How to list keys added to ssh-agent with ssh-add?
@gertvdijk I was in fact talking about naming. From the name ssh-add it sounds like this command should only add keys to the agent. And then ssh-agent should know what keys it's holding. My perspective was different.
Surprisingly the macOS version of ssh-add at some point stopped showing the filenames as the Linux variant does. I wrote this script which does the same for fingerprints that have a corresponding file in ~/.ssh/.
I call the function ssh-add_wf, wf = with file. The details on the function are below:

    $ type ssh-add_wf
    ssh-add_wf is a function
    ssh-add_wf ()
    {
        while read -r line; do
            for file in ~/.ssh/*.pub; do
                # drop the key size (first column) of "ssh-keygen -lf" output, append the file name
                printf "%s %s\n" "$(ssh-keygen -lf "$file" | awk '{$1=""; print $0}')" "$file"
            done | column -t | grep --color=auto "$line" || echo "$line"
        done < <(ssh-add -l | awk '{print $2}')   # second column of "ssh-add -l" is the fingerprint
    }
Example
    $ ssh-add_wf
    SHA256:mwvSCr2CXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  myuser@mydom.lan  (RSA)  /Users/myuser/.ssh/ssh_myuser@mydom.lan_id_rsa.pub
    SHA256:qInIrnKcXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  myuser@mydom.com  (RSA)  /Users/myuser/.ssh/github_myuser@mydom.com_id_rsa.pub
    SHA256:tX+AAJA0XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    SHA256:EyNkhTLQXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  myuser@mydom.com  (RSA)  /Users/myuser/.ssh/ssh_myuser@mydom.com_id_rsa.pub
    SHA256:KKKVwtvFXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    SHA256:tr0hZP52XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Above, any keys in ssh-add's output that match a file in the ~/.ssh/ directory will include the file's name in the 4th column of the output. Any keys that do not will have that column empty. In this output we have 3 keys which have matching files.
Mechanics of function
The script uses 2 loops. The outside loop is a while loop which takes the output of ssh-add. This output is all the fingerprints of SSH keys loaded into ssh-agent.
The interior loop is a for loop which goes through the contents of all the files matching this pattern, ~/.ssh/*.pub. For each file we interrogate it with ssh-keygen -lf and then drop the first column of this output:
    4096 SHA256:mwvSCr2CXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX myuser@mydom.lan
This string is then printed along with the name of the file:
    printf "%s %s\n" "$(ssh-keygen -lf "$file" | awk '{$1=""; print $0}')" "$file"
At the end of the execution of this loop is the following:
    done | column -t | grep --color=auto "$line" || echo "$line"
This formats the output so that it's column formatted (column -t).
At this point we look at this output for the fingerprint from ssh-add via the grep "$line". If a match is found we print our printf output, otherwise we fall back to just printing the original fingerprint from ssh-add, $line.
Checking for existing SSH keys
Before you generate an SSH key, you can check to see if you have any existing SSH keys.
About SSH keys
You can use SSH to perform Git operations in repositories on GitHub.com. For more information, see "About SSH."
If you have an existing SSH key, you can use the key to authenticate Git operations over SSH.
Checking for existing SSH keys
Before you generate a new SSH key, you should check your local machine for existing keys.
Note: GitHub improved security by dropping older, insecure key types on March 15, 2022.
As of that date, DSA keys (ssh-dss) are no longer supported. You cannot add new DSA keys to your personal account on GitHub.com.
RSA keys (ssh-rsa) with a valid_after before November 2, 2021 may continue to use any signature algorithm. RSA keys generated after that date must use a SHA-2 signature algorithm. Some older clients may need to be upgraded in order to use SHA-2 signatures.
- Open Terminal (Git Bash on Windows).
- Enter ls -al ~/.ssh to see if existing SSH keys are present.
    $ ls -al ~/.ssh
    # Lists the files in your .ssh directory, if they exist
Tip: If you receive an error that ~/.ssh doesn’t exist, you do not have an existing SSH key pair in the default location. You can create a new SSH key pair in the next step.
- If you don’t have a supported public and private key pair, or don’t wish to use any that are available, generate a new SSH key.
- If you see an existing public and private key pair listed (for example, id_rsa.pub and id_rsa) that you would like to use to connect to GitHub, you can add the key to the ssh-agent. For more information about generating a new SSH key or adding an existing key to the ssh-agent, see "Generating a new SSH key and adding it to the ssh-agent."
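The check above can be scripted so that every key pair in ~/.ssh is listed together with whether GitHub still accepts its type. This is an added example, not part of the GitHub documentation; the fixture directory, file names and key blobs are constructed placeholders, and the key type is read from the first field of each .pub file so ssh-keygen is not needed.

```shell
#!/bin/sh
# Added example, not part of the GitHub documentation above: inventory the
# public keys in a directory (default ~/.ssh), say whether the matching private
# key is present, and flag the key types GitHub no longer accepts. The directory
# is a parameter so the check can run against a constructed fixture.

check_ssh_keys() {
    dir=${1:-$HOME/.ssh}
    if [ ! -d "$dir" ]; then
        echo "no $dir directory: no existing key pair in the default location"
        return 0
    fi
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue            # the glob matched nothing
        ktype=$(awk 'NR==1 {print $1; exit}' "$pub")
        if [ -f "${pub%.pub}" ]; then pair="keypair"; else pair="public-only"; fi
        case $ktype in
            ssh-dss)  status="REJECTED: DSA keys cannot be added to GitHub since 2022-03-15" ;;
            ssh-rsa)  status="accepted: RSA; keys added after 2021-11-02 must sign with SHA-2 (rsa-sha2-256/512)" ;;
            ssh-ed25519|sk-ssh-ed25519@openssh.com|ecdsa-sha2-*|sk-ecdsa-sha2-*)
                      status="accepted" ;;
            *)        status="unknown key type" ;;
        esac
        printf '%s\t%s\t%s\t%s\n' "$pub" "$ktype" "$pair" "$status"
    done
}

# Constructed fixture with one key of each kind; the blobs are placeholders,
# not real key material. The DSA key has no private half on purpose.
make_key_fixture() {
    dir=$(mktemp -d)
    printf 'ssh-dss AAAAPLACEHOLDER legacy@example\n'   > "$dir/id_dsa.pub"
    printf 'ssh-rsa AAAAPLACEHOLDER user@example\n'     > "$dir/id_rsa.pub"
    : > "$dir/id_rsa"
    printf 'ssh-ed25519 AAAAPLACEHOLDER user@example\n' > "$dir/id_ed25519.pub"
    : > "$dir/id_ed25519"
    printf '%s\n' "$dir"
}

check_ssh_keys "$(make_key_fixture)"
```

Run it without an argument to inspect your own ~/.ssh; a missing directory is reported the same way the Tip above describes it.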
How to view all SSH authorized_keys for a unix server
How would I view all the authorised SSH clients from a unix server? I know that cat ~/.ssh/authorized_keys shows authorised keys if logged in from root. Can other users set their own authorised keys too? In which case, how would I view all system authorised keys?
3 Answers
To answer your questions in order:
- You can see all authorized keys by running the following script with root privileges.
    #!/bin/bash
    # walk every home directory listed in /etc/passwd and print its authorized_keys, if any
    for X in $(cut -f6 -d ':' /etc/passwd | sort | uniq); do
        if [ -s "${X}/.ssh/authorized_keys" ]; then
            echo "### ${X}: "
            cat "${X}/.ssh/authorized_keys"
            echo ""
        fi
    done
S.L. Barth makes an excellent point about root access. It is considered a risk to allow root access through ssh. The generally accepted practice is to create a user account, grant it root access with sudo or a similar tool, and disable root logins through ssh by adding the following line to /etc/ssh/sshd_config and restarting sshd.
    PermitRootLogin no
Chances are almost 100% that if your machine is on the Internet the "Hail Mary Cloud" will be knocking at your door. For Linux, iptables, and sshd where you allow password based logins, you will probably want to install and configure something like fail2ban so it's harder for attackers to brute force your machine.
And, since we're already talking about ssh keys, and because this was posted today, you probably want to add UseRoaming no to the Host * section in your /etc/ssh/ssh_config.
OpenSSH's sshd uses the AuthorizedKeysFile setting, which defaults to %h/.ssh/authorized_keys but can be overridden in the config file (/etc/ssh/sshd_config on my system) or on the command line. A robust script should probably verify that setting hasn't been changed (and that only OpenSSH is providing sshd).
You're right! You could probably add in some code to check sshd_config and even go as far as to use netstat or ss to see what's listening on port 22. My answer does assume the default setting for AuthorizedKeysFile is unchanged and that the sshd in question is OpenSSH.
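A version of the audit that takes the AuthorizedKeysFile caveat into account, as an added example that is not code from either answer: it reads the directive from sshd_config (falling back to OpenSSH's default list), expands the %h, %u and %U tokens, and prints the key entries per account. The passwd and sshd_config paths are parameters so it can run against the constructed fixture below; Match blocks and Include files in sshd_config are not parsed, and the fixture's key blobs are placeholders.

```shell
#!/bin/sh
# Added example, not code from either answer above: list the authorized keys of
# every account while honouring sshd's AuthorizedKeysFile directive instead of
# assuming the default path.

list_authorized_keys() {
    passwd_file=${1:-/etc/passwd}
    sshd_config=${2:-/etc/ssh/sshd_config}
    # The first AuthorizedKeysFile directive wins; default to OpenSSH's built-in list.
    patterns=$(awk 'tolower($1)=="authorizedkeysfile" {$1=""; print; exit}' "$sshd_config")
    [ -n "$patterns" ] || patterns=".ssh/authorized_keys .ssh/authorized_keys2"
    while IFS=: read -r user _ uid _ _ home _; do
        for pat in $patterns; do
            # Expand the tokens sshd substitutes (%h home, %u user, %U uid);
            # a relative path is taken relative to the account's home directory.
            f=$(printf '%s\n' "$pat" | sed "s|%h|$home|g; s|%u|$user|g; s|%U|$uid|g")
            case $f in /*) ;; *) f="$home/$f" ;; esac
            [ -s "$f" ] || continue
            printf '### %s %s\n' "$user" "$f"
            grep -Ev '^[[:space:]]*(#|$)' "$f"   # keep only key entries
        done
    done < "$passwd_file"
}

# Constructed fixture: two accounts, a second key location selected via %u, and
# one account whose default authorized_keys is absent. Key blobs are placeholders.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/home/alice/.ssh" "$dir/home/bob" "$dir/keys"
    printf 'alice:x:1000:1000::%s/home/alice:/bin/sh\n' "$dir"  > "$dir/passwd"
    printf 'bob:x:1001:1001::%s/home/bob:/bin/sh\n'     "$dir" >> "$dir/passwd"
    printf 'AuthorizedKeysFile .ssh/authorized_keys %s/keys/%%u\n' "$dir" > "$dir/sshd_config"
    printf '# placeholder, not a real key\nssh-ed25519 AAAAPLACEHOLDER alice@example\n' \
        > "$dir/home/alice/.ssh/authorized_keys"
    printf 'ssh-ed25519 AAAAPLACEHOLDER bob@example\n' > "$dir/keys/bob"
    printf '%s\n' "$dir"
}

FIXTURE=$(make_fixture)
list_authorized_keys "$FIXTURE/passwd" "$FIXTURE/sshd_config"
```

Run it with no arguments (as root) to audit the live system.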
The cat ~/.ssh/authorized_keys command shows you the authorized_keys file of the currently logged in user. When logged in as root, or using sudo, this will give you the authorized_keys file of the root user.
The authorized_keys file, at least on Ubuntu, is usually owned by the user. So the currently logged in user (root or not) can see it.
The .ssh directory is in the user’s home directory, and usually owned by them with read, write and execute privileges; so normally a user should be able to indeed add their own authorized_keys file.
To see all authorized keys, you could just create a script that iterates over all home directories and /root, and prints the .ssh/authorized_keys file. Obviously this script will require sudo privileges.
As a side note, on Ubuntu the root account is usually disabled, because it is a favorite target of attackers. It may not contain an authorized_keys file for this reason.
How to Find SSH Public Key
In some situations, you may need to view the contents of your SSH keys. For example, you may need to view the contents of a public key to add it to remote services requiring SSH authentication, such as Google Cloud. This article shows you how to view SSH key contents using a simple cat command in Linux.
How to Generate an SSH Key
The first step to setting up an SSH key is to generate a pair. An SSH-key pair contains a public and private key. Using the public and private pair, you can authenticate a user to a remote host.
In Linux, use the following command to generate an SSH key pair:
    $ ssh-keygen
The above command will prompt you for the information needed to create the keys. Protect the private key with a passphrase, particularly on shared or critical systems.
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/ubuntu/.ssh/id_rsa):
    Created directory '/home/ubuntu/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/ubuntu/.ssh/id_rsa
    Your public key has been saved in /home/ubuntu/.ssh/id_rsa.pub
    The key fingerprint is:
    SHA256:hVkOnzk7nLWx3j4vqLv/B83tYN7w3juLAbFw610xh7Q ubuntu@CSALEM
    The key's randomart image is:
    +---[RSA 3072]----+
    | . . . |
    | B o . o |
    | o.Boo Eo.|
    | oo=++ +|
    | S =+o +.|
    | .oo.* +|
    | ..*.B |
    | ..*.*|
    | +=.ooOB|
    +----[SHA256]-----+
NOTE: You must have the OpenSSH package installed on your system to use the ssh-keygen command.
How to View an SSH Key
The first method that you can use to view your SSH key is a simple cat command. This command prints the file's contents, which you can copy and paste to the remote host. By default, SSH keys are stored in the /home/$USER/.ssh directory:
    $ cat ~/.ssh/id_rsa.pub
The above command will print the contents of your SSH public key. The following is an example key:
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4P7J4iUnK+lbKeBxEJqgBaapI6/tr2we9Ipr9QzYvAIzOyS396uYRhUldTL0sios0BlCes9k9FEU8/ZFABaPlvr/UcM/vBlVpEv1uCkq1Rg48bK8nWuCBcLmy2B+MUoiXT/0W51qT2fSYRUk0fafnxvBnqRidRdOpRZtxMKjvsSua+tU5AciEuYJ+L4X32UF2sHe6o+GzAyItK5ZzpneiEPfoHUSJ4N7+wUcrTI52NPrHmH11jzLPpMHxoqiDBzF2IIVxxU1GSioGAij7T5Sf6aWDOnBHnpeJBFujChg+p2WPlha+B2NaCt25eBtwPMMFQqmJ38xoPr1BCtF6ViOR1e2e7rk/+XML3ypZU8mawhJbl6IqfzRtn5C8dP6vGqMg30kW9vIp4GqlbGLMeAyuBsA45rNnVqxtiMXdKcHPvA+Mmbm+7YSXzoyQcuRUzJY9K+Y+ty7XQPmwYgvT7bvtFvC5B9wWAqt5qgmTToLp7qHLCXK+m/6rpJp7d57tGv0= ubuntu@UBUNTU
Another method that you can use to view the contents of your SSH key is the OpenSSH authentication agent client, ssh-add:
    $ ssh-add
This command will prompt you for the key's passphrase if one is set, as follows:
    Enter passphrase for /home/ubuntu/.ssh/id_rsa:
    Identity added: /home/ubuntu/.ssh/id_rsa (ubuntu@CSALEM)
Once the identity is loaded, listing the agent's public keys prints the same key:
    $ ssh-add -L
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4P7J4iUnK+lbKeBxEJqgBaapI6/tr2we9Ipr9QzYvAIzOyS396uYRhUldTL0sios0BlCes9k9FEU8/ZFABaPlvr/UcM/vBlVpEv1uCkq1Rg48bK8nWuCBcLmy2B+MUoiXT/0W51qT2fSYRUk0fafnxvBnqRidRdOpRZtxMKjvsSua+tU5AciEuYJ+L4X32UF2sHe6o+GzAyItK5ZzpneiEPfoHUSJ4N7+wUcrTI52NPrHmH11jzLPpMHxoqiDBzF2IIVxxU1GSioGAij7T5Sf6aWDOnBHnpeJBFujChg+p2WPlha+B2NaCt25eBtwPMMFQqmJ38xoPr1BCtF6ViOR1e2e7rk/+XML3ypZU8mawhJbl6IqfzRtn5C8dP6vGqMg30kW9vIp4GqlbGLMeAyuBsA45rNnVqxtiMXdKcHPvA+Mmbm+7YSXzoyQcuRUzJY9K+Y+ty7XQPmwYgvT7bvtFvC5B9wWAqt5qgmTToLp7qHLCXK+m/6rpJp7d57tGv0= ubuntu@UBUNTU
Conclusion
This article showed you how to generate an SSH key, as well as two methods that you can use to view the content of an SSH key. For the most part, you will only need to view the content within public keys, and not private keys. Always make sure to protect your SSH keys at all times. Secure your Shell!