Key Management

Lee Painter

The key management commands can be used by individual users to manage their own authorized keys, or by an Administrator or a user with the authorizedKeys.assign permission to manage keys on behalf of other users.

Generating a New Key

The command used to generate new keys is ssh-keygen.

# ssh-keygen

The system will then prompt you for a name, and a passphrase to encrypt the key.

Name: My Key
Passphrase: **********
Confirm Passphrase: **********


The key is then generated and printed out to the shell. You should copy and paste this into a file on your local machine. The key will not be saved anywhere else, so if you fail to do this you will lose access to the key and will have to generate a new one.

*** IMPORTANT ***
Your private has been created and has been printed below.
There is no other record of the private key on this server.
Therefore please copy this to a safe location or it will be lost.

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACFFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAG
CdrWy8zLwloDzZNrsyotAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIK0D
rEYxSL3bpz4drRUdt76CJ1ZsSdPAh0VrjyFtnnFUAAAAkNaWKUIn9vbaEJ/2jIhu
r1hfay/b1XQ7t5W624d7BbwNcaYPOsKK7s5UkI3R0qLxGCEYP2ocGtPpT7H+kzKM
OCzSTK2NBh941GKCfm+jKIW60aa17Ae4Pf6am6xkiA+ZXgYM5uDjZVyPlI04Vvdb
UeAS1BLJzrT01ULIIVKPzberjGqItN2hzgFL7B+sgy3/Jg==
-----END OPENSSH PRIVATE KEY-----

SHA256:0wvYB/w9v38vapxOC+6ZRDSU9VGSQoxHK/dRjfgshyc

xivip-mecup-mepeb-ralel-fobyr-zelyf-rusyz-zofah-fovub-gimoz-tixix


Changing the Key Type and Size

To change the key type from the default, ssh-ed25519, pass the --type or -t parameter. The supported values are rsa, ecdsa and ed25519.

# ssh-keygen -t rsa


You can optionally pass the bit size you want using the --bits or -b parameter.

# ssh-keygen -t rsa -b 4096


Writing the Private Key to File

The default behavior of ssh-keygen is to print the private key to the console so you can copy it and store it securely. When using this method the private key is never stored on the server. If you want to write the private key out to a file on the server instead, you can do so by adding the --file or -f parameter.

# ssh-keygen -f myprivatekey


You should ensure you download the key and then remove it from the server to keep it secure.


Creating a Key for Another User

If you are an Administrator or have the necessary permission, you can create a key for another user by adding the --assign argument followed by the username of the user.

# ssh-keygen --assign lee


The same process is followed as above and the same command-line arguments are supported to change the type or size of the key.


Uploading an Existing Key

If you have an existing key that you would rather use, upload it using SFTP or SCP. Once uploaded, go back to the shell and use the import-key command. You can upload just the public key, or the private key (the private key will not be stored on the server, so you should remove the uploaded file after importing the key).

# import-key <filename>


The system will then prompt you for a name for this key.

Name: My Key

If the key is a private key and is protected by a passphrase you will be prompted to enter the passphrase.

Passphrase: **********


Your key has now been imported.
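The passphrase prompt above only appears when the uploaded file is a private key whose key material is encrypted; an unencrypted private key uploaded to the server is readable by anyone who can read the file until you delete it. The following check, an added example that is not part of the product and not the product's own import-key implementation, tells you which of the three cases a file falls into before you hand it to import-key: a public key line, an unencrypted OpenSSH private key, or a passphrase-protected one. It assumes the private key uses the openssh-key-v1 container (the BEGIN/END OPENSSH PRIVATE KEY armor shown on this page), whose header records the cipher and KDF names; a cipher of "none" means no passphrase. The private key files used below are constructed with filler key material, which is enough for the header check.

```python
import base64
import struct

BEGIN_MARKER = "-----BEGIN OPENSSH PRIVATE KEY-----"
END_MARKER = "-----END OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"
PUBLIC_KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _take(buf, off):
    """Read one length-prefixed field at `off`; raise if the buffer is short."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated field body")
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_private_key_file(cipher, kdf, kdf_options=b""):
    """Constructed stand-in for an openssh-key-v1 file: the magic and header
    fields are laid out as the real format does, but the public and private
    sections are zero filler (this is a demo, not a usable key)."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdf_options) + struct.pack(">I", 1)  # number of keys
            + _ssh_string(b"\x00" * 51) + _ssh_string(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([BEGIN_MARKER, *lines, END_MARKER]) + "\n"


def classify_key_file(text):
    """Report what import-key is about to receive: a public key line, an
    unencrypted private key, or a passphrase-protected private key."""
    stripped = text.strip()
    if stripped.startswith(BEGIN_MARKER):
        if not stripped.endswith(END_MARKER):
            raise ValueError("private key block is missing its END line")
        body = "".join(stripped[len(BEGIN_MARKER):-len(END_MARKER)].split())
        blob = base64.b64decode(body, validate=True)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 private key")
        cipher, off = _take(blob, len(OPENSSH_MAGIC))
        kdf, off = _take(blob, off)
        return {"kind": "private", "cipher": cipher.decode(), "kdf": kdf.decode(),
                "passphrase_required": cipher != b"none"}
    parts = stripped.split(None, 2)
    if len(parts) >= 2 and parts[0] in PUBLIC_KEY_TYPES:
        blob = base64.b64decode(parts[1], validate=True)
        embedded_type, _ = _take(blob, 0)
        if embedded_type.decode() != parts[0]:
            raise ValueError("public key type does not match its blob")
        return {"kind": "public", "type": parts[0], "passphrase_required": False}
    raise ValueError("unrecognised key file")


if __name__ == "__main__":
    for label, sample in (("encrypted", build_private_key_file(b"aes256-ctr", b"bcrypt", b"\x00" * 24)),
                          ("plaintext", build_private_key_file(b"none", b"none"))):
        print(label, classify_key_file(sample))
```

Run it against the file you uploaded before calling import-key; a "private" result with passphrase_required False is the case where you want to delete the uploaded file from the server as soon as the import completes, and a "public" result means there was nothing secret to upload in the first place.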


Uploading a Key for Another User

To import a public key for another user, pass the --assign or -a parameter with the username of the user you want to assign the key to.

# import-key -a lee <filename>


You will be asked to provide a name for the key, or you can pass the --name or -n parameter to provide it on the command line.


Listing Keys

A user can list their own keys using the authorized-keys command.

# authorized-keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORvho3qf1bXJhgT9jZpjz1C7fTOfFO23lZPL3i6+EAC My Key


To list another user's key pass the username of the user as an argument.

# authorized-keys lee
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJp6gLkn82WiSmWvwdA4nm+s1jSA0zo/NZ0fK+T86K6p Lee's Key
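The output of ssh-keygen above ends with two fingerprints of the new key, a SHA256 line and a word-style line, and the authorized-keys listing shows the public key the server now holds. Comparing the two is how you confirm that the key you pasted into a file on your machine is the one the server trusts. The code below, an added example that is not part of the product, recomputes both fingerprints from an authorized-keys output line. It assumes the fingerprints follow the OpenSSH conventions: SHA256 of the raw key blob, base64 without padding, and the word-style form being Bubble Babble of the blob's SHA-1 digest; whether this product computes them the same way is an assumption. The first input line is the key shown in the listing above; the second is a constructed line with a truncated blob to show how a bad entry is rejected rather than silently fingerprinted.

```python
import base64
import hashlib
import struct

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"

# Lines in the format printed by authorized-keys. The first is the key shown
# on this page; the second is constructed with a truncated blob.
AUTHORIZED_KEYS_OUTPUT = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORvho3qf1bXJhgT9jZpjz1C7fTOfFO23lZPL3i6+EAC My Key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORvho3q Broken Key
"""


def read_ssh_string(buf, offset):
    """Read one SSH wire-format string (uint32 length + bytes) at `offset`."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[start:end], end


def parse_public_key_line(line):
    """Split an authorized-keys line into (type, raw blob, comment) and check
    that the type embedded in the blob matches the declared one."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("line needs at least a key type and a base64 blob")
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(blob_b64, validate=True)
    embedded_type, offset = read_ssh_string(blob, 0)
    if embedded_type != key_type.encode():
        raise ValueError("declared type %s does not match the blob" % key_type)
    if key_type == "ssh-ed25519":
        point, offset = read_ssh_string(blob, offset)
        if len(point) != 32 or offset != len(blob):
            raise ValueError("malformed ed25519 public key")
    return key_type, blob, comment


def sha256_fingerprint(blob):
    """SHA256 fingerprint of the key blob, base64 with the '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def bubble_babble(data):
    """Bubble Babble encoding of arbitrary bytes (the word-style fingerprint)."""
    seed = 1
    out = ["x"]
    for i in range(len(data) // 2 + 1):
        if 2 * i < len(data):
            b1 = data[2 * i]
            out.append(VOWELS[(((b1 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b1 >> 2) & 15])
            out.append(VOWELS[((b1 & 3) + seed // 6) % 6])
            if 2 * i + 1 < len(data):
                b2 = data[2 * i + 1]
                out.append(CONSONANTS[(b2 >> 4) & 15])
                out.append("-")
                out.append(CONSONANTS[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:  # even-length input: closing tuple built from the seed alone
            out.append(VOWELS[seed % 6])
            out.append(CONSONANTS[16])
            out.append(VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def bubble_babble_fingerprint(blob):
    """Word-style fingerprint: Bubble Babble of the blob's SHA-1 digest (assumed)."""
    return bubble_babble(hashlib.sha1(blob).digest())


def fingerprint_report(output):
    """One tuple per listed key: (comment, type, SHA256 fingerprint, word
    fingerprint), or (comment, "error", reason, "") for a line that fails."""
    results = []
    for line in output.splitlines():
        if not line.strip():
            continue
        try:
            key_type, blob, comment = parse_public_key_line(line)
            results.append((comment, key_type, sha256_fingerprint(blob),
                            bubble_babble_fingerprint(blob)))
        except ValueError as exc:
            results.append((line.split(None, 2)[-1].strip(), "error", str(exc), ""))
    return results


if __name__ == "__main__":
    for row in fingerprint_report(AUTHORIZED_KEYS_OUTPUT):
        print(*row)
```

Paste the authorized-keys output for your user into AUTHORIZED_KEYS_OUTPUT and compare the printed SHA256 line with the one ssh-keygen showed when the key was created; a mismatch means the key the server holds is not the one you saved.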

Deleting Keys

To delete your own key, use the delete-key command, passing the name of the key you want to delete. Remember to use quotes if the key name contains spaces.

# delete-key "My Key"


Similarly, if you have permission, you can delete another user's key by passing the --assign or -a parameter along with the username of the user.

# delete-key --assign lee "Lee's Key"