ssh-keygen — quick reference
Key generation
Create a key pair for passwordless SSH login or automation.
| When to use | Command |
|---|---|
| Interactive key with default path (~/.ssh/id_ed25519 or id_rsa) | ssh-keygen |
| Ed25519 key (recommended default on modern OpenSSH) | ssh-keygen -t ed25519 |
| RSA key with 4096-bit modulus | ssh-keygen -t rsa -b 4096 |
| Non-interactive: empty passphrase, custom path, comment | ssh-keygen -t ed25519 -f ~/.ssh/deploy_ed25519 -N "" -C "deploy@prod" |
| Quiet batch run (less console output) | ssh-keygen -t ed25519 -f KEY -N "" -q |
Passphrase and metadata
Change secrets or labels on an existing private key.
| When to use | Command |
|---|---|
| Change passphrase (prompts for paths and passwords) | ssh-keygen -p |
| Change passphrase non-interactively | ssh-keygen -p -f ~/.ssh/id_rsa -P "old" -N "new" |
| Set or change key comment at creation | ssh-keygen -t ed25519 -C "user@host" |
| Change comment on existing key | ssh-keygen -c -f ~/.ssh/id_ed25519 |
Inspection
Read fingerprints and public material from a private key.
| When to use | Command |
|---|---|
| Show fingerprint and comment | ssh-keygen -l -f ~/.ssh/id_ed25519 |
| Print public key from private key file | ssh-keygen -y -f ~/.ssh/id_ed25519 |
| Bubblebabble fingerprint | ssh-keygen -B -f ~/.ssh/id_ed25519 |
known_hosts maintenance
Fix host-key warnings after reinstalls or IP reuse.
| When to use | Command |
|---|---|
| Remove all keys for a host from known_hosts | ssh-keygen -R hostname |
| Hash plain hostnames in known_hosts | ssh-keygen -H -f ~/.ssh/known_hosts |
| Look up a host in known_hosts | ssh-keygen -F hostname |
ssh-keygen — command syntax
Synopsis from ssh-keygen usage text on Ubuntu 25.04 (OpenSSH 9.9p1):
ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile]
[-m format] [-N new_passphrase] [-O option]
[-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]
ssh-keygen -p [-f keyfile] [-P old_passphrase] [-N new_passphrase]
ssh-keygen -l [-f input_keyfile]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -c [-C comment] [-f keyfile] [-P passphrase]
ssh-keygen -R hostname [-f known_hosts_file]
A new key writes two files: the private key (keep permissions 600) and filename.pub for authorized_keys. Certificate signing (-s, -I) and FIDO/sk key types need hardware or a CA setup — omitted here.
ssh-keygen — command examples
Essential: Generate an Ed25519 key pair (recommended)
Ed25519 keys are short, fast, and the default choice on current OpenSSH releases.
Run the command (empty passphrase for lab; use a real passphrase in production):
ssh-keygen -t ed25519 -f ~/.ssh/lab_ed25519 -N "" -C "lab ed25519 key"
Sample output:
Generating public/private ed25519 key pair.
Your identification has been saved in /root/.ssh/lab_ed25519
Your public key has been saved in /root/.ssh/lab_ed25519.pub
The key fingerprint is:
SHA256:K4diLvS+MLh+z7Sxn77b03RRlZw8VjfMeELAgAssa/4 lab ed25519 key
The key's randomart image is:
+--[ED25519 256]--+
| . ..o.o.*.O|
| . o . . o %o|
| o . . = .|
| o . . |
| o S . |
| ... . . . . |
|..o.+oo o o . |
| ..*+E+oo. . |
|o..o=*o*o.. |
+----[SHA256]-----+
List the fingerprint and confirm the comment:
ssh-keygen -l -f ~/.ssh/lab_ed25519
Sample output:
256 SHA256:K4diLvS+MLh+z7Sxn77b03RRlZw8VjfMeELAgAssa/4 lab ed25519 key (ED25519)
Copy the .pub line to the server's ~/.ssh/authorized_keys. Remove lab keys with rm ~/.ssh/lab_ed25519 ~/.ssh/lab_ed25519.pub.
Essential: Generate an RSA 4096-bit key for legacy servers
Some older gear only accepts RSA. Use 4096 bits on modern systems.
Run the command:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/lab_rsa -N "oldpass" -q -C "lab rsa"
Sample output (-q suppresses most lines):
Verify the key type and size:
ssh-keygen -l -f ~/.ssh/lab_rsa
Sample output:
4096 SHA256:… lab rsa (RSA)
Remove test keys when finished: rm ~/.ssh/lab_rsa ~/.ssh/lab_rsa.pub.
Essential: Print the public key from a private key (-y)
When you have the private key but lost the .pub file, -y recreates the public line.
Run the command:
ssh-keygen -y -f ~/.ssh/lab_ed25519
Sample output (truncated):
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOJVcLLJ4EFpwbSXBOdJ5Yy…
Append that single line to authorized_keys on the server you want to reach.
Common: Change the passphrase on a private key
Rotate a passphrase without generating a new key — the public key on servers stays the same.
Run the command:
ssh-keygen -p -f ~/.ssh/lab_rsa -P "oldpass" -N "newpass"
Sample output:
Key has comment 'lab rsa'
Your identification has been saved with the new passphrase.
If you forgot the passphrase, you cannot recover it — generate a new key pair and replace the public key on every host.
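The provisioning, inspection and passphrase steps above (non-interactive -t/-f/-N/-C, -l fingerprints, -y public-key recovery, -p rotation) combined into one checked script. This is an added example, not code from the original page or from OpenSSH; the function names, the lab key names and the temporary directory layout are this example's own, and it assumes ssh-keygen is on PATH. It goes one step beyond the page by asserting what each step should leave behind: 600/644 permissions, a -y line identical to the stored .pub, and an unchanged public key after the passphrase is rotated.

```shell
#!/bin/sh
# Added example, not from the original page: a provisioning helper built from the
# ssh-keygen invocations shown on the page (-t/-f/-N/-C/-q to create, -l to
# fingerprint, -y to re-derive the public line, -p to rotate a passphrase).
# Function names and lab paths are this example's own; ssh-keygen must be on PATH.
set -u

# provision_key DIR NAME COMMENT
# Creates DIR/NAME (private) and DIR/NAME.pub with an empty passphrase for
# automation use, refuses to clobber an existing key, and fixes permissions.
provision_key() {
    dir=$1; name=$2; comment=$3
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    if [ -e "$dir/$name" ]; then
        echo "refusing to overwrite existing key $dir/$name" >&2
        return 2
    fi
    ssh-keygen -q -t ed25519 -f "$dir/$name" -N "" -C "$comment" || return 1
    chmod 600 "$dir/$name" && chmod 644 "$dir/$name.pub"
}

# key_fingerprint KEYFILE: prints the SHA256:... field of `ssh-keygen -l`
# (works on the .pub file or on the private key file)
key_fingerprint() {
    ssh-keygen -l -f "$1" | awk '{print $2}'
}

# verify_fingerprint EXPECTED KEYFILE: the out-of-band comparison step; returns 0
# only when the fingerprint the operator gave you matches the file on disk
verify_fingerprint() {
    [ -n "$1" ] && [ "$1" = "$(key_fingerprint "$2")" ]
}

# pub_matches_private DIR NAME: re-derive the public line with -y and compare
# type and key blob against the stored .pub (the comment field may differ)
pub_matches_private() {
    derived=$(ssh-keygen -y -f "$1/$2" -P "" | awk '{print $1, $2}')
    stored=$(awk '{print $1, $2}' "$1/$2.pub")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# rotate_passphrase KEYFILE OLD NEW: change the passphrase in place and prove
# the public half is unchanged (so authorized_keys on servers needs no edit)
rotate_passphrase() {
    key=$1; old=$2; new=$3
    before=$(ssh-keygen -y -f "$key" -P "$old" | awk '{print $1, $2}')
    ssh-keygen -q -p -f "$key" -P "$old" -N "$new" >/dev/null || return 1
    after=$(ssh-keygen -y -f "$key" -P "$new" | awk '{print $1, $2}')
    [ -n "$before" ] && [ "$before" = "$after" ]
}

# demo: runs the whole flow in a throwaway directory and cleans up
demo() {
    tmp=$(mktemp -d)
    provision_key "$tmp" lab_ed25519 "lab ed25519 key" || return 1
    fp=$(key_fingerprint "$tmp/lab_ed25519.pub")
    echo "fingerprint: $fp"
    pub_matches_private "$tmp" lab_ed25519 && echo "-y output matches .pub"
    verify_fingerprint "$fp" "$tmp/lab_ed25519" && echo "fingerprint verified"
    rotate_passphrase "$tmp/lab_ed25519" "" "lab-passphrase" \
        && echo "passphrase rotated; public key unchanged"
    rm -rf "$tmp"
}

command -v ssh-keygen >/dev/null 2>&1 && demo
```

Run it as a script to see the demo output. -P and -N put passphrases on the command line, where other local users can read them from the process list; in production pass them from a prompt, an agent or a secrets store rather than as literals, and keep the empty-passphrase form for keys owned by an automation account.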
Common: Update the key comment (-c)
Comments help you tell keys apart in ssh-add -l output. They do not affect authentication.
Run the command:
ssh-keygen -c -f ~/.ssh/lab_ed25519 -C "updated comment" -N ""
Sample output:
Old comment: lab ed25519 key
Comment 'updated comment' applied
Confirm:
ssh-keygen -l -f ~/.ssh/lab_ed25519
Sample output:
256 SHA256:K4diLvS+MLh+z7Sxn77b03RRlZw8VjfMeELAgAssa/4 updated comment (ED25519)
Common: Custom filename with -f (multiple keys per user)
Separate keys per environment — production, staging, CI — by storing each pair under its own basename.
Run the command:
ssh-keygen -t ed25519 -f ./deploy_key -N "" -C "ci deploy"
ls -l deploy_key deploy_key.pub
Sample output:
Generating public/private ed25519 key pair.
…
-rw------- 1 root root … deploy_key
-rw-r--r-- 1 root root … deploy_key.pub
Use ssh -i ./deploy_key user@host or an IdentityFile line in ~/.ssh/config. Delete test files with rm deploy_key deploy_key.pub.
Common: Remove stale host key after server reinstall (-R)
SSH refuses to connect when the server's host key changes. -R deletes the old entry from known_hosts.
Add a test line, then remove it:
echo "127.0.0.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForTestOnly" >> ~/.ssh/known_hosts
ssh-keygen -R 127.0.0.1 -f ~/.ssh/known_hosts
Sample output:
# Host 127.0.0.1 found: line 1
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
On the next connection, SSH prompts you to trust the new host key.
Advanced: Interactive run — default path and prompts
Running ssh-keygen alone walks through path, passphrase, and comment — the path most desktop users take once per machine.
Start the tool (press Enter at prompts to accept defaults in a lab):
ssh-keygen -t ed25519
Sample prompts:
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
If ~/.ssh/id_ed25519 already exists, you get an overwrite warning — answer n unless you intend to replace the key. Back up old keys before replacing.
Advanced: Hash hostnames in known_hosts (-H)
Hashing hides plain hostnames from anyone reading ~/.ssh/known_hosts on disk. OpenSSH still matches entries at connect time.
Run on a copy in a lab directory:
cp ~/.ssh/known_hosts /tmp/lab_known_hosts
ssh-keygen -H -f /tmp/lab_known_hosts
head -1 /tmp/lab_known_hosts
Sample output (first line becomes hashed):
|1|DnQfHwXX0E78Kqd9sM+jhKICLhM=|A7gki0vPIUajFlROxDljIxE6rGM= ssh-ed25519 AAAA…
A .old backup is created beside the file. Remove /tmp/lab_known_hosts* when done.
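The -F, -H and -R operations from the known_hosts sections above (removing a stale host after a rebuild, hashing hostnames) run as a script against a copy in a temporary directory rather than ~/.ssh. This is an added example, not code from the original page or from OpenSSH; lab.example, the function names and the generated throwaway host key are constructed for the demo, and ssh-keygen must be on PATH.

```shell
#!/bin/sh
# Added example, not from the original page: exercising -F / -H / -R on a
# known_hosts copy in a temporary directory. A throwaway key pair is generated
# so the entry carries a real key blob, because ssh-keygen parses entries when
# it rewrites the file. lab.example and the function names are constructed.
set -u

# make_lab_known_hosts FILE HOST: write one plain (unhashed) entry for HOST
make_lab_known_hosts() {
    file=$1; host=$2
    kdir=$(mktemp -d)
    ssh-keygen -q -t ed25519 -f "$kdir/hostkey" -N "" -C "lab host key" || return 1
    # known_hosts line format: "host keytype base64blob" (a comment is optional)
    printf '%s %s\n' "$host" "$(awk '{print $1, $2}' "$kdir/hostkey.pub")" > "$file"
    rm -rf "$kdir"
}

# host_is_known FILE HOST: 0 when -F finds an entry; -F hashes HOST with each
# entry's salt itself, so this keeps working after -H
host_is_known() {
    ssh-keygen -F "$2" -f "$1" >/dev/null 2>&1
}

# hash_known_hosts FILE: rewrite plain hostnames as |1|salt|hash| entries.
# ssh-keygen leaves FILE.old holding the plain names; delete it, otherwise
# the hashing bought nothing.
hash_known_hosts() {
    ssh-keygen -H -f "$1" >/dev/null 2>&1 && rm -f "$1.old"
}

# forget_host FILE HOST: drop every entry for HOST (the stale-key-after-rebuild
# fix); the .old backup is removed for the same reason as above
forget_host() {
    ssh-keygen -R "$2" -f "$1" >/dev/null 2>&1 && rm -f "$1.old"
}

# entry_count FILE: number of non-comment lines left in the file
entry_count() { grep -c -v '^#' "$1"; }

# is_hashed FILE: 0 when the first entry is in the hashed |1| form
is_hashed() { head -n 1 "$1" | grep -q '^|1|'; }

# demo: plain entry -> hashed -> removed, checking -F at each stage
demo() {
    tmp=$(mktemp -d)
    kh=$tmp/known_hosts
    make_lab_known_hosts "$kh" lab.example || return 1
    host_is_known "$kh" lab.example && echo "plain entry found with -F"
    hash_known_hosts "$kh"
    is_hashed "$kh" && echo "after -H: $(cut -c1-24 "$kh")..."
    host_is_known "$kh" lab.example && echo "hashed entry still matched with -F"
    forget_host "$kh" lab.example
    host_is_known "$kh" lab.example || echo "after -R: $(entry_count "$kh") entries left"
    rm -rf "$tmp"
}

command -v ssh-keygen >/dev/null 2>&1 && demo
```

The point worth keeping from this: both -H and -R leave a .old copy next to the file with the pre-edit entries, so a hashed known_hosts hides nothing while known_hosts.old with the plain names sits beside it. The script deletes the backup once the rewrite succeeds.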
ssh-keygen — when to use / when not
| Use ssh-keygen when | Use something else when |
|---|---|
ssh-keygen vs openssl genrsa
| | ssh-keygen | openssl genrsa |
|---|---|---|
| Purpose | SSH authentication keys | General-purpose RSA crypto |
| Output format | OpenSSH private key + .pub | PEM/DER; needs conversion for SSH |
| Ed25519 | Native -t ed25519 | Not applicable |
| Best for | SSH and authorized_keys | TLS certificates, non-SSH RSA |
For SSH login, always prefer ssh-keygen — authorized_keys expects OpenSSH public key lines.
Related commands
| Command | One line |
|---|---|
| ssh-keygen | Create and manage key pairs (this page) |
| pssh | Run commands on many hosts with one key |
ssh-keygen — interview corner
Why use Ed25519 instead of RSA for SSH keys?
Ed25519 keys are smaller and faster than RSA at similar security levels. OpenSSH has listed Ed25519 first in examples for years.
ssh-keygen -t ed25519 -f /tmp/demo -N "" -q
ssh-keygen -l -f /tmp/demo
rm /tmp/demo /tmp/demo.pub
Sample fingerprint line:
256 SHA256:… (ED25519)
Keep RSA 4096 only when a legacy server or appliance rejects Ed25519.
A strong answer is:
"I default to ed25519 via ssh-keygen -t ed25519 for new keys; I fall back to rsa -b 4096 only when the remote side does not support modern algorithms."
Which file goes on the server — private or public key?
Never copy the private key to the server. The server gets one line from the .pub file in ~/.ssh/authorized_keys. The private key stays on the client (permissions 600).
A strong answer is:
"Only the public key (.pub) goes in authorized_keys on the server. The private key never leaves the client except encrypted backups."
What happens if you lose the key passphrase?
OpenSSH cannot decrypt the private key without the passphrase. You must generate a new pair and distribute the new public key everywhere the old one was trusted.
A strong answer is:
"There is no recovery — I create a new key with ssh-keygen, roll authorized_keys on all systems, and retire the old public key."
Why does SSH warn about REMOTE HOST IDENTIFICATION HAS CHANGED?
The server presented a different host key than the one stored in ~/.ssh/known_hosts — common after reinstall, clone, or man-in-the-middle attack.
ssh-keygen -R hostname
Then verify the new fingerprint out-of-band before connecting again.
A strong answer is:
"The host key changed or there is a MITM risk. I compare the new fingerprint with the admin, then ssh-keygen -R to drop the stale entry if the change is expected."
How do you compare key fingerprints safely?
Use ssh-keygen -l -f keyfile on the client and ask the server admin for the same SHA256 fingerprint from their side — do not trust email alone.
A strong answer is:
"I run ssh-keygen -l on the public or private key and compare SHA256 out-of-band with the server operator before first connect or after a host key rotation."
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Permission denied (publickey) | Public key not in authorized_keys or wrong private key | Install .pub on server; use ssh -i / IdentityFile |
| Load key … incorrect passphrase | Wrong -P value in scripts | Retry interactively with ssh-keygen -p |
| Saving key … failed: Permission denied | Cannot write target directory | chmod 700 ~/.ssh; run as the owning user |
| Overwrite (y/n)? | Key file already exists | Back up or choose -f path with a new name |
| Host key warning after rebuild | Stale known_hosts entry | ssh-keygen -R hostname after verifying the new fingerprint |

