- 10 examples to generate SSH key in Linux (ssh-keygen)
- Overview on ssh-keygen
- 1. Generate ssh key without any arguments
- 2. Define Key Type
- 3. Define Bit size
- 4. Assign Passphrase
- 5. Change passphrase of the private key
- 6. Create keys with custom filename
- 7. Add custom comment to the key
- 8. Change comment of the key
- 9. Hash the content of known_hosts file
- 10. Remove keys for hostname from known_hosts file
10 examples to generate SSH key in Linux (ssh-keygen)
We use ssh-keygen tool to generate SSH keys which are used for Public Key Based Authentication with SSH. As the time of writing this article, there are 6 different types of authentication methods possible with SSH. But Public key Authentication is one of the most used authentication methods used across production environment.
To use public key based authentication you would need a public and private key pair.
- The public key content must be added to the authorized_keys file of server
- The private key will be stored on the client
So when a client tries to make a secure connection, it will use this private and public key pair combination to establish the connection
Overview on ssh-keygen
- ssh-keygen is a utility provided by openssh rpm which should be installed by default on all the Linux distributions.
- ssh-keygen generates, manages and converts authentication keys for ssh version 2.0 and higher
- This tool supports different arguments which can be used to create keys as per the requirement
- If you wish to use SSH with public key authentication then use this once to create the authentication key in ~/.ssh/id_dsa , ~/.ssh/id_ecdsa , ~/.ssh/id_ed25519 or ~/.ssh/id_rsa
- If you forgot the passphrase then there is no way to reset the passphrase and you must recreate new passphrase and place they key pairs at respective locations to re-activate public key authentication
Let us explore the ssh-keygen tool to generate different types of key pairs in Linux
1. Generate ssh key without any arguments
- You can execute ssh-keygen without any arguments which will generate key pairs by default using RSA algorithm
- The tool will prompt for the location to store the RSA key pairs.
- The default location would be inside user’s home folder under .ssh i.e. ~/.ssh
- The tool will create ~/.ssh if the directory does not exists already
- The default naming syntax used for the private RSA key will be id_rsa and public key will be id_rsa.pub
- Next provided the passphrase, you can just press ENTER to create passphrase less key pair
2. Define Key Type
- By default ssh-keygen will create RSA type key
- You can create key with dsa , ecdsa , ed25519 , or rsa type
- Use -t argument to define the type of the key
- In this example I am creating key pair of ED25519 type
3. Define Bit size
By default ssh-keygen generates SSH key with 2048 bit size. You can also specify the number of bits to be used for the keys by using -b
In this example i will generate keys with 4096 bit size
4. Assign Passphrase
By default ssh-keygen will prompt for the passphrase before creating the key pairs. But we can also assign passphrase with using -P
5. Change passphrase of the private key
- You can also change the existing passphrase of your private key
- Use ssh-keygen with -p which will prompt you for the location of your private key file
- Next provide the existing passphrase of your private key
- If the provided passphrase is correct, you will get the prompt to assign new passphrase to your existing private key
# ssh-keygen -p Enter file in which the key is (/root/.ssh/id_rsa): Enter old passphrase: Key has comment 'root@rhel-8.example.com' Enter new passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved with the new passphrase.
To automate this step you can use ssh-keygen with -f to provide the private key file, -P to define your old passphrase and -N to define new passphrase
# ssh-keygen -p -f ~/.ssh/id_rsa -P "old_password" -N "new_password" Key has comment 'root@rhel-8.example.com' Your identification has been saved with the new passphrase.
6. Create keys with custom filename
- By default ssh-keygen creates private key with the name id_rsa and public key as id_rsa.pub
- We can also create keys with custom filename using -f
- This will create and keep the certificates in the current location from where you execute ssh-keygen tool
- In this example my private key will be my-own-rsa-key and public key would be my-own-rsa-key.pub
7. Add custom comment to the key
You can also add custom comment to your private key for more identification. Use -C to generate keys with your custom comment
# ssh-keygen -C "This is for server1.example.com"
We can use -l to print the fingerprint and comment of the private key
# ssh-keygen -l Enter file in which the key is (/root/.ssh/id_rsa): 3072 SHA256:JxBpArCDsIVME0HDtQG7FqFQefaS9ommeohVoEmg39g This is for server1.example.com (RSA)
8. Change comment of the key
You can also change the existing comment of your private key using -c argument
# ssh-keygen -c Enter file in which the key is (/root/.ssh/id_rsa): Key now has comment 'This is for server1.example.com' Enter new comment: This is for rhel-8.example.com The comment in your key file has been changed.
