ssh key maintenance

ssh-keygen provides authentication key generation, management and conversion; the default files it generates and utilizes are located in ~/.ssh.

~/.ssh/id_rsa                   # be mindful of ownership, r/w access
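
The ownership and mode checks hinted at above, as an added example (this is not part of the original note and not OpenSSH's own code). It assumes the policy ssh applies with StrictModes: every file in the directory is owned by the invoking user, the directory is not group/other writable, and any file carrying a private-key header has no group/other permission bits at all. The stat helpers try GNU stat first and fall back to BSD stat so the script runs on Linux and osx.

```shell
#!/bin/sh
# Added example: audit an ssh directory for the ownership and permission
# mistakes that make ssh refuse a key, or that expose it to other local users.
# Policy assumed here (not stated on the page): owner == caller, directory not
# group/other writable, private keys with no group/other bits (0600 or 0400).

# Portable helpers: GNU stat first, BSD stat (osx) as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_uid()  { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# Print one line per finding; return 0 when clean, 1 when something is wrong.
audit_ssh_dir() {
    dir=$1
    me=$(id -u)
    bad=0

    if [ "$(file_uid "$dir")" != "$me" ]; then
        echo "OWNER   $dir is not owned by uid $me"; bad=1
    fi
    # 022 masks the group and other write bits of the octal mode.
    if [ $(( 0$(file_mode "$dir") & 022 )) -ne 0 ]; then
        echo "DIRMODE $dir is group/other writable"; bad=1
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(file_uid "$f")" != "$me" ]; then
            echo "OWNER   $f is not owned by uid $me"; bad=1
        fi
        # Anything with a PEM/OpenSSH private-key header counts as a private key.
        if grep -q 'PRIVATE KEY' "$f" 2>/dev/null; then
            # 077 masks every group and other bit.
            if [ $(( 0$(file_mode "$f") & 077 )) -ne 0 ]; then
                echo "KEYMODE $f is readable or writable by group/other"; bad=1
            fi
        fi
    done
    return $bad
}

# Usage: audit_ssh_dir ~/.ssh
if [ $# -gt 0 ]; then audit_ssh_dir "$1"; fi
```

The checks are deliberately stricter than what ssh itself enforces for public keys and config; a clean run prints nothing and exits 0, which makes it usable from a login script or a cron job.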

generating a key

ssh-keygen is an interactive program; in its default form, it will prompt for whatever was not provided on the command line.

ssh-keygen -t ed25519 \
	   -a 100 \
	   -f ~/.ssh/id_ed25519

The generated key, of type ed25519, is the most recent key type added to OpenSSH; its keys are significantly more compact and faster. The -a [count] option specifies the number of KDF (key derivation function) rounds used when the private key is encrypted with the passphrase. Higher numbers make passphrase verification slower and increase resistance to brute-force passphrase cracking (should the key file be stolen).

With the -f option, the path of the output file can be specified; this comes in handy when you want to specify which key to use when connecting to a remote server.

ssh -i ~/.ssh/id_ed25519_SERVER user@server   # -i selects the identity file for this connection
    IdentityFile ~/.ssh/id_ed25519_SERVER      # or permanently, in ~/.ssh/config under the matching Host entry

password-less authentication

The contents of a *.pub file are what one uploads to services like github, or appends to each remote server's ~/.ssh/authorized_keys file.

ssh-keygen -y -f ~/.ssh/id_ed25519 \
    | pbcopy                    # output public key
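
Appending the public key to a remote authorized_keys file, as an added example (not part of the original note, and not what ssh-copy-id does verbatim). It assumes the file path and the public-key line are passed in by the caller; the key is added only if the same key type and base64 blob are not already present, so re-running it, or adding the same key with a different comment or an options prefix such as "restrict", does not create duplicates. It also sets the modes sshd expects under StrictModes (0700 on the directory, 0600 on the file).

```shell
#!/bin/sh
# Added example: idempotent append of one public key line to authorized_keys.
# Return 0 when the key was added, 2 when it was already present, 1 on bad input.
# Usage: add_authorized_key <authorized_keys path> "<public key line>"
add_authorized_key() {
    file=$1
    line=$2

    # Locate the key type and blob even when an options prefix precedes them;
    # OpenSSH key types start with "ssh-", "ecdsa-" or "sk-".
    keytype=$(printf '%s\n' "$line" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i; exit } }')
    blob=$(printf '%s\n' "$line" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i+1); exit } }')
    [ -n "$keytype" ] && [ -n "$blob" ] || return 1

    # sshd ignores the file if the directory or file is too permissive.
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"

    # Already there? Compare type and blob, not the whole line.
    if awk -v t="$keytype" -v b="$blob" '
        { for (i = 1; i < NF; i++) if ($i == t && $(i+1) == b) found = 1 }
        END { exit found ? 0 : 1 }' "$file"; then
        return 2
    fi
    printf '%s\n' "$line" >> "$file"
}

# Usage: add_authorized_key ~/.ssh/authorized_keys "$(cat ~/.ssh/id_ed25519.pub)"
if [ $# -ge 2 ]; then add_authorized_key "$1" "$2"; fi
```

Run it on the server side (for example over an existing session: ssh user@server 'sh -s' < this_script.sh with the arguments baked in), and keep the comparison on type and blob: the comment field is free text and is the part most likely to differ between copies of the same key.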

On the local end, if the optional passphrase was set on the key, ssh-add can load keys into a running ssh-agent so they are cached; on osx, they can also be stored in the user's Keychain, with the appropriate settings in ~/.ssh/config.

    UseKeychain yes
    AddKeysToAgent yes
ssh-add -K ~/.ssh/id_ed25519    # osx specific, enter passphrase only once
ssh-add -l|-L                   # list currently loaded
ssh-add -K -d ~/.ssh/id_ed25519 # remove, from Keychain as well
ssh-add -D                      # remove all
ssh-add -x|-X                   # lock|unlock currently loaded
ssh-add -t 300                  # auto-expire in 5 minutes

The private key's passphrase can be changed (without affecting the key itself).

ssh-keygen -p -a 100 -f ~/.ssh/id_ed25519 # change passphrase (and re-encrypt with 100 KDF rounds)
ssh-keygen -c -C "X" -f ~/.ssh/id_ed25519 # set comment

cleaning up known-hosts

ssh-keygen -F host -l           # search known_hosts file for host
ssh-keygen -R host              # remove all keys belonging to host from known_hosts
ssh-keyscan -t rsa server       # fetch current key for verification

Keys can also be compared quickly by their randomart (visual) representation.

ssh-keygen -lv -f ~/.ssh/known_hosts | less

2018 - Élő László hello at bald dot cat