We use ssh-keygen tool to generate SSH keys which are used for Public Key Based Authentication with SSH. As the time of writing this article, there are 6 different types of authentication methods possible with SSH. But Public key Authentication is one of the most used authentication methods used across production environment.
To use public key based authentication you would need a public and private key pair.
- The public key content must be added to the
authorized_keys
file of server - The private key will be stored on the client
So when a client tries to make a secure connection, it will use this private and public key pair combination to establish the connection
Overview on ssh-keygen
ssh-keygen
is a utility provided byopenssh
rpm which should be installed by default on all the Linux distributions.ssh-keygen
generates, manages and converts authentication keys for ssh version 2.0 and higher- This tool supports different arguments which can be used to create keys as per the requirement
- If you wish to use SSH with public key authentication then use this once to create the authentication key in
~/.ssh/id_dsa
,~/.ssh/id_ecdsa
,~/.ssh/id_ed25519
or~/.ssh/id_rsa
- If you forgot the passphrase then there is no way to reset the passphrase and you must recreate new passphrase and place they key pairs at respective locations to re-activate public key authentication
Let us explore the ssh-keygen
tool to generate different types of key pairs in Linux
1. Generate ssh key without any arguments
- You can execute
ssh-keygen
without any arguments which will generate key pairs by default using RSA algorithm - The tool will prompt for the location to store the RSA key pairs.
- The default location would be inside user's home folder under
.ssh
i.e.~/.ssh
- The tool will create
~/.ssh
if the directory does not exists already - The default naming syntax used for the private RSA key will be
id_rsa
and public key will beid_rsa.pub
- Next provided the passphrase, you can just press
ENTER
to create passphrase less key pair
# ssh-keygen
Snippet from my terminal
2. Define Key Type
- By default
ssh-keygen
will create RSA type key - You can create key with
dsa
,ecdsa
,ed25519
, orrsa
type - Use
-t <key>
argument to define the type of the key - In this example I am creating key pair of
ED25519
type
# ssh-keygen -t ed25519
Snippet from my terminal
3. Define Bit size
By default ssh-keygen generates SSH key with 2048
bit size. You can also specify the number of bits to be used for the keys by using -b <bit_size>
In this example i will generate keys with 4096 bit size
# ssh-keygen -b 4096
Snippet from my terminal
4. Assign Passphrase
By default ssh-keygen
will prompt for the passphrase before creating the key pairs. But we can also assign passphrase with using -P <your_password>
# ssh-keygen -P "MyPassw0rd"
Snippet from my terminal
5. Change passphrase of the private key
- You can also change the existing passphrase of your private key
- Use
ssh-keygen
with-p
which will prompt you for the location of your private key file - Next provide the existing passphrase of your private key
- If the provided passphrase is correct, you will get the prompt to assign new passphrase to your existing private key
# ssh-keygen -p Enter file in which the key is (/root/.ssh/id_rsa): Enter old passphrase: Key has comment 'root@rhel-8.example.com' Enter new passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved with the new passphrase.
-f
to provide the private key file, -P
to define your old passphrase and -N
to define new passphrase
# ssh-keygen -p -f ~/.ssh/id_rsa -P "old_password" -N "new_password" Key has comment 'root@rhel-8.example.com' Your identification has been saved with the new passphrase.
6. Create keys with custom filename
- By default
ssh-keygen
creates private key with the nameid_rsa
and public key asid_rsa.pub
- We can also create keys with custom filename using
-f <file_name>
- This will create and keep the certificates in the current location from where you execute ssh-keygen tool
- In this example my private key will be
my-own-rsa-key
and public key would bemy-own-rsa-key.pub
# ssh-keygen -f my-own-rsa-key
Snippet from my terminal
7. Add custom comment to the key
You can also add custom comment to your private key for more identification. Use -C <comment>
to generate keys with your custom comment
# ssh-keygen -C "This is for server1.example.com"
We can use -l to print the fingerprint and comment of the private key
# ssh-keygen -l Enter file in which the key is (/root/.ssh/id_rsa): 3072 SHA256:JxBpArCDsIVME0HDtQG7FqFQefaS9ommeohVoEmg39g This is for server1.example.com (RSA)
8. Change comment of the key
You can also change the existing comment of your private key using -c argument
# ssh-keygen -c Enter file in which the key is (/root/.ssh/id_rsa): Key now has comment 'This is for server1.example.com' Enter new comment: This is for rhel-8.example.com The comment in your key file has been changed.
