SSH Key Cheatsheet
Related Posts
Table of Contents
General
$KEY_PATH with ~/.ssh/id_rsa if you are concerned
with just your own computers key rather than a key file.
Create Key
ssh-keygen
PEM Format
If you want to create a PEM key, instead of an OpenSSH key, then do the following:
ssh-keygen -t rsa -m PEM
.pem extension to the generated private key file.
Add Passphrase
If you were given an unencrypted SSH key, such as from AWS, then you probably want to add a
passphrase to it with the following command:
ssh-keygen -p -f my-private-key.pem
Remove Passphrase
Just do the same again as adding passphrase, this time enter the current passphrase and then don't enter anything for the new one.
ssh-keygen -p -f my-private-key.pem
Generate public key from private key
ssh-keygen -f $KEY_PATH -y > $KEY_PATH.pub
Add Key To Remote Server
Refer here if you wish to see how to easily add this key to a remote server so that you can use it to log in.
Get Key Fingerprint
If you wish to get the fingerprint of a (public) key then do the following:
ssh-keygen -l -E MD5 -f /etc/ssh/ssh_host_rsa_key.pub
-E MD5 if you want the fingerprint in SHA256 format instead of MD5.
Public Host Key
If you are interested in your server's public fingerprint that it will identify itself to others with (e.g. when they try to connect via SSH), then you want to use your
host key at /etc/ssh/ssh_host_rsa_key.pub. E.g.
ssh-keygen -l -E MD5 -f /etc/ssh/ssh_host_rsa_key.pub
Conversions
Convert PEM To OpenSSH
The following command will convert the PEM key file in place to the OpenSSH format, so be sure to make a copy if you want to keep the original format too.
ssh-keygen \
-f $INPUT_FILE \
-i \
-mPEM \
> $OUTPUT_FILE
- The
-fstands for filename, and allows us to specify the input file. This input file can be either a public or private key, and will generate the corresponding public/private output key. - The
-mPEMtells the tool that the input file is expected to be in thePEMformat. Some users may find that they need to specifyPKCS8instead. - The
-ioption tells the tool to read an unencrypted private (or public) key file in the format specified by the-moption and print an OpenSSH compatible priāvate (or public) key to stdout.
Convert OpenSSH To PEM
Convert Public Key
The following command will create a new PEM key from an inputted OpenSSH key.
$INPUT_FILE="my-key.pub"
ssh-keygen \
-f $INPUT_FILE \
-m 'PEM' \
-e \
> output.pem
- The
-fstands for filename, and allows us to specify the input file. This input file can be either a public or private OpenSSH key, and will generate the corresponding public/private output key. - The
-m PEMtells the tool to output in the PEM format. - The
-etells the tool to output to stdout, rather than to the file.
Convert Private Key
Unfortunately, with a private key, we cannot create a new key, but have to end up replacing the key file in place. Thus I suggest you firstly create a backup of the original like so:
PRIVATE_KEY_FILE="my-key"
cp $PRIVATE_KEY_FILE "${PRIVATE_KEY_FILE}.bak"
# Convert the key
ssh-keygen -f $PRIVATE_KEY_FILE -m 'PEM' -p
# Rename files to make sense
mv -i $PRIVATE_KEY_FILE "${PRIVATE_KEY_FILE}.pem"
mv -i "${PRIVATE_KEY_FILE}.bak" $PRIVATE_KEY_FILE
If you want it in a single command for convenience:
PRIVATE_KEY_FILE="test-key"
cp $PRIVATE_KEY_FILE "${PRIVATE_KEY_FILE}.bak" \
&& ssh-keygen -f $PRIVATE_KEY_FILE -m 'PEM' -p \
&& mv -i $PRIVATE_KEY_FILE "${PRIVATE_KEY_FILE}.pem" \
&& mv -i "${PRIVATE_KEY_FILE}.bak" $PRIVATE_KEY_FILE
References
- ServerFault - Create a public SSH key from the private key?
- Unix & Linux - How can I determine if someone's SSH key contains an empty passphrase?
- Remove passphrase (password) from private RSA key
- Stack Overflow - How do I add a password to an OpenSSH private key that was generated without a password?
- Stack Overflow - Convert RSA to OPENSSH
First published: 16th August 2018