What exactly does `ssh-keygen -A` do?

Question

$ ssh-keygen --help
ssh-keygen: unrecognized option: -
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]
              [-N new_passphrase] [-C comment] [-f output_keyfile]
   ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
   ssh-keygen -i [-m key_format] [-f input_keyfile]
   ssh-keygen -e [-m key_format] [-f input_keyfile]
   ssh-keygen -y [-f input_keyfile]
   ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
   ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
   ssh-keygen -B [-f input_keyfile]
   ssh-keygen -D pkcs11
   ssh-keygen -F hostname [-f known_hosts_file] [-l]
   ssh-keygen -H [-f known_hosts_file]
   ssh-keygen -R hostname [-f known_hosts_file]
   ssh-keygen -r hostname [-f input_keyfile] [-g]
   ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
   ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]
              [-j start_line] [-K checkpt] [-W generator]
   ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]
              [-O option] [-V validity_interval] [-z serial_number] file ...
   ssh-keygen -L [-f input_keyfile]
   ssh-keygen -A
   ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
              file ...
   ssh-keygen -Q -f krl_file file ...

You may notice that ssh-keygen -A is conspicuously missing documentation.

$ ssh-keygen -A
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519 

It appears to be generating (A)ll the key files, but I don't see any keys in /root/.ssh/. Just to confirm, I ran ssh-keygen with no options, entered through all the prompts, and I had keys as expected.

So the question is, "What exactly is happening?"

Answer 1

This is documented in the ssh-keygen manual:

-A

For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This is used by system administration scripts to generate new host keys.

So, if your system does not already have host keys, ssh-keygen -A will create them. Recreating the host keys will cause your SSH client to complain about the key fingerprint for the host having changed the next time you connect to the machine, and ...

Are you sure you want to continue connecting (yes/no)? 

(assuming you have previously connected successfully to the machine with SSH)

Answer 2

I suspect that part of the question being asked is where ssh-keygen -A stores the result, a question I was trying to ask myself, and think I've answered.

You can fairly quickly see where the results are stored on your system by running the "ssh-keygen -A" command as a regular user (NOT ROOT): then the permissions will stop you actually re-writing anything:

user> ssh-keygen -A
ssh-keygen: generating new host keys: RSA1 open /etc/ssh/ssh_host_key failed: Permission denied.
Saving the key failed: /etc/ssh/ssh_host_key.
ssh-keygen: generating new host keys: ED25519 open /etc/ssh/ssh_host_ed25519_key failed: Permission denied.
Saving the key failed: /etc/ssh/ssh_host_ed25519_key.

showing that the system wide keys are stored in /etc/ssh. This is configurable via the sshd_config file:

user> grep etc/ssh /etc/ssh/sshd_config 
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key