-keygen -G moduli-2048.candidates -b 2048 Sun May 24 00:21:55 2020 Sieve next 67043328 plus 2047-bit Sun May 24 00:27:40 2020 Sieved with 203277289 small primes in 345 seconds Sun May 24 00:27:44 2020 Found 56812 candidates
-G : Generate candidate primes for DH-GEX.
Example 12: How to Specify the amount of memory to be used for Generating Candidate Primes for DH-GEX
Somtimes you might want to increase the amount of memory to be used for Generating Candidate Primes for DH-GEX. This can be done by passing amount of memory (in MB) using -M
option with ssh-keygen command as shown below. In this example, we are trying to use 10 MB memory to generate Candidate Primes for DH-GEX using ssh-keygen -G moduli-2048.candidate -M 10 -b 2048
command.
[root@localhost ~]# ssh-keygen -G moduli-2048.candidates -M 10 -b 2048 Increased memory: 10 MB; need 4190208 bytes Sun May 24 00:38:49 2020 Sieve next 167772160 plus 2047-bit Sun May 24 00:44:43 2020 Sieved with 203277289 small primes in 354 seconds Sun May 24 00:44:54 2020 Found 140611 candidates
-M : Specify the amount of memory to use (in megabytes) when generating candidate moduli for DH-GEX.
Example 13: How to remove all the Keys belonging to a Specific Host from Known_hosts file
If you want to remove all the keys for a host from known_hosts file then you need to use -R
option with ssh-keygen command as shown below. In this example, we are trying to remove all the keys of host 192.168.0.103
from known_hosts file using ssh-keygen -f /home/admin/.ssh/known_hosts -R 192.168.0.103
command.
[root@localhost ~]# ssh-keygen -f /home/admin/.ssh/known_hosts -R 192.168.0.103 # Host 192.168.0.103 found: line 1 /home/admin/.ssh/known_hosts updated. Original contents retained as /home/admin/.ssh/known_hosts.old
-R hostname : Removes all keys belonging to hostname from a known_hosts file.
Example 14: How to Hash known_hosts file
If you want to hash known_hosts file then you need to use -H
option with ssh-keygen
command as shown below. In this example, we are hashing known_hosts file using ssh-keygen -H
command.
[root@localhost ~]# ssh-keygen -H /root/.ssh/known_hosts updated. Original contents retained as /root/.ssh/known_hosts.old WARNING: /root/.ssh/known_hosts.old contains unhashed entries Delete this file to ensure privacy of hostnames
-H : Hash a known_hosts file.
Example 15: How to Convert SSH2 Key to OpenSSH Format
If you want to convert ssh2 key to openssh key then you need to use -i
option with ssh-keygen command as shown below. In this example, we are trying to convert ssh2 key to openssh key using ssh-keygen -i -f /home/admin/.ssh/id_rsa.pub > key.pub
command. This command will save the converted openssh key to key.pub file.
[root@localhost ~]# ssh-keygen -i -f /home/admin/.ssh/id_rsa.pub > key.pub
-i : This option will read an unencrypted private (or public) key file in the format specified by the -m option and print an OpenSSH compatible private (or public) key to stdout.
Example 16: How to Convert OpenSSH Key to SSH2 Key
If you want to convert openssh key to ssh2 key then you need to use -e
option with ssh-keygen command as shown below. In this example, we are trying to convert openssh key to ssh2 key using ssh-keygen -e -f key.pub >> ~/.ssh/authroized_keys
command. This command will save the converted ssh2 key in authorized_keys file.
[root@localhost ~]# ssh-keygen -e -f key.pub >> ~/.ssh/authorized_keys
-e : This option will read a private or public OpenSSH key file and print to stdout the key in one of the formats specified by the -m option.
Example 17: How to Change Passphrase based on Old Passphrase
If you want to change passphrase based on Old passphrase then you need to provide old and new passphrase using -P
and -N
option with ssh-keygen command as shown below.
[root@localhost ~]# ssh-keygen -p -f /home/admin/.ssh/id_rsa -P Test@123 -N Test@123$ Your identification has been saved with the new passphrase.
-P : Provides the (old) passphrase.
-N : Provides the new passphrase.
Example 18: How to Test DH group exchange candidate primes for safety
If you want to test DH group exchange candidate primes for safety then you need to use -T
option with ssh-keygen command as shown below.
[root@localhost ~]# ssh-keygen -T moduli-2048 -f moduli-2048.candidates
-T : Test DH group exchange candidate primes for safety.
Example 19 : How to Debug DH group exchange candidate primes for safety in Verbose Mode
If you want to debug group exchange candidate primes for safety in verbose mode then you need to use -v
option with ssh-keygen command as shown below. In this example we are trying to debug DH group exchange candidate primes for safety using ssh-keygen -v -T moduli-2048 -f moduli-2048.candidates
command.
[root@localhost ~]# ssh-keygen -v -T moduli-2048 -f moduli-2048.candidates debug1: input file has 55792 lines debug1: process from line 0 to line 55792 debug1: 1: q failed first possible prime test debug1: 2: q failed first possible prime test debug1: 3: q failed first possible prime test debug1: 4: q failed first possible prime test debug1: 5: q failed first possible prime test debug1: 7: q failed first possible prime test debug1: 8: q failed first possible prime test debug1: 9: q failed first possible prime test debug1: 10: q failed first possible prime test debug1: 11: q failed first possible prime test debug1: 12: q failed first possible prime test debug1: 13: q failed first possible prime test debug1: 14: q failed first possible prime test debug1: 15: q failed first possible prime test
-v : Verbose mode.
Example 20 : How to Sign a Host's Public Key to Create a Host Certificate
If you want to sign a host's public key to create a host certificate then you need to pass source key and certificate identity using -s
and -I
option with ssh-keygen command as shown below. In this example, we are trying to sign host's public key /home/admin/.ssh/id_rsa-cert.pub
using ca key and certificate identity as mentioned in below output.
[root@localhost ~]# ssh-keygen -s /home/admin/.ssh/id_rsa -I cert_id -h /home/admin/.ssh/id_rsa.pub Enter passphrase: Signed host key /home/admin/.ssh/id_rsa-cert.pub: id "cert_id" serial 0 valid forever
-s ca_key : Certify (sign) a public key using the specified CA key.
-I certificate_Identity : Specify the key identity when signing a public key.
Recommended Posts:-
10 Useful iproute2 tools examples to Manage Network Connections in Linux
Popular firewalld examples to open a port on RedHat/CentOS 7
8 Most Popular mkdir command in Linux with Examples
26 Useful Firewall CMD Examples on RedHat/CentOS 7
12 Most Popular rm command in Linux with Examples
9 useful w command in Linux with Examples
Popular Apache Kafka Architecture Explained Using 4 Basic Components
5 Easy Steps to recover LVM2 Partition , PV , VG , LVM metadata in Linux