$ cheat ssh-keygen
# To generate an SSH key:
ssh-keygen -t rsa

# To generate a 4096-bit SSH key:
ssh-keygen -t rsa -b 4096

# To generate a FIDO/U2F token-backed key:
ssh-keygen -t ed25519-sk

# To generate a FIDO2 resident key:
ssh-keygen -t ed25519-sk -O resident

# To update a passphrase on a key:
ssh-keygen -p -P <old-passphrase> -N <new-passphrase> -f <keyfile>

# To remove a passphrase on a key:
ssh-keygen -p -P <old-passphrase> -N '' -f <keyfile>

# To generate a 4096-bit RSA key with a passphrase and a comment containing the user and hostname:
ssh-keygen -t rsa -b 4096 -C "$USER@$HOSTNAME" -P <passphrase>

# To print the fingerprint of a public key:
ssh-keygen -lf <keyfile>

# To print the GitHub-style (MD5) fingerprint of a public key:
ssh-keygen -E md5 -lf <keyfile>

# To download resident keys from a FIDO2 authenticator to the current directory:
ssh-keygen -K
$ tldr ssh-keygen
ssh-keygen
Generate ssh keys used for authentication, password-less logins, and other things.

- Generate a key interactively:
    ssh-keygen

- Specify file in which to save the key:
    ssh-keygen -f ~/.ssh/filename

- Generate an ed25519 key with 100 key derivation function rounds:
    ssh-keygen -t ed25519 -a 100

- Generate an RSA 4096 bit key with email as a comment:
    ssh-keygen -t rsa -b 4096 -C "email"

- Retrieve the key fingerprint from a host (useful for confirming the authenticity of the host when first connecting to it via SSH):
    ssh-keygen -l -F remote_host

- Remove the keys of a host from the known_hosts file (useful when a known host has a new key):
    ssh-keygen -R remote_host

- Retrieve the fingerprint of a key in MD5 Hex:
    ssh-keygen -l -E md5 -f ~/.ssh/filename

- Change the password of a key:
    ssh-keygen -p -f ~/.ssh/filename
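What the fingerprint commands above compute, and how to compare the result with a value obtained out of band, as an added example that is not part of the original cheat sheets or of OpenSSH. The function names and the public key line are constructed for illustration; the key bytes are not a real key.

```python
import base64
import hashlib
import hmac
import struct

def constructed_ed25519_line(raw=bytes(range(32)), comment="user@host.example"):
    """Build a well-formed public key line from constructed bytes (not a real key)."""
    ktype = b"ssh-ed25519"
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

def key_blob(line):
    """Decode the base64 field and check the type named inside it matches the text field."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4 or blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type in blob does not match declared type")
    return blob

def fingerprint(line, algo="sha256"):
    """Hash the decoded blob only; the comment field is never covered."""
    blob = key_blob(line)
    if algo == "sha256":  # default format: unpadded base64 of the digest
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if algo == "md5":     # -E md5 format: colon-separated hex
        hexd = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))
    raise ValueError("unsupported hash: " + algo)

def matches_expected(line, expected):
    """Compare against a fingerprint obtained out of band, e.g. from the host's admin."""
    algo = "md5" if expected.startswith("MD5:") else "sha256"
    return hmac.compare_digest(fingerprint(line, algo), expected)

if __name__ == "__main__":
    line = constructed_ed25519_line()
    print(fingerprint(line))
    print(fingerprint(line, "md5"))
```

Because the comment field is outside the hashed blob, two lines that differ only in the comment share a fingerprint, so the comment is not evidence of who owns a key.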
$ man ssh-keygen
SSH-KEYGEN(1)             BSD General Commands Manual            SSH-KEYGEN(1)

NAME
     ssh-keygen -- authentication key generation, management and conversion

SYNOPSIS
     ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format]
                [-N new_passphrase] [-t dsa | ecdsa | ed25519 | rsa]
     ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase]
                [-P old_passphrase]
     ssh-keygen -i [-f input_keyfile] [-m key_format]
     ssh-keygen -e [-f input_keyfile] [-m key_format]
     ssh-keygen -y [-f input_keyfile]
     ssh-keygen -c [-C comment] [-f keyfile] [-P passphrase]
     ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
     ssh-keygen -B [-f input_keyfile]
     ssh-keygen -D pkcs11
     ssh-keygen -F hostname [-lv] [-f known_hosts_file]
     ssh-keygen -H [-f known_hosts_file]
     ssh-keygen -R hostname [-f known_hosts_file]
     ssh-keygen -r hostname [-g] [-f input_keyfile]
     ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
     ssh-keygen -f input_file -T output_file [-v] [-a rounds] [-J num_lines]
                [-j start_line] [-K checkpt] [-W generator]
     ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
                [-n principals] [-O option] [-V validity_interval]
                [-z serial_number] file ...
     ssh-keygen -L [-f input_keyfile]
     ssh-keygen -A [-f prefix_path]
     ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
                file ...
     ssh-keygen -Q -f krl_file file ...
     ssh-keygen -Y check-novalidate -n namespace -s signature_file
     ssh-keygen -Y sign -f key_file -n namespace file ...
     ssh-keygen -Y verify -f allowed_signers_file -I signer_identity
                -n namespace -s signature_file [-r revocation_file]

DESCRIPTION
     ssh-keygen generates, manages and converts authentication keys for
     ssh(1).  ssh-keygen can create keys for use by SSH protocol version 2.

     The type of key to be generated is specified with the -t option.  If
     invoked without any arguments, ssh-keygen will generate an RSA key.

     ssh-keygen is also used to generate groups for use in Diffie-Hellman
     group exchange (DH-GEX).  See the MODULI GENERATION section for details.

     Finally, ssh-keygen can be used to generate and update Key Revocation
     Lists, and to test whether given keys have been revoked by one.  See the
     KEY REVOCATION LISTS section for details.
$ cheat ssh-add
# To add private key:
ssh-add <keyfile>

# To load resident keys from FIDO2 authenticator:
ssh-add -K

# To list all public keys:
ssh-add -L

# To list fingerprints of all keys:
ssh-add -l

# To delete key:
ssh-add -d <keyfile>

# To delete all keys:
ssh-add -D
$ tldr ssh-add
ssh-add
Manage loaded ssh keys in the ssh-agent.
Ensure that ssh-agent is up and running for the keys to be loaded in it.

- Add the default ssh keys in "~/.ssh" to the ssh-agent:
    ssh-add

- Add a specific key to the ssh-agent:
    ssh-add path/to/private_key

- List fingerprints of currently loaded keys:
    ssh-add -l

- Delete a key from the ssh-agent:
    ssh-add -d path/to/private_key

- Delete all currently loaded keys from the ssh-agent:
    ssh-add -D

- Add a key to the ssh-agent and the keychain:
    ssh-add -K path/to/private_key
$ man ssh-add
SSH-ADD(1)                BSD General Commands Manual               SSH-ADD(1)

NAME
     ssh-add -- adds private key identities to the authentication agent

SYNOPSIS
     ssh-add [-cDdkLlqvXx] [-E fingerprint_hash] [-t life] [file ...]
     ssh-add -s pkcs11
     ssh-add -e pkcs11
     ssh-add -T pubkey ...

DESCRIPTION
     ssh-add adds private key identities to the authentication agent,
     ssh-agent(1).  When run without arguments, it adds the files
     ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, and ~/.ssh/id_ed25519.
     After loading a private key, ssh-add will try to load corresponding
     certificate information from the filename obtained by appending -cert.pub
     to the name of the private key file.  Alternative file names can be given
     on the command line.

     If any file requires a passphrase, ssh-add asks for the passphrase from
     the user.  The passphrase is read from the user's tty.  ssh-add retries
     the last passphrase if multiple identity files are given.
$ ssh-add --help
ssh-add: illegal option -- -
usage: ssh-add [options] [file ...]
Options:
  -l          List fingerprints of all identities.
  -E hash     Specify hash algorithm used for fingerprints.
  -L          List public key parameters of all identities.
  -k          Load only keys and not certificates.
  -c          Require confirmation to sign using identities
  -m minleft  Maxsign is only changed if less than minleft are left (for XMSS)
  -M maxsign  Maximum number of signatures allowed (for XMSS)
  -t life     Set lifetime (in seconds) when adding identities.
  -d          Delete identity.
  -D          Delete all identities.
  -x          Lock agent.
  -X          Unlock agent.
  -s pkcs11   Add keys from PKCS#11 provider.
  -e pkcs11   Remove keys provided by PKCS#11 provider.
  -T pubkey   Test if ssh-agent can access matching private key.
  -q          Be quiet after a successful operation.
  -A          Add all identities stored in your keychain.
  -K          Store passphrases in your keychain.
              With -d, remove passphrases from your keychain.