Key Management

Lee Painter

The key management commands can be used by individual users to manage their own authorized keys, or by an Administrator or a user with the authorizedKeys.assign permission to manage keys for other users.

Generating a New Key

The command used to generate new keys is ssh-keygen.

# ssh-keygen

The system will then prompt you for a name, and a passphrase to encrypt the key.

Name: My Key
Passphrase: **********
Confirm Passphrase: **********

The key is then generated and printed out to the shell. You should copy and paste this into a file on your local machine. The key will not be saved anywhere else, so if you fail to do this you will lose access to the key and will have to generate a new one.

Your private has been created and has been printed below.
There is no other record of the private key on this server.
Therefore please copy this to a safe location or it will be lost.




Changing the Key Type and Size

To change the key type from the default ssh-ed25519 you can pass the --type or -t parameter. The supported values are rsa, ecdsa or ed25519.

# ssh-keygen -t rsa 


You can optionally pass the bit size you want using the --bits or -b parameter.

# ssh-keygen -t rsa -b 4096

Writing the Private Key to File

The default behavior of ssh-keygen is to print the private key to the console so you can copy it and store it securely. When using this method the private key is never stored on the server. If you want to write the private key to a file on the server instead, add the --file or -f parameter.

# ssh-keygen -f myprivatekey

You should ensure you download the key and remove it from the server to keep it secure.

Creating a Key for Another User

If you are an Administrator or have the necessary permission you can create a key for another user by adding the --assign argument with the username of the User.

# ssh-keygen --assign lee

The same process is followed as above and the same command-line arguments are supported to change the type or size of the key.


Uploading an Existing Key

If you have an existing key that you would rather use, upload it using SFTP or SCP. Once uploaded, go back to the shell and use the import-key command. You can upload just the public key or the private key part (the private key will not be stored on the server, so you should remove it after importing the key).

# import-key <filename>

The system will then prompt you for a name for this key.

Name: My Key

If the key is a private key and is protected by a passphrase you will be prompted to enter the passphrase.

Passphrase: **********

Your key has now been imported. 

Uploading a Key for Another User

To import a public key for another user, pass the --assign or -a parameter with the username of the User you want to assign the key to.

# import-key -a lee <filename>

You will be asked to provide a name for the key, or you can pass the --name or -n parameter to provide it on the command line.

Listing Keys

A user can list their own keys using the authorized-keys command.

# authorized-keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORvho3qf1bXJhgT9jZpjz1C7fTOfFO23lZPL3i6+EAC My Key

To list another user's keys, pass the username of the user as an argument.

# authorized-keys lee
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJp6gLkn82WiSmWvwdA4nm+s1jSA0zo/NZ0fK+T86K6p Lee's Key
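To check that a listed key is the one you expect, you can decode each line and compare its fingerprint with the one OpenSSH's ssh-keygen -lf prints for your local copy of the key. This is an added example, not part of the product: it assumes the listing uses the OpenSSH authorized_keys layout shown above, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Listing copied from the "Listing Keys" output on this page.
LISTING = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORvho3qf1bXJhgT9jZpjz1C7fTOfFO23lZPL3i6+EAC My Key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJp6gLkn82WiSmWvwdA4nm+s1jSA0zo/NZ0fK+T86K6p Lee's Key
"""

def read_string(blob, offset):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (size,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + size
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end

def inspect_key(line):
    """Parse '<type> <base64> [name]' (hypothetical helper, not a product API)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [name]'")
    declared, name = parts[0], parts[2] if len(parts) > 2 else ""
    blob = base64.b64decode(parts[1], validate=True)
    embedded, offset = read_string(blob, 0)
    # The type named on the line must match the type inside the key blob.
    if embedded != declared.encode("ascii"):
        raise ValueError("declared type does not match key blob")
    bits = None
    if declared == "ssh-ed25519":
        bits = len(read_string(blob, offset)[0]) * 8
    elif declared == "ssh-rsa":
        _exponent, offset = read_string(blob, offset)
        modulus, _ = read_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
    # Same form OpenSSH prints: SHA256 over the blob, base64 without padding.
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": declared, "bits": bits, "name": name, "fingerprint": fp}

def audit(listing):
    """Inspect every key line, skipping blanks and echoed '# command' lines."""
    return [inspect_key(l) for l in listing.splitlines()
            if l.strip() and not l.startswith("#")]

if __name__ == "__main__":
    for key in audit(LISTING):
        print(key["fingerprint"], key["bits"], key["type"], key["name"])
```

Key names that contain spaces or quotes, such as Lee's Key, are kept whole because only the first two fields are split off. The bit size is left unset for ecdsa keys.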

Deleting Keys

To delete your own key, use the delete-key command, passing the name of the key you want to delete. Remember to use quotes if the key name contains spaces.

# delete-key "My Key"

Similarly, if you have permission, you can delete another user's key by passing the --assign or -a parameter along with the username of the User.

# delete-key --assign lee "Lee's Key"