Using ssh-keygen (with examples)

The ssh-keygen command is a versatile tool that allows users to generate and manage SSH keys used for authentication, password-less logins, and other purposes. In this article, we will explore eight different use cases of the ssh-keygen command, providing code examples and explanations for each use case.

Use Case 1: Generate a key interactively

ssh-keygen

Motivation: Generating keys interactively allows users to specify the desired key type and the location to save the key. This use case is useful when generating keys for the first time or when a user wants to generate a key with default settings.

Explanation: When the command is executed without any arguments, it prompts the user to enter the file name for saving the key and allows them to choose the key type (RSA or DSA).

Example Output:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):

Use Case 2: Generate an ed25519 key with custom settings

ssh-keygen -t ed25519 -a 32 -f ~/.ssh/filename

Motivation: Ed25519 keys are considered secure and efficient, making them a popular choice for SSH authentication. Specifying custom settings allows users to fine-tune the key generation process to meet their specific requirements.

Explanation: The -t option specifies the key type, -a sets the number of key derivation function (KDF) rounds used when the private key is encrypted with a passphrase (more rounds make offline guessing of the passphrase slower), and -f specifies the file name for saving the key.

Example Output:

Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ~/.ssh/filename.
Your public key has been saved in ~/.ssh/filename.pub.
The key fingerprint is:
SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX user@hostname

Use Case 3: Generate an RSA 4096-bit key with email as a comment

ssh-keygen -t rsa -b 4096 -C "user@example.com"

Motivation: Sometimes, it is useful to add comments to SSH keys for identification purposes. In this use case, we generate an RSA key with a 4096-bit key length and use an email address as the comment.

Explanation: The -C option specifies a comment to embed in the public key. The comment is typically used to indicate the owner of the key or provide additional information.

Example Output:

Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ~/.ssh/id_rsa.
Your public key has been saved in ~/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX user@example.com

Use Case 4: Remove a host’s key from the known_hosts file

ssh-keygen -R remote_host

Motivation: The known_hosts file contains the public keys of hosts that a user has previously connected to. If a host presents a different key, connecting to it will result in a warning. In such cases, it is necessary to remove the old key from the known_hosts file to avoid warnings. Because an unexpected key change can also mean a man-in-the-middle, confirm the new fingerprint with the host's administrator out of band before removing the old entry.

Explanation: The -R option removes all keys related to a given hostname or IP address from the known_hosts file, including entries stored in hashed form (HashKnownHosts). For a host on a non-standard port, use the bracketed form, e.g. ssh-keygen -R "[remote_host]:2222".

Example Output:

# Host remote_host found: line 42
/home/user/.ssh/known_hosts updated.
Original contents retained as /home/user/.ssh/known_hosts.old
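As an added example (not part of the original article), the matching rule behind ssh-keygen -R in Python: plain host lists and hashed "|1|salt|hmac" entries written by HashKnownHosts both match, which is why a simple grep for the host name does not find every line. The known_hosts sample and key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac

# Added example, not from the article: the matching rule behind `ssh-keygen -R`,
# including HashKnownHosts entries (|1|salt|hmac) that a plain grep cannot find.

def hash_host(host: str, salt: bytes) -> str:
    """Build the hashed host field OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (comma list or hashed) names `host`."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        expect = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expect, base64.b64decode(mac_b64))
    return host in field.split(",")

def remove_host(known_hosts: str, host: str):
    """Mimic `ssh-keygen -R host`: return (matched line numbers, remaining file text)."""
    matched, kept = [], []
    for num, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        host_field = fields[0] if fields else ""
        if host_field and not line.startswith("#") and host_matches(host_field, host):
            matched.append(num)          # ssh-keygen reports "# Host X found: line N"
        else:
            kept.append(line)
    return matched, "".join(l + "\n" for l in kept)

# Constructed sample file (key blobs are placeholders, not real keys).
SALT = bytes(range(20))
SAMPLE = "\n".join([
    "remote_host,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1",
    "[other_host]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2",
    hash_host("remote_host", SALT) + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER3",
]) + "\n"

if __name__ == "__main__":
    lines, rest = remove_host(SAMPLE, "remote_host")
    for n in lines:
        print(f"# Host remote_host found: line {n}")
    print(rest, end="")
```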

Use Case 5: Retrieve the fingerprint of a key in MD5 Hex

ssh-keygen -l -E md5 -f ~/.ssh/filename

Motivation: Key fingerprints can be used to verify the authenticity of SSH keys. Retrieving the fingerprint in MD5 Hex format can be useful for legacy systems or tools that only display this older format; for everything else, compare the default SHA256 fingerprint.

Explanation: The -l option is used to show the fingerprint of the specified key file. The -E option specifies the hash algorithm to use for the fingerprint (sha256 is the default, md5 gives the legacy colon-separated hex form).

Example Output:

2048 MD5:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX ~/.ssh/filename (RSA)
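To make concrete what -l and -E compute, here is an added Python example (not part of the original article) that parses an OpenSSH public-key line, reads the key size and type from the wire-format blob, and produces the same "<bits> <fingerprint> <comment> (<TYPE>)" line ssh-keygen -l prints, in both SHA256 and MD5 form. The ed25519 and RSA sample keys are constructed inline and are not real keys.

```python
import base64
import hashlib
import struct

# Added example, not from the article: what `ssh-keygen -l [-E md5] -f key.pub` computes.
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data          # uint32 length prefix
def _ssh_mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:                            # leading zero keeps it positive
        raw = b"\x00" + raw
    return _ssh_string(raw)
def _read_string(blob: bytes, off: int):
    (ln,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + ln], off + 4 + ln

def key_size_and_type(blob: bytes):
    """Decode the wire-format blob to the bit size and type label ssh-keygen -l shows."""
    ktype, off = _read_string(blob, 0)
    if ktype == b"ssh-rsa":
        _e, off = _read_string(blob, off)                # exponent, then modulus
        n, _ = _read_string(blob, off)
        return int.from_bytes(n, "big").bit_length(), "RSA"
    if ktype == b"ssh-ed25519":
        return 256, "ED25519"
    raise ValueError(f"unsupported key type {ktype!r}")

def fingerprint(blob: bytes, hash_alg: str = "sha256") -> str:
    """Fingerprint of the raw key blob: SHA256 as unpadded base64, MD5 as colon-hex."""
    if hash_alg == "sha256":
        return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    if hash_alg == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    raise ValueError("hash_alg must be 'sha256' or 'md5'")

def fingerprint_line(pubkey_line: str, hash_alg: str = "sha256") -> str:
    """Return the `<bits> <fingerprint> <comment> (<TYPE>)` line that ssh-keygen -l prints."""
    fields = pubkey_line.split(None, 2)
    blob = base64.b64decode(fields[1])
    comment = fields[2].strip() if len(fields) > 2 else "no comment"
    bits, ktype = key_size_and_type(blob)
    return f"{bits} {fingerprint(blob, hash_alg)} {comment} ({ktype})"

# Constructed samples, NOT real keys: a 32-byte placeholder ed25519 point and an
# RSA "modulus" chosen only for its 4096-bit length.
ED25519_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode() + " user@hostname"
RSA_LINE = "ssh-rsa " + base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 4095) | 1)).decode() + " user@example.com"

if __name__ == "__main__":
    for line in (ED25519_LINE, RSA_LINE):
        print(fingerprint_line(line), "|", fingerprint_line(line, "md5"))
```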

Use Case 6: Change the passphrase of a key

ssh-keygen -p -f ~/.ssh/filename

Motivation: Changing the passphrase of a key is necessary when the existing passphrase has been compromised or needs to be updated. Note that this only re-encrypts your copy of the private key: if the key file itself may have been copied along with the old passphrase, generate a new key pair and retire the old public key instead.

Explanation: The -p option is used to change the passphrase of a key. The -f option specifies the key file to update.

Example Output:

Enter passphrase for ~/.ssh/filename:
Enter same passphrase again:
Your identification has been saved with the new passphrase.

Use Case 7: Change the type of the key format

ssh-keygen -p -N "" -m PEM -f ~/.ssh/OpenSSH_private_key

Motivation: Changing the key file format may be required when working with specific systems or applications that do not support the default OpenSSH private key format.

Explanation: The -m option specifies the target key format; in this example, -p rewrites the existing key file in PEM format. The -N option sets the new passphrase, and -N "" as written here sets an empty one, so the converted key is stored unencrypted on disk; supply a non-empty value to keep it protected.

Example Output:

Enter passphrase for ~/.ssh/OpenSSH_private_key:
Your identification has been saved with the new passphrase.

Use Case 8: Retrieve public key from secret key

ssh-keygen -y -f ~/.ssh/OpenSSH_private_key

Motivation: Occasionally, it may be necessary to extract the public key from a private (secret) key, for example to recreate a lost .pub file, for distribution, or other purposes.

Explanation: The -y option reads the private key file given with -f and prints the corresponding public key to standard output, in the single-line format used by authorized_keys.

Example Output:

ssh-rsa XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX user@hostname

In conclusion, the ssh-keygen command is a powerful tool that enables users to generate, manage, and manipulate SSH keys for various purposes. By understanding its different use cases and options, users can harness the full potential of SSH key authentication and enhance the security and convenience of remote access.
