< Cryptography
New keys with OpenSSH private key format can be converted using ssh-keygen utility to the old PEM format. Ssh-keygen -p -m PEM -f /.ssh/idrsa There is no need to downgrade to older OpenSSH just to achieve this result. Generating Public and Private Keys with openssl.exe To perform the following actions for Windows or Linux, you must have OpenSSL installed on your system. Generating the Private Key - Windows In Windows: 1. Open the Command Prompt (Start Programs Accessories Command Prompt). Navigate to the following folder. Sep 26, 2019 Generating an SSH key. To generate an SSH key with PuTTYgen, follow these steps: Open the PuTTYgen program. For Type of key to generate, select SSH-2 RSA. Click the Generate button. Move your mouse in the area below the progress bar. When the progress bar is full, PuTTYgen generates your key pair. Type a passphrase in the Key passphrase field. Generate RSA keys with SSH by using PuTTYgen. Last updated on: 2016-06-23; Authored by: Rackspace Support; One effective way of securing SSH access to your cloud server is to use a public-private key pair. This means that a public key is placed on the server and a private key is placed on your local workstation. Using a key pair makes it. From the Public key for pasting into OpenSSH authorizedkeys file field at the top of the window, copy all the text (starting with ssh-rsa) to your clipboard by pressing Ctrl-C. You need this key available on your clipboard to paste either into the public key tool in the Control Panel or directly into the authorized keys on your cloud server.
Download and install the OpenSSL runtimes. If you are running Windows, grab the Cygwin package.
OpenSSL can generate several kinds of public/private keypairs.RSA is the most common kind of keypair generation.[1]
Other popular ways of generating RSA public key / private key pairs include PuTTYgen and ssh-keygen.[2][3]
Generate an RSA keypair with a 2048 bit private key[edit]
Execute command: 'openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048'[4] (previously “openssl genrsa -out private_key.pem 2048”)
e.g.
Make sure to prevent other users from reading your key by executing chmod go-r private_key.pem afterward.
Extracting the public key from an RSA keypair[edit]
Execute command: 'openssl rsa -pubout -in private_key.pem -out public_key.pem'
e.g.
A new file is created, public_key.pem, with the public key.
It is relatively easy to do some cryptographic calculations to calculate the public key from the prime1 and prime2 values in the public key file.However, OpenSSL has already pre-calculated the public key and stored it in the private key file.So this command doesn't actually do any cryptographic calculation -- it merely copies the public key bytes out of the file and writes the Base64 PEM encoded version of those bytes into the output public key file.[5]
Viewing the key elements[edit]
Execute command: 'openssl rsa -text -in private_key.pem'
All parts of private_key.pem are printed to the screen. This includes the modulus (also referred to as public key and n), public exponent (also referred to as e and exponent; default value is 0x010001), private exponent, and primes used to create keys (prime1, also called p, and prime2, also called q), a few other variables used to perform RSA operations faster, and the Base64 PEM encoded version of all that data.[6](The Base64 PEM encoded version of all that data is identical to the private_key.pem file).
Password-less login[edit]
Often a person will set up an automated backup process that periodically backs up all the content on one 'working' computer onto some other 'backup' computer.
Because that person wants this process to run every night, even if no human is anywhere near either one of these computers, using a 'password-protected' private key won't work -- that person wants the backup to proceed right away, not wait until some human walks by and types in the password to unlock the private key.Many of these people generate 'a private key with no password'.[7]Some of these people, instead, generate a private key with a password,and then somehow type in that password to 'unlock' the private key every time the server reboots so that automated toolscan make use of the password-protected keys.[8][3]
Further reading[edit]
- ↑Key Generation
- ↑Michael Stahnke.'Pro OpenSSH'.p. 247.
- ↑ ab'SourceForge.net Documentation: SSH Key Overview'
- ↑'genpkey(1) - Linux man page'
- ↑'Public – Private key encryption using OpenSSL'
- ↑'OpenSSL 1024 bit RSA Private Key Breakdown'
- ↑'DreamHost: Personal Backup'.
- ↑Troy Johnson.'Using Rsync and SSH: Keys, Validating, and Automation'.
- Internet_Technologies/SSH describes how to use 'ssh-keygen' and 'ssh-copy-id' on your local machine so you can quickly and securely ssh from your local machine to a remote host.
Retrieved from 'https://en.wikibooks.org/w/index.php?title=Cryptography/Generate_a_keypair_using_OpenSSL&oldid=3622149'
- This module allows one to (re)generate OpenSSH private and public keys. It uses ssh-keygen to generate keys. One can generate
rsa
,dsa
,rsa1
,ed25519
orecdsa
private keys.
The below requirements are needed on the host that executes this module.
Openssl Generate Ssh-rsa Key Download
- ssh-keygen
Parameter | Choices/Defaults | Comments |
---|---|---|
attributes string | The attributes the resulting file or directory should have. To get supported flags look at the man page for chattr on the target system. This string should contain the attributes in the same order as the one displayed by lsattr. The = operator is assumed as default, otherwise + or - operators need to be included in the string. | |
comment added in 2.9 | Provides a new comment to the public key. When checking if the key is in the correct state this will be ignored. | |
force boolean |
| Should the key be regenerated even if it already exists |
group string | Name of the group that should own the file/directory, as would be fed to chown. | |
mode string | The permissions the resulting file or directory should have. For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must either add a leading zero so that Ansible's YAML parser knows it is an octal number (like 0644 or 01777 ) or quote it (like '644' or '1777' ) so Ansible receives a string and can do its own conversion from string into number.Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results. As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, u+rwx or u=rw,g=r,o=r ).As of Ansible 2.6, the mode may also be the special string preserve .When set to preserve the file will be given the same permissions as the source file. | |
owner string | Name of the user that should own the file/directory, as would be fed to chown. | |
path path / required | Name of the files containing the public and private key. The file containing the public key will have the extension .pub . | |
selevel string | Default: | The level part of the SELinux file context. This is the MLS/MCS attribute, sometimes known as the range .When set to _default , it will use the level portion of the policy if available. |
serole string | When set to _default , it will use the role portion of the policy if available. | |
setype string | When set to _default , it will use the type portion of the policy if available. | |
seuser string | By default it uses the system policy, where applicable.When set to _default , it will use the user portion of the policy if available. | |
size integer | Specifies the number of bits in the private key to create. For RSA keys, the minimum size is 1024 bits and the default is 4096 bits. Generally, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, size determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will cause this module to fail. Ed25519 keys have a fixed length and the size will be ignored. | |
state string |
| Whether the private and public keys should exist or not, taking action if the state is different from what is stated. |
type string |
| The algorithm used to generate the SSH private key. rsa1 is for protocol version 1. rsa1 is deprecated and may not be supported by every version of ssh-keygen. |
unsafe_writes boolean |
| Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target file. By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target files, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted files, which cannot be updated atomically from inside the container and can only be written in an unsafe manner. This option allows Ansible to fall back to unsafe methods of updating files when atomic operations fail (however, it doesn't force Ansible to perform unsafe writes). IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. |
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
comment string | changed or success | Sample: |
filename | changed or success | Path to the generated SSH private key file /tmp/id_ssh_rsa |
fingerprint string | changed or success | Sample: SHA256:r4YCZxihVjedH2OlfjVGI6Y5xAYtdCwk8VxKyzVyYfM |
public_key string | changed or success | Sample: ssh-rsa AAAAB3Nza(...omitted...)veL4E3Xcw test_key |
size integer | changed or success | Sample: |
type | changed or success | Algorithm used to generate the SSH private key rsa |
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors¶
Generate Ssh Rsa Key Pair
- David Kainz (@lolcube)
Openssl Generate Ssh-rsa Public Key
Hint
Openssl Generate Key File
If you notice any issues in this documentation, you can edit this document to improve it.