Check the new comment of your private key
# ssh-keygen -l Enter file in which the key is (/root/.ssh/id_rsa): 3072 SHA256:JxBpArCDsIVME0HDtQG7FqFQefaS9ommeohVoEmg39g This is for rhel-8.example.com (RSA)
9. Hash the content of known_hosts file
- Every time you do SSH to another server, the SSH fingerprint for the secure connection is added to the client's ~/.ssh/known_hosts file
- This is used to verify the authenticity of the SSH connection
- The content of
known_hosts
file would be in this format
# cat .ssh/known_hosts 10.10.10.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGlXmWjH3Ly6ty9O3hYeg8p/ld7Isl65DaoxqTclbPrAdvDKrsB12MJlJS7oNur2TNUKfU24N+UKn7fqyUeEGWZrIh2DIaPC2Msq132x2P3IBeposynhfBmk6ZoJi58WjddIInQnaAJ/OJZB2waOp+RdtW53lP7zkPTny6yOUYUmFuC93mEMTAf6CpHEoBsNB/OH8km11kpjbbZ4QUx/1shXNnXo5El0/2Cqn7g/s0hi1EuDysDxAj2BkH8fsNyHitNhattf6NIL4akKagcZUhY/9Oj3TikM05MR5Jf72w8EQTtr9vNMTkxlaz/G66GeJR0TAd7CUCux+7KJ8KSH6r 192.168.43.22 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCGtytDuWTzCZJ4FGy5OBKTgYwllftrmgZ3Z+mSTTRmNVlTCEDygSzALLdtC7MEilv/ezTN2uA3HIC72jYegrMc=
- Any intruder can use this information to get the fingerprint details of individual
hostname
. - You can use
ssh-keygen
to hash thehostname
entries in theknown_hosts
file using-H
argument - This option will not modify existing hashed
hostname
 and is therefore safe to use on files that mix hashed and non-hashed names. - This will create a backup file with
.old
extension in the same location
# ssh-keygen -H
Next check the content of known_hosts file
# cat .ssh/known_hosts |1|DnQfHwXX0E78Kqd9sM+jhKICLhM=|A7gki0vPIUajFlROxDljIxE6rGM= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGlXmWjH3Ly6ty9O3hYeg8p/ld7Isl65DaoxqTclbPrAdvDKrsB12MJlJS7oNur2TNUKfU24N+UKn7fqyUeEGWZrIh2DIaPC2Msq132x2P3IBeposynhfBmk6ZoJi58WjddIInQnaAJ/OJZB2waOp+RdtW53lP7zkPTny6yOUYUmFuC93mEMTAf6CpHEoBsNB/OH8km11kpjbbZ4QUx/1shXNnXo5El0/2Cqn7g/s0hi1EuDysDxAj2BkH8fsNyHitNhattf6NIL4akKagcZUhY/9Oj3TikM05MR5Jf72w8EQTtr9vNMTkxlaz/G66GeJR0TAd7CUCux+7KJ8KSH6r |1|RK+RdFcebk+2EK81Rs16e9Im6Hk=|b7QKZly3lm6mBEzIvsLDps4x44I= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCGtytDuWTzCZJ4FGy5OBKTgYwllftrmgZ3Z+mSTTRmNVlTCEDygSzALLdtC7MEilv/ezTN2uA3HIC72jYegrMc=
As you see now the hostname can not be understood as they are hashed. A backup file is also created at the same location
# ls -l ~/.ssh/known_hosts*
-rw------- 1 root root 664 May 23 18:37 /root/.ssh/known_hosts
-rw-r--r-- 1 root root 568 Mar 27 13:09 /root/.ssh/known_hosts.old
10. Remove keys for hostname from known_hosts file
- Every time you do SSH, the RSA key for the SSH connection for respective
hostname
is stored inside~/.ssh/known_hosts
file - But if you re-install the target server and attempt to do SSH then it is possible the SSH may fail due to mis-match in the fingerprint
- So you can either manually search and delete the RSA fingerprint of your server from
known_hosts
file or you can use ssh-keygen to do the job - Use
-R <hostname>
to automatically search and delete all fingerprint and RSA key entries for the providedhostname
fromknown_hosts
file - For example to delete all the keys related to
192.168.43.22
host fromknown_hosts
file
# ssh-keygen -R 192.168.43.22 # Host 192.168.43.22 found: line 2 /root/.ssh/known_hosts updated. Original contents retained as /root/.ssh/known_hosts.old
Conclusion
ssh-keygen
is a very vast tool which can do much more than generating SSH keys. It also supports signing of keys to produce certificates that may be used for user or host authentication. In this article we learned about different arguments which can be used to generate SSH keys for Public key Authentication with SSH
You can also combine all the arguments from this tutorial to automate the process. Lastly I hope the steps from the article to understand about ssh-keygen tool in more detail with different examples on Linux was helpful. So, let me know your suggestions and feedback using the comment section.
References
I have used below external references for this tutorial guide
man page for ssh-keygen