We use ssh-keygen tool to generate SSH keys which are used for Public Key Based Authentication with SSH. As the time of writing this article, there are 6 different types of authentication methods possible with SSH. But Public key Authentication is one of the most used authentication methods used across production environment.
ssh-keygen is a very vast tool which can do much more than generating SSH keys. It also supports signing of keys to produce certificates that may be used for user or host authentication. In this article we learned about different arguments which can be used to generate SSH keys for Public key Authentication with SSH
You can also combine all the arguments from this tutorial to automate the process. Lastly I hope the steps from the article to understand about ssh-keygen tool in more detail with different examples on Linux was helpful. So, let me know your suggestions and feedback using the comment section.
Secure Shell(SSH) is a cryptographic network protocol used for operating remote services securely. It is used for remote operation of devices on secure channels using a client-server architecture that generally operates on Port 22. SSH is the successor of Telnet. SSH uses public and private keys to validate and authenticate users. ssh-keygen is used to generate these key pairs.
ssh-keygen is the utility used to generate, manage, and convert authentication keys for SSH. ssh-keygen comes installed with SSH in most of the operating systems. ssh-keygen is able to generate a key using one of three different digital signature algorithms.
Use the ssh-keygen command to generate a public/private authentication key pair. Authentication keys allow a user to connect to a remote system without supplying a password. Keys must be generated for each user separately. If you generate key pairs as the root user, only the root can use the keys.
Logging into remote systems with SSH implementations is secure by default -- but those connections are secured only in that they use the TLS protocol to encrypt network protocol exchanges. SSH can be made even more secure by using it to authenticate communicating hosts through the exchange of public keys -- keys that are created using the ssh-keygen command.
GUI versions of SSH usually include the same functionality as the command-line versions. For example, the PuTTYgen program is a GUI version of ssh-keygen for use with PuTTY, a GUI implementation of SSH for Windows. However, modern OSes, including Windows 10 and later, Linux and macOS, include command-line versions of the OpenSSH implementation of SSH.
This tutorial uses examples from OpenSSH in Windows PowerShell and in Linux Bash (Bourne Again Shell) command-line interfaces (CLIs), but they also should apply to the macOS version of OpenSSH. The advantage of using a CLI version of SSH is that commands are consistent across OSes, unlike with GUI versions that may implement commands using a variety of GUI techniques.
This ad hoc approach can be adequately secure when the user is connecting to a server inside a protected network, but it can be riskier for connecting to other remote servers. This is where ssh-keygen can streamline the exchange of public key authentication.
The ssh-keygen command is a component of most SSH implementations used to generate a public key pair for use when authenticating with a remote server. In the typical use case, users generate a new public key and then copy their public key to the server using SSH and their login credentials for the remote server.
This is the default behaviour of ssh-keygen without any parameters. By default it creates RSA keypair, stores key under ~/.ssh directory. Note that the file name it created was id_rsa for private key and id_rsa.pub for public key.
By default the keys generated by ssh-keygen will be used by the OpenSSH implementation. But, if you want to convert those keys to SSH comercial implementations (for example: SSH2), use the -e option as shown below.
When you're prompted to "Enter a file in which to save the key", you can press Enter to accept the default file location. Please note that if you created SSH keys previously, ssh-keygen may ask you to rewrite another key, in which case we recommend creating a custom-named SSH key. To do so, type the default file location and replace id_ssh_keyname with your custom key name.
