ssh-keygen Command in Linux: Generate, Inspect, and Manage SSH Keys

ssh-keygen from OpenSSH creates, inspects, and converts SSH key pairs for public-key login. It writes a private key, which stays on the client, and a .pub file whose single line you append to the server's authorized_keys file.

Reviewed by Deepak Prasad

About: ssh-keygen from OpenSSH creates, inspects, and converts SSH key pairs for public-key login. It writes a private key and a .pub file whose contents you copy to the server's authorized_keys file.
Tested on: Ubuntu 25.04 (Plucky Puffin); OpenSSH 9.9p1; kernel 7.0.0-27-generic
Package: openssh-client (apt/deb) · openssh-clients (dnf/rpm)
Man page: ssh-keygen(1)
Privilege: user (own keys) / root when managing other accounts
Distros: any Linux distro that ships OpenSSH (Ubuntu, Debian, RHEL, Fedora, SUSE, Arch, and others).

Server-side authorized_keys setup: see the ssh command page.

ssh-keygen — quick reference

Key generation

Create a key pair for passwordless SSH login or automation.

When to use | Command
Interactive key with default path (~/.ssh/id_ed25519 on OpenSSH 9.5 and later, id_rsa on older releases) | ssh-keygen
Ed25519 key (recommended default on modern OpenSSH) | ssh-keygen -t ed25519
RSA key with 4096-bit modulus | ssh-keygen -t rsa -b 4096
Non-interactive: empty passphrase, custom path, comment | ssh-keygen -t ed25519 -f ~/.ssh/deploy_ed25519 -N "" -C "deploy@prod"
Quiet batch run (no console output on success) | ssh-keygen -t ed25519 -f KEY -N "" -q

-N "" leaves the private key unencrypted on disk. Reserve it for automation accounts whose key file is protected by host access controls, and give interactive keys a passphrase.

Passphrase and metadata

Change secrets or labels on an existing private key.

When to use | Command
Change passphrase (prompts for the path, the old and the new passphrase) | ssh-keygen -p
Change passphrase non-interactively | ssh-keygen -p -f ~/.ssh/id_rsa -P "old" -N "new"
Set the key comment at creation | ssh-keygen -t ed25519 -C "user@host"
Change comment on an existing key | ssh-keygen -c -f ~/.ssh/id_ed25519

Inspection

Read fingerprints and public material from a private key.

When to use | Command
Show fingerprint and comment (works on the private key or the .pub file) | ssh-keygen -l -f ~/.ssh/id_ed25519
Show the legacy MD5 fingerprint, for comparing with older consoles | ssh-keygen -l -E md5 -f ~/.ssh/id_ed25519
Print public key from private key file | ssh-keygen -y -f ~/.ssh/id_ed25519
Bubblebabble fingerprint | ssh-keygen -B -f ~/.ssh/id_ed25519

known_hosts maintenance

Fix host-key warnings after reinstalls or IP reuse.

When to use | Command
Remove all keys for a host from known_hosts | ssh-keygen -R hostname
Same, for a host reached on a non-default port (stored as [host]:port) | ssh-keygen -R "[hostname]:2222"
Hash plain hostnames in known_hosts | ssh-keygen -H -f ~/.ssh/known_hosts
Look up a host in known_hosts | ssh-keygen -F hostname

ssh-keygen — command syntax

Synopsis from ssh-keygen usage text on Ubuntu 25.04 (OpenSSH 9.9p1):

text
ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile]
           [-m format] [-N new_passphrase] [-O option]
           [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]
ssh-keygen -p [-f keyfile] [-P old_passphrase] [-N new_passphrase]
ssh-keygen -l [-f input_keyfile]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -c [-C comment] [-f keyfile] [-P passphrase]
ssh-keygen -R hostname [-f known_hosts_file]

A new key writes two files: the private key (keep permissions 600) and filename.pub for authorized_keys. The dsa type only appears when the build still includes DSA; OpenSSH disabled it at compile time by default in 9.8, so do not create new DSA keys. Certificate signing (-s, -I) and the FIDO sk key types need a CA setup or a hardware token and are not covered here.


ssh-keygen — command examples

Essential Generate an Ed25519 key pair (recommended)

Ed25519 keys are short, fast to sign and verify, and the type ssh-keygen generates when no -t is given on OpenSSH 9.5 and later.

Run the command (empty passphrase for lab; use a real passphrase in production):

bash
ssh-keygen -t ed25519 -f ~/.ssh/lab_ed25519 -N "" -C "lab ed25519 key"

Sample output:

text
Generating public/private ed25519 key pair.
Your identification has been saved in /root/.ssh/lab_ed25519
Your public key has been saved in /root/.ssh/lab_ed25519.pub
The key fingerprint is:
SHA256:K4diLvS+MLh+z7Sxn77b03RRlZw8VjfMeELAgAssa/4 lab ed25519 key
The key's randomart image is:
+--[ED25519 256]--+
|    .   ..o.o.*.O|
|   . o .   . o %o|
|    o . .     = .|
|   o   .     .   |
|  o     S     .  |
| ...   . . . .   |
|..o.+oo o o .    |
| ..*+E+oo. .     |
|o..o=*o*o..      |
+----[SHA256]-----+

List the fingerprint and confirm the comment:

bash
ssh-keygen -l -f ~/.ssh/lab_ed25519

Sample output:

text
256 SHA256:K4diLvS+MLh+z7Sxn77b03RRlZw8VjfMeELAgAssa/4 lab ed25519 key (ED25519)

Copy the single line in lab_ed25519.pub into ~/.ssh/authorized_keys on the server (ssh-copy-id -i ~/.ssh/lab_ed25519.pub user@host does this over an existing password login). sshd ignores the file if ~/.ssh is not mode 700 or authorized_keys is group- or world-writable (StrictModes, on by default). Remove the lab keys with rm ~/.ssh/lab_ed25519 ~/.ssh/lab_ed25519.pub.

Essential Generate RSA 4096-bit key for legacy servers

Some older appliances only accept RSA. Use -b 4096 (the default since OpenSSH 8.0 is 3072 bits, which is also acceptable). A modern client signs with rsa-sha2-256/512; if the old server only understands the SHA-1 ssh-rsa signature, which OpenSSH clients disabled by default in 8.8, the key is fine but you must re-enable that algorithm for that host with PubkeyAcceptedAlgorithms +ssh-rsa in ~/.ssh/config.

Run the command:

bash
ssh-keygen -t rsa -b 4096 -f ~/.ssh/lab_rsa -N "oldpass" -q -C "lab rsa"

-q silences ssh-keygen, so a successful run prints nothing; the two files simply appear under ~/.ssh.

Verify the key type and size:

bash
ssh-keygen -l -f ~/.ssh/lab_rsa

Sample output:

text
4096 SHA256:… lab rsa (RSA)

Remove test keys when finished: rm ~/.ssh/lab_rsa ~/.ssh/lab_rsa.pub.

Essential Print the public key from a private key (-y)

When you have the private key but lost the .pub file, -y recreates the public line.

Run the command:

bash
ssh-keygen -y -f ~/.ssh/lab_ed25519

Sample output (truncated):

text
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOJVcLLJ4EFpwbSXBOdJ5Yy…

Append that single line to authorized_keys on the server you want to reach.
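The .pub line, the fingerprint from -l and the authorized_keys step are easy to script wrongly: a pasted line whose base64 belongs to a different key type, or a file sshd silently ignores because of its mode. The Python below is an added example, not code from this page or from OpenSSH. It decodes one public key line, recomputes the SHA256 fingerprint exactly as ssh-keygen -l prints it (SHA256 of the decoded blob, base64 without padding), and installs the line into authorized_keys with the modes sshd's StrictModes expects. It uses only the standard library and a constructed sample key (not a real pair, labelled as such in the code), so it runs without an SSH installation. The same fingerprint routine is what the "compare fingerprints safely" question in the interview corner relies on.

```python
"""Decode an OpenSSH public key line, fingerprint it, install it.
Added example, not from the page or OpenSSH; standard library only."""
import base64
import hashlib
import os
import stat
import struct
import tempfile

ACCEPTED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                  "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_public_key_line(line):
    """Return (key_type, blob, comment) for one '<type> <base64> [comment]' line.
    Raises ValueError for what sshd would also reject: unknown type, bad base64,
    or a blob whose embedded type string disagrees with the prefix (a line
    pasted from the wrong key). Option-prefixed lines (from=...) are not handled."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    if key_type not in ACCEPTED_TYPES:
        raise ValueError("unsupported key type %r" % key_type)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError("key material is not valid base64") from exc
    # SSH wire format: uint32 length, the type string, then the key material.
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else -1
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("blob type does not match prefix %r" % key_type)
    return key_type, blob, comment


def sha256_fingerprint(blob):
    """Fingerprint as ssh-keygen -l prints it: base64 SHA256, no '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def install_authorized_key(home, line):
    """Append a validated key line to <home>/.ssh/authorized_keys once.
    Duplicates are detected on key material, not the comment. Sets 0700 on
    ~/.ssh and 0600 on the file, which sshd's StrictModes (on by default)
    requires. Returns True if added, False if the key was already there."""
    _, blob, _ = parse_public_key_line(line)
    ssh_dir = os.path.join(home, ".ssh")
    path = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    if os.path.exists(path):
        with open(path) as fh:
            for entry in fh:
                try:
                    if parse_public_key_line(entry)[1] == blob:
                        return False
                except ValueError:
                    continue  # blank, comment, or option-prefixed line
    with open(path, "a") as fh:
        fh.write(line.strip() + "\n")
    os.chmod(path, 0o600)
    return True


def _constructed_ed25519_line():
    # Well-formed Ed25519 public key line whose 32 key bytes are 0x00..0x1f.
    # Constructed for the demo only; no private key corresponds to it.
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " lab ed25519 key"


SAMPLE_LINE = _constructed_ed25519_line()


def demo():
    """Exercise the helpers on the sample inside a throwaway HOME."""
    key_type, blob, comment = parse_public_key_line(SAMPLE_LINE)
    with tempfile.TemporaryDirectory() as home:
        first = install_authorized_key(home, SAMPLE_LINE)
        second = install_authorized_key(home, SAMPLE_LINE + " renamed")
        path = os.path.join(home, ".ssh", "authorized_keys")
        dir_mode = stat.S_IMODE(os.stat(os.path.dirname(path)).st_mode)
        file_mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"type": key_type, "comment": comment,
            "fingerprint": sha256_fingerprint(blob), "added_first": first,
            "added_second": second, "dir_mode": dir_mode, "file_mode": file_mode}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

To check a real key, feed the contents of ~/.ssh/lab_ed25519.pub in place of SAMPLE_LINE and compare the printed fingerprint with ssh-keygen -l -f ~/.ssh/lab_ed25519: they must agree, because -l hashes the same decoded blob.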

Common Change the passphrase on a private key

Rotate a passphrase without generating a new key — the public key on servers stays the same.

Run the command:

bash
ssh-keygen -p -f ~/.ssh/lab_rsa -P "oldpass" -N "newpass"

Sample output:

text
Key has comment 'lab rsa'
Your identification has been saved with the new passphrase.

If you forgot the passphrase, you cannot recover it: generate a new key pair and replace the public key on every host. Also note that -P and -N put both passphrases into the process list and shell history; outside scripted runs, prefer the interactive prompt.

Common Update the key comment (-c)

Comments help you tell keys apart in ssh-add -l output. They do not affect authentication.

Run the command:

bash
ssh-keygen -c -f ~/.ssh/lab_ed25519 -C "updated comment"

The synopsis for -c takes -P (the existing passphrase), not -N. For an unencrypted key such as this lab key, omit both; for a passphrase-protected key, pass -P or answer the prompt.

Sample output:

text
Old comment: lab ed25519 key
Comment 'updated comment' applied

Confirm:

bash
ssh-keygen -l -f ~/.ssh/lab_ed25519

Sample output:

text
256 SHA256:K4diLvS+MLh+z7Sxn77b03RRlZw8VjfMeELAgAssa/4 updated comment (ED25519)

Common Custom filename with -f (multiple keys per user)

Separate keys per environment — production, staging, CI — by storing each pair under its own basename.

Run the command:

bash
ssh-keygen -t ed25519 -f ./deploy_key -N "" -C "ci deploy"
ls -l deploy_key deploy_key.pub

Sample output:

text
Generating public/private ed25519 key pair.
-rw------- 1 root root  … deploy_key
-rw-r--r-- 1 root root  … deploy_key.pub

Use ssh -i ./deploy_key user@host or an IdentityFile line in ~/.ssh/config. Delete test files with rm deploy_key deploy_key.pub.

Common Remove stale host key after server reinstall (-R)

SSH refuses to connect when the server's host key changes. -R deletes the old entry from known_hosts.

Add a test line, then remove it:

bash
echo "127.0.0.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForTestOnly" >> ~/.ssh/known_hosts
ssh-keygen -R 127.0.0.1 -f ~/.ssh/known_hosts

Sample output:

text
# Host 127.0.0.1 found: line 1
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old

On the next connection, SSH prompts you to trust the new host key. Verify the fingerprint it shows against one obtained out of band, for example the output of ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub on the server console, before answering yes. Running -R and accepting blindly turns a possible man-in-the-middle into a trusted host.

Advanced Interactive run — default path and prompts

Running ssh-keygen alone walks through path, passphrase, and comment — the path most desktop users take once per machine.

Start the tool (press Enter at prompts to accept defaults in a lab):

bash
ssh-keygen -t ed25519

Sample prompts:

text
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

If ~/.ssh/id_ed25519 already exists, you get an overwrite warning — answer n unless you intend to replace the key. Back up old keys before replacing.

Advanced Hash hostnames in known_hosts (-H)

Hashing hides plain hostnames from anyone who reads ~/.ssh/known_hosts; a stolen file otherwise lists every host you reach. Each entry becomes a salted HMAC-SHA1 of the name, so OpenSSH can still match it at connect time by recomputing the hash. Names can still be brute-forced from a wordlist, so treat hashing as a speed bump, not encryption. Set HashKnownHosts yes in ssh_config to hash new entries as they are added.

Run on a copy in a lab directory:

bash
cp ~/.ssh/known_hosts /tmp/lab_known_hosts
ssh-keygen -H -f /tmp/lab_known_hosts
head -1 /tmp/lab_known_hosts

Sample output (first line becomes hashed):

text
|1|DnQfHwXX0E78Kqd9sM+jhKICLhM=|A7gki0vPIUajFlROxDljIxE6rGM= ssh-ed25519 AAAA…

A .old backup is created beside the file. Remove /tmp/lab_known_hosts* when done.
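Both the -R section and the -H section above rest on how OpenSSH matches a host field: either a plain, comma-separated list of names or patterns, or a salted HMAC-SHA1 that it recomputes for the name you are connecting to. The Python below is an added example, not code from this page or from OpenSSH. It reproduces the -F, -R and -H behaviour on a constructed known_hosts list (placeholder key material, a fixed salt so the hashed line is reproducible) using only the standard library, so it runs without an SSH installation. It does not handle '!' negated patterns, it passes @cert-authority and @revoked marker lines through untouched, and it mirrors -R in dropping a whole line even when that line also listed other names.

```python
"""Match, remove, and hash known_hosts entries like ssh-keygen -F, -R, -H.
Added example, not from the page or OpenSSH; standard library only."""
import base64
import hashlib
import hmac
import os
import re

HASH_MAGIC = "|1|"  # prefix of a hashed host field: |1|<salt>|<hmac-sha1>


def hash_hostname(name, salt):
    """Hashed host field for one name, as -H writes it: HMAC-SHA1(salt, name)."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC, base64.b64encode(salt).decode(),
                        base64.b64encode(mac).decode())


def pattern_matches(pattern, name):
    """OpenSSH-style match: '*' and '?' are wildcards, everything else is
    literal, so the brackets in '[host]:port' are ordinary characters."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name) is not None


def host_field_matches(field, name):
    """True if a host field (plain list, pattern, or hashed) covers name.
    Hosts on a non-default port are stored as '[host]:port'; pass that
    literal string, exactly as you would to ssh-keygen -R."""
    if field.startswith(HASH_MAGIC):
        try:
            salt_b64, mac_b64 = field[len(HASH_MAGIC):].split("|", 1)
            salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        except ValueError:
            return False
        mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, expected)
    return any(pattern_matches(p, name) for p in field.split(","))


def split_entry(line):
    """(host_field, rest) for an entry; None for blank or comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split(None, 1)
    return tuple(parts) if len(parts) == 2 else None


def find_host(lines, name):
    """Like -F: (1-based line number, line) for each entry covering name."""
    hits = []
    for number, line in enumerate(lines, 1):
        entry = split_entry(line)
        if entry and host_field_matches(entry[0], name):
            hits.append((number, line))
    return hits


def remove_host(lines, name):
    """Like -R: drop every line covering name; the whole line goes even if
    it also listed other names. Returns the remaining lines."""
    matched = {number for number, _ in find_host(lines, name)}
    return [line for number, line in enumerate(lines, 1) if number not in matched]


def hash_known_hosts(lines, salt_fn=os.urandom):
    """Like -H: hash each plain host field, one output line per name because
    a hash covers exactly one name. Already-hashed lines, @marker lines and
    comments pass through unchanged."""
    out = []
    for line in lines:
        entry = split_entry(line)
        if entry is None or entry[0][:1] in ("|", "@"):
            out.append(line)
            continue
        for name in entry[0].split(","):
            out.append(hash_hostname(name, salt_fn(20)) + " " + entry[1])
    return out


# Constructed sample file: the text after each key type is placeholder base64,
# and the salt is fixed so the hashed line is reproducible.
SAMPLE_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = [
    "# constructed known_hosts for the example",
    "bastion.example.com,10.0.0.5 ssh-ed25519 AAAAplaceholderKey1",
    "[git.example.com]:2222 ssh-ed25519 AAAAplaceholderKey2",
    hash_hostname("build.example.com", SAMPLE_SALT) + " ssh-rsa AAAAplaceholderKey3",
]

if __name__ == "__main__":
    for number, _ in find_host(SAMPLE_KNOWN_HOSTS, "10.0.0.5"):
        print("# Host 10.0.0.5 found: line %d" % number)
    for line in hash_known_hosts(SAMPLE_KNOWN_HOSTS):
        print(line)
```

Two details worth noticing in the output: the bastion line splits into two hashed lines, one per name, because a hash can only cover one name, and find_host on "git.example.com" finds nothing while "[git.example.com]:2222" does, which is why -R must be given the bracketed form for hosts on non-default ports.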


ssh-keygen — when to use / when not

Use ssh-keygen when:
  • You need a new SSH key pair for login or Git over SSH
  • You must change a passphrase or comment on an existing private key
  • You want a fingerprint (ssh-keygen -l) before trusting a key
  • A server was rebuilt and known_hosts blocks the connection (-R)

Use something else when:
  • You are connecting to a host → ssh
  • You are copying files with the same keys → scp
  • You need short-lived certificates signed by an SSH CA → ssh-keygen -s (CA workflow; not covered here)
  • You want hardware-backed FIDO keys → ssh-keygen -t ed25519-sk with a compatible token
  • Secrets should live in an agent, not on disk → ssh-agent or platform keychain integration

ssh-keygen vs openssl genrsa

              | ssh-keygen | openssl genrsa
Purpose       | SSH authentication keys | General-purpose RSA keys
Output format | OpenSSH private key + .pub | PEM/DER; ssh-keygen -y -f key.pem derives the authorized_keys line
Ed25519       | Native -t ed25519 | Not applicable (openssl genpkey -algorithm ed25519 instead)
Best for      | SSH and authorized_keys | TLS certificates, non-SSH RSA

For SSH login, prefer ssh-keygen: authorized_keys expects OpenSSH public key lines.


Related commands

Command | One line
ssh-keygen | Create and manage key pairs (this page)
pssh | Run commands on many hosts with one key


ssh-keygen — interview corner

Why use Ed25519 instead of RSA for SSH keys?

Ed25519 keys are smaller and faster than RSA at comparable security, have no key size or parameters to choose wrongly, and have been the type ssh-keygen generates by default since OpenSSH 9.5.

bash
ssh-keygen -t ed25519 -f /tmp/demo -N "" -q
ssh-keygen -l -f /tmp/demo
rm /tmp/demo /tmp/demo.pub

Sample fingerprint line:

text
256 SHA256:… (ED25519)

Keep RSA 4096 only when a legacy server or appliance rejects Ed25519.

A strong answer is:

"I default to ed25519 via ssh-keygen -t ed25519 for new keys; I fall back to rsa -b 4096 only when the remote side does not support modern algorithms."

Which file goes on the server — private or public key?

Never copy the private key to the server. The server gets one line from the .pub file in ~/.ssh/authorized_keys. The private key stays on the client (permissions 600).

A strong answer is:

"Only the public key (.pub) goes in authorized_keys on the server. The private key never leaves the client except encrypted backups."

What happens if you lose the key passphrase?

OpenSSH cannot decrypt the private key without the passphrase. You must generate a new pair and distribute the new public key everywhere the old one was trusted.

A strong answer is:

"There is no recovery — I create a new key with ssh-keygen, roll authorized_keys on all systems, and retire the old public key."

Why does SSH warn about REMOTE HOST IDENTIFICATION HAS CHANGED?

The server presented a different host key than the one stored in ~/.ssh/known_hosts — common after reinstall, clone, or man-in-the-middle attack.

bash
ssh-keygen -R hostname

Then verify the new fingerprint out-of-band before connecting again.

A strong answer is:

"The host key changed or there is a MITM risk. I compare the new fingerprint with the admin, then ssh-keygen -R to drop the stale entry if the change is expected."

How do you compare key fingerprints safely?

Use ssh-keygen -l -f keyfile on the client and ask the server admin for the same SHA256 fingerprint from their side — do not trust email alone.

A strong answer is:

"I run ssh-keygen -l on the public or private key and compare SHA256 out-of-band with the server operator before first connect or after a host key rotation."


Troubleshooting

Symptom | Likely cause | Fix
Permission denied (publickey) | Public key not in authorized_keys, or the wrong private key offered | Install the .pub line on the server; select the key with ssh -i or an IdentityFile line
Permission denied (publickey) although the key is installed | sshd StrictModes rejects ~/.ssh, authorized_keys or the home directory because they are group- or world-writable | chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys; look for "Authentication refused: bad ownership or modes" in the sshd log (journalctl -u ssh, or sshd on RHEL-family systems)
Load key …: incorrect passphrase | Wrong -P value in scripts | Retry interactively with ssh-keygen -p
Saving key … failed: Permission denied | Cannot write target directory | chmod 700 ~/.ssh; run as the owning user
Overwrite (y/n)? | Key file already exists | Back up, or pick a new name with -f
Host key warning after rebuild | Stale known_hosts entry | ssh-keygen -R hostname after verifying the new fingerprint out of band

Deepak Prasad

R&D Engineer

Founder of GoLinuxCloud with more than 15 years of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive …