The ssh-keygen command creates a public/private key pair (a key, not a certificate; ssh-keygen -s produces certificates, which is a different mechanism). The private key stays on the client and the public key is installed on the SSH server, so that you can authenticate without a password. Run with no options, ssh-keygen prompts for the file name and passphrase. Older OpenSSH releases create an RSA key pair by default; OpenSSH 9.5 and later default to Ed25519, so pass -t explicitly when you need a particular key type.
~]# ssh-keygen
Generating public/private rsa key pair.
Or, the following one-liner can be used so that you are not prompted for input. The pieces are:
- -t (type) such as rsa, ecdsa or ed25519 (dsa keys have been disabled for authentication since OpenSSH 7.0 and should not be used)
- -b (bits) such as 2048 or 4096 for RSA; 1024-bit RSA is too weak for current use, and -b is ignored for ed25519, whose size is fixed
- -N (passphrase); -N '' sets an empty passphrase, which is acceptable only for an automation key on a locked-down host
- -C (comment), conventionally user@host, stored in the public key so you can tell keys apart in authorized_keys
- -f (key file) such as /home/john.doe/.ssh/id_rsa; the public key is written alongside it as id_rsa.pub
- <<< n answers the "Overwrite (y/n)?" prompt with n, so an existing id_rsa and id_rsa.pub are left alone (ssh-keygen then exits non-zero instead of overwriting them)
- >/dev/null 2>&1 suppresses both normal output and error messages. The order matters: the commonly written 2>&1 >/dev/null sends stderr to the terminal and only stdout to /dev/null
ssh-keygen -t rsa -b 4096 -N '' -C "$(whoami)@$(hostname)" -f "$HOME/.ssh/id_rsa" >/dev/null 2>&1 <<< n
If you do not include the -m PEM option, the private key is written in OpenSSH's own format (the default since OpenSSH 7.8) and line 1 of the private key file (id_rsa) will contain the following.
-----BEGIN OPENSSH PRIVATE KEY-----
If you include the -m PEM option, the private key is written in the legacy PEM format instead, which some third-party tools and libraries still expect, and line 1 of the private key file will contain the following. Use -m PEM only when a consumer requires it: the legacy format protects a passphrased key with a much weaker key derivation than the OpenSSH format. The public key file is the same either way.
-----BEGIN RSA PRIVATE KEY-----
If the private key already exists, such as id_rsa, you can regenerate the public key from it with -y, like this (useful when id_rsa.pub has been lost or you suspect it was edited).
ssh-keygen -y -f /home/john.doe/.ssh/id_rsa > /home/john.doe/.ssh/id_rsa.pub
It is always recommended to protect the private key with a strong, unique passphrase; a key without one is usable by anyone who copies the file. The one-liner above skips it deliberately with -N ''. When ssh-keygen is run interactively, as in the first example, it creates the .ssh directory if needed and prompts for the passphrase:
Created directory '/home/john.doe/.ssh'.
Enter passphrase (empty for no passphrase):
The public key and private key are created. (Recent OpenSSH releases print the fingerprint in the SHA256: form rather than the MD5 colon form shown here.)
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
a6:4e:fd:17:67:69:19:b5:22:0a:16:53:cf:47:b3:b3 root@server1
The key's randomart image is:
+--[ RSA 2048]----+
| .. o |
| o o . o .|
| o o + ..|
| o ...+. |
| . S . .E.+ |
| + . . * |
| o . = |
| o . . |
| . .. |
+-----------------+
Configure the .ssh directory so that only its owner (john.doe in this example) has read/write/execute permission, and the key files so that only the owner can read and write them. ssh refuses to use a private key that other users can read (it reports "UNPROTECTED PRIVATE KEY FILE" and ignores the key), and sshd applies similar checks on the server side unless StrictModes is disabled. The public key is not secret, so 644 is also acceptable for id_rsa.pub.
chmod 700 /home/john.doe/.ssh
chmod 600 /home/john.doe/.ssh/id_rsa
chmod 600 /home/john.doe/.ssh/id_rsa.pub
Optionally, start ssh-agent and use ssh-add to load the private key into it, so the passphrase is entered once per session rather than on every connection. The agent holds the decrypted key in memory only; it is not a keychain file on disk.
eval `ssh-agent -s`
ssh-add /home/john.doe/.ssh/id_rsa
The content of id_rsa.pub will be something like this. It is a single line; it is wrapped here only for display.
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqphOmkv0RPMn48EwCRED/eSSYsbyrRlxymWdEA/
rYuq4eqZAVzTYxJxnTuCTLnrr5hvVMYstcEnwFB+uXZut8UoCtOlrqA7gyy0EjdRh1qay1YXIbB
QZxpHDmAy9D3aSDoa5sVwrC1GQzNN4nH58pGnoGF+Df/A76LlZeBfmO1hP/a7hLIf8L+2o4LfKM
NBvqf37tlYDOKUA+mU+XSCmBbMk3/4UgYxuQ3HdE8w5RhFZf9Mbvb5GqubCy7N8zp6v/hRRfT0j
pWqR8kr2qauQttd9+q1n5pKCCjUO+/+jeLDdhtJ7Pls8O7motxJoNsqxKof1lJKvtt44VxYpdoY
K6w== john.doe@client
If your SSH server is OpenSSH, append the content of id_rsa.pub as one line to the authorized_keys file of the target user on the server, normally ~/.ssh/authorized_keys with mode 600 and owned by that user (ssh-copy-id -i /home/john.doe/.ssh/id_rsa.pub john.doe@server1 does this for you). Provided sshd is configured with PubkeyAuthentication yes (the default), you should be able to connect with the key pair you just created, for example ssh -i /home/john.doe/.ssh/id_rsa john.doe@server1. If the connection still asks for a password, run ssh -v to see whether the key was offered and why it was rejected; file permissions are the usual cause.
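The whole procedure as one script, added here as an example; it is not code from the original article. It assumes bash, coreutils (base64, od, awk) and, for the generation step only, ssh-keygen on the PATH. The function names check_pubkey_line and generate_and_verify and the tiny sample keys in the usage note are this example's own. Beyond the article's steps it also parses the public key's wire format, which is how you confirm a line pasted into authorized_keys was not truncated or mangled in transit and that an RSA modulus is really as large as the file name suggests.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article. Assumes bash, coreutils
# (base64, od, awk) and, for generate_and_verify only, ssh-keygen on the PATH.
set -euo pipefail

# check_pubkey_line LINE [MIN_RSA_BITS]
# Returns 0 when LINE is a well-formed single-line OpenSSH public key,
# "<type> <base64> [comment]", whose blob decodes to the SSH wire format and
# embeds the same type string it declares (a pasted line that lost or gained
# characters fails here). ssh-dss is rejected outright; an ssh-rsa modulus
# shorter than MIN_RSA_BITS (default 2048) is rejected too.
check_pubkey_line() {
    local line="$1" min_bits="${2:-2048}"
    local ktype blob hex type_hex len_hex off e_len n_len n_bits
    read -r ktype blob _ <<< "$line"
    [[ -n "${ktype:-}" && -n "${blob:-}" ]] || return 1
    case "$ktype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    # Decode the blob to one hex string; invalid base64 fails here via pipefail.
    hex=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n') || return 1
    # The wire format starts with a uint32 length followed by the key type string.
    len_hex=$(printf '%08x' "${#ktype}")
    type_hex=$(printf '%s' "$ktype" | od -An -v -tx1 | tr -d ' \n')
    [[ "$hex" == "$len_hex$type_hex"* ]] || return 1
    if [[ "$ktype" == ssh-rsa ]]; then
        # ssh-rsa continues with mpint e then mpint n: uint32 length plus
        # big-endian bytes, with a leading 0x00 when the top bit is set.
        off=$(( 8 + ${#type_hex} ))
        [[ ${#hex} -ge $(( off + 8 )) ]] || return 1
        e_len=$(( 16#${hex:off:8} ))
        off=$(( off + 8 + e_len * 2 ))
        [[ ${#hex} -ge $(( off + 10 )) ]] || return 1
        n_len=$(( 16#${hex:off:8} ))
        n_bits=$(( n_len * 8 ))
        if [[ "${hex:$(( off + 8 )):2}" == "00" ]]; then
            n_bits=$(( n_bits - 8 ))
        fi
        [[ $n_bits -ge $min_bits ]] || return 1
    fi
    return 0
}

# generate_and_verify DIR
# Runs the corrected one-liner into DIR (so nothing under ~/.ssh is touched),
# applies the recommended permissions, re-derives the public key from the
# private key with "ssh-keygen -y" and checks that it matches id_rsa.pub.
# Returns 2 when ssh-keygen is not installed, 1 on any failure or mismatch.
generate_and_verify() {
    local dir="$1" a b
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    mkdir -p "$dir" && chmod 700 "$dir"
    # -N '' is an empty passphrase: acceptable for an automation key on a
    # locked-down host, not for a person's login key. <<< n answers the
    # "Overwrite (y/n)?" prompt with n so an existing key is never clobbered
    # (ssh-keygen then exits non-zero). >/dev/null 2>&1 silences both streams.
    # id -un and uname -n are the POSIX spellings of whoami and hostname.
    ssh-keygen -t rsa -b 4096 -N '' -C "$(id -un)@$(uname -n)" -f "$dir/id_rsa" \
        >/dev/null 2>&1 <<< n || return 1
    chmod 600 "$dir/id_rsa" "$dir/id_rsa.pub"
    # The public half can be derived from the private half at any time.
    ssh-keygen -y -f "$dir/id_rsa" > "$dir/id_rsa.pub.rederived"
    # Compare type and blob only; whether -y echoes the comment depends on the
    # OpenSSH version and key format.
    a=$(awk '{print $1, $2}' "$dir/id_rsa.pub")
    b=$(awk '{print $1, $2}' "$dir/id_rsa.pub.rederived")
    [[ "$a" == "$b" ]] || return 1
    check_pubkey_line "$(cat "$dir/id_rsa.pub")" 4096
}

# Usage: keycheck.sh generate DIR | keycheck.sh check "PUBKEY_LINE"
case "${1:-}" in
    generate) generate_and_verify "${2:?directory required}" && echo "ok: $2/id_rsa.pub" || exit 1 ;;
    check)    check_pubkey_line "${2:?public key line required}" && echo "accepted" || exit 1 ;;
esac
```

Try it with a constructed, deliberately tiny RSA blob: check_pubkey_line "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAQU= tiny@example" is rejected at the default 2048-bit minimum (its modulus is 8 bits) but accepted with a minimum of 8, and the same blob declared as ssh-ed25519 is rejected because the embedded type string does not match. The generation step writes into the directory you name, so point it at a scratch directory first and copy the files into ~/.ssh once you are happy with them.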