The ssh-keygen command is a tool used to generate, manage, and convert authentication keys for ssh. It is a part of the OpenSSH suite of tools used for secure communication between two untrusted hosts over an insecure network.
Overview
Generating a new key pair
To generate a new key pair, run the ssh-keygen command with the -t option to specify the type of key to create. The most commonly used key types are RSA and Ed25519.
ssh-keygen -t rsa
This command will prompt you to enter a file name to save the key pair. By default, the key pair will be saved in the .ssh directory in your home directory with the file names id_rsa and id_rsa.pub.
Specifying key file name and location
To specify a different file name and location for the key pair, use the -f option followed by the file name and location.
ssh-keygen -t rsa -f /path/to/key
Changing the passphrase for a key
To change the passphrase for an existing key, use the -p option followed by the file name of the key.
ssh-keygen -p -f /path/to/key
Converting a key to a different format
To convert a key from one format to another, use the -p option followed by the file name of the key and the -m option followed by the desired format.
ssh-keygen -p -m pkcs8 -f /path/to/key
Importing keys from other formats
To import a key from another format, use the -i option followed by the file name of the key and the -m option followed by the format of the key.
ssh-keygen -i -m pkcs8 -f /path/to/key
Exporting keys to other formats
To export a key to another format, use the -e option followed by the file name of the key and the -m option followed by the format to export to.
ssh-keygen -e -m pkcs8 -f /path/to/key
Options
The following table lists all available options for the ssh-keygen command:
Option | Description |
---|---|
-t | Specifies the type of key to create. |
-f | Specifies the file name and location for the key. |
-p | Changes the passphrase for an existing key or outputs the public key for a private key. |
-m | Specifies the key format for import, export, or conversion. |
-i | Imports a key from another format. |
-e | Exports a key to another format. |
-C | Adds a comment to the key. |
-N | Specifies the new passphrase for the key. |
-b | Specifies the number of bits in the key. |
-q | Quiet mode. Suppresses all warning and diagnostic messages. |
-y | Outputs the public key for a private key. |
Troubleshooting Tips
- If you are having trouble connecting to a remote host using ssh and you have recently changed your key pair, ensure that you have added your public key to the remote host’s authorized keys file.
- If you are having trouble generating a key pair, ensure that you have permission to write to the directory where the key pair will be saved.
- If you are having trouble using a key pair, ensure that the file permissions are set correctly. The private key file should have permissions of 600 (-rw-------) and the public key file should have permissions of 644 (-rw-r--r--).
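The permission check from the last tip can be scripted. The following is an added example, not part of the original page or of OpenSSH: the function names file_mode, check_mode and audit_keypair are hypothetical, and it assumes the public key sits beside the private key as KEY.pub.

```shell
#!/bin/sh
# Added example: audit (and optionally repair) key-pair file permissions.
# Assumption: the public key sits beside the private key as KEY.pub.

# Print a file's permission bits in octal (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_mode FILE WANTED LABEL [fix]
# Returns 0 if FILE already has mode WANTED; otherwise reports it,
# applies chmod when the 4th argument is "fix", and returns 1.
check_mode() {
    have=$(file_mode "$1")
    [ "$have" = "$2" ] && return 0
    echo "$3 $1 has mode $have, expected $2"
    if [ "$4" = fix ]; then
        chmod "$2" "$1" && echo "  set $1 to $2"
    fi
    return 1
}

# audit_keypair KEY [fix]
# Returns 0 only when both files exist with the expected modes.
audit_keypair() {
    key=$1
    status=0
    if [ ! -f "$key" ]; then
        echo "private key not found: $key"
        return 1
    fi
    check_mode "$key" 600 "private key" "$2" || status=1
    if [ -f "$key.pub" ]; then
        check_mode "$key.pub" 644 "public key" "$2" || status=1
    else
        echo "public key not found: $key.pub"
        status=1
    fi
    return "$status"
}
```

Call audit_keypair /path/to/key to report findings, or audit_keypair /path/to/key fix to correct the modes; a run that had to fix something still returns non-zero, so run it again to confirm a clean result.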
Notes
- It is important to keep your private key secure and not share it with anyone. Anyone with access to your private key can impersonate you and gain access to any systems that trust your public key.
- When generating a new key pair, it is recommended to use at least 2048 bits for RSA keys and 256 bits for Ed25519 keys.
- When changing the passphrase for a key, it is recommended to use a strong passphrase that is at least 12 characters long and contains a mix of uppercase and lowercase letters, numbers, and symbols.