Generating an SSH Key and Using the SSH Agent on macOS

ssh-keygen

$ cheat ssh-keygen

# To generate an SSH key:
ssh-keygen -t rsa

# To generate a 4096-bit SSH key:
ssh-keygen -t rsa -b 4096

# To generate a FIDO/U2F token-backed key:
ssh-keygen -t ed25519-sk

# To generate a FIDO2 resident key:
ssh-keygen -t ed25519-sk -O resident

# To update a passphrase on a key:
ssh-keygen -p -P <old-passphrase> -N <new-passphrase> -f <keyfile>

# To remove a passphrase on a key:
ssh-keygen -p -P <old-passphrase> -N '' -f <keyfile>

# To generate a 4096-bit RSA key with a passphrase and a comment containing the user and hostname:
ssh-keygen -t rsa -b 4096 -C "$USER@$HOSTNAME" -P <passphrase>

# To print the fingerprint of a public key:
ssh-keygen -lf <keyfile>

# To print the Github-style (MD5) fingerprint of a public key:
ssh-keygen -E md5 -lf <keyfile>

# To download resident keys from a FIDO2 authenticator to the current directory:
ssh-keygen -K

$ tldr ssh-keygen

  ssh-keygen

  Generate ssh keys used for authentication, password-less logins, and other things.

  - Generate a key interactively:
    ssh-keygen

  - Specify file in which to save the key:
    ssh-keygen -f ~/.ssh/filename

  - Generate an ed25519 key with 100 key derivation function rounds:
    ssh-keygen -t ed25519 -a 100

  - Generate an RSA 4096 bit key with email as a comment:
    ssh-keygen -t rsa -b 4096 -C "email"

  - Retrieve the key fingerprint from a host (useful for confirming the authenticity of the host when first connecting to it via SSH):
    ssh-keygen -l -F remote_host

  - Remove the keys of a host from the known_hosts file (useful when a known host has a new key):
    ssh-keygen -R remote_host

  - Retrieve the fingerprint of a key in MD5 Hex:
    ssh-keygen -l -E md5 -f ~/.ssh/filename

  - Change the password of a key:
    ssh-keygen -p -f ~/.ssh/filename

$ man ssh-keygen

SSH-KEYGEN(1)             BSD General Commands Manual            SSH-KEYGEN(1)

NAME
     ssh-keygen -- authentication key generation, management and conversion

SYNOPSIS
     ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format] [-N new_passphrase] [-t dsa | ecdsa | ed25519 | rsa]
     ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase] [-P old_passphrase]
     ssh-keygen -i [-f input_keyfile] [-m key_format]
     ssh-keygen -e [-f input_keyfile] [-m key_format]
     ssh-keygen -y [-f input_keyfile]
     ssh-keygen -c [-C comment] [-f keyfile] [-P passphrase]
     ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
     ssh-keygen -B [-f input_keyfile]
     ssh-keygen -D pkcs11
     ssh-keygen -F hostname [-lv] [-f known_hosts_file]
     ssh-keygen -H [-f known_hosts_file]
     ssh-keygen -R hostname [-f known_hosts_file]
     ssh-keygen -r hostname [-g] [-f input_keyfile]
     ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
     ssh-keygen -f input_file -T output_file [-v] [-a rounds] [-J num_lines] [-j start_line] [-K checkpt] [-W generator]
     ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider] [-n principals] [-O option] [-V validity_interval]
                [-z serial_number] file ...
     ssh-keygen -L [-f input_keyfile]
     ssh-keygen -A [-f prefix_path]
     ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ...
     ssh-keygen -Q -f krl_file file ...
     ssh-keygen -Y check-novalidate -n namespace -s signature_file
     ssh-keygen -Y sign -f key_file -n namespace file ...
     ssh-keygen -Y verify -f allowed_signers_file -I signer_identity -n namespace -s signature_file [-r revocation_file]

DESCRIPTION
     ssh-keygen generates, manages and converts authentication keys for ssh(1).  ssh-keygen can create keys for use by SSH protocol
     version 2.

     The type of key to be generated is specified with the -t option.  If invoked without any arguments, ssh-keygen will generate an RSA
     key.

     ssh-keygen is also used to generate groups for use in Diffie-Hellman group exchange (DH-GEX).  See the MODULI GENERATION section for
     details.

     Finally, ssh-keygen can be used to generate and update Key Revocation Lists, and to test whether given keys have been revoked by
     one.  See the KEY REVOCATION LISTS section for details.

ssh-add

$ cheat ssh-add
# To add private key:
ssh-add <keyfile>

# To load resident keys from FIDO2 authenticator:
ssh-add -K

# To list all public keys:
ssh-add -L

# To list fingerprints of all keys:
ssh-add -l

# To delete key:
ssh-add -d <keyfile>

# To delete all keys:
ssh-add -D

$ tldr ssh-add

  ssh-add

  Manage loaded ssh keys in the ssh-agent.
  Ensure that ssh-agent is up and running for the keys to be loaded in it.

  - Add the default ssh keys in "~/.ssh" to the ssh-agent:
    ssh-add

  - Add a specific key to the ssh-agent:
    ssh-add path/to/private_key

  - List fingerprints of currently loaded keys:
    ssh-add -l

  - Delete a key from the ssh-agent:
    ssh-add -d path/to/private_key

  - Delete all currently loaded keys from the ssh-agent:
    ssh-add -D

  - Add a key to the ssh-agent and the keychain:
    ssh-add -K path/to/private_key

$ man ssh-add

SSH-ADD(1)                BSD General Commands Manual               SSH-ADD(1)

NAME
     ssh-add -- adds private key identities to the authentication agent

SYNOPSIS
     ssh-add [-cDdkLlqvXx] [-E fingerprint_hash] [-t life] [file ...]
     ssh-add -s pkcs11
     ssh-add -e pkcs11
     ssh-add -T pubkey ...

DESCRIPTION
     ssh-add adds private key identities to the authentication agent, ssh-agent(1).  When run without
     arguments, it adds the files ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, and ~/.ssh/id_ed25519.
     After loading a private key, ssh-add will try to load corresponding certificate information from the
     filename obtained by appending -cert.pub to the name of the private key file.  Alternative file names
     can be given on the command line.

     If any file requires a passphrase, ssh-add asks for the passphrase from the user.  The passphrase is
     read from the user's tty.  ssh-add retries the last passphrase if multiple identity files are given.

$ ssh-add --help
ssh-add: illegal option -- -
usage: ssh-add [options] [file ...]
Options:
  -l          List fingerprints of all identities.
  -E hash     Specify hash algorithm used for fingerprints.
  -L          List public key parameters of all identities.
  -k          Load only keys and not certificates.
  -c          Require confirmation to sign using identities
  -m minleft  Maxsign is only changed if less than minleft are left (for XMSS)
  -M maxsign  Maximum number of signatures allowed (for XMSS)
  -t life     Set lifetime (in seconds) when adding identities.
  -d          Delete identity.
  -D          Delete all identities.
  -x          Lock agent.
  -X          Unlock agent.
  -s pkcs11   Add keys from PKCS#11 provider.
  -e pkcs11   Remove keys provided by PKCS#11 provider.
  -T pubkey   Test if ssh-agent can access matching private key.
  -q          Be quiet after a successful operation.
  -A          Add all identities stored in your keychain.
  -K          Store passphrases in your keychain.
              With -d, remove passphrases from your keychain.
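The fingerprint lines that `ssh-keygen -lf`, `ssh-keygen -E md5 -lf` and `ssh-add -l` print all come from the same input: the raw public key blob (the base64 part of a .pub line, or the blob the agent returns in its identities answer). The script below is an added example written for this page, not code from the cheat sheets, tldr, or OpenSSH; it decodes a public key blob, derives the bit size the way `ssh-keygen -l` reports it, computes both the SHA256 and the legacy MD5 fingerprint formats, and parses a constructed SSH_AGENT_IDENTITIES_ANSWER message of the kind `ssh-add -l` receives. Every key in it is made of arbitrary constructed bytes (an ed25519 "key" of bytes 0..31 and an RSA "modulus" of 2^4095 + 1), chosen only to exercise the encoding; none is real key material.

```python
# Added example (not from the page's cheat sheets or from OpenSSH): how the
# fingerprints printed by `ssh-keygen -l` / `ssh-add -l` are derived from an
# OpenSSH public key blob, and what `-E md5` changes. All keys below are
# constructed sample bytes, not real credentials.
import base64
import hashlib
import struct

def read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n

def write_string(b):
    return struct.pack(">I", len(b)) + b

def write_mpint(n):
    """Encode a non-negative integer as an SSH mpint (extra 0x00 if the top bit is set)."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return write_string(b)

def key_bits(blob):
    """Return (key type, size in bits) the way ssh-keygen -l reports them."""
    ktype, off = read_string(blob, 0)
    ktype = ktype.decode()
    if ktype == "ssh-ed25519":
        return ktype, 256
    if ktype == "ssh-rsa":
        _e, off = read_string(blob, off)   # public exponent, not needed for the size
        n, _ = read_string(blob, off)      # modulus: its bit length is the key size
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype.startswith("ecdsa-sha2-nistp"):
        return ktype, int(ktype[len("ecdsa-sha2-nistp"):])
    raise ValueError(f"unsupported key type {ktype}")

def fingerprint_sha256(blob):
    """Default format: 'SHA256:' + base64 of the SHA-256 digest with '=' padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprint_md5(blob):
    """Legacy `-E md5` format: 'MD5:' + colon-separated lowercase hex bytes."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def parse_pubkey_line(line):
    """Parse a '<type> <base64 blob> [comment]' line as found in a .pub file."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected key type and key data")
    blob = base64.b64decode(parts[1], validate=True)
    inner_type, _ = read_string(blob, 0)
    if inner_type.decode() != parts[0]:
        raise ValueError("key type prefix does not match the encoded blob")
    return blob, (parts[2].strip() if len(parts) == 3 else "")

def describe(blob, comment, hash_alg="sha256"):
    """Render one '<bits> <fingerprint> <comment> (<TYPE>)' line like ssh-keygen -l."""
    ktype, bits = key_bits(blob)
    fp = fingerprint_md5(blob) if hash_alg == "md5" else fingerprint_sha256(blob)
    label = {"ssh-ed25519": "ED25519", "ssh-rsa": "RSA"}.get(ktype, "ECDSA")
    return f"{bits} {fp} {comment or 'no comment'} ({label})"

# ssh-add -l asks the agent for SSH_AGENT_IDENTITIES_ANSWER (message type 12):
# byte 12, uint32 count, then (string blob, string comment) for each key.
def build_identities_answer(identities):
    msg = bytes([12]) + struct.pack(">I", len(identities))
    for blob, comment in identities:
        msg += write_string(blob) + write_string(comment.encode())
    return msg

def parse_identities_answer(msg):
    if not msg or msg[0] != 12:
        raise ValueError("not an SSH_AGENT_IDENTITIES_ANSWER")
    (count,) = struct.unpack(">I", msg[1:5])
    off, out = 5, []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        out.append((blob, comment.decode()))
    return out

# Constructed sample keys: arbitrary bytes, not real key material.
ED25519_BLOB = write_string(b"ssh-ed25519") + write_string(bytes(range(32)))
SAMPLE_ED25519_LINE = "ssh-ed25519 " + base64.b64encode(ED25519_BLOB).decode() + " alice@laptop"
RSA4096_BLOB = write_string(b"ssh-rsa") + write_mpint(65537) + write_mpint((1 << 4095) | 1)

if __name__ == "__main__":
    blob, comment = parse_pubkey_line(SAMPLE_ED25519_LINE)
    print(describe(blob, comment))          # compare: ssh-keygen -lf key.pub
    print(describe(blob, comment, "md5"))   # compare: ssh-keygen -E md5 -lf key.pub
    answer = build_identities_answer([(blob, comment), (RSA4096_BLOB, "")])
    for b, c in parse_identities_answer(answer):
        print(describe(b, c))               # compare: ssh-add -l
```

Two points worth noticing when comparing the output against the real tools: the fingerprint hashes the whole blob (type string included), so an ed25519 key and an RSA key can never share a fingerprint even if their key bytes happened to match, and the "bits" column for RSA is the modulus length, which is why `ssh-keygen -t rsa -b 4096` shows up as 4096 while every ed25519 key shows 256. The MD5 form remains useful only for matching fingerprints displayed by older tools and hosting services that still show it; for confirming a host or key identity out of band, compare the SHA256 form.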
