SSH Key Formats
(Requires the SFTP module in EFT Express) EFT imports the PEM format, also called the SECSH Public Key File Format, and the OpenSSH format. Each format is illustrated below. Under the illustrations is a procedure for creating a PEM key on a Linux computer. See also Creating an SSH Key Pair on EFT.
PEM format:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "4096-bit RSA, converted from OpenSSH by don@untu-DSH"
AAAAB3NzaC1yc2EAAAABIwAAAgEAwrr66r8n6B8Y0zMF3dOpXEapIQD9DiYQ6D6/zwor9o
39jSkHNiMMER/GETBbzP83LOcekm02aRjo55ArO7gPPVvCXbrirJu9pkm4AC4BBre5xSLS
7soyzwbigFruM8G63jSXqpHqJ/ooi168sKMC2b0Ncsi+JlTfNYlDXJVLKEeZgZOInQyMmt
isaDTUQWTIv1snAizf4iIYENuAkGYGNCL77u5Y5VOu5eQipvFajTnps9QvUx/zdSFYn9e2
sulWM3Bxc/S4IJ67JWHVRpfJxGi3hinRBH8WQdXuUwdJJTiJHKPyYrrM7Q6Xq4TOMFtcRu
LDC6u3BXM1L0gBvHPNOnD5l2Lp5EjUkQ9CBf2j4A4gfH+iWQZyk08esAG/iwArAVxkl368
+dkbMWOXL8BN4x5zYgdzoeypQZZ2RKH780MCTSo4WQ19DP8pw+9q3bSFC9H3xYAxrKAJNW
jeTUJOTrTe+mWXXU770gYyQTxa2ycnYrlZucn1S3vsvn6eq7NZZ8NRbyv1n15Ocg+nHK4f
uKOrwPhU3NbKQwtjb0Wsxx1gAmQqIOLTpAdsrAauPxC7TPYA5qQVCphvimKuhQM/1gMV22
5JrnjspVlthCzuFYUjXOKC3wxz6FFEtwnXu3uC5bVVkmkNadJmD21gD23yk4BraGXVYpRM
IB+X+OTUUI8=
---- END SSH2 PUBLIC KEY ----
EFT looks for the BEGIN and END tags when importing.
OpenSSH format:
If you generated your key on a *nix box, it is most likely in this format.
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEAwrr66r8n6B8Y0zMF3dOpXEapIQD9DiYQ6D6/zwor9o39jSkHNiMMER/GETBbzP83LOcekm02aRjo55ArO7gPPVvCXbrirJu9pkm4AC4BBre5xSLS7soyzwbigFruM8G63jSXqpHqJ/ooi168sKMC2b0Ncsi+JlTfNYlDXJVLKEeZgZOInQyMmtisaDTUQWTIv1snAizf4iIYENuAkGYGNCL77u5Y5VOu5eQipvFajTnps9QvUx/zdSFYn9e2sulWM3Bxc/S4IJ67JWHVRpfJxGi3hinRBH8WQdXuUwdJJTiJHKPyYrrM7Q6Xq4TOMFtcRuLDC6u3BXM1L0gBvHPNOnD5l2Lp5EjUkQ9CBf2j4A4gfH+iWQZyk08esAG/iwArAVxkl368+dkbMWOXL8BN4x5zYgdzoeypQZZ2RKH780MCTSo4WQ19DP8pw+9q3bSFC9H3xYAxrKAJNWjeTUJOTrTe+mWXXU770gYyQTxa2ycnYrlZucn1S3vsvn6eq7NZZ8NRbyv1n15Ocg+nHK4fuKOrwPhU3NbKQwtjb0Wsxx1gAmQqIOLTpAdsrAauPxC7TPYA5qQVCphvimKuhQM/1gMV225JrnjspVlthCzuFYUjXOKC3wxz6FFEtwnXu3uC5bVVkmkNadJmD21gD23yk4BraGXVYpRMIB+X+OTUUI8= don@untu-DSH
- To generate the key, on a Linux computer, type:
  ssh-keygen -t rsa
- To convert to PEM format, on a Linux computer, type (assuming your public key is id_rsa.pub):
  ssh-keygen -e -f id_rsa.pub > yourfilename.pub
  The -i switch is the inverse of the -e switch.
I see the fingerprint in EFT. How do I see the fingerprint in Linux?
Assuming your public key is id_rsa.pub, on a Linux computer, type:
ssh-keygen -l -f id_rsa.pub
This will return three things:
- the bit strength (4096)
- the fingerprint (18:9f:7d:8f:e0:ab:13:56:b7:49:89:b3:07:93:9f:da)
- the filename (id_rsa.pub)
The string returned from this example public key is:
4096 18:9f:7d:8f:e0:ab:13:56:b7:49:89:b3:07:93:9f:da id_rsa.pub
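The fingerprint is a hash of the decoded key data, so both file formats illustrated above yield the same value. The Python sketch below is an added example, not part of the original page or of EFT; it parses either format and returns the bit strength, the colon-separated MD5 fingerprint of the kind shown above, and the SHA256 form that newer OpenSSH releases print by default. The sample key in it is constructed for illustration and is not a usable key.

```python
import base64, hashlib, struct, textwrap

def parse_public_key(text):
    """Return the raw key blob from either format illustrated on this page."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    if not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        # OpenSSH: "<type> <base64> [comment]" on a single line
        return base64.b64decode(lines[0].split()[1], validate=True)
    if not lines[-1].startswith("---- END SSH2 PUBLIC KEY"):
        raise ValueError("END tag missing")
    b64, cont = "", False
    for l in lines[1:-1]:
        header = cont or ":" in l            # base64 never contains ':'
        cont = header and l.endswith("\\")   # header continued on next line
        if not header:
            b64 += l
    return base64.b64decode(b64, validate=True)

def _field(blob, off):
    """Read one length-prefixed field of the SSH wire encoding."""
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def fingerprint(text):
    """Return (bits, md5_fingerprint, sha256_fingerprint) for an RSA key."""
    blob = parse_public_key(text)
    alg, off = _field(blob, 0)
    if alg != b"ssh-rsa":
        raise ValueError("this example only handles ssh-rsa keys")
    _e, off = _field(blob, off)
    n, off = _field(blob, off)
    bits = int.from_bytes(n, "big").bit_length()
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return bits, md5, "SHA256:" + sha

# Constructed sample: a well-formed blob with a made-up modulus, not a usable key.
def _mpint(i):
    b = i.to_bytes(i.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(b)) + b

BLOB = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint((1 << 2047) | 12345)
B64 = base64.b64encode(BLOB).decode()
OPENSSH = "ssh-rsa " + B64 + " demo@example"
SECSH = "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", 'Comment: "demo key"',
                   *textwrap.wrap(B64, 70), "---- END SSH2 PUBLIC KEY ----"])

if __name__ == "__main__":
    print(fingerprint(OPENSSH) == fingerprint(SECSH), *fingerprint(SECSH))
```

With a recent ssh-keygen, `ssh-keygen -l -E md5 -f id_rsa.pub` prints the colon-separated form for comparison.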
Linux has standard folders/files for SSH:
- The SSH files are stored in "~/.ssh"
  The tilde ~ is an alias for the user home folder, e.g., /home/<your username>
- The public key filename is the private key filename with .pub as the extension.
- Stored (known) server fingerprints are written to known_hosts
  This is used to detect "man in the middle" attacks. If the host fingerprint changes, SSH will report an error.
- The file authorized_keys is used to store public keys
  This is used to allow the user to maintain a collection of identity keys in one place (easier to back up and restore). The authorized_keys file is a collection of public keys, created by simply echoing out (cat) the contents of a public key and appending it to the bottom of the existing authorized_keys file.
- SSH keys must have 600 or more restrictive permissions in place
  If permissions are too open, SSH will report an error and refuse to run until you correct the security problem.