ssh-keygen is a standard component of the

Secure Shell The Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution. SSH applications are based on a ...

(SSH) protocol suite found on

Unix Unix (; trademarked as UNIX) is a family of multitasking, multiuser computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, and ot ...

Unix-like A Unix-like (sometimes referred to as UN*X or *nix) operating system is one that behaves in a manner similar to a Unix system, although not necessarily conforming to or being certified to any version of the Single UNIX Specification. A Unix-li ...

and

Microsoft Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for serv ...

computer systems used to establish secure shell sessions between remote computers over insecure

network Network, networking and networked may refer to: Science and technology * Network theory, the study of graphs as a representation of relations between discrete objects * Network science, an academic field that studies complex networks Mathematics ...

s, through the use of various

cryptographic Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or '' -logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adve ...

techniques. The ssh-keygen utility is used to generate, manage, and convert authentication keys.

Overview

ssh-keygen is able to generate a key using one of three different

digital signature A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very high confidence that the message was created b ...

algorithms. With the help of the ssh-keygen tool, a user can create

passphrase A passphrase is a sequence of words or other text used to control access to a computer system, program or data. It is similar to a password in usage, but a passphrase is generally longer for added security. Passphrases are often used to control ...

keys for any of these key types. To provide for unattended operation, the passphrase can be left empty, albeit at increased risk. These keys differ from keys used by the related tool

GNU Privacy Guard GNU Privacy Guard (GnuPG or GPG) is a free-software replacement for Symantec's PGP cryptographic software suite. The software is compliant with RFC 4880, the IETF standards-track specification of OpenPGP. Modern versions of PGP are interoperable ...

OpenSSH OpenSSH (also known as OpenBSD Secure Shell) is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture. Network Working Gr ...

-based client and server programs have been included in

Windows 10 Windows 10 is a major release of Microsoft's Windows NT operating system. It is the direct successor to Windows 8.1, which was released nearly two years earlier. It was released to manufacturing on July 15, 2015, and later to retail on J ...

since version 1803. The SSH client and key agent are enabled and available by default and the SSH server is an optional Feature-on-Demand.

Key formats supported

Originally, with SSH protocol

version 1 Version 1 is an Irish company specializing in international management consulting, software asset management, software development, cloud computing, and outsourcing company. On July 13, 2022, Partners Group completed the acquisition of a maj ...

(now deprecated) only the RSA algorithm was supported. As of 2016, RSA is still considered strong, but the recommended key length has increased over time. The SSH protocol

version 2 Version may refer to: Computing * Software version, a set of numbers that identify a unique evolution of a computer program * VERSION (CONFIG.SYS directive), a configuration directive in FreeDOS Music * Cover version * Dub version * Remix * ' ...

additionally introduced support for the DSA algorithm. DSA is now considered weak and was disabled in OpenSSH 7.0. Subsequently,

added support for a third digital signature algorithm,

ECDSA In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic-curve cryptography. Key and signature-size As with elliptic-curve cryptography in general, the b ...

(this key format no longer uses the previous PEM file format for private keys, nor does it depend upon the

OpenSSL OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTT ...

library to provide the cryptographic implementation). A fourth format is supported using

ed25519 In public-key cryptography, Edwards-curve Digital Signature Algorithm (EdDSA) is a digital signature scheme using a variant of Schnorr signature based on twisted Edwards curves. It is designed to be faster than existing digital signature schemes ...

, originally developed by independent cryptography researcher Daniel J. Bernstein.

Command syntax

The syntax of the ssh-keygen command is as follows: ssh-keygen ptions Some important options of the ssh-keygen command are as follows:

Files used by the ssh-keygen utility

The ssh-keygen utility uses various files for storing public and private keys. The files used by ssh-keygen utility are as follows: *$HOME/.ssh/identity: The $HOME/.ssh/identity file contains the RSA private key when using the SSH protocol version 1. *$HOME/.ssh/identity.pub: The $HOME/.ssh/identity.pub file contains the RSA public key for authentication when you are using the SSH protocol version 1. A user should copy its contents in the $HOME/.ssh/authorized_keys file of the remote system where a user wants to log in using RSA authentication. *$HOME/.ssh/id_dsa: The $HOME/.ssh/id_dsa file contains the protocol version 2 DSA authentication identity of the user. *$HOME/.ssh/id_dsa.pub: The $HOME/.ssh/id_dsa.pub file contains the DSA public key for authentication when you are using the SSH protocol version 2. A user should copy its contents in the $HOME/.ssh/authorized_keys file of the remote system where a user wants to log in using DSA authentication. *$HOME/.ssh/id_rsa: The $HOME/.ssh/id_rsa file contains the protocol version 2 RSA authentication identity of the user. This file should not be readable by anyone but the user. *$HOME/.ssh/id_rsa.pub: The $HOME/.ssh/id_rsa.pub file contains the protocol version 2 RSA public key for authentication. The contents of this file should be added to $HOME/.ssh/authorized_keys on all computers where a user wishes to log in using public key authentication.

References

External links

Generating an SSH key
a guide from

GitHub GitHub, Inc. () is an Internet hosting service for software development and version control using Git. It provides the distributed version control of Git plus access control, bug tracking, software feature requests, task management, continuous ...

ssh-keygen manual
from the

OpenBSD OpenBSD is a security-focused, free and open-source, Unix-like operating system based on the Berkeley Software Distribution (BSD). Theo de Raadt created OpenBSD in 1995 by forking NetBSD 1.0. According to the website, the OpenBSD project em ...

project
Linux man page
fro
die.net

Generating SSH Key Pair on Linux and Mac
fro
ifixlinux.com
{{Windows commands Operating system security Unix network-related software Secure Shell