```
$ ssh-keygen1 -b 2048
```

```
$ ssh-keygen1 -f mykey                      Creates mykey and mykey.pub
$ ssh-keygen1
Enter file in which to save the key (/home/barrett/.ssh/identity): mykey
```

```
$ ssh-keygen1 -N secretword
$ ssh-keygen1
Enter passphrase: [nothing is echoed]
Enter the same passphrase again: [nothing is echoed]
```

```
$ ssh-keygen1 -C "my favorite key"
```
```
$ ssh-keygen1 -f mykey -N secretword
```

You might use this technique to automate generation of a large number of keys for some purpose. Use it carefully, though, on a secure machine. The passphrase on the command line is probably visible to other users on the same Unix machine via ps or similar programs, and if you're scripting with this technique, obviously the passphrases shouldn't be kept in files for long.

In addition to creating keys, ssh-keygen1 can modify existing keys in the following ways:
```
$ ssh-keygen1 -p -f mykey -P secretword -N newword
```

but if you omit them, you are prompted:

```
$ ssh-keygen1 -p
Enter file key is in (/home/barrett/.ssh/identity): mykey
Enter old passphrase: [nothing is echoed]
Key has comment 'my favorite key'
Enter new passphrase: [nothing is echoed]
Enter the same passphrase again:
```

Note that this changes the passphrase but doesn't change the key; it just re-encrypts the key with the new passphrase. So the corresponding public key file doesn't change and doesn't need to be replaced on the SSH server machines to which you've copied it.
WARNING: Before using any option that places your passphrase on the shell command line, such as -N or -P, carefully consider the security implications. Because the passphrase appears on your screen, it may be visible to onlookers, and while the command runs, it may be visible in the machine's process list. Because it is on the command line, it is visible to other users on the same host using the ps command. In addition, if your shell creates history files of the commands you type, the passphrase is inserted into a history file where it can be read by a third party. Also, if you think you have a good reason to just type Return and give your key no passphrase, think again. Doing that is essentially equivalent to putting your password in a file in your home directory named MY-PASSWORD.PLEASE-STEAL-ME. If you don't want to have to type a passphrase, the right thing to do is to use ssh-agent, trusted-host authentication, or Kerberos. There are very limited circumstances having to do with unattended usage (e.g., cron jobs) where a plaintext, passphrase-less client key might be acceptable. [Section 11.1, "Unattended SSH: Batch or cron Jobs"]
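The check a defender would run for the warning above, as an added example (not code from the book): it reports private key files stored with no passphrase. It goes beyond the page's era by handling both the PEM form OpenSSH used for RSA/DSA keys (encrypted ones carry Proc-Type/DEK-Info headers) and the newer openssh-key-v1 container (cipher name "none" means unencrypted); the sample files are constructed, not real keys.

```python
import base64
import struct

def _string(s: bytes) -> bytes:            # SSH wire "string": uint32 length + bytes
    return struct.pack(">I", len(s)) + s

def _armor(label: str, payload: bytes) -> str:
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def is_encrypted(key_text: str):
    """True/False for the two formats handled here, None for anything else."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in key_text:
        body = "".join(l for l in key_text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(b"openssh-key-v1\x00"):
            return None
        (n,) = struct.unpack(">I", blob[15:19])     # first field: cipher name
        return blob[19:19 + n] != b"none"
    if "-----BEGIN " in key_text and " PRIVATE KEY-----" in key_text:
        # Legacy PEM: an encrypted key carries Proc-Type/DEK-Info headers
        # between the BEGIN line and a blank line; a plaintext key has none.
        headers = key_text.split("-----\n", 1)[1].split("\n\n", 1)[0]
        return "Proc-Type: 4,ENCRYPTED" in headers
    return None

def audit(keys: dict) -> list:
    """Names of keys stored with no passphrase (the MY-PASSWORD.PLEASE-STEAL-ME case)."""
    return sorted(name for name, text in keys.items() if is_encrypted(text) is False)

# Constructed samples (not real keys; the payloads are filler bytes).
PEM_PLAIN = _armor("RSA PRIVATE KEY", b"filler-not-a-real-key")
PEM_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
                 + base64.b64encode(b"filler-not-a-real-key").decode()
                 + "\n-----END RSA PRIVATE KEY-----\n")

def _v1_container(cipher: bytes, kdf: bytes) -> str:
    # openssh-key-v1 layout: magic, string cipher, string kdf, string kdfoptions, uint32 nkeys, ...
    blob = (b"openssh-key-v1\x00" + _string(cipher) + _string(kdf) + _string(b"")
            + struct.pack(">I", 1))
    return _armor("OPENSSH PRIVATE KEY", blob)

V1_PLAIN = _v1_container(b"none", b"none")
V1_ENCRYPTED = _v1_container(b"aes256-ctr", b"bcrypt")
```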
```
$ ssh-keygen -c -f mykey -P secretword -C "my second-favorite key"
$ ssh-keygen -c
Enter file key is in (/home/barrett/.ssh/identity): mykey
Enter passphrase: [nothing is echoed]
Key now has comment 'my favorite key'
Enter new comment: my second-favorite key
The comment in your key file has been changed.
```

```
$ ssh-keygen1 -u -f mykey -P secretword
$ ssh-keygen1 -u
Enter file key is in (/home/barrett/.ssh/identity): mykey
Enter passphrase: [nothing is echoed]
Key's cipher has been updated.
```
```
$ ssh-keygen2 mykey                         creates mykey and mykey.pub
```

The name is relative to your current directory, and as usual, the public key file is named after the private one with .pub appended. If you omit this option, the key is saved in the directory ~/.ssh2, in a file whose name indicates the encryption algorithm and number of bits. An example is id_dsa_1024_a, which was generated by the DSA algorithm with 1024 bits. You also may indicate the following with command-line options:
```
$ ssh-keygen2 -b 2048
```

```
$ ssh-keygen2 -t dsa
```

[79] F-Secure SSH2 Server adds support for RSA (argument "rsa") but only in a limited sense. [Section 3.9, "Algorithms Used by SSH"]

```
$ ssh-keygen2 -c "my favorite SSH2 key"
```

"1024-bit dsa, barrett@server.example.com, Tue Feb 22 2000 02:03:36"
```
$ ssh-keygen2 -p secretword
```

You can also designate an empty password using -P. This shouldn't be done in general but is appropriate in some special cases. [Section 11.1.2.2, "Using a plaintext key"]

```
$ ssh-keygen2 -P
```
```
$ ssh-keygen2 -e mykey
Passphrase needed for key "my favorite SSH2 key"
Passphrase : [nothing is echoed]
Do you want to edit key "my favorite SSH2 key" (yes or no)? yes
Your key comment is "my favorite SSH2 key". Do you want to edit it (yes or no)? yes
New key comment: this is tedious
Do you want to edit passphrase (yes or no)? yes
New passphrase : [nothing is echoed]
Again : [nothing is echoed]
Do you want to continue editing key "this is tedious" (yes or no)? god no
(yes or no)? no
Do you want to save key "this is tedious" to file mykey (yes or no)? yes
```

As with ssh-keygen1, changes are applied to the key files but not propagated to the copies currently loaded in an agent. (So if you do an ssh-add2 -l to list the keys, for example, you see the old comment.)
```
$ ssh-keygen2 -D mykeyfile
Passphrase : ********
Public key saved to mykeyfile.pub
```

```
$ ssh-keygen2 -1 ssh1key
```

```
# SSH2 only
$ ssh-keygen2 -F stevekey.pub
Fingerprint for key:
xitot-larit-gumet-fyfim-sozev-vyned-cigeb-sariv-tekuk-badus-bexax
```

```
$ ssh-keygen2 -V
ssh2: SSH Secure Shell 2.1.0 (noncommercial version)
```

```
$ ssh-keygen2 -h
$ ssh-keygen2 -\?                           Escaping the question mark
```

```
$ ssh-keygen2
Generating 1024-bit dsa key pair
   .oOo.oOo.oOo.oOo
Key generated.
$ ssh-keygen2 -q
Generating 1024-bit dsa key pair
Key generated.
```

```
$ ssh-keygen2 -i mykey
```

This isn't currently implemented.

```
$ ssh-keygen2 -r
I am stirring the random pool. blah blah blah
^D
Stirred in 46 bytes.
```

```
# OpenSSH only
$ ssh-keygen -d
```
Option | Extract/Convert from... | To... |
---|---|---|
-x | OpenSSH DSA private key file | SSH2 public key |
-X | SSH2 public key file | OpenSSH DSA public key |
-y | OpenSSH DSA private key file | OpenSSH DSA public key |
An OpenSSH "private" key file actually contains both the public and private keys of a pair, so the -x and -y options simply extract the public key and print it out in the desired format. Use -x to add an OpenSSH public key to your ~/.ssh2/authorization file on an SSH2 server host and -X to do the opposite. The -y option is useful if you accidentally delete your OpenSSH public key file and need to restore it.
A function that's missing is converting the private keys as well. This is useful if you have an OpenSSH server host on which you also want to run SSH2, and you want the two SSH servers to share a host key.

```
# OpenSSH only
$ ssh-keygen -l -f stevekey.pub
1024 5c:f6:e2:15:39:14:1a:8b:4c:93:44:57:6b:c6:f4:17 steve@sshbook.com
```
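The two conversion directions in the table above and the -l fingerprint line, worked in Python as an added example (not code from the book or from OpenSSH). It starts from the OpenSSH one-line public key rather than the private key file, since that file holds the same public blob, and the sample key is constructed, not a real one.

```python
import base64
import hashlib
import struct

def _string(s: bytes) -> bytes:          # SSH wire "string": uint32 length + bytes
    return struct.pack(">I", len(s)) + s
def _mpint(n: int) -> bytes:             # SSH "mpint": big-endian, leading 0x00 if top bit set
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

# Constructed sample (not a real key): an ssh-rsa blob with e=65537 and a made-up
# 512-bit modulus. Real keys are longer, but the encoding is the same.
SAMPLE_MODULUS = (1 << 511) | 0x123456789ABCDEF1
SAMPLE_BLOB = _string(b"ssh-rsa") + _mpint(65537) + _mpint(SAMPLE_MODULUS)
OPENSSH_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " steve@example.com"

def key_bits(blob: bytes) -> int:
    """Key size as ssh-keygen -l reports it: modulus n for ssh-rsa, prime p for ssh-dss."""
    ktype, off = _read_string(blob, 0)
    if ktype == b"ssh-rsa":
        _, off = _read_string(blob, off)       # skip the public exponent e
    first, _ = _read_string(blob, off)         # n (rsa) or p (dss)
    return int.from_bytes(first, "big").bit_length()

def fingerprint(openssh_line: str) -> str:
    """Same shape as `ssh-keygen -l -f key.pub`: bits, colon-separated MD5 hex, comment."""
    _, b64, comment = openssh_line.split(None, 2)
    blob = base64.b64decode(b64)
    md5 = hashlib.md5(blob).hexdigest()
    return f"{key_bits(blob)} {':'.join(md5[i:i + 2] for i in range(0, 32, 2))} {comment}"

def to_ssh2(openssh_line: str) -> str:
    """What `ssh-keygen -x` produces: the same blob wrapped in SSH2 (RFC 4716) armour."""
    _, b64, comment = openssh_line.split(None, 2)
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"',
                      *body, "---- END SSH2 PUBLIC KEY ----"])

def from_ssh2(ssh2_text: str) -> str:
    """What `ssh-keygen -X` produces: back to the OpenSSH one-line form."""
    lines = [l for l in ssh2_text.splitlines() if not l.startswith("----")]
    headers = [l for l in lines if ":" in l]          # base64 never contains ':'
    body = "".join(l.strip() for l in lines if ":" not in l)
    comment = next((v.strip().strip('"') for k, _, v in (h.partition(":") for h in headers)
                    if k.strip() == "Comment"), "")
    ktype, _ = _read_string(base64.b64decode(body), 0)
    return f"{ktype.decode()} {body} {comment}".rstrip()
```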
```
# OpenSSH only, with RSA support
$ ssh-keygen -R; echo $?
0
# OpenSSH only, without RSA support
$ ssh-keygen -R; echo $?
1
```
Copyright © 2002 O'Reilly & Associates. All rights reserved.