Openssh Keygen



  • ssh-keygen generates, manages and converts authentication keys for ssh(1). ssh-keygen can create keys for use by SSH protocol version 2. The type of key to be generated is specified with the -t option.
  • Before adding a new SSH key to the ssh-agent to manage your keys, you should have checked for existing SSH keys and generated a new SSH key. When adding your SSH key to the agent, use the default macOS ssh-add command, and not an application installed by MacPorts, Homebrew, or some other external source.

ssh: this starts the SSH client program on your local machine and enables secure connection to the SSH server on a remote computer. -L 5901:localhost:5901: states that the local port for the client on the local machine is to be forwarded to the specified host and port of the remote machine. In this case, local port 5901 on the local client is.

Traditionally OpenSSH has used the OpenSSL-compatible formats PKCS#1 (for RSA) and SEC1 (for EC) for private keys.

This week I discovered that it now has its own format too, which is the default output format for some installations of ssh-keygen.

After peeking at the binary I found, much to my dismay - and very much unlike the ssh public key format (RFC 4253) - that OpenSSH private key format is not intuitively obvious, I headed to les googles.

I searched high and low (or at least past page 2, which is a distinguished mark of true dedication), but found no useful information to assuage my curiosity (and habit).

In lieu of the docs I turned to the source. With a combination of the concentrated efforts of my best code sleuthing and reverse engineering skills, I believe I have (here below) produced the most complete documentation the Internet has to offer on the subject.

So, without further ado...

OpenSSH Private Keys

On the outside it's PEM encoded. It looks like this:

But, unlike most PEMs, there's no DER inside.

Instead it's the 'proprietary' OpenSSH format, which looks like this:

As you can see (maybe) there's

  • A format ID prefix
  • Encryption headers
  • An unused number for number of keys in the block
  • An rfc4253-style ssh public key
  • A private key somewhat modeled after the rfc4253 style
  • A comment
  • Padding for aligning private key to the blocksize

Note that the blocksize is 8 (for unencrypted keys, at least).

The RFC 4253 SSH Public Key format is used for both the embedded public key and embedded private key, with the caveat that the private key has a header and footer that must be sliced:

  • RSA private keys swap e and n for n and e.
  • 8 bytes of unused checksum bytes as a header
  • n bytes (between 0 and 7) of padding
    • bytes > 0x00 and < 0x08 must be trimmed (from the right)
    • the padding must be a (right-trimmed) substring of 0x01020304050607
    • (that includes the empty substring)
    • if the last byte isn't padding, it's part of the comment (0x21 to 0x7e)
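
An added example, not code from the original post or from OpenSSH: a Python parser for the unencrypted container laid out above, run against a constructed Ed25519-shaped sample that holds filler bytes instead of real key material. It goes slightly beyond the post by reading the comment as a length-prefixed string and by reporting encrypted keys without touching their private section; `build_sample`, `parse_openssh_private` and the `PRIV_FIELDS` table are names chosen here.

```python
import base64, struct

MAGIC = b"openssh-key-v1\x00"                    # format ID prefix
PRIV_FIELDS = {"ssh-ed25519": 2, "ssh-rsa": 6}   # fields between key type and comment
PAD = bytes(range(1, 8))                         # 01 02 03 04 05 06 07

def ssh_string(b):
    return struct.pack(">I", len(b)) + b         # RFC 4253 string: uint32 length + data

def read_string(buf, off):
    n = int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or off + 4 + n > len(buf):
        raise ValueError("string runs past end of buffer")
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_sample(comment=b"demo@example", cipher=b"none", kdf=b"none"):
    """Constructed Ed25519-shaped sample: filler bytes, not real key material."""
    pub = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)
    priv = struct.pack(">II", 7, 7) + pub + ssh_string(b"\x22" * 64) + ssh_string(comment)
    priv += PAD[:(-len(priv)) % 8]               # pad to the 8-byte blocksize
    raw = (MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(b"")
           + struct.pack(">I", 1) + ssh_string(pub) + ssh_string(priv))
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

def parse_openssh_private(pem):
    raw = base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))
    if not raw.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 format ID")
    cipher, off = read_string(raw, len(MAGIC))
    kdf, off = read_string(raw, off)
    _kdfopts, off = read_string(raw, off)
    nkeys = int.from_bytes(raw[off:off + 4], "big")
    pub, off = read_string(raw, off + 4)
    priv, off = read_string(raw, off)
    info = {"encrypted": (cipher, kdf) != (b"none", b"none"), "cipher": cipher.decode(),
            "nkeys": nkeys, "type": read_string(pub, 0)[0].decode()}
    if info["encrypted"]:
        return info                              # private section is ciphertext; stop here
    if len(priv) < 8 or len(priv) % 8:
        raise ValueError("private section not aligned to blocksize 8")
    ktype, p = read_string(priv, 8)              # skip the 8 header bytes
    for _ in range(PRIV_FIELDS[ktype.decode()]): # KeyError on key types not listed above
        _, p = read_string(priv, p)
    comment, p = read_string(priv, p)
    if priv[p:] != PAD[:len(priv) - p]:
        raise ValueError("padding is not a prefix of 01 02 03 04 05 06 07")
    return {**info, "comment": comment.decode(), "pad_len": len(priv) - p}
```

Because the `encrypted` flag is derived from the header alone, the same function can be used to audit a directory for private keys stored without a passphrase.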

Reference Material

The canonical source code is only available via tarball (.tar.gz).

However, there's also a well-maintained fork (Portable OpenSSH) which has perfectly linkable source code and among them I found this to be the file of greatest interest:

Even more particularly, these were the most interesting functions:

  • sshkey_parse_private2
  • sshkey_private_deserialize
  • sshkey_private_serialize_opt

I don't quite remember where, but another piece of information I discovered is that when the key isn't encrypted (cipher and kdf values are 'none' and 'none') the blocksize is 8 bytes and the value of CLFLAG_NONE is also 8:

By AJ ONeal

OpenSSH is the open-source version of the Secure Shell (SSH) tools used by administrators of Linux and other non-Windows systems for cross-platform management of remote systems. OpenSSH has been added to Windows as of autumn 2018, and is included in Windows 10 and Windows Server 2019.

SSH is based on a client-server architecture where the system the user is working on is the client and the remote system being managed is the server. OpenSSH includes a range of components and tools designed to provide a secure and straightforward approach to remote system administration, including:

  • sshd.exe, which is the SSH server component that must be running on the system being managed remotely
  • ssh.exe, which is the SSH client component that runs on the user's local system
  • ssh-keygen.exe generates, manages and converts authentication keys for SSH
  • ssh-agent.exe stores private keys used for public key authentication
  • ssh-add.exe adds private keys to the list allowed by the server
  • ssh-keyscan.exe aids in collecting the public SSH host keys from a number of hosts
  • sftp.exe is the service that provides the Secure File Transfer Protocol, and runs over SSH
  • scp.exe is a file copy utility that runs on SSH

Documentation in this section focuses on how OpenSSH is used on Windows, including installation, and Windows-specific configuration and use cases. Here are the topics:

Additional detailed documentation for common OpenSSH features is available online at OpenSSH.com.

The master OpenSSH open source project is managed by developers at the OpenBSD Project. The Microsoft fork of this project is in GitHub. Feedback on Windows OpenSSH is welcomed and can be provided by creating GitHub issues in our OpenSSH GitHub repo.