ssh-keygen is a very handy tool for managing SSH keys. By far its most common use is generating key pairs, but the tool can do a bit more.
Generating SSH-Keys
To generate a simple RSA key pair, just call:
dr@gallifrey:~# ssh-keygen -t rsa -f newkey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in newkey.
Your public key has been saved in newkey.pub.
The key fingerprint is:
5c:be:d2:0c:82:e7:75:de:62:a4:74:8c:00:d4:89:6c dr@gallifrey
The key's randomart image is:
+---[RSA 2048]----+
| ooo . |
| E.o |
| . . . |
| . o = |
| . o S * |
| o + X o |
| . o B . |
| o . |
| |
+-----------------+
List the fingerprint of a key
When we connect to an SSH server for the first time, we have to approve the identity of the server. We will see the fingerprint of the server's host key like this:
dr@gallifrey:~# ssh tardis
The authenticity of host 'tardis (192.168.51.33)' can't be established.
ECDSA key fingerprint is e2:9f:fe:bd:69:ca:d2:75:5b:87:df:02:3e:17:44:3f.
Are you sure you want to continue connecting (yes/no)?
We can call the admin of this server and ask for the fingerprint of the host key to compare. To look it up, the admin runs the following command on the server:
root@tardis:~# ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub
256 e2:9f:fe:bd:69:ca:d2:75:5b:87:df:02:3e:17:44:3f root@tardis (ECDSA)
The fingerprints are the same, so we can safely accept the host key on the client.
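What the fingerprint compared above actually is, as an added Python example that is not part of the original page: the MD5 digest of the base64-decoded public key blob, printed as colon-separated hex. The helper names and the sample key are constructed for illustration; the SHA256 form goes beyond the page and is what newer OpenSSH releases print by default.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

def key_blob(pubkey_line: str) -> bytes:
    """Decode '<type> <base64> [comment]' and check the type inside the blob."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type in blob differs from declared type")
    return blob

def md5_fingerprint(pubkey_line: str) -> str:
    """Legacy colon-separated form, as printed on this page."""
    digest = hashlib.md5(key_blob(pubkey_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(pubkey_line: str) -> str:
    """Form printed by default in newer OpenSSH releases."""
    digest = hashlib.sha256(key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def matches(pubkey_line: str, expected: str) -> bool:
    """Compare a key against a fingerprint obtained out of band."""
    expected = expected.strip()
    if expected[:7].upper() == "SHA256:":
        actual, wanted = sha256_fingerprint(pubkey_line), "SHA256:" + expected[7:]
    else:
        if expected[:4].upper() == "MD5:":
            expected = expected[4:]
        actual, wanted = md5_fingerprint(pubkey_line), expected.lower()
    # Constant-time comparison of the two fingerprint strings.
    return hmac.compare_digest(actual.encode(), wanted.encode())

# Constructed sample: a well-formed "ssh-rsa" blob with toy numbers, not a real key.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xc3" * 16)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed@example"

if __name__ == "__main__":
    print(md5_fingerprint(SAMPLE_LINE))
    print(sha256_fingerprint(SAMPLE_LINE))
```

On a client that prints SHA256 fingerprints, ssh-keygen -l -E md5 -f <keyfile> shows the colon-separated form used on this page.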
Convert the OpenSSH key into SSH2 format
dr@gallifrey:~# ssh-keygen -e -f newkey.pub
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by dr@gallifrey from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDt0TJIKdV20EAAefpdRke6ei7AeaahPqndCFX5JV
8lVtiswtK2qmxIPgIOv/dpOh4qFMNdkqVXa7JgpjEaXArCuTlKw4qw56GzFldqq7V9j4H4
wJbG53/EDqdNzAuOkM+1TApljn1RFJaAmkrBnr2l8ssE5w7R2Hg7KS+TykJd9v1XF/NvfU
RqKlI+iOFwsK544Q9JSlPFe4GzRr3ZgvvhQQHnsGnmEIsshnRWB2Yycd8JwC1M7iIWOfTO
FiYaFB1XiYfOs5CTEqpD6w6DgYQQslTRb9YKerE2Wwu7zeaOcsgA89j+u4/Esh9i/8TfZN
gC5KpxSTjSJx6MOJ7gSa65
---- END SSH2 PUBLIC KEY ----
Convert the SSH2 format into OpenSSH format
dr@gallifrey:~# ssh-keygen -i -f newkey_ssh2.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDt0TJIKdV20EAAefpdRke6ei7AeaahPqndCFX5JV8lVtiswtK2qmxIPgIOv/dpOh4qFMNdkqVXa7JgpjEaXArCuTlKw4qw56GzFldqq7V9j4H4wJbG53/EDqdNzAuOkM+1TApljn1RFJaAmkrBnr2l8ssE5w7R2Hg7KS+TykJd9v1XF/NvfURqKlI+iOFwsK544Q9JSlPFe4GzRr3ZgvvhQQHnsGnmEIsshnRWB2Yycd8JwC1M7iIWOfTOFiYaFB1XiYfOs5CTEqpD6w6DgYQQslTRb9YKerE2Wwu7zeaOcsgA89j+u4/Esh9i/8TfZNgC5KpxSTjSJx6MOJ7gSa65