ssh key maintenance
ssh-keygen provides authentication key generation, management and conversion; the default files it generates and utilizes are located in ~/.ssh.
~/.ssh/config
~/.ssh/id_rsa        # be mindful of ownership, r/w access
~/.ssh/id_rsa.pub
~/.ssh/known_hosts
generating a key
ssh-keygen is an interactive program; in its default form it prompts for whatever was not provided on the command line.
ssh-keygen -t ed25519 \
    -a 100 \
    -f ~/.ssh/id_ed25519
The generated key is of type ed25519, the latest key type added to OpenSSH; its keys are significantly more compact and faster. The -a [count] option specifies the number of KDF (key derivation function) rounds used for the passphrase. Higher numbers result in slower passphrase verification and increased resistance to brute-force password cracking (should the keys be stolen).
With the -f option, the path of the output file can be specified; this comes in handy when you want to pick which key to use when connecting to a remote server, either on the command line or in ~/.ssh/config.
ssh -i ~/.ssh/id_SERVER user@server    # -i selects the identity file
Host SERVER
    IdentityFile ~/.ssh/id_ed25519_SERVER
The contents of a *.pub file are what one uploads to services like GitHub, or appends to each remote server's ~/.ssh/authorized_keys file.
ssh-keygen -y -f ~/.ssh/id_ed25519 \
    | pbcopy    # output public key
On the local end, if the optional passphrase was added to the key, ssh-add can load keys into a running ssh-agent so the passphrase is cached; on macOS they can also be stored in the user's Keychain, given the appropriate settings in ~/.ssh/config.
Host SERVER
    UseKeychain yes
    AddKeysToAgent yes
ssh-add -K ~/.ssh/id_ed25519       # macOS specific, enter passphrase only once
ssh-add -l|-L                      # list currently loaded
ssh-add -K -d ~/.ssh/id_ed25519    # remove, from Keychain as well
ssh-add -D                         # remove all
ssh-add -x|-X                      # lock|unlock currently loaded
ssh-add -t 300                     # auto-expire in 5 minutes
The private key's passphrase can be changed (without affecting the key itself).
ssh-keygen -p -a 100 -f ~/.ssh/id_ed25519    # change passphrase
ssh-keygen -c -C "X" -f ~/.ssh/id_ed25519    # set comment
cleaning up known-hosts
ssh-keygen -F host -l    # search known_hosts file for host, print fingerprint
ssh-keygen -R host       # remove all keys belonging to host from known_hosts
ssh-keyscan -t rsa server # fetch current key for verification
Keys can also be compared quickly by their visual (randomart) representation.
ssh-keygen -lv -f ~/.ssh/known_hosts | less
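Checking what ssh-keyscan returned against what is already in known_hosts, before deciding whether an entry needs ssh-keygen -R, as an added example (Python, not from the original page or from OpenSSH): it mirrors the ssh-keygen -F lookup, including hashed HashKnownHosts entries, and the SHA256 fingerprint that ssh-keygen -l prints. The hosts, salt and key bytes are constructed for the example.

```python
import base64, hashlib, hmac, struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_host_field(host: str, salt: bytes) -> str:
    """HashKnownHosts-style field: |1|base64(salt)|base64(HMAC-SHA1(key=salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field: str, host: str) -> bool:
    """Match a known_hosts host field, plain (comma-separated names) or hashed."""
    if field.startswith("|1|"):
        _, _, salt, _ = field.split("|")
        return hmac.compare_digest(hashed_host_field(host, base64.b64decode(salt)), field)
    return host in field.split(",")

def find_host(known_hosts: str, host: str) -> list:
    """Like ssh-keygen -F: (key type, fingerprint) of every entry naming host."""
    found = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not line.startswith("#") and host_matches(parts[0], host):
            found.append((parts[1], fingerprint(parts[2])))
    return found

def check_scan(known_hosts: str, keyscan_line: str) -> str:
    """Compare one ssh-keyscan output line against known_hosts: 'match' (same key on
    file), 'changed' (a different key of that type is on file; investigate before
    running ssh-keygen -R) or 'unknown' (host not on file)."""
    host, ktype, blob = keyscan_line.split()[:3]
    on_file = [fp for t, fp in find_host(known_hosts, host) if t == ktype]
    if not on_file:
        return "unknown"
    return "match" if fingerprint(blob) in on_file else "changed"

# Constructed sample data (not real hosts or keys): two ed25519 blobs laid out as
# string "ssh-ed25519" + string <32 key bytes>; one plain and one hashed entry.
KEY_A = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode()
KEY_B = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "server,10.0.0.5 ssh-ed25519 " + KEY_A,
    hashed_host_field("git.example.test", b"constructed-salt-20b") + " ssh-ed25519 " + KEY_B,
])
```

A "changed" result for a host you did not knowingly rebuild deserves an out-of-band fingerprint comparison with the server's administrator, not a reflexive ssh-keygen -R.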
2018 - Élő László hello at bald dot cat