SSH Key Formats

(Requires the SFTP module in EFT Express) EFT imports the PEM format, also called the SECSH Public Key File Format, and the OpenSSH format. Each format is illustrated below. Under the illustrations is a procedure for creating a PEM key on a Linux computer. See also Creating an SSH Key Pair on EFT.

PEM format:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "4096-bit RSA, converted from OpenSSH by don@untu-DSH"
AAAAB3NzaC1yc2EAAAABIwAAAgEAwrr66r8n6B8Y0zMF3dOpXEapIQD9DiYQ6D6/zwor9o
39jSkHNiMMER/GETBbzP83LOcekm02aRjo55ArO7gPPVvCXbrirJu9pkm4AC4BBre5xSLS
7soyzwbigFruM8G63jSXqpHqJ/ooi168sKMC2b0Ncsi+JlTfNYlDXJVLKEeZgZOInQyMmt
isaDTUQWTIv1snAizf4iIYENuAkGYGNCL77u5Y5VOu5eQipvFajTnps9QvUx/zdSFYn9e2
sulWM3Bxc/S4IJ67JWHVRpfJxGi3hinRBH8WQdXuUwdJJTiJHKPyYrrM7Q6Xq4TOMFtcRu
LDC6u3BXM1L0gBvHPNOnD5l2Lp5EjUkQ9CBf2j4A4gfH+iWQZyk08esAG/iwArAVxkl368
+dkbMWOXL8BN4x5zYgdzoeypQZZ2RKH780MCTSo4WQ19DP8pw+9q3bSFC9H3xYAxrKAJNW
jeTUJOTrTe+mWXXU770gYyQTxa2ycnYrlZucn1S3vsvn6eq7NZZ8NRbyv1n15Ocg+nHK4f
uKOrwPhU3NbKQwtjb0Wsxx1gAmQqIOLTpAdsrAauPxC7TPYA5qQVCphvimKuhQM/1gMV22
5JrnjspVlthCzuFYUjXOKC3wxz6FFEtwnXu3uC5bVVkmkNadJmD21gD23yk4BraGXVYpRM
IB+X+OTUUI8=
---- END SSH2 PUBLIC KEY ----

EFT looks for the BEGIN and END tags when importing.

OpenSSH format:

If you generated your key on a *nix box, it is most likely in this format. In an OpenSSH key file the whole key is a single line; it is wrapped here for display.

ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAgEAwrr66r8n6B8Y0zMF3dOpXEapIQD9DiYQ6D6/zwor9o
39jSkHNiMMER/GETBbzP83LOcekm02aRjo55ArO7gPPVvCXbrirJu9pkm4AC4BBre5xSLS
7soyzwbigFruM8G63jSXqpHqJ/ooi168sKMC2b0Ncsi+JlTfNYlDXJVLKEeZgZOInQyMmt
isaDTUQWTIv1snAizf4iIYENuAkGYGNCL77u5Y5VOu5eQipvFajTnps9QvUx/zdSFYn9e2
sulWM3Bxc/S4IJ67JWHVRpfJxGi3hinRBH8WQdXuUwdJJTiJHKPyYrrM7Q6Xq4TOMFtcRu
LDC6u3BXM1L0gBvHPNOnD5l2Lp5EjUkQ9CBf2j4A4gfH+iWQZyk08esAG/iwArAVxkl368
+dkbMWOXL8BN4x5zYgdzoeypQZZ2RKH780MCTSo4WQ19DP8pw+9q3bSFC9H3xYAxrKAJNW
jeTUJOTrTe+mWXXU770gYyQTxa2ycnYrlZucn1S3vsvn6eq7NZZ8NRbyv1n15Ocg+nHK4f
uKOrwPhU3NbKQwtjb0Wsxx1gAmQqIOLTpAdsrAauPxC7TPYA5qQVCphvimKuhQM/1gMV22
5JrnjspVlthCzuFYUjXOKC3wxz6FFEtwnXu3uC5bVVkmkNadJmD21gD23yk4BraGXVYpRM
IB+X+OTUUI8= don@untu-DSH

To make a key

  1. To generate the key, on a Linux computer, type:

    ssh-keygen -t rsa

  2. To convert to PEM format, on a Linux computer, type (assuming your public key is id_rsa.pub):

    ssh-keygen -e -f id_rsa.pub > yourfilename.pub

     The -i switch is the inverse of the -e switch.

I see the fingerprint in EFT. How do I see the fingerprint in Linux?

Assuming your public key is id_rsa.pub, on a Linux computer, type:

    ssh-keygen -l -f id_rsa.pub

This will return three things:

  • the bit strength (4096)

  • the fingerprint (18:9f:7d:8f:e0:ab:13:56:b7:49:89:b3:07:93:9f:da)

  • the filename (id_rsa.pub)

The string returned from this example public key is:

4096 18:9f:7d:8f:e0:ab:13:56:b7:49:89:b3:07:93:9f:da id_rsa.pub
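
Both formats above wrap the same binary key blob, and the colon-separated fingerprint is the MD5 digest of that blob, so a key reports the same fingerprint whichever format it is stored in. The Python below is an added example, not part of the EFT documentation: it parses both formats from a constructed sample key (the names extract_blob, read_field and describe are illustrative) and also computes the SHA256 fingerprint that newer OpenSSH releases print by default.

```python
import base64, hashlib, struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def extract_blob(text):
    """Decode the binary key blob from a SECSH ("PEM") or OpenSSH public key."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines[0] != BEGIN:                      # OpenSSH: "<type> <base64> [comment]"
        return base64.b64decode(text.split()[1], validate=True)
    if lines[-1] != END:
        raise ValueError("missing END tag")
    body, in_header = [], False
    for ln in lines[1:-1]:
        if in_header or ":" in ln:             # header such as Comment: "..."
            in_header = ln.endswith("\\")      # a trailing backslash continues it
            continue
        body.append(ln)
    return base64.b64decode("".join(body), validate=True)

def read_field(blob, off):
    """Read one length-prefixed field: uint32 length, then that many bytes."""
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def describe(text):
    """Return (key type, RSA bits, MD5 fingerprint, SHA256 fingerprint)."""
    blob = extract_blob(text)
    ktype, off = read_field(blob, 0)
    bits = None
    if ktype == b"ssh-rsa":                    # fields: type, exponent e, modulus n
        _, off = read_field(blob, off)
        n, _ = read_field(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return (ktype.decode(), bits,
            ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha)

# Constructed sample (not a usable key): a 2048-bit odd number stands in for n.
_n = ((1 << 2047) | 0xC0FFEE1).to_bytes(257, "big")    # leading 0x00 keeps n positive
SAMPLE_BLOB = b"".join(struct.pack(">I", len(f)) + f
                       for f in (b"ssh-rsa", b"\x01\x00\x01", _n))
_b64 = base64.b64encode(SAMPLE_BLOB).decode()
OPENSSH = f"ssh-rsa {_b64} user@example\n"
SECSH = "\n".join([BEGIN, 'Comment: "constructed sample"',
                   *(_b64[i:i + 70] for i in range(0, len(_b64), 70)), END])

if __name__ == "__main__":
    print(describe(OPENSSH), describe(SECSH), sep="\n")
```

On a current OpenSSH, `ssh-keygen -l -E md5 -f id_rsa.pub` prints the colon-separated MD5 form for comparison with the third value returned by describe().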

Linux has standard folders/files for SSH:

  • The SSH files are stored in "~/.ssh"
    The tilde ~ is an alias for the user home folder, e.g., /home/<your username>

  • The public key filename is the private key filename with .pub as the extension.

  • Stored (known) server fingerprints are written to known_hosts
    This is used to detect "man in the middle" attacks. If the host fingerprint changes, SSH will report an error.

  • The file authorized_keys is used to store public keys
    This lets the user maintain a collection of identity keys in one place (easier to back up and restore). The authorized_keys file is a collection of public keys, built by echoing out (cat) the contents of each public key and appending it to the bottom of the existing authorized_keys file.

  • SSH keys must have 600 or more restrictive permissions in place
    If permissions are too open, SSH will report an error and refuse to run until you correct the security problem.