ssh-keygen

authentication key generation, management and conversion

ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment] [-f output_keyfile]
ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
ssh-keygen -i|e [-f keyfile]
(import|export)

ssh-keygen -y [-f keyfile] (read private OpenSSH key, output public key)
ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]

ssh-keygen -l [-f keyfile]
(list fingerprint)
ssh-keygen -B [-f keyfile]
(show bubblebabble)
ssh-keygen -F hostname [-f known_hosts_file] [-l]
(find host)

ssh-keygen -H [-f known_hosts_file]
(hash it)
ssh-keygen -R hostname [-f known_hosts_file]
(remove host)
ssh-keygen -D|U reader
(download from | upload to smartcard reader)
ssh-keygen -r hostname [-f input_keyfile] [-g]
(print SSHFP resource record)

Generates, manages and converts authentication keys for ssh.
Creates RSA keys for use by SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2.

The type of key is specified with -t; the default is RSA for SSH protocol 2.

Also generates groups for use in Diffie-Hellman group exchange (DH-GEX). See the MODULI GENERATION section of the ssh-keygen(1) manual page.

Normally the system administrator uses this program to generate host keys, usually from /etc/rc at boot.
Each user runs it to create their own authentication key. The optional passphrase may be a string of arbitrary length and can be changed later with -p. Like a password, it can be a phrase of words, punctuation, numbers, whitespace, or any string of characters. There is no way to recover a lost passphrase: if it is forgotten, a new key must be generated and its public key copied to the other machines in place of the old one.

For RSA1 keys, there is a comment field in the key file that helps the user identify the key (what it is for, where it is used). It can be changed using -c.

-t type Specifies the type of key to create. The possible values are rsa1 for protocol version 1 and rsa or dsa for protocol version 2.
-b bits Specifies the number of bits in the key to create.
For RSA keys, the minimum is 768 bits and the default is 2048 bits.
DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
-C comment Provides a new comment.
-c Requests changing the comment in the private and public key files. Only supported for RSA1 keys. Prompts for the file containing the private keys, for the passphrase if the key has one, and for the new comment.
-D reader Download the RSA public key stored in the smartcard in reader.
-U reader Upload an existing RSA private key into the smartcard in reader.
-e Reads a private or public OpenSSH key file and prints the key in RFC 4716 SSH Public Key File Format to stdout. Allows exporting keys for use by several commercial SSH implementations.
-F hostname Search for the specified hostname in a known_hosts file, listing any occurrences found.
Useful to find hashed host names or addresses and may also be used in conjunction with -H to print found keys in hashed format.
-H Hash a known_hosts file. This replaces all host names and addresses with hashed representations; the original content is moved to a file with a .old suffix. Hashed entries are used normally by ssh and sshd, but reveal no identifying information if the file is disclosed.
-R hostname Removes all keys belonging to hostname from a known_hosts file. Useful to delete hashed hosts (see -H).
-i Reads an unencrypted private (or public) key file in SSH2-compatible format and prints an OpenSSH compatible private (or public) key to stdout. ssh-keygen also reads the RFC 4716 SSH Public Key File Format. Allows importing keys from several commercial SSH implementations.
-f filename Specifies the filename of the key file.
-l Show the fingerprint of the specified public key file. Private RSA1 keys are also supported; for other key types ssh-keygen tries to find the matching public key file and prints its fingerprint.
With -v, an ASCII art representation of the key is printed together with the fingerprint.
-B Show the bubblebabble digest of the specified private or public key file.
-p Requests changing the passphrase of a private key file instead of creating a new private key. Prompts for the file containing the private key, for the old passphrase, and twice for the new passphrase.
-N new_passphrase Provides the new passphrase.
-P passphrase Provides the (old) passphrase.
-q Silence ssh-keygen. Used by /etc/rc when creating a new key.
-r hostname Print the SSHFP fingerprint resource record named hostname for the specified public key file. Default ~/.ssh/id_rsa.
-g Use generic DNS format when outputting fingerprint resource records with -r.
-y Reads a private OpenSSH format file and prints an OpenSSH public key to stdout.
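The -F, -H and -R operations above all turn on the same hashed host format: a line beginning with |1| carries a random 20-byte salt and HMAC-SHA1(salt, hostname), so a reader of the file cannot recover the host name but ssh can still confirm a match by re-hashing with the stored salt. The following is an added example in Python that models those three operations; it is not OpenSSH's own code. The known_hosts text, the key blobs in it (placeholders, not real keys) and the function names are all constructed for this illustration.

```python
"""Model of OpenSSH's hashed known_hosts handling (the -H, -F and -R operations).

Added example, not ssh-keygen's own code. The file contents below are
constructed for illustration; the key fields are placeholder strings, not
real keys. The hashed-line format is the one OpenSSH writes:
    |1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)> <keytype> <key>
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional

HASH_MAGIC = "|1|"

# Constructed sample known_hosts (placeholder key material, not real keys).
SAMPLE_KNOWN_HOSTS = """\
# comment lines are kept as they are
gateway.example.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0
build01 ssh-dss AAAAB3NzaC1kc3MAAACBAJv
[jump.example.com]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDk
"""


def hash_host(host: str, salt: Optional[bytes] = None) -> str:
    """Return the |1|salt|hmac form for one host name (20-byte salt, SHA-1 sized)."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return (HASH_MAGIC + base64.b64encode(salt).decode()
            + "|" + base64.b64encode(mac).decode())


def host_matches(pattern: str, host: str) -> bool:
    """True if a known_hosts host field (plain comma list or hashed) covers host."""
    if pattern.startswith(HASH_MAGIC):
        parts = pattern.split("|")          # ['', '1', salt, mac]
        if len(parts) != 4:
            return False
        salt = base64.b64decode(parts[2])
        # Re-hash the candidate with the stored salt and compare in constant time.
        return hmac.compare_digest(hash_host(host, salt), pattern)
    return host in pattern.split(",")


def find_host(known_hosts: str, host: str) -> List[int]:
    """Like ssh-keygen -F: 1-based line numbers whose host field matches."""
    hits = []
    for n, line in enumerate(known_hosts.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        if host_matches(line.split(None, 1)[0], host):
            hits.append(n)
    return hits


def hash_file(known_hosts: str) -> str:
    """Like ssh-keygen -H: every plain host name becomes its own hashed line.
    A line listing several hosts is split, because one hash covers one name."""
    out = []
    for line in known_hosts.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2 or line.startswith("#") or line.startswith(HASH_MAGIC):
            out.append(line)                # comments and already-hashed lines untouched
            continue
        hosts, rest = parts
        for h in hosts.split(","):
            out.append(f"{hash_host(h)} {rest}")
    return "\n".join(out) + "\n"


def remove_host(known_hosts: str, host: str) -> str:
    """Like ssh-keygen -R: drop every line (hashed or not) that matches host."""
    kept = []
    for line in known_hosts.splitlines():
        if not line.strip() or line.startswith("#"):
            kept.append(line)
        elif not host_matches(line.split(None, 1)[0], host):
            kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    hashed = hash_file(SAMPLE_KNOWN_HOSTS)
    print(hashed)
    print("gateway.example.com found on lines", find_host(hashed, "gateway.example.com"))
    print(remove_host(hashed, "build01"))
```

Note that a non-standard port is hashed as the whole "[host]:port" string, which is also how ssh looks it up, and that the hash hides only the host name: the key itself still appears in clear, so an attacker who already knows a host's key can still test whether it is in the file.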

 > ssh-keygen    
Generating public/private rsa key pair.
Enter file in which to save the key (/Volumes/DATA/dgerman/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Volumes/DATA/dgerman/.ssh/id_rsa.
Your public key has been saved in /Volumes/DATA/dgerman/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:oTvL+IaG8Hpe1D862lBRr7RMsqfEZtMaUymJVX/OLdY dgerman@smacpro
The key's randomart image is:
+---[RSA 2048]----+
|      ..o        |
|     o o +       |
|    . = * o .    |
|     o % + + o   |
|    . & S   = E  |
|.  . = X   . .   |
| . o..= o        |
|  +.==o+ .       |
|.+..o+*.         |
+----[SHA256]-----+

> ssh-keygen -B
Enter file in which the key is (/Volumes/DATA/dgerman/.ssh/id_rsa): 
2048 xugel-tymes-mopal-vyzoz-xxxxx-yyyyy-zzzzz-fucyc-kehip-nelef-vuxyx username@clienthost (RSA) 

> ssh-keygen -l
Enter file in which the key is (/Volumes/DATA/dgerman/.ssh/id_rsa): 
2048 SHA256:oTvL+xxxxxxxxxx62yyyyyyyyyyEZtMaUymJVX/OLdY username@clienthost (RSA)
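The fingerprint that -l prints is a hash of the raw key blob, the base64 field in the .pub file, not of the file text: SHA256 in base64 without padding on recent OpenSSH (as in the session above), a colon-separated MD5 hex string on older releases. The bit count comes from the modulus inside the blob. The following is an added example in Python, not OpenSSH's code, that parses a public key line in the id_rsa.pub format and reproduces both fingerprints. The key it uses is built in the block from a made-up modulus so the file runs offline; it is not a real or usable key, and the function names are mine.

```python
"""Compute what `ssh-keygen -l` prints for a public key line.

Added example, not OpenSSH's code. The key blob is a sequence of SSH wire
'string' fields (4-byte big-endian length + bytes): for ssh-rsa they are
"ssh-rsa", e, n; for ssh-dss they are "ssh-dss", p, q, g, y.
The sample key below is constructed from a made-up modulus; it is NOT a
real RSA key.
"""
import base64
import hashlib
import struct
from typing import List, Tuple


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': big-endian two's complement, 0x00 prefix if the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def parse_strings(blob: bytes) -> List[bytes]:
    """Split a key blob into its length-prefixed fields, rejecting truncation."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off:off + n])
        off += n
    return fields


def key_bits(fields: List[bytes]) -> int:
    """Key size as ssh-keygen reports it: modulus n for RSA, prime p for DSA."""
    if fields[0] == b"ssh-rsa":
        return int.from_bytes(fields[2], "big").bit_length()
    if fields[0] == b"ssh-dss":
        return int.from_bytes(fields[1], "big").bit_length()
    raise ValueError("unsupported key type %r" % fields[0])


def fingerprints(pubkey_line: str) -> Tuple[int, str, str, str]:
    """(bits, SHA256 fingerprint, MD5 fingerprint, comment) for one .pub line."""
    ktype, b64, *comment = pubkey_line.split(None, 2)
    blob = base64.b64decode(b64)
    fields = parse_strings(blob)
    if fields[0] != ktype.encode():
        raise ValueError("key type prefix does not match blob")
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = ":".join("%02x" % b for b in hashlib.md5(blob).digest())
    return key_bits(fields), "SHA256:" + sha, "MD5:" + md5, (comment[0] if comment else "")


def list_line(pubkey_line: str) -> str:
    """Format the result the way `ssh-keygen -l` prints it."""
    bits, sha, _, comment = fingerprints(pubkey_line)
    label = {"ssh-rsa": "RSA", "ssh-dss": "DSA"}[pubkey_line.split(None, 1)[0]]
    return "%d %s %s (%s)" % (bits, sha, comment, label)


# Constructed sample: 2048-bit odd number standing in for a modulus (not a real key).
FAKE_N = (1 << 2047) | 0x10001
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(FAKE_N)
SAMPLE_PUBKEY = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " username@clienthost"

if __name__ == "__main__":
    print(list_line(SAMPLE_PUBKEY))
```

Because the fingerprint covers only the blob, the comment at the end of the .pub line (user@host) can be edited freely without changing the fingerprint, which is why it should never be relied on to tell keys apart.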

FILES

~/.ssh/identity Contains the protocol version 1 RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this file using 3DES. This file is not automatically accessed by ssh-keygen but it is offered as the default file for the private key. ssh(1) will read this file when a login attempt is made.
~/.ssh/identity.pub Contains the protocol version 1 RSA public key for authentication. The contents of this file should be added to ~/.ssh/authorized_keys on all machines where the user wishes to log in using RSA authentication. There is no need to keep the contents of this file secret.
~/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this file using 128-bit AES. This file is not automatically accessed by ssh-keygen but it is offered as the default file for the private key. ssh(1) will read this file when a login attempt is made.
~/.ssh/id_dsa.pub Contains the protocol version 2 DSA public key for authentication. The contents of this file should be added to ~/.ssh/authorized_keys on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret.
~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this file using 128-bit AES. This file is not automatically accessed by ssh-keygen but it is offered as the default file for the private key. ssh(1) will read this file when a login attempt is made.
~/.ssh/id_rsa.pub Contains the protocol version 2 RSA public key for authentication. The contents of this file should be added to ~/.ssh/authorized_keys on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret.
/etc/ssh/moduli Contains Diffie-Hellman groups used for DH-GEX. The file format is described in moduli(5).

SEE ALSO

ssh(1), ssh-add(1), ssh-agent(1), moduli(5), sshd(8)

The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006.

AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer features and created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0.