Check the new comment of your private key
# ssh-keygen -l Enter file in which the key is (/root/.ssh/id_rsa): 3072 SHA256:JxBpArCDsIVME0HDtQG7FqFQefaS9ommeohVoEmg39g This is for rhel-8.example.com (RSA)
9. Hash the content of known_hosts file
- Every time you do SSH to another server, the SSH fingerprint for the secure connection is added to the client’s ~/.ssh/known_hosts file
- This is used to verify the authenticity of the SSH connection
- The content of known_hosts file would be in this format
# cat .ssh/known_hosts 10.10.10.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGlXmWjH3Ly6ty9O3hYeg8p/ld7Isl65DaoxqTclbPrAdvDKrsB12MJlJS7oNur2TNUKfU24N+UKn7fqyUeEGWZrIh2DIaPC2Msq132x2P3IBeposynhfBmk6ZoJi58WjddIInQnaAJ/OJZB2waOp+RdtW53lP7zkPTny6yOUYUmFuC93mEMTAf6CpHEoBsNB/OH8km11kpjbbZ4QUx/1shXNnXo5El0/2Cqn7g/s0hi1EuDysDxAj2BkH8fsNyHitNhattf6NIL4akKagcZUhY/9Oj3TikM05MR5Jf72w8EQTtr9vNMTkxlaz/G66GeJR0TAd7CUCux+7KJ8KSH6r 192.168.43.22 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCGtytDuWTzCZJ4FGy5OBKTgYwllftrmgZ3Z+mSTTRmNVlTCEDygSzALLdtC7MEilv/ezTN2uA3HIC72jYegrMc=
- Any intruder can use this information to get the fingerprint details of individual hostname .
- You can use ssh-keygen to hash the hostname entries in the known_hosts file using -H argument
- This option will not modify existing hashed hostname and is therefore safe to use on files that mix hashed and non-hashed names.
- This will create a backup file with .old extension in the same location
Next check the content of known_hosts file
# cat .ssh/known_hosts |1|DnQfHwXX0E78Kqd9sM+jhKICLhM=|A7gki0vPIUajFlROxDljIxE6rGM= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGlXmWjH3Ly6ty9O3hYeg8p/ld7Isl65DaoxqTclbPrAdvDKrsB12MJlJS7oNur2TNUKfU24N+UKn7fqyUeEGWZrIh2DIaPC2Msq132x2P3IBeposynhfBmk6ZoJi58WjddIInQnaAJ/OJZB2waOp+RdtW53lP7zkPTny6yOUYUmFuC93mEMTAf6CpHEoBsNB/OH8km11kpjbbZ4QUx/1shXNnXo5El0/2Cqn7g/s0hi1EuDysDxAj2BkH8fsNyHitNhattf6NIL4akKagcZUhY/9Oj3TikM05MR5Jf72w8EQTtr9vNMTkxlaz/G66GeJR0TAd7CUCux+7KJ8KSH6r |1|RK+RdFcebk+2EK81Rs16e9Im6Hk=|b7QKZly3lm6mBEzIvsLDps4x44I= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCGtytDuWTzCZJ4FGy5OBKTgYwllftrmgZ3Z+mSTTRmNVlTCEDygSzALLdtC7MEilv/ezTN2uA3HIC72jYegrMc=
As you see now the hostname can not be understood as they are hashed. A backup file is also created at the same location
# ls -l ~/.ssh/known_hosts* -rw------- 1 root root 664 May 23 18:37 /root/.ssh/known_hosts -rw-r--r-- 1 root root 568 Mar 27 13:09 /root/.ssh/known_hosts.old
10. Remove keys for hostname from known_hosts file
- Every time you do SSH, the RSA key for the SSH connection for respective hostname is stored inside ~/.ssh/known_hosts file
- But if you re-install the target server and attempt to do SSH then it is possible the SSH may fail due to mis-match in the fingerprint
- So you can either manually search and delete the RSA fingerprint of your server from known_hosts file or you can use ssh-keygen to do the job
- Use -R to automatically search and delete all fingerprint and RSA key entries for the provided hostname from known_hosts file
- For example to delete all the keys related to 192.168.43.22 host from known_hosts file
# ssh-keygen -R 192.168.43.22 # Host 192.168.43.22 found: line 2 /root/.ssh/known_hosts updated. Original contents retained as /root/.ssh/known_hosts.old