ssh-keygenis also used to generate groups for use in Diffie-Hellman groupexchange (DH-GEX).See the MODULI GENERATIONsection for details.Normally each user wishing to use SSHwith RSA or DSA authentication runs this once to create the authenticationkey in ~/.ssh/identity, ~/.ssh/id_dsaor ~/.ssh/id_rsa.Additionally, the system administrator may use this to generate host keys,as seen in /etc/rc.Normally this program generates the key and asks for a file in whichto store the private key.The public key is stored in a file with the same name but".pub"appended.The program also asks for a passphrase.The passphrase may be empty to indicate no passphrase(host keys must have an empty passphrase), or it may be a string ofarbitrary length.A passphrase is similar to a password, except it can be a phrase with aseries of words, punctuation, numbers, whitespace, or any string ofcharacters you want.Good passphrases are 10-30 characters long, arenot simple sentences or otherwise easily guessable (Englishprose has only 1-2 bits of entropy per character, and provides very badpassphrases), and contain a mix of upper and lowercase letters,numbers, and non-alphanumeric characters.The passphrase can be changed later by using the-p option.There is no way to recover a lost passphrase.If the passphrase islost or forgotten, a new key must be generated and copied to thecorresponding public key to other machines.For RSA1 keys,there is also a comment field in the key file that is only forconvenience to the user to help identify the key.The comment can tell what the key is for, or whatever is useful.The comment is initialized to"user@host"when the key is created, but can be changed using the-c option.After a key is generated, instructions below detail where the keysshould be placed to be activated.The options are as follows:TagDescription-a trials Specifies the number of primality tests to perform when screening DH-GEXcandidates using the-T command.-B Show the bubblebabble digest of specified private or public key file.-b bits Specifies the number of bits in the key to create.For RSA keys, the minimum size is 768 bits and the default is 2048 bits.Generally, 2048 bits is considered sufficient.DSA keys must be exactly 1024 bits as specified by FIPS 186-2.-C comment Provides a new comment.-c Requests changing the comment in the private and public key files.This operation is only supported for RSA1 keys.The program will prompt for the file containing the private keys, forthe passphrase if the key has one, and for the new comment.-D reader Download the RSA public key stored in the smartcard in reader.-e This option will read a private or public OpenSSH key file andprint the key in a'SECSH Public Key File Format'to stdout.This option allows exporting keys for use by several commercialSSH implementations.-F hostname Search for the specified hostnamein a known_hostsfile, listing any occurrences found.This option is useful to find hashed host names or addresses and may also beused in conjunction with the-H option to print found keys in a hashed format.-f filename Specifies the filename of the key file.-G output_file Generate candidate primes for DH-GEX.These primes must be screened forsafety (using the-T option) before use.-g Use generic DNS format when printing fingerprint resource records using the-r command.-H Hash a known_hostsfile.This replaces all hostnames and addresses with hashed representationswithin the specified file; the original content is moved to a file witha .old suffix.These hashes may be used normally by sshand sshd,but they do not reveal identifying information should the file’s contentsbe disclosed.This option will not modify existing hashed hostnames and is therefore safeto use on files that mix hashed and non-hashed names.-i This option will read an unencrypted private (or public) key filein SSH2-compatible format and print an OpenSSH compatible private(or public) key to stdout.ssh-keygenalso reads the'SECSH Public Key File Format'.This option allows importing keys from several commercialSSH implementations.-l Show fingerprint of specified public key file.Private RSA1 keys are also supported.For RSA and DSA keysssh-keygentries to find the matching public key file and prints its fingerprint.-M memory Specify the amount of memory to use (in megabytes) when generatingcandidate moduli for DH-GEX.-N new_passphrase Provides the new passphrase.-P passphrase Provides the (old) passphrase.-p Requests changing the passphrase of a private key file instead ofcreating a new private key.The program will prompt for the filecontaining the private key, for the old passphrase, and twice for thenew passphrase.-q Silence ssh-keygen.Used by /etc/rcwhen creating a new key.-R hostname Removes all keys belonging to hostnamefrom a known_hostsfile.This option is useful to delete hashed hosts (see the-H option above).-r hostname Print the SSHFP fingerprint resource record named hostnamefor the specified public key file.