How to use the command ssh-keygen (with examples)

How to use the command ssh-keygen (with examples)

ssh-keygen is a command-line utility used for generating, configuring, and managing SSH keys. These keys are primarily used for secure shell protocol (SSH) connections, providing a means of encrypting communications while allowing for password-less logins between systems. By using SSH keys, you can enhance security, reduce the risk of brute-force attacks, and improve the user experience by eliminating the need to enter passwords repeatedly.

Use case 1: Generate a key interactively

Code:

ssh-keygen

Motivation:

Running ssh-keygen without any options is the simplest and most interactive way of creating a pair of SSH keys. This approach is suitable when you want to quickly generate a key with default settings and provides prompts to guide you through the process. It’s great for beginners or when you do not require specific customizations.

Explanation:

  • ssh-keygen: This is the command invoked to start the key generation process. Without additional arguments, it defaults to generating an RSA key pair and uses typical settings for security.

Example output:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ThisIsAnExampleOfAFingerprint username@hostname
The key's randomart image is:
+---[RSA 3072]----+
|      ..         |
|     o  o  .     |
| .. . * ..E*+.   |
|. o o.o.o+*.o.   |
|.  .  ..Soo .    |
|    o o.         |
|     . . ...     |
|      ...o o.    |
|     . ..     +  |
+----[SHA256]-----+

Use case 2: Generate an ed25519 key with 32 key derivation function rounds and save the key to a specific file

Code:

ssh-keygen -t ed25519 -a 32 -f ~/.ssh/filename

Motivation:

Using the ed25519 algorithm is often preferred for its speed and strong security properties. Specifying key derivation function (KDF) rounds strengthens the protection of the private key if it is encrypted. You might choose this use case if you need a highly secure key stored in a specific location.

Explanation:

  • -t ed25519: Specifies the type of key to create. ed25519 is a modern elliptic curve algorithm that offers high security at smaller key sizes.
  • -a 32: Sets the number of KDF rounds. This makes it computationally harder to crack the passphrase.
  • -f ~/.ssh/filename: Designates the filename where the private key will be saved.

Example output:

Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/filename.
Your public key has been saved in /home/username/.ssh/filename.pub.
The key fingerprint is:
SHA256:SampleFingerprint username@hostname
The key's randomart image is:
+--[ED25519 256]--+
|  .   ooo+.      |
| o o ..=..       |
|o *  * + .       |
| + *  * o        |
|  . =  oS.       |
|      o  .       |
|      E.. o      |
|     ..o+        |
|     .o.         |
+----[SHA256]-----+

Use case 3: Generate an RSA 4096-bit key with email as a comment

Code:

ssh-keygen -t rsa -b 4096 -C "comment|email"

Motivation:

Generating an RSA key with an increased bit size of 4096 provides enhanced security due to the increased complexity of the key. This can be especially important for environments requiring stringent security standards. Adding a comment, such as an email address, can help in identifying and organizing multiple keys.

Explanation:

  • -t rsa: Specifies the RSA algorithm for key generation.
  • -b 4096: Sets the key to be 4096 bits long, significantly improving security over the default 2048-bit size.
  • -C "comment|email": Adds a comment to the key file, often your email or a descriptive string, aiding in key management.

Example output:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:AnotherFingerprint comment|email
The key's randomart image is:
+---[RSA 4096]----+
|                 |
|      .o+ ooo    |
|      .. =-Eo    |
|       o +o.o    |
|      o.S o .    |
|       ...       |
|        .=       |
|       . *=      |
|       o..@       |
+----[SHA256]-----+

Use case 4: Remove the keys of a host from the known_hosts file

Code:

ssh-keygen -R remote_host

Motivation:

Occasionally, the SSH keys for a known host might change—perhaps due to a server rebuild or reconfiguration. Continued attempts to connect to the host will result in a warning and potentially the connection being blocked. You use this command to remove the old key entry and allow trust to be re-established with the host.

Explanation:

  • -R remote_host: Specifies the removal of all keys associated with the specified host from the known_hosts file.

Example output:

# Host remote_host found: line 12
/Users/username/.ssh/known_hosts updated.
Original contents retained as /Users/username/.ssh/known_hosts.old

Use case 5: Retrieve the fingerprint of a key in MD5 Hex

Code:

ssh-keygen -l -E md5 -f ~/.ssh/filename

Motivation:

Viewing the fingerprint of an SSH key helps verify its integrity and authenticity, often essential for confirming the correct key when troubleshooting or setting up new secure connections. Selecting the MD5 format is useful when interoperating with systems or processes that use this hashing algorithm.

Explanation:

  • -l: Lists the fingerprint of the specified private key or public key.
  • -E md5: Specifies MD5 as the hashing algorithm to use for generating the key’s fingerprint.
  • -f ~/.ssh/filename: Points to the file that contains the private or public key for which the fingerprint is to be retrieved.

Example output:

2048 MD5:aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:ll:mm:nn:oo:ss filename (RSA)

Use case 6: Change the password of a key

Code:

ssh-keygen -p -f ~/.ssh/filename

Motivation:

You might need to update the passphrase on an SSH key to enhance security or comply with updated security policies. Changing the passphrase ensures that the key retains its security even if the old passphrase has been compromised.

Explanation:

  • -p: Prompts for a new passphrase to be associated with the key.
  • -f ~/.ssh/filename: Indicates the file location of the key whose passphrase you wish to change.

Example output:

Enter old passphrase:
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.

Use case 7: Change the type of the key format

Code:

ssh-keygen -p -N "" -m PEM -f ~/.ssh/OpenSSH_private_key

Motivation:

In some cases, specific systems or applications require keys in a particular format, such as PEM. Converting keys to the necessary format ensures compatibility. This command helps you convert and save the private key in the desired format.

Explanation:

  • -p: Starts the process of changing a key’s properties.
  • -N "": Assigns no passphrase to the key (an empty string).
  • -m PEM: Converts the key to PEM format.
  • -f ~/.ssh/OpenSSH_private_key: Indicates the private key file that should be converted.

Example output:

Key has been saved with no passphrase.

Use case 8: Retrieve public key from secret key

Code:

ssh-keygen -y -f ~/.ssh/OpenSSH_private_key

Motivation:

Sometimes, only the private key is available, and the corresponding public key is missing or needed for distribution. This command retrieves the public key directly from the private key, facilitating tasks such as setting up new trusted systems or servers.

Explanation:

  • -y: Outputs the public key.
  • -f ~/.ssh/OpenSSH_private_key: Points to the private key file used to derive the public key.

Example output:

ssh-rsa AAAAB3... rest of public key ... user@hostname

Conclusion:

ssh-keygen is a powerful and versatile tool crucial for managing SSH keys and enhancing system security through encrypted communications. The above use cases provide valuable insight into various scenarios where ssh-keygen can be leveraged to perform key generation, management, and conversion tasks, all of which are essential for secure and efficient server operations. By understanding and applying these use cases, users can significantly improve their system’s security posture and operational efficiency.

Related Posts

How to Use the Command 'arp-scan' (with examples)

How to Use the Command 'arp-scan' (with examples)

‘Arp-scan’ is a command-line tool used to identify active devices on a network.

Read More
How to use the command 'ideviceimagemounter' (with examples)

How to use the command 'ideviceimagemounter' (with examples)

The ideviceimagemounter command is a tool utilized for interfacing with iOS devices to mount disk images directly onto them.

Read More
Cracking BLE Encryption with the 'crackle' Command (with examples)

Cracking BLE Encryption with the 'crackle' Command (with examples)

The ‘crackle’ command is a tool designed to analyze Bluetooth Low Energy (BLE) communications, specifically focusing on cracking and decrypting BLE encryption.

Read More