What exactly does `ssh-keygen -A` do?

$ ssh-keygen --help
ssh-keygen: unrecognized option: -
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]
              [-N new_passphrase] [-C comment] [-f output_keyfile]
   ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
   ssh-keygen -i [-m key_format] [-f input_keyfile]
   ssh-keygen -e [-m key_format] [-f input_keyfile]
   ssh-keygen -y [-f input_keyfile]
   ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
   ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
   ssh-keygen -B [-f input_keyfile]
   ssh-keygen -D pkcs11
   ssh-keygen -F hostname [-f known_hosts_file] [-l]
   ssh-keygen -H [-f known_hosts_file]
   ssh-keygen -R hostname [-f known_hosts_file]
   ssh-keygen -r hostname [-f input_keyfile] [-g]
   ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
   ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]
              [-j start_line] [-K checkpt] [-W generator]
   ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]
              [-O option] [-V validity_interval] [-z serial_number] file ...
   ssh-keygen -L [-f input_keyfile]
   ssh-keygen -A
   ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
              file ...
   ssh-keygen -Q -f krl_file file ...

You may notice that ssh-keygen -A is conspicuously missing documentation.

$ ssh-keygen -A
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519 

It appears to be generating (A)ll the key files, but I don't see any keys in /root/.ssh/. Just to confirm, I ran ssh-keygen with no options, entered through all the prompts, and I had keys as expected.

So the question is, "What exactly is happening?"

Zak asked Feb 26 '18 08:02


2 Answers

This is documented in the ssh-keygen manual:

-A

For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This is used by system administration scripts to generate new host keys.

So, if your system does not already have host keys, ssh-keygen -A will create them. Recreating the host keys will cause your SSH client to complain about the key fingerprint for the host having changed the next time you connect to the machine, and ...

Are you sure you want to continue connecting (yes/no)? 

(assuming you have previously connected successfully to the machine with SSH)

Kusalananda answered Sep 27 '22 20:09


I suspect that part of the question being asked is where ssh-keygen -A stores the result, a question I was trying to ask myself, and I think I've answered.

You can fairly quickly see where the results are stored on your system by running the "ssh-keygen -A" command as a regular user (NOT ROOT); the permissions will then stop you actually re-writing anything:

user> ssh-keygen -A
ssh-keygen: generating new host keys: RSA1 open /etc/ssh/ssh_host_key failed: Permission denied.
Saving the key failed: /etc/ssh/ssh_host_key.
ssh-keygen: generating new host keys: ED25519 open /etc/ssh/ssh_host_ed25519_key failed: Permission denied.
Saving the key failed: /etc/ssh/ssh_host_ed25519_key.

showing that the system-wide keys are stored in /etc/ssh. This is configurable via the sshd_config file:

user> grep etc/ssh /etc/ssh/sshd_config 
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

David answered Sep 27 '22 20:09
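As an added example (not code from either answer), a small Python audit that reads the HostKey lines from an sshd_config (falling back to sshd's documented defaults when none are set) and reports which private host key files exist with owner-only permissions, which are missing and would therefore be created by ssh-keygen -A, and which are readable by other users. It runs against a constructed temporary tree through a path prefix so it never touches the real /etc/ssh; the sample config and key files are constructed placeholders.

```python
import stat
import tempfile
from pathlib import Path

# sshd_config(5) defaults when no HostKey line is set; also what ssh-keygen -A
# writes for those key types (the legacy rsa1 ssh_host_key is not among them).
DEFAULT_HOST_KEYS = ["/etc/ssh/ssh_host_rsa_key", "/etc/ssh/ssh_host_ecdsa_key",
                     "/etc/ssh/ssh_host_ed25519_key"]

SAMPLE_SSHD_CONFIG = """\
# constructed sample; the dsa key file is deliberately absent in demo()
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
"""

def host_keys_from_config(config_text):
    """Return the HostKey paths declared in sshd_config, or the defaults."""
    keys = []
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)   # strip comments, split
        if len(parts) == 2 and parts[0].lower() == "hostkey":
            keys.append(parts[1].strip())
    return keys or list(DEFAULT_HOST_KEYS)

def audit_host_keys(config_text, prefix=""):
    """Classify each private host key as present (owner-only perms), missing
    (what ssh-keygen -A would generate) or insecure (group/other readable).
    'prefix' is prepended to every path so a staging tree can be audited."""
    report = {"present": [], "missing": [], "insecure": []}
    for key in host_keys_from_config(config_text):
        path = Path(prefix + key)
        if not path.is_file():
            report["missing"].append(key)
        elif stat.S_IMODE(path.stat().st_mode) & 0o077:
            report["insecure"].append(key)
        else:
            report["present"].append(key)
    return report

def demo():
    """Build a throwaway etc/ssh tree: one 0600 key, one 0644 key, one absent."""
    with tempfile.TemporaryDirectory() as root:
        ssh_dir = Path(root, "etc/ssh")
        ssh_dir.mkdir(parents=True)
        for name, mode in (("ssh_host_rsa_key", 0o600), ("ssh_host_ecdsa_key", 0o644)):
            (ssh_dir / name).write_text("constructed placeholder, not a real key\n")
            (ssh_dir / name).chmod(mode)
        return audit_host_keys(SAMPLE_SSHD_CONFIG, prefix=root)
```

Run against the live system with `audit_host_keys(Path("/etc/ssh/sshd_config").read_text())` (no prefix) as root; the "missing" list is exactly what a subsequent ssh-keygen -A would create.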