FUN WITH LINUX

Using ssh-keygen

8 July 2016

ssh-keygen is a very handy tool for managing SSH keys. By far its most common use is generating keys, but the tool can do a bit more.

Generating SSH-Keys

To generate a simple RSA key pair, just call:

dr@gallifrey:~# ssh-keygen -t rsa -f newkey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in newkey.
Your public key has been saved in newkey.pub.
The key fingerprint is:
5c:be:d2:0c:82:e7:75:de:62:a4:74:8c:00:d4:89:6c dr@gallifrey
The key's randomart image is:
+---[RSA 2048]----+
| ooo . |
| E.o |
| . . . |
| . o = |
| . o S * |
| o + X o |
| . o B . |
| o . |
| |
+-----------------+

List the fingerprint of a key

When we connect to an SSH server for the first time, we have to confirm the identity of the server. The client shows the fingerprint of the server's host key like this:

dr@gallifrey:~# ssh tardis
The authenticity of host 'tardis (192.168.51.33)' can't be established.
ECDSA key fingerprint is e2:9f:fe:bd:69:ca:d2:75:5b:87:df:02:3e:17:44:3f.
Are you sure you want to continue connecting (yes/no)? 

We can call the admin of this server, who can tell us the fingerprint of the host key to compare against. To get it, the admin runs the following command on the server:

root@tardis:~# ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub 
256 e2:9f:fe:bd:69:ca:d2:75:5b:87:df:02:3e:17:44:3f root@tardis (ECDSA)

The fingerprints are the same, so we can safely accept the host key on the client. If they differed, we would answer no instead.

Convert the openssh-key into SSH2-format

dr@gallifrey:~# ssh-keygen -e -f newkey.pub 
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by dr@gallifrey from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDt0TJIKdV20EAAefpdRke6ei7AeaahPqndCFX5JV
8lVtiswtK2qmxIPgIOv/dpOh4qFMNdkqVXa7JgpjEaXArCuTlKw4qw56GzFldqq7V9j4H4
wJbG53/EDqdNzAuOkM+1TApljn1RFJaAmkrBnr2l8ssE5w7R2Hg7KS+TykJd9v1XF/NvfU
RqKlI+iOFwsK544Q9JSlPFe4GzRr3ZgvvhQQHnsGnmEIsshnRWB2Yycd8JwC1M7iIWOfTO
FiYaFB1XiYfOs5CTEqpD6w6DgYQQslTRb9YKerE2Wwu7zeaOcsgA89j+u4/Esh9i/8TfZN
gC5KpxSTjSJx6MOJ7gSa65
---- END SSH2 PUBLIC KEY ----

Convert the SSH2-format into openssh-format

dr@gallifrey:~# ssh-keygen -i -f newkey_ssh2.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDt0TJIKdV20EAAefpdRke6ei7AeaahPqndCFX5JV8lVtiswtK2qmxIPgIOv/dpOh4qFMNdkqVXa7JgpjEaXArCuTlKw4qw56GzFldqq7V9j4H4wJbG53/EDqdNzAuOkM+1TApljn1RFJaAmkrBnr2l8ssE5w7R2Hg7KS+TykJd9v1XF/NvfURqKlI+iOFwsK544Q9JSlPFe4GzRr3ZgvvhQQHnsGnmEIsshnRWB2Yycd8JwC1M7iIWOfTOFiYaFB1XiYfOs5CTEqpD6w6DgYQQslTRb9YKerE2Wwu7zeaOcsgA89j+u4/Esh9i/8TfZNgC5KpxSTjSJx6MOJ7gSa65
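What the fingerprint comparison and the SSH2-to-OpenSSH conversion above actually compute, as an added Python example (not part of the original post and not OpenSSH code): the fingerprint is a hash over the decoded key blob, and the SSH2 block is the same base64 blob wrapped between markers. The function names are illustrative; the `SHA256:` form is the one newer OpenSSH releases print instead of the colon-separated MD5 shown on this page.

```python
import base64, hashlib, struct
# SSH2 block exactly as printed on this page (output of `ssh-keygen -e -f newkey.pub`).
PAGE_SSH2 = """---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by dr@gallifrey from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDt0TJIKdV20EAAefpdRke6ei7AeaahPqndCFX5JV
8lVtiswtK2qmxIPgIOv/dpOh4qFMNdkqVXa7JgpjEaXArCuTlKw4qw56GzFldqq7V9j4H4
wJbG53/EDqdNzAuOkM+1TApljn1RFJaAmkrBnr2l8ssE5w7R2Hg7KS+TykJd9v1XF/NvfU
RqKlI+iOFwsK544Q9JSlPFe4GzRr3ZgvvhQQHnsGnmEIsshnRWB2Yycd8JwC1M7iIWOfTO
FiYaFB1XiYfOs5CTEqpD6w6DgYQQslTRb9YKerE2Wwu7zeaOcsgA89j+u4/Esh9i/8TfZN
gC5KpxSTjSJx6MOJ7gSa65
---- END SSH2 PUBLIC KEY ----"""

def fields(blob):  # split an SSH wire-format blob into length-prefixed fields
    out, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack_from(">I", blob, pos)
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if pos != len(blob):
        raise ValueError("truncated key blob")
    return out

def ssh2_to_openssh(text):
    """Like `ssh-keygen -i`: drop markers and headers, join the base64 body."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("---- BEGIN SSH2") and lines[-1].startswith("---- END SSH2")):
        raise ValueError("not an SSH2 public key block")
    body, cont = [], False
    for ln in lines[1:-1]:
        if cont or ":" in ln:            # header line, or continuation of one
            cont = ln.endswith("\\")
        else:
            body.append(ln.strip())
    b64 = "".join(body)
    return f"{fields(base64.b64decode(b64, validate=True))[0].decode()} {b64}"

def describe(line):
    """Return (key type, RSA modulus bits or None, MD5 fingerprint, SHA256 fingerprint)."""
    blob = base64.b64decode(line.split()[1], validate=True)
    f = fields(blob)
    bits = int.from_bytes(f[2], "big").bit_length() if f[0] == b"ssh-rsa" else None
    md5 = hashlib.md5(blob).digest().hex(":")    # format used in this page's output
    sha = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return f[0].decode(), bits, md5, sha

def fingerprint_matches(line, reported):  # reported = fingerprint read out by the admin
    _, _, md5, sha = describe(line)
    r = reported.strip()
    return r.lower().replace("md5:", "", 1) == md5 or r == sha
```

Because the hash covers the whole key blob, any change to the key changes the fingerprint, which is why comparing it over a separate channel is enough to confirm the host key.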
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti