Cyberithub

20 Useful Linux/Unix ssh-keygen command examples (Cheatsheet)

In this article, we will go through 20 useful Linux/Unix ssh-keygen command examples. ssh-keygen is one of the most widely used open source commands on Linux based systems for generating public/private key pairs, which are used for authentication, passwordless login and many other use cases. The tool is available by default with most Linux distributions, so there is no overhead of installing it separately. ssh-keygen has many other uses in Linux as well, which we will look at in this article one by one.

Syntax

ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment] [-f output_keyfile]
ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
ssh-keygen -i [-f input_keyfile]
ssh-keygen -e [-f input_keyfile]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
ssh-keygen -l [-f input_keyfile]
ssh-keygen -B [-f input_keyfile]
ssh-keygen -D reader
ssh-keygen -F hostname [-f known_hosts_file]
ssh-keygen -H [-f known_hosts_file]
ssh-keygen -R hostname [-f known_hosts_file]
ssh-keygen -U reader [-f input_keyfile]
ssh-keygen -r hostname [-f input_keyfile] [-g]
ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
ssh-keygen -T output_file -f input_file [-v] [-a num_trials] [-W generator]


Example 1: How to Search for a Host's Key in the known_hosts File

If you want to search for the key of a host in the known_hosts file then you need to use the -F option with the ssh-keygen command as shown below. In this example, we look up the key of host 192.168.0.103 in the known_hosts file using the ssh-keygen -F 192.168.0.103 command.

[root@localhost ~]# ssh-keygen -F 192.168.0.103
# Host 192.168.0.103 found: line 1
192.168.0.103 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNqUWv4MFC3F1saxTSdfKq7hsQrpYnndhtYKS3o9mye18Wlj9eQVioFJfjklV+k2/tyh44edzobcBbxSRIsxvb8=

-F : Search for the specified hostname in a known_hosts file, listing any occurrences found.

NOTE:

Please note that here I am using the root user to run all the commands below. You can use any user with sudo access to run them. For more information, please check Step by Step: How to Add User to Sudoers to provide sudo access to the user.

Example 2: How to Generate Public/Private RSA Key Pair

If you want to generate a public/private RSA key pair then you need to run the plain ssh-keygen command without any options, as shown below. It prompts for the file to save the key in and for an optional passphrase.

[root@localhost ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /home/admin/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:PUkUGJ/P/otkmduXLVtPEZywMQ8AWsreY+wBjFLoBQs root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
| E .o. .=+o.=    |
|  ..o.+ =o . O . |
|  .o.. * + . =   |
|   .. . +o + .   |
|      .S*+ o .   |
|       o oo o .  |
|        . * =    |
|         o =.++  |
|          o ==.  |
+----[SHA256]-----+

Example 3: How to show the Bubblebabble Digest of a Public/Private Key

If you want to show the bubblebabble digest of a public/private key then you need to use the -B option with the ssh-keygen command as shown below. In this example, we show the bubblebabble digest of the private key /home/admin/.ssh/id_rsa using the ssh-keygen -B -f /home/admin/.ssh/id_rsa command.

[root@localhost ~]# ssh-keygen -B -f /home/admin/.ssh/id_rsa
2048 xoged-kokyh-dafit-gikyl-pebat-rytos-dygup-nakem-fyboz-vumyk-fexax root@localhost.localdomain (RSA)

-B : Show the bubblebabble digest of specified private or public key file.

-f : Specifies the filename of the key file. For more information, see the ssh-keygen man page.

Example 4: How to Generate Public/Private RSA1 Key Pair

If you want to use a different algorithm from the default RSA to generate the public/private key pair then you need to specify the algorithm with the -t option of the ssh-keygen command as shown below. In this example, we generate a key pair based on the RSA1 algorithm using the ssh-keygen -t rsa1 command. RSA1 keys belong to SSH protocol version 1, which current OpenSSH releases no longer support, so this example only works on older versions.

[root@localhost ~]# ssh-keygen -t rsa1
Generating public/private rsa1 key pair.
Enter file in which to save the key (/root/.ssh/identity): /home/admin/.ssh/identity
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/identity.
Your public key has been saved in /home/admin/.ssh/identity.pub.
The key fingerprint is:
SHA256:EfBTrtmOMRLaZ43tOoDsZaoDoJpwrZjrYZNIONON8Kk root@localhost.localdomain
The key's randomart image is:
+---[RSA1 2048]---+
|      ... .      |
|       . +       |
|     . . + .     |
|o+ + o . X       |
|*.=oo.o S +      |
|*+o + ++ *       |
|E@ o + .. o      |
|* = o ..         |
|oo.o ..          |
+----[SHA256]-----+

-t : Specifies the type of key to create.

Example 5: How to Change Your Comment in Key File

Sometimes you might want to change the comment in the key file from the default username@hostname format to something more meaningful. You can easily do that by using the -c option with the ssh-keygen command as shown below. In this example we change the comment of the RSA1 key using the ssh-keygen -c -f /home/admin/.ssh/identity command.

[root@localhost ~]# ssh-keygen -c -f /home/admin/.ssh/identity
Key now has comment 'root@localhost.localdomain'
Enter new comment: This is RSA1 Key
The comment in your key file has been changed.

-c : Requests changing the comment in the private and public key files.

Example 6: How to Provide Comment during Key Generation

If you want to provide a comment during key generation instead of using the default one then you need to use the -C option with the ssh-keygen command as shown below. In this example, we generate a public/private RSA key pair with the comment "Generating a Key".

[root@localhost ~]# ssh-keygen -C "Generating a Key"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /home/admin/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:wxYL9NlL+FOHHzIiV1RwjdWQ93PugXmEhI71aohrNVw Generating a Key
The key's randomart image is:
+---[RSA 2048]----+
|      .  .=o+*o  |
|     . . + + +o +|
|      . * O B +..|
|       o O E B +o|
|        S * . =.o|
|       o * + o o.|
|          o o ...|
|              o .|
|               . |
+----[SHA256]-----+

-C : Provides a new comment.

Example 7: How to Show Public Key for a Given Private Key

If you want to show the public key of a given private key then you need to use the -y option as shown below. In this example, we pass the private key file location with -f and print its public key using the ssh-keygen command below. Please note that if no input key file is given, it falls back to the key file in the user's home directory.

[root@localhost ~]# ssh-keygen -y -f /home/admin/.ssh/id_rsa
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/4XiVwY+/F8F1h6Lf9lV6NUhIPQ1SQqtGJJSarmtHSmnyNiVvhsiBDezh6s9fIw1P6jRQ87oQw06Tkcg6UfAGDV84mEYDoDQxZ0i3r3NWKdGqYPFSF9bTnUaOtve5G/EYxVr/z2S8tDbUr2jFpyKYHWCGLo7dqELQYyiNEIuIRMc1xujFOOHsf6byo7SNlfpV6iyrRzpgsmXQ7lilZjefQJdsBJN/FlZ1o8rkf+XUzHXNz0PK/uKVUl016Pruw6QpWbPRss1Jr865GFCGJfxXv+PeTPa4KAJ/QqIqwosDwlxKtNUpRKBZEjKnjrEt/F1w3u7RmJVWLuW3sV91oyGr

-y : This option will read a private OpenSSH format file and print an OpenSSH public key to stdout.

Example 8: How to Display the Key Fingerprint Using MD5 Hashing

If you want the key fingerprint displayed with a different hash instead of the default SHA256 then you need to specify the hash type using the -E option with the ssh-keygen command as shown below. The option affects only how the fingerprint is displayed, not how the key pair is generated. In this example, we generate a key pair and show its fingerprint as an MD5 digest using the ssh-keygen -E md5 command.

[root@localhost ~]# ssh-keygen -E md5
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /home/admin/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
The key fingerprint is:
MD5:b4:f6:d4:94:69:02:b4:5a:2d:5c:98:8f:aa:23:21:6e root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|      .oo.       |
|           .o= o |
|           *oo = |
|           +.o.= |
|         ..S . . |
|. . .. o         |
|.. . . .         |
| E. o            |
|. . .            |
+------[MD5]------+

-E : Specifies the hash algorithm used when displaying key fingerprints.
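To show what the fingerprint in these outputs actually is, here is an added Python example (not from the original article or from OpenSSH) that decodes the public key printed by ssh-keygen -y in Example 7, reads the key type and modulus size out of the RFC 4253 key blob, and computes the SHA256 and MD5 fingerprints the way ssh-keygen -l and ssh-keygen -E md5 display them. The fingerprint is a hash of the decoded key blob, which is why -E only changes how an existing key is shown.

```python
import base64
import hashlib
import struct

# Public key line printed by "ssh-keygen -y" in Example 7 above (copied from the article).
PUBKEY_LINE = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/4XiVwY+/F8F1h6Lf9lV6NUhIPQ1SQqtGJJSarmtHSmnyNiVvhsiBDezh6s9fIw1P6jRQ87oQw06Tkcg6UfAGDV84mEYDoDQxZ0i3r3NWKdGqYPFSF9bTnUaOtve5G/EYxVr/z2S8tDbUr2jFpyKYHWCGLo7dqELQYyiNEIuIRMc1xujFOOHsf6byo7SNlfpV6iyrRzpgsmXQ7lilZjefQJdsBJN/FlZ1o8rkf+XUzHXNz0PK/uKVUl016Pruw6QpWbPRss1Jr865GFCGJfxXv+PeTPa4KAJ/QqIqwosDwlxKtNUpRKBZEjKnjrEt/F1w3u7RmJVWLuW3sV91oyGr"

def parse_pubkey_line(line):
    """Split an OpenSSH public key line into (key type, decoded blob, comment)."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    comment = fields[2] if len(fields) == 3 else ""
    return fields[0], base64.b64decode(fields[1], validate=True), comment

def read_string(blob, offset):
    """Read one RFC 4253 'string': 4-byte big-endian length, then that many bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def rsa_key_bits(blob):
    """Verify the type embedded in the blob and return the modulus size in bits,
    the number ssh-keygen -l prints in front of the fingerprint."""
    ktype, off = read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("blob is not ssh-rsa: %r" % ktype)
    _e, off = read_string(blob, off)   # public exponent e (mpint)
    n, _ = read_string(blob, off)      # modulus n (mpint, may start with a 0x00 pad byte)
    return int.from_bytes(n, "big").bit_length()

def fingerprint(blob, hash_alg="sha256"):
    """Fingerprint of the raw blob as ssh-keygen shows it: SHA256 as base64 without
    '=' padding (the default), MD5 as colon-separated hex (ssh-keygen -E md5)."""
    digest = hashlib.new(hash_alg, blob).digest()
    if hash_alg == "md5":
        return "MD5:" + ":".join("%02x" % b for b in digest)
    return hash_alg.upper() + ":" + base64.b64encode(digest).decode().rstrip("=")

if __name__ == "__main__":
    ktype, blob, comment = parse_pubkey_line(PUBKEY_LINE)
    # Same layout as "ssh-keygen -l": bits, fingerprint, comment, (type)
    print(rsa_key_bits(blob), fingerprint(blob), comment or "no comment", "(RSA)")
    print(rsa_key_bits(blob), fingerprint(blob, "md5"), comment or "no comment", "(RSA)")
```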

Example 9: How to Generate 4096 bits RSA Public/Private Key Pair

If you want to generate an RSA public/private key pair of a different length than the default 2048 bits then you need to specify the key length using the -b option with the ssh-keygen command as shown below. In this example, we generate an RSA key pair of 4096 bits using the ssh-keygen -b 4096 command.

[root@localhost ~]# ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /home/admin/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:IuXTyhuWuS/xiStfJT8cXB8FLV9El7uLCr68E9nuI+4 root@localhost.localdomain
The key's randomart image is:
+---[RSA 4096]----+
|               .=*|
|               .o+|
|           . . .oo|
|      o. . . .  o.|
|      .  + S * . .|
|      o . * B o . |
|      B + . o *. .|
|      ..o==o.+ .. |
|      o =++  E*oo |
+----[SHA256]-----+

-b : Specifies the number of bits in the key to create.

Example 10: How to Change Your Private Key Passphrase

If you want to change your private key passphrase then you need to use -p option with ssh-keygen command as shown below. In this example we are trying to change the passphrase of /home/admin/.ssh/id_rsa private key using ssh-keygen -p -f /home/admin/.ssh/id_rsa command.

[root@localhost ~]# ssh-keygen -p -f /home/admin/.ssh/id_rsa
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.

-p : Requests changing the passphrase of a private key file instead of creating a new private key.

Example 11: How to Generate Candidate Primes for DH-GEX

If you want to generate candidate primes for DH-GEX with a 2048-bit key length then you need to use the ssh-keygen -G moduli-2048.candidates -b 2048 command as shown below.

[root@localhost ~]# ssh-keygen -G moduli-2048.candidates -b 2048
Sun May 24 00:21:55 2020 Sieve next 67043328 plus 2047-bit
Sun May 24 00:27:40 2020 Sieved with 203277289 small primes in 345 seconds
Sun May 24 00:27:44 2020 Found 56812 candidates

-G : Generate candidate primes for DH-GEX.

Example 12: How to Specify the Amount of Memory Used for Generating Candidate Primes for DH-GEX

Sometimes you might want to increase the amount of memory used for generating candidate primes for DH-GEX. This can be done by passing the amount of memory (in MB) using the -M option with the ssh-keygen command as shown below. In this example, we use 10 MB of memory to generate candidate primes for DH-GEX using the ssh-keygen -G moduli-2048.candidates -M 10 -b 2048 command.

[root@localhost ~]# ssh-keygen -G moduli-2048.candidates -M 10 -b 2048
Increased memory: 10 MB; need 4190208 bytes
Sun May 24 00:38:49 2020 Sieve next 167772160 plus 2047-bit
Sun May 24 00:44:43 2020 Sieved with 203277289 small primes in 354 seconds
Sun May 24 00:44:54 2020 Found 140611 candidates

-M : Specify the amount of memory to use (in megabytes) when generating candidate moduli for DH-GEX.

Example 13: How to Remove All the Keys Belonging to a Specific Host from the known_hosts File

If you want to remove all the keys for a host from the known_hosts file then you need to use the -R option with the ssh-keygen command as shown below. In this example, we remove all the keys of host 192.168.0.103 from the known_hosts file using the ssh-keygen -f /home/admin/.ssh/known_hosts -R 192.168.0.103 command.

[root@localhost ~]# ssh-keygen -f /home/admin/.ssh/known_hosts -R 192.168.0.103
# Host 192.168.0.103 found: line 1
/home/admin/.ssh/known_hosts updated.
Original contents retained as /home/admin/.ssh/known_hosts.old

-R hostname : Removes all keys belonging to hostname from a known_hosts file.

Example 14: How to Hash known_hosts file

If you want to hash the known_hosts file then you need to use the -H option with the ssh-keygen command as shown below. In this example, we hash the known_hosts file using the ssh-keygen -H command.

[root@localhost ~]# ssh-keygen -H
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
WARNING: /root/.ssh/known_hosts.old contains unhashed entries
Delete this file to ensure privacy of hostnames

-H : Hash a known_hosts file.
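The following added Python example (not part of the original article) ties Examples 1 and 14 together: it builds the |1|salt|hash host fields that ssh-keygen -H writes (a random 20-byte salt and an HMAC-SHA1 of the hostname keyed with that salt) and looks a host up in a constructed known_hosts sample the way ssh-keygen -F does, matching plain, comma-separated and hashed host fields. The sample's first line is the entry from Example 1; the fixed salt and the ed25519 line are constructed.

```python
import base64
import hashlib
import hmac
import os

def hash_hostname(hostname, salt=None):
    """Build the '|1|salt|hash' host field that ssh-keygen -H writes: a 20-byte
    random salt and HMAC-SHA1(salt, hostname), both base64-encoded."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, hostname):
    """True if a known_hosts host field (plain, comma-separated, or hashed) names hostname.
    A hashed field cannot be read back, only re-hashed with its salt and compared."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in field.split(",")

def find_host(known_hosts_text, hostname):
    """Return [(line number, key type)] for every entry naming hostname, which is
    what 'ssh-keygen -F hostname' reports as '# Host ... found: line N'."""
    hits = []
    for number, line in enumerate(known_hosts_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        if parts[0].startswith("@"):        # @cert-authority / @revoked marker
            parts = parts[1:]
        if host_matches(parts[0], hostname):
            hits.append((number, parts[1]))
    return hits

# Constructed sample file. Line 1 is the entry ssh-keygen -F printed in Example 1;
# line 2 is that same host after hashing with a fixed salt (constructed, for a
# reproducible result; ssh-keygen -H draws a random one); line 3 is a made-up
# multi-name entry whose key blob is a placeholder, not a real key.
PAGE_KEY = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNqUWv4MFC3F1saxTSdfKq7hsQrpYnndhtYKS3o9mye18Wlj9eQVioFJfjklV+k2/tyh44edzobcBbxSRIsxvb8="
FIXED_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "192.168.0.103 " + PAGE_KEY,
    hash_hostname("192.168.0.103", FIXED_SALT) + " " + PAGE_KEY,
    "gateway.example,10.0.0.1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER",
])

if __name__ == "__main__":
    for host in ("192.168.0.103", "10.0.0.1", "192.168.0.104"):
        print(host, find_host(SAMPLE_KNOWN_HOSTS, host))
```

Because the hashed line on line 2 still matches, hashing protects the hostnames in the file from being read, not from being looked up, which is why the WARNING above asks you to delete the unhashed known_hosts.old copy.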

Example 15: How to Convert SSH2 Key to OpenSSH Format

If you want to convert an SSH2 key to an OpenSSH key then you need to use the -i option with the ssh-keygen command as shown below. In this example, we convert an SSH2 key to an OpenSSH key using the ssh-keygen -i -f /home/admin/.ssh/id_rsa.pub > key.pub command. The redirect saves the converted OpenSSH key to the key.pub file.

[root@localhost ~]# ssh-keygen -i -f /home/admin/.ssh/id_rsa.pub > key.pub

-i : This option will read an unencrypted private (or public) key file in the format specified by the -m option and print an OpenSSH compatible private (or public) key to stdout.

Example 16: How to Convert OpenSSH Key to SSH2 Key

If you want to convert an OpenSSH key to an SSH2 key then you need to use the -e option with the ssh-keygen command as shown below. In this example, we convert an OpenSSH key to an SSH2 key using the ssh-keygen -e -f key.pub >> ~/.ssh/authorized_keys command. The redirect appends the converted SSH2 key to the authorized_keys file.

[root@localhost ~]# ssh-keygen -e -f key.pub >> ~/.ssh/authorized_keys

-e : This option will read a private or public OpenSSH key file and print to stdout the key in one of the formats specified by the -m option.

Example 17: How to Change Passphrase based on Old Passphrase

If you want to change the passphrase non-interactively then you need to provide the old and the new passphrase using the -P and -N options together with -p, as shown below.

[root@localhost ~]# ssh-keygen -p -f /home/admin/.ssh/id_rsa -P Test@123 -N Test@123$
Your identification has been saved with the new passphrase.

-P : Provides the (old) passphrase.

-N : Provides the new passphrase.

Example 18: How to Test DH group exchange candidate primes for safety

If you want to test DH group exchange candidate primes for safety then you need to use the -T option with the ssh-keygen command as shown below. The candidates that pass are written to the output file moduli-2048.

[root@localhost ~]# ssh-keygen -T moduli-2048 -f moduli-2048.candidates

-T : Test DH group exchange candidate primes for safety.

Example 19: How to Debug the DH Group Exchange Safety Test in Verbose Mode

If you want to debug the safety test of DH group exchange candidate primes in verbose mode then you need to add the -v option to the ssh-keygen command as shown below. In this example we debug the safety test using the ssh-keygen -v -T moduli-2048 -f moduli-2048.candidates command.

[root@localhost ~]# ssh-keygen -v -T moduli-2048 -f moduli-2048.candidates
debug1: input file has 55792 lines
debug1: process from line 0 to line 55792
debug1: 1: q failed first possible prime test
debug1: 2: q failed first possible prime test
debug1: 3: q failed first possible prime test
debug1: 4: q failed first possible prime test
debug1: 5: q failed first possible prime test
debug1: 7: q failed first possible prime test
debug1: 8: q failed first possible prime test
debug1: 9: q failed first possible prime test
debug1: 10: q failed first possible prime test
debug1: 11: q failed first possible prime test
debug1: 12: q failed first possible prime test
debug1: 13: q failed first possible prime test
debug1: 14: q failed first possible prime test
debug1: 15: q failed first possible prime test

-v : Verbose mode.
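As an added illustration of what the -T step in Examples 18 and 19 checks (example code, not OpenSSH's own moduli code): a candidate p is kept only if both p and q = (p - 1) / 2 pass primality trials, and generator 2 is acceptable for a safe prime only when p % 24 == 11. The moduli-format lines below are constructed with tiny primes so the outcome can be followed by hand; the field order follows moduli(5).

```python
import random

def is_probable_prime(n, rounds=40):
    """Miller-Rabin probable-prime test, the kind of trial ssh-keygen -T runs."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # found a witness that n is composite
    return True

def is_safe_prime(p):
    """A safe prime is an odd prime p whose q = (p - 1) / 2 is also prime."""
    return p > 4 and p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def generator_ok(p, g):
    """Does g generate the whole group mod the safe prime p? For g = 2 this is exactly
    p % 24 == 11: p == 3 (mod 8) makes 2 a quadratic non-residue, and every safe prime
    above 7 is 2 (mod 3). For other g, Euler's criterion, excluding the order-2 element."""
    if g == 2:
        return p % 24 == 11
    return g != p - 1 and pow(g, (p - 1) // 2, p) == p - 1

def check_moduli_line(line):
    """Parse one moduli(5)-style line 'time type tests trials size generator modulus'
    (generator and modulus in hex) and report what the -T safety test would decide."""
    _time, _type, _tests, _trials, _size, gen_hex, mod_hex = line.split()
    p, g = int(mod_hex, 16), int(gen_hex, 16)
    return {"bits": p.bit_length(), "safe": is_safe_prime(p), "generator_ok": generator_ok(p, g)}

# Constructed candidates in moduli format with tiny numbers so the outcome can be
# checked by hand; real DH-GEX moduli are 2048 bits and up.
SAMPLE_LINES = [
    "20200524002155 2 6 100 5 2 3b",   # p = 59 = 2*29 + 1: safe, and 59 % 24 == 11
    "20200524002155 2 6 100 4 2 17",   # p = 23 = 2*11 + 1: safe, but 2 only has order 11
    "20200524002155 2 6 100 5 2 3d",   # p = 61 is prime but q = 30 is not: rejected
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line.split()[-1], check_moduli_line(line))
```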

Example 20: How to Sign a Host's Public Key to Create a Host Certificate

If you want to sign a host's public key to create a host certificate then you need to pass the CA key with the -s option, the certificate identity with the -I option, and -h to mark the result as a host certificate, as shown below. In this example, we sign the host public key /home/admin/.ssh/id_rsa.pub with the CA key /home/admin/.ssh/id_rsa and the identity cert_id; the certificate is written to /home/admin/.ssh/id_rsa-cert.pub, as the output shows.

[root@localhost ~]# ssh-keygen -s /home/admin/.ssh/id_rsa -I cert_id -h /home/admin/.ssh/id_rsa.pub
Enter passphrase:
Signed host key /home/admin/.ssh/id_rsa-cert.pub: id "cert_id" serial 0 valid forever

-s ca_key : Certify (sign) a public key using the specified CA key.

-I certificate_Identity : Specify the key identity when signing a public key.