ssh-keygen

authentication key generation, management and conversion

ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment] [-f output_keyfile]
ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
ssh-keygen -i|e [-f keyfile]
(import|export)

ssh-keygen -y [-f keyfile] (yank private OpenSSH, output public key)
ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]

ssh-keygen -l [-f keyfile]
(list fingerprint)
ssh-keygen -B [-f keyfile]
(show bubblebabble)
ssh-keygen -F hostname [-f known_hosts_file] [-l]
(find host)

ssh-keygen -H [-f known_hosts_file]
(hash it)
ssh-keygen -R hostname [-f known_hosts_file]
(remove host)
ssh-keygen -D|U reader
(download|upload to reader)
ssh-keygen -r hostname [-f input_keyfile] [-g]
(reveal fingerprint)

Generates the key and asks for a file for the private key. The public key is stored in a file with the same name and .pub appended.

WARNING: With SSH keys, if someone gains access to your computer, they also gain access to every system that uses that key.
To add an extra layer of security, add a passphrase.
Use ssh-agent to securely save the passphrase so you don't have to reenter it.
The passphrase may be a string of arbitrary length and is changed using -p. Like a password, it can be a phrase of words, punctuation, numbers, whitespace, or any string.

For RSA1 keys a comment field helps identify the key; it is changed using -c.

-t RSA|DSA|ECDSA|Ed25519
RSA vs DSA (when in doubt pick DSA IMHO) Digital Signature Algorithm vs Ron Rivest, Adi Shamir, and Leonard Adleman.
Gory details can be found here
-a rounds When saving a private key, the number of KDF rounds. Default: 16. Higher values make passphrase verification slower and the key more resistant to brute-force attacks.
-b bits Number of bits in the key. For RSA the minimum is 768 and the default is 2048 bits. DSA: 1024. ECDSA: 256 | 384 | 521.
-C comment Provide comment for RSA1
-c Change comment. Prompts for details.
-D reader Download the RSA public key to a smartcard in reader.
-U reader Upload an existing RSA private key into the smartcard in reader.
-e export key in RFC 4716 SSH Public Key File Format to stdout
ssh-keygen -e
Enter file in which the key is (/Volumes/DATA/username/.ssh/id_rsa): 
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by username@smacpro from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDWb/oxOZjP0NE9x3WXylzw8qdUMExmw776i+84mJ
jzBOM8skMaR2j4xXD+Dt3UFS1ZUzh4oRkFIx7LR6nKt5xm4Yd5uZVB/Yj3K7b6FDjSoJcO
ld02toxP46NT87dYIhNazH2J0kDW9tym5thxbUqC3gltxGJmuJo9WT6ySLqqC5HyPF5i/v
g/b00FBldllze9Wb6o2nLV9i7aeADMY3prFxPV1w33qOxGJGQTLwYvRmu893TVuLCJj9IK
ptJp/n+SellVr0pf9aNimyfDb9Sq3HFpOZGxMwgWjsyWx4Xjwy9r66bvuznfYqECoJKvCS
yEJMFUGpSx0y0v8dUl9C1T
---- END SSH2 PUBLIC KEY ----
-F hostname Find hostname in known_hosts. Useful to find hashed host names or addresses; may also be used with -H.
-H Hash known_hosts; the original is moved to .old.
-R hostname Removes keys from the known_hosts file; useful to delete hashed hosts.
-i Reads an unencrypted private key file or RFC 4716 public key and outputs an OpenSSH-compatible key to stdout.
-f filename key file.
-l list fingerprint of specified public key file.
With -v, an ASCII art representation of the key is also output.
-B file Show the bubblebabble digest
-p file Requests changing the passphrase of a private key file instead of creating a new private key. Prompts for the file containing the private key, for the old passphrase, and twice for the new passphrase.
-N new‑passphrase
-P current passphrase
-q quiet (Used by /etc/rc when creating a new key.)
-r hostname reveal the SSHFP fingerprint resource record named hostname for the specified public key file. More at StackExchange
Default .ssh/id_rsa
 > ssh-keygen -r midphase.com
no keys found.

     
-g Use generic DNS format when outputting fingerprint resource records using -r
-y yank private file and output public key to stdout.
ssh-keygen -y
Enter file in which the key is (/Volumes/DATA/username/.ssh/id_rsa): 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB
SellVr0pf9aNixxxxx9Sq3HFpOZGmMwnfYqECoJKvCSyEJMFUGpSx0y0v8dUl9C1T 

 > ssh-keygen    
Generating public/private rsa key pair.
Enter file in which to save the key (/Volumes/DATA/username/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Volumes/DATA/username/.ssh/id_rsa.
Your public key has been saved in /Volumes/DATA/username/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:oTvL+IaG8Hpe1D862lBRr7RMsqfEZtMaUymJVX/OLdY username@smacpro
The key's randomart image is:
+---[RSA 2048]----+
|      ..o        |
|     o o +       |
|    . = * o .    |
|     o % + + o   |
|    . & S   = E  |
|.  . = X   . .   |
| . o..= o        |
|  +.==o+ .       |
|.+..o+*.         |
+----[SHA256]-----+

> ssh-keygen -B
Enter file in which the key is (/Volumes/DATA/username/.ssh/id_rsa): 
2048 xugel-tymes-mopal-vyzoz-xxxxx-yyyyy-zzzzz-fucyc-kehip-nelef-vuxyx username@clienthost (RSA) 

> ssh-keygen -l
Enter file in which the key is (/Volumes/DATA/username/.ssh/id_rsa): 
2048 SHA256:oTvL+xxxxxxxxxx62yyyyyyyyyyEZtMaUymJVX/OLdY username@clienthost (RSA)
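
The -e, -i and -l outputs shown above are all views of the same public key blob. The following is an added example, not part of the original page or of OpenSSH: it wraps a blob in RFC 4716 form, parses it back, emits the OpenSSH one-line form and computes the SHA256 fingerprint. The function names and the sample blob are assumptions made for illustration.

```python
import base64
import hashlib
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def export_rfc4716(blob: bytes, comment: str) -> str:
    """Wrap a raw public key blob the way `ssh-keygen -e` prints it (70-char lines)."""
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([BEGIN, 'Comment: "%s"' % comment, *body, END]) + "\n"

def import_rfc4716(text: str):
    """Return (headers, blob); raises ValueError on malformed input."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 begin/end markers")
    headers, body, i = {}, lines[1:-1], 0
    while i < len(body) and ":" in body[i]:  # base64 never contains ':'
        tag, value = body[i].split(":", 1)
        while value.endswith("\\") and i + 1 < len(body):  # continued header line
            i += 1
            value = value[:-1] + body[i]
        headers[tag.strip().lower()] = value.strip().strip('"')
        i += 1
    return headers, base64.b64decode("".join(body[i:]), validate=True)

def key_type(blob: bytes) -> str:
    """The blob starts with a length-prefixed algorithm name, e.g. ssh-rsa."""
    (length,) = struct.unpack(">I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError("truncated key blob")
    return blob[4:4 + length].decode("ascii")

def openssh_line(blob: bytes, comment: str) -> str:
    """One-line form used in id_*.pub and authorized_keys."""
    return "%s %s %s" % (key_type(blob), base64.b64encode(blob).decode(), comment)

def fingerprint_sha256(blob: bytes) -> str:
    """Same form as `ssh-keygen -l`: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed sample: an Ed25519-shaped blob with dummy key bytes (not a real key).
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519" +
               struct.pack(">I", 32) + bytes(range(32)))

if __name__ == "__main__":
    headers, blob = import_rfc4716(export_rfc4716(SAMPLE_BLOB, "constructed sample"))
    print(openssh_line(blob, headers["comment"]))
    print(fingerprint_sha256(blob))
```

Comparing a fingerprint computed this way against the one the server operator publishes out of band is the check that makes the first connection trustworthy.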

Next, copy the key to the server; see ssh.
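
How the -H, -F and -R options described above deal with hashed known_hosts entries, as an added example that is not part of the original page or of OpenSSH. A hashed host field has the form |1|salt|mac, where mac is HMAC-SHA1 of the host name keyed with the salt; the function names, fixed salt and sample lines are assumptions, and only literal host names (no patterns) are handled.

```python
import base64
import hashlib
import hmac

def hash_host(hostname: str, salt: bytes) -> str:
    """Build the '|1|salt|mac' token that replaces a host name after hashing."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(hosts_field: str, hostname: str) -> bool:
    """True if a known_hosts host field (hashed or plain list) names hostname."""
    if not hosts_field.startswith("|1|"):
        return hostname in hosts_field.split(",")  # literal names only, no patterns
    try:
        _, _, salt_b64, mac_b64 = hosts_field.split("|")
        salt = base64.b64decode(salt_b64, validate=True)
        stored = base64.b64decode(mac_b64, validate=True)
    except ValueError:  # wrong field count or invalid base64
        return False
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(stored, expected)

def find_host(lines, hostname):
    """Like -F: return (line_number, key_type) for every entry naming hostname."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) >= 2 and host_matches(fields[0], hostname):
            hits.append((number, fields[1]))
    return hits

def remove_host(lines, hostname):
    """Like -R: return the lines that do not name hostname."""
    drop = {number for number, _ in find_host(lines, hostname)}
    return [ln for n, ln in enumerate(lines, start=1) if n not in drop]

# Constructed sample data: fixed salt and placeholder key blobs, not real hosts or keys.
SALT = bytes(range(20))  # ssh-keygen -H uses a random salt for each entry
SAMPLE = [
    "# constructed known_hosts sample",
    hash_host("bastion.example.com", SALT) + " ssh-ed25519 PLACEHOLDER_KEY_BLOB",
    "git.example.com,192.0.2.10 ssh-rsa PLACEHOLDER_KEY_BLOB",
    "@revoked " + hash_host("old.example.com", SALT) + " ssh-rsa PLACEHOLDER_KEY_BLOB",
]

if __name__ == "__main__":
    print(find_host(SAMPLE, "bastion.example.com"))
```

Because the salt is stored next to the MAC, hashing hides host names from casual reading of the file but still lets anyone test a guessed name against an entry, which is exactly what -F does.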

FILES

~/.ssh/identity version 1 RSA authentication identity of the user. Must not be readable by group or others. A passphrase can be specified when generating the key; it is used to encrypt the private part using 3DES. Not automatically accessed by ssh-keygen, but it is the default file for the private key. Read by ssh at login.
~/.ssh/identity.pub version 1 RSA public key. Add to ~/.ssh/authorized_keys
~/.ssh/id_dsa version 2 DSA authentication identity of the user. Must not be readable by group or others. A passphrase can be specified when generating the key; it is used to encrypt the private part of this file using 3DES. Not automatically accessed by ssh-keygen, but it is the default file for the private key. Read by ssh at login.
~/.ssh/id_dsa.pub version 2 DSA public key. Add to ~/.ssh/authorized_keys
~/.ssh/id_rsa version 2 RSA authentication identity of the user. Must not be readable by group or others. A passphrase can be specified when generating the key; it is used to encrypt the private part of this file using 3DES. Not automatically accessed by ssh-keygen, but it is the default file for the private key. Read by ssh at login.
~/.ssh/id_rsa.pub version 2 RSA public key. Add to ~/.ssh/authorized_keys
/etc/ssh/moduli for DH-GEX. See moduli

ssh-agent

ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash] [-P pkcs11_whitelist] [-t lifetime] [command [arg]]
ssh-agent [-c | -s] -k

Outputs private keys used for public key authentication when logging in to other machines using ssh. Started at the beginning of a login session or an X session.

Keys are added or removed using ssh-add(1) (see AddKeysToAgent in ssh_config(5) for details).

-a bind_address Bind to socket. Default $TMPDIR/ssh-XXXXXXXXXX/agent.ppid.
-D Don't fork; run in the foreground.
-d debug
-E md5|sha256 default sha256.
-k Kill the current agent from $SSH_AGENT_PID
-P pkcs11_whitelist a pattern-list of acceptable paths for PKCS#11 shared libraries that may be added using -s to ssh-add(1).
Default: allow loading PKCS#11 libraries from /usr/lib/*,/usr/local/lib/*.
PKCS#11 libraries that do not match the whitelist will be refused. See PATTERNS in ssh_config(5) for pattern-list syntax.
-c Generate C-shell commands on stdout. Default if SHELL looks like a csh-style shell.
-s Generate Bourne shell commands on stdout. Default if SHELL does not look like a csh-style shell.
-t lifetime Maximum lifetime of identities added to the agent, in seconds or in a time format specified in sshd_config(5).
A lifetime specified for an identity with ssh-add overrides this value.
Default: forever.
With a command, the command is executed as a subprocess of the agent. When the command dies, so does the agent.