Programster's Blog

Tutorials focusing on Linux, programming, and open-source

SSH Key Cheatsheet

General

For the cheats below, you may replace $KEY_PATH with ~/.ssh/id_rsa if you are concerned with just your own computer's key rather than a key file.

Create Key

ssh-keygen

PEM Format

If you want to create a PEM key, instead of an OpenSSH key, then do the following:

ssh-keygen -t rsa -m PEM

You need to manually add the .pem extension to the generated private key file.

Elliptic Curve Type

If you want to generate an elliptic curve key, which results in a much shorter public key to add to remote servers, then you can use:

ssh-keygen -t ed25519

Ed25519 was introduced in OpenSSH version 6.5. It is the EdDSA implementation using the Twisted Edwards curve. This elliptic curve cryptography is said to offer better security with faster performance compared to DSA or ECDSA.

Add Passphrase

If you were given an unencrypted SSH key, such as from AWS, then you probably want to add a passphrase to it with the following command:

ssh-keygen -p -f my-private-key.pem

Remove Passphrase

Run the same command as for adding a passphrase; this time enter the current passphrase and then don't enter anything for the new one.

ssh-keygen -p -f my-private-key.pem

Generate public key from private key

ssh-keygen -f $KEY_PATH -y > $KEY_PATH.pub

Add Key To Remote Server

Refer here if you wish to see how to easily add this key to a remote server so that you can use it to log in.

Get Key Fingerprint

If you wish to get the fingerprint of a (public) key then do the following:

ssh-keygen -l -E MD5 -f /etc/ssh/ssh_host_rsa_key.pub

Remove the -E MD5 if you want the fingerprint in SHA256 format instead of MD5.

Public Host Key

If you are interested in your server's public fingerprint that it will identify itself to others with (e.g. when they try to connect via SSH), then you want to use your host key at /etc/ssh/ssh_host_rsa_key.pub. E.g.

ssh-keygen -l -E MD5 -f /etc/ssh/ssh_host_rsa_key.pub
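What the two fingerprint formats above are computed from, as an added Python example that is not from the original post: the fingerprint is a digest of the base64-decoded key blob, printed as colon-separated hex for MD5 and as unpadded base64 for SHA256. The key bytes, comment and function names are constructed for illustration.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(key_type: str, raw_key: bytes, comment: str) -> str:
    """Build a public key line from constructed (not real) key bytes."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def fingerprints(pubkey_line: str) -> dict:
    """Return the MD5 and SHA256 fingerprints of one public key line."""
    declared, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode("ascii", "replace")
    if embedded != declared:
        # A line whose label disagrees with its blob has been edited or corrupted.
        raise ValueError(f"declared {declared!r} but blob says {embedded!r}")
    md5_hex = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return {
        "type": declared,
        # MD5 form: 16 colon-separated hex bytes
        "md5": "MD5:" + ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
        # SHA256 form: base64 with the trailing '=' padding removed
        "sha256": "SHA256:" + sha256.rstrip("="),
    }


# Constructed sample: 32 placeholder bytes standing in for an Ed25519 public key.
SAMPLE = make_pubkey_line("ssh-ed25519", bytes(range(32)), "constructed@example")

if __name__ == "__main__":
    for label, value in fingerprints(SAMPLE).items():
        print(f"{label}: {value}")
```

The comment field is not part of the hashed blob, so two lines that differ only in their comment have the same fingerprint.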

Regenerate Host Key (Identity)

Refer here.

Conversions

Convert PEM To OpenSSH

The following command will convert the PEM key file in place to the OpenSSH format, so be sure to make a copy if you want to keep the original format too.

ssh-keygen \
  -f "$INPUT_FILE" \
  -i \
  -mPEM \
  > "$OUTPUT_FILE"
  • The -f stands for filename, and allows us to specify the input file. This input file can be either a public or private key, and will generate the corresponding public/private output key.
  • The -mPEM tells the tool that the input file is expected to be in the PEM format. Some users may find that they need to specify PKCS8 instead.
  • The -i option tells the tool to read an unencrypted private (or public) key file in the format specified by the -m option and print an OpenSSH compatible private (or public) key to stdout.

Convert OpenSSH To PEM

Convert Public Key

The following command will create a new PEM key from an inputted OpenSSH key.

INPUT_FILE="my-key.pub"

ssh-keygen \
  -f "$INPUT_FILE" \
  -m 'PEM' \
  -e \
  > output.pem
  • The -f stands for filename, and allows us to specify the input file. This input file can be either a public or private OpenSSH key, and will generate the corresponding public/private output key.
  • The -m PEM tells the tool to output in the PEM format.
  • The -e tells the tool to output to stdout, rather than to the file.

Convert Private Key

Unfortunately, with a private key, we cannot create a new key, but have to end up replacing the key file in place. Thus I suggest you first create a backup of the original like so:

PRIVATE_KEY_FILE="my-key"
# Back up the original before it is rewritten in place
cp "$PRIVATE_KEY_FILE" "${PRIVATE_KEY_FILE}.bak"

# Convert the key
ssh-keygen -f "$PRIVATE_KEY_FILE" -m 'PEM' -p

# Rename files to make sense
mv -i "$PRIVATE_KEY_FILE" "${PRIVATE_KEY_FILE}.pem"
mv -i "${PRIVATE_KEY_FILE}.bak" "$PRIVATE_KEY_FILE"

If you want it in a single command for convenience:

PRIVATE_KEY_FILE="test-key"

cp "$PRIVATE_KEY_FILE" "${PRIVATE_KEY_FILE}.bak" \
  && ssh-keygen -f "$PRIVATE_KEY_FILE" -m 'PEM' -p \
  && mv -i "$PRIVATE_KEY_FILE" "${PRIVATE_KEY_FILE}.pem" \
  && mv -i "${PRIVATE_KEY_FILE}.bak" "$PRIVATE_KEY_FILE"

Last updated: 23rd July 2023
First published: 16th August 2018

This blog is created by Stuart Page

I'm a freelance web developer and technology consultant based in Surrey, UK, with over 10 years experience in web development, DevOps, Linux Administration, and IT solutions.