-S start Specify start point (in hex) when generating candidate moduli for DH-GEX.-T output_file Test DH group exchange candidate primes (generated using the-G option) for safety.-t type Specifies the type of key to create.The possible values are"rsa1"for protocol version 1 and"rsa"or"dsa"for protocol version 2.-U reader Upload an existing RSA private key into the smartcard in reader.-v Verbose mode.Causesssh-keygento print debugging messages about its progress.This is helpful for debugging moduli generation.Multiple-v options increase the verbosity.The maximum is 3.-W generator Specify desired generator when testing candidate moduli for DH-GEX.-y This option will read a privateOpenSSH format file and print an OpenSSH public key to stdout.MODULI GENERATIONssh-keygenmay be used to generate groups for the Diffie-Hellman Group Exchange(DH-GEX) protocol.Generating these groups is a two-step process: first, candidateprimes are generated using a fast, but memory intensive process.These candidate primes are then tested for suitability (a CPU-intensiveprocess).Generation of primes is performed using the-G option.The desired length of the primes may be specified by the-b option.For example: # ssh-keygen -G moduli-2048.candidates -b 2048By default, the search for primes begins at a random point in thedesired length range.This may be overridden using the-S option, which specifies a different start point (in hex).Once a set of candidates have been generated, they must be tested forsuitability.This may be performed using the-T option.In this modessh-keygenwill read candidates from standard input (or a file specified using the-f option).For example: # ssh-keygen -T moduli-2048 -f moduli-2048.candidatesBy default, each candidate will be subjected to 100 primality tests.This may be overridden using the-a option.The DH generator value will be chosen automatically for theprime under consideration.If a specific generator is desired, it may be requested using the-W option.Valid generator values are 2, 3, and 5.Screened DH groups may be installed in /etc/moduli.It is important that this file contains moduli of a range of bit lengths andthat both ends of a connection share common moduli.FILESTagDescription ~/.ssh/identity Contains the protocol version 1 RSA authentication identity of the user.This file should not be readable by anyone but the user.It is possible tospecify a passphrase when generating the key; that passphrase will beused to encrypt the private part of this file using 3DES.This file is not automatically accessed byssh-keygenbut it is offered as the default file for the private key.ssh(1)will read this file when a login attempt is made. ~/.ssh/identity.pub Contains the protocol version 1 RSA public key for authentication.The contents of this file should be added to ~/.ssh/authorized_keyson all machineswhere the user wishes to log in using RSA authentication.There is no need to keep the contents of this file secret. ~/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user.This file should not be readable by anyone but the user.It is possible tospecify a passphrase when generating the key; that passphrase will beused to encrypt the private part of this file using 3DES.This file is not automatically accessed byssh-keygenbut it is offered as the default file for the private key.ssh(1)will read this file when a login attempt is made. ~/.ssh/id_dsa.pub Contains the protocol version 2 DSA public key for authentication.The contents of this file should be added to ~/.ssh/authorized_keyson all machineswhere the user wishes to log in using public key authentication.There is no need to keep the contents of this file secret. ~/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user.This file should not be readable by anyone but the user.It is possible tospecify a passphrase when generating the key; that passphrase will beused to encrypt the private part of this file using 3DES.This file is not automatically accessed byssh-keygenbut it is offered as the default file for the private key.ssh(1)will read this file when a login attempt is made. ~/.ssh/id_rsa.pub Contains the protocol version 2 RSA public key for authentication.The contents of this file should be added to ~/.ssh/authorized_keyson all machineswhere the user wishes to log in using public key authentication.There is no need to keep the contents of this file secret. /etc/moduli Contains Diffie-Hellman groups used for DH-GEX.The file format is described inmoduli(5).SEE ALSOssh-add(1),ssh-agent(1),moduli(5),sshd(8).Rs SECSH Public Key File Format.Re AUTHORSOpenSSH is a derivative of the original and freessh 1.2.12 release by Tatu Ylonen.Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,Theo de Raadt and Dug Songremoved many bugs, re-added newer features andcreated OpenSSH.Markus Friedl contributed the support for SSHprotocol versions 1.5 and 2.0. Advertisements 2b1af7f3a8