
ssh-keygen Command Cheat Sheet

ssh-keygen generates, manages, and converts authentication keys for ssh.


Synopsis

ssh-keygen [options]

Generating Keys

Interactive (Default)

Creates an RSA key on most older systems, where RSA is the default key type.

ssh-keygen

Ed25519

Modern, secure, and fast.

ssh-keygen -t ed25519 -C "myemail@example.com"

RSA 4096-bit

Use this if you need legacy compatibility but still want security.

ssh-keygen -t rsa -b 4096 -C "comment"

Managing Known Hosts

Remove a Host (-R)

Use this if a server was re-imaged and you get the "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" error. It removes the old host key entry from known_hosts.

ssh-keygen -R hostname
ssh-keygen -R 192.168.1.50

Hash Known Hosts (-H)

Protect privacy by hashing hostnames in ~/.ssh/known_hosts.

ssh-keygen -H -f ~/.ssh/known_hosts

Viewing Keys

Show Fingerprint (-l)

Check the fingerprint of a public key.

ssh-keygen -l -f ~/.ssh/id_rsa.pub

Show ASCII Art (-v)

Visual fingerprint (Randomart).

ssh-keygen -lv -f ~/.ssh/id_rsa.pub

Changing Passphrase (-p)

Change the passphrase of a private key without regenerating it.

ssh-keygen -p -f ~/.ssh/id_rsa

Extract Public Key from Private (-y)

Use this if you lost your .pub file but still have the private key.

ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

Notes

  • Permissions: Private keys generally need 600 permissions.
  • Algorithms: Avoid dsa (deprecated/insecure). Use ed25519 or rsa (>= 3072 bits).
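
The notes above can be checked mechanically. The following POSIX shell script is an added example, not part of the original cheat sheet: it classifies the output of ssh-keygen -l -f against the algorithm note and checks private key permissions. The function names and the script name are hypothetical, and key types the notes do not mention are reported as unknown rather than judged.

```shell
#!/bin/sh
# classify_key LINE: LINE is one line of `ssh-keygen -l -f key.pub` output,
# e.g. "3072 SHA256:<hash> comment (RSA)". Prints a verdict and a reason.
classify_key() {
    line=$1
    bits=${line%% *}      # first field: key size in bits
    type=${line##*\(}     # text after the last "(" (comments may contain spaces)
    type=${type%\)}       # drop the closing ")"
    case $bits in
        ''|*[!0-9]*) echo "unknown: unparsable line"; return 0 ;;
    esac
    case $type in
        DSA)     echo "weak: dsa is deprecated" ;;
        ED25519) echo "ok: ed25519" ;;
        RSA)
            if [ "$bits" -ge 3072 ]; then
                echo "ok: rsa $bits"
            else
                echo "weak: rsa $bits < 3072"
            fi ;;
        *)       echo "unknown: $type is not covered by the notes" ;;
    esac
}

# private_key_mode_ok FILE: succeeds when group and others have no access
# (600 or 400). GNU stat is tried first, then the BSD/macOS form.
private_key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case $mode in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_dir [DIR]: report on every *.pub in DIR and its matching private key.
audit_dir() {
    dir=${1:-$HOME/.ssh}
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue
        printf '%s: %s\n' "$pub" "$(classify_key "$(ssh-keygen -l -f "$pub")")"
        priv=${pub%.pub}
        if [ -f "$priv" ] && ! private_key_mode_ok "$priv"; then
            printf '%s: weak: group/other can access the private key\n' "$priv"
        fi
    done
}

# Run as: sh audit_keys.sh audit [DIR]   (the script name is hypothetical)
if [ "${1:-}" = "audit" ]; then audit_dir "${2:-$HOME/.ssh}"; fi
```

Any key reported as weak can be replaced with the Ed25519 or RSA 4096-bit commands from the Generating Keys section.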