ssh-keygen generates, manages and converts the authentication keys (private and public key pairs) used by SSH. This article shows RSA and DSA keys; current OpenSSH releases also generate ecdsa and ed25519 keys (ed25519 is the usual choice for new keys today), while DSA has been disabled by default since OpenSSH 7.0 and is no longer available in current releases. ssh-keygen can also generate and screen candidate Diffie-Hellman group parameters for sshd's moduli file (the -G and -T options).
1. Create RSA Keys
This is the default behaviour of ssh-keygen when run without any parameters: it creates an RSA key pair and stores it under the ~/.ssh directory, naming the private key id_rsa and the public key id_rsa.pub. The private key is the secret and never leaves this machine; only the .pub file is copied to other hosts. The fingerprints in this article are the old colon-separated MD5 form; current releases print SHA256 fingerprints by default (ssh-keygen -l -E md5 still shows the old form).
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
73:69:b0:06:77:cd:52:92:5c:d3:5d:dd:be:68:ec:e4 root@devdb
2. Create DSA keys
To create a DSA key, pass -t dsa as an argument.
It still stores the keys under the ~/.ssh directory, but the file names are now id_dsa for the private key and id_dsa.pub for the public key. Be aware that DSA keys are limited to 1024 bits and that current OpenSSH clients and servers reject them by default, so do not generate new DSA keys; the example is kept only to show the option.
# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
f1:8b:b5:91:c4:81:53:ce:dd:87:7e:26:14:76:0f:b1 root@devdb
3. Specify Key Filename and Location
If you don't want to store the key files in the default location, use the -f option. Apart from storing them in a different directory, you can also give the key files your own names.
The following example stores the key files under the /root directory: the private key is my-key and the public key is my-key.pub. Note that ssh only tries the default file names automatically; a key with a custom name has to be referenced with ssh -i, an IdentityFile entry in ~/.ssh/config, or ssh-add.
# ssh-keygen -f /root/my-key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/my-key.
Your public key has been saved in /root/my-key.pub.
The key fingerprint is:
bf:ca:8e:a1:19:ed:87:91:b7:5b:2b:90:73:3e:40:06 root@devdb
4. Specify a Custom Comment for the Keys
By default, the keys generated will have "username@hostname" as the comment; in all the above examples you can see "root@devdb" as the comment. The comment is stored in the public key file only and is not protected by anything, so it has no security meaning, but a descriptive comment makes it much easier to audit an authorized_keys file later and to know which entry to remove when a key is retired.
The following example generates RSA keys with the comment specified. Because the default file name is reused, ssh-keygen asks before overwriting the existing id_rsa. Answering y discards the old private key, and any server that still lists the old public key in authorized_keys will stop accepting logins from this client.
# ssh-keygen -C "Keys generated for node1 web server"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
13:fe:7c:c3:9c:67:f0:16:15:7b:f5:a7:8f:64:e4:fd Keys generated for node1 web server
5. Convert SSH Keys to a Different Format
By default, the keys generated by ssh-keygen are in OpenSSH's own format. If you need to hand the public key to a commercial SSH2 implementation, or to any product that expects the RFC 4716 format, use the -e option as shown below. Only the public key is exported; the private key stays in the file it was written to. The reverse direction, -i, imports an RFC 4716 public key into the one-line OpenSSH format.
# ssh-keygen -e
Enter file in which the key is (/root/.ssh/id_rsa):
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted from OpenSSH by root@devdb"
AAAAB3NzaC1yc2EAAAABIwAAAQEA5kSivOqhs0U9ZMN20nxFe27QZ3t0lT2zbH7OSXylKd
1rjAjYXGnSXC9j2uaZlemHlptBKVziMJC86ha7Hcj6dVOVrDQ6vF4q34bOCjtKLphQ0IjB
zVIvqILH9eLJdRaOrS34CmgmPaisrCk5wKVlakygvUfcj3HzaTKS6THyZDGx5shdTpa9lb
y8tpOD3JceV7ay4w8r0DipoKPC0OLpvS4EABEeMo9sx8zQEaKv03XygjNCCYtFvxlQQIRG
lVoL7mPaHSaL3anI05RpNbm/PS+9BhZg+BqNjU4ofHBbfkXk5MiN6M7ieR4Sk5BquccboG
F13U5slNgmCEekdt0amw==
---- END SSH2 PUBLIC KEY ----
You can also name the key file with -f and redirect the output to a separate file:
# ssh-keygen -e -f /root/.ssh/id_rsa > /root/.ssh/id_rsa.ssh2
# cat /root/.ssh/id_rsa.ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted from OpenSSH by root@devdb"
AAAAB3NzaC1yc2EAAAABIwAAAQEA5kSivOqhs0U9ZMN20nxFe27QZ3t0lT2zbH7OSXylKd
1rjAjYXGnSXC9j2uaZlemHlptBKVziMJC86ha7Hcj6dVOVrDQ6vF4q34bOCjtKLphQ0IjB
zVIvqILH9eLJdRaOrS34CmgmPaisrCk5wKVlakygvUfcj3HzaTKS6THyZDGx5shdTpa9lb
y8tpOD3JceV7ay4w8r0DipoKPC0OLpvS4EABEeMo9sx8zQEaKv03XygjNCCYtFvxlQQIRG
lVoL7mPaHSaL3anI05RpNbm/PS+9BhZg+BqNjU4ofHBbfkXk5MiN6M7ieR4Sk5BquccboG
F13U5slNgmCEekdt0amw==
---- END SSH2 PUBLIC KEY ----
6. Search Known Hosts File
You can also use ssh-keygen to search for a host in the ~/.ssh/known_hosts file. This is helpful when the file has a lot of entries, and it is the only practical way to look a host up once the file has been hashed with ssh-keygen -H (hashing hides which hosts a user connects to from anyone who obtains a copy of the file; -F still matches hashed entries). The related -R option removes a host's entry, for example after a legitimate host key change.
The following output indicates that it found the entry for "dev-db" in the known_hosts file at line 10.
# ssh-keygen -F dev-db
# Host dev-db found: line 10 type RSA
dev-db ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA7QEcjRkbBWpwE7zIShobue9aEGyVObVHDLhK==
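The search above, as an added example that is not part of the original article: the script builds a throwaway known_hosts file from a freshly generated demo host key (the host names build-box and dev-db, the address 10.0.0.5 and all paths are invented for the demo), looks hosts up with -F and parses the line number out of the marker line, then goes one step beyond the article by hashing the file with -H and showing that -F still finds the host afterwards.

```shell
#!/bin/sh
# Added example, not code from the original article. Everything below runs
# in a temporary directory that is removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_known_hosts FILE : write two entries (line 1 and line 2) that share a
# freshly generated demo host key, so a search has one entry to miss and one
# to hit. The key is constructed for the demo and has no other meaning.
make_known_hosts() {
    rm -f "$1.hostkey" "$1.hostkey.pub"
    ssh-keygen -q -t ed25519 -N "" -C "" -f "$1.hostkey"
    hostpub=$(cut -d' ' -f1,2 "$1.hostkey.pub")
    {
        echo "build-box $hostpub"
        echo "dev-db,10.0.0.5 $hostpub"
    } > "$1"
}

# known_host_lines HOST FILE : print the line number of every matching entry,
# one per line; prints nothing when HOST is absent. It parses the
# "# Host HOST found: line N ..." marker that -F prints before each entry.
known_host_lines() {
    ssh-keygen -F "$1" -f "$2" |
        sed -n 's/^# Host .* found: line \([0-9][0-9]*\).*/\1/p'
}

# hash_known_hosts FILE : rewrite the host names as |1|salt|hmac entries in
# place. ssh-keygen keeps the plaintext copy as FILE.old; remove it, otherwise
# the hashing gained nothing.
hash_known_hosts() {
    ssh-keygen -H -f "$1" >/dev/null
    rm -f "$1.old"
}

# is_hashed FILE : 0 when every entry is in the hashed form, 1 otherwise
is_hashed() {
    ! grep -v '^#' "$1" | grep -qv '^|1|'
}

# Demo run (skipped when ssh-keygen is not installed)
if command -v ssh-keygen >/dev/null 2>&1; then
    KNOWN="$WORK/known_hosts"
    make_known_hosts "$KNOWN"
    echo "dev-db found on line(s): $(known_host_lines dev-db "$KNOWN")"
    echo "nothere found on line(s): '$(known_host_lines nothere "$KNOWN")'"
    hash_known_hosts "$KNOWN"
    is_hashed "$KNOWN" && echo "entries are now hashed"
    echo "after hashing, -F still finds dev-db on line(s): $(known_host_lines dev-db "$KNOWN")"
fi
```

After -H, a comma-separated entry such as "dev-db,10.0.0.5" is split into one hashed line per name, so line numbers change; look hosts up with -F rather than by remembered line number.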
7. Display the Public Key for a given Private Key
The following example displays the public key for the default /root/.ssh/id_rsa private key. This is how you recover a lost .pub file, and it is also a quick way to check that the id_rsa.pub sitting next to a private key really belongs to it. If the private key has a passphrase, -y prompts for it.
# ssh-keygen -y
Enter file in which the key is (/root/.ssh/id_rsa):
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5kSivOqhs0U9ZMN20nxFe27QZ3t0lT2zbH7OSX==
You can also specify the private key with the -f option. In this example, it displays the public key for the ~/.ssh/id_dsa private key.
# ssh-keygen -y -f ~/.ssh/id_dsa
ssh-dss AAAAB3NzaC1kc3MAAACBAIpmvehoOuFwJ5YHV+7BCrAinV0BZbkUvxkX8KK2prDmynhT==
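The key generation, naming, comment, conversion and -y steps from sections 1 to 5 and 7, combined into one added example that is not part of the original article. It generates keys without any interactive prompts (-N "" for an empty passphrase, -q to silence the banner), then uses -y to regenerate the public key and compare it with the stored .pub, prints the SHA256 fingerprint with -l, and round-trips the public key through the RFC 4716 format with -e and -i. The key names, the comments, the ed25519 type and the 4096-bit RSA size are choices made for the demo, not the article's defaults.

```shell
#!/bin/sh
# Added example, not code from the original article. Everything below runs
# in a temporary directory that is removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_key TYPE FILE COMMENT : create FILE and FILE.pub without prompting.
# -N "" sets an empty passphrase so the demo can run unattended; real keys
# should have a passphrase or live in an agent or hardware token. Unlike
# plain ssh-keygen, this refuses to overwrite an existing key instead of
# asking, so a script cannot silently destroy the old private key.
gen_key() {
    type=$1; file=$2; comment=$3
    [ ! -e "$file" ] || { echo "refusing to overwrite $file" >&2; return 1; }
    case $type in
        rsa) ssh-keygen -q -t rsa -b 4096 -N "" -C "$comment" -f "$file" ;;
        *)   ssh-keygen -q -t "$type" -N "" -C "$comment" -f "$file" ;;
    esac
}

# fingerprint PUBFILE : SHA256 fingerprint, the value to compare out of band
fingerprint() {
    ssh-keygen -l -E sha256 -f "$1" | awk '{print $2}'
}

# pub_from_private FILE : the public key line recomputed from the private key
# (this is what -y does; it prompts if the key has a passphrase)
pub_from_private() {
    ssh-keygen -y -f "$1"
}

# pub_matches FILE : 0 when FILE.pub belongs to FILE, 1 when the .pub has been
# swapped or corrupted. Only type and key material are compared; the comment
# is free text and is ignored.
pub_matches() {
    [ "$(pub_from_private "$1" | awk '{print $1, $2}')" = "$(awk '{print $1, $2}' "$1.pub")" ]
}

# key_comment FILE : the comment field stored in FILE.pub
key_comment() {
    cut -d' ' -f3- "$1.pub"
}

# rfc4716_roundtrip FILE : export FILE.pub with -e, import the result with -i
# and print type and key material; equal to FILE.pub when nothing was lost.
# The comment is not carried through the conversion.
rfc4716_roundtrip() {
    ssh-keygen -e -f "$1.pub" > "$1.rfc4716"
    ssh-keygen -i -f "$1.rfc4716" | awk '{print $1, $2}'
}

# Demo run (skipped when ssh-keygen is not installed)
if command -v ssh-keygen >/dev/null 2>&1; then
    KEY="$WORK/demo_ed25519"
    gen_key ed25519 "$KEY" "deploy@node1"
    echo "comment:     $(key_comment "$KEY")"
    echo "fingerprint: $(fingerprint "$KEY.pub")"
    pub_matches "$KEY" && echo "private key and .pub agree"
    rfc4716_roundtrip "$KEY" >/dev/null
    sed -n '1,2p' "$KEY.rfc4716"
fi
```

The fingerprint is what you read out to the other side when exchanging keys; it is derived from the public key only, so ssh-keygen -l on either file gives the same value.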