SSH Public Key Format

Question

I have a public key in the format:

---- BEGIN SSH2 PUBLIC KEY ----

Comment: "somename-20060227"
AAAAB3NzaC1yc2EAAAABJQAAAIBmhLUTJiP[and so on]==

---- END SSH2 PUBLIC KEY ----

Usually I see keys in the format like this:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAqof[and so on]

Can I just copy the first key in the authorized_keys file or do I have to modify it somehow so it looks like the second one? I think the first one was generated by PUTTYgen while the second one was generated by ssh-keygen.

alexus · Accepted Answer · 2015-02-04T17:22:12.767

19

use ssh-keygen -i to convert SSH2-compatible format to OpenSSH compatible format.

from man ssh-keygen:

-i This option will read an unencrypted private (or public) key file in SSH2-compatible format and print an OpenSSH compatible private (or public) key to stdout. ssh-keygen also reads the RFC 4716 SSH Public Key File Format. This option allows importing keys from several commercial SSH implementations.

edited Feb 04 '15 at 17:22

answered Apr 18 '12 at 14:49

alexus

13,112
32
117
174

partial answer, does not help at all. – karatedog Mar 17 '21 at 10:19
Incomplete answer, one might try `ssh-key -i the-file.pub` but that doesn't work. – kizzx2 Mar 02 '23 at 08:02

score 12 · Answer 2 · edited Dec 27 '19 at 15:36

12

This is the complete, correct answer:

ssh-keygen -i -m PKCS8 -f public-key.pem

edited Dec 27 '19 at 15:36

John Deters

103
3

answered Mar 28 '18 at 14:55

Boeboe

247
2
3

1

"RFC4716" is the default key_format, and -m does appear to be for specifying the format of the INPUT in this instance, not the output, so you are correct. – JimNim Mar 28 '18 at 15:42
Technically alexus' "correct" answer is NOT wrong though, as that answer is not spelling out full syntax - only pointing to which primary flag should be used, leaving the need to check -i syntax/usage in the man page. – JimNim Mar 28 '18 at 15:48

score 4 · Answer 3 · answered Apr 18 '12 at 14:45

4

You do have to convert the public key to openssh convention:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBmhLUTJiP[and so on]== somename-20060227

Also make sure that the key occupies exactly one line and no line breaks were introduced while copying.

answered Apr 18 '12 at 14:45

Dima Chubarov

2,316
1
17
28

score 3 · Answer 4 · answered Apr 18 '12 at 14:43

3

Just rewrite your key in format suited for authorized_keys:

keytype keybody keyname

Keep in mind that trailing "==" are necessary placeholders to keep keylength equal to desired length.

answered Apr 18 '12 at 14:43

Kondybas

6,964
2
20
24

6

The trailing "==" are [Base64 padding](http://en.wikipedia.org/wiki/Base64#Padding) – Andrew Apr 18 '12 at 14:46
how do I know if its RSA or DSA? – Björn Apr 18 '12 at 16:07

sastorsl · Answer 5 · 2023-01-16T11:36:02.793

To create public keys for a number of password encrypted private keys the following script will:

Read the private key with ssh-keygen -e and output a public key - and ask for the private key password
Create a PEM based public key and store in an environment variable
Use ssh-keygen -i to create and OpenSSH compatible public key
And write to a .pub output file

for i in $(ls -1 id_rsa_* | grep -v "\.pub$")  # Ignore .pub files
do
  PEM=$(ssh-keygen -e -f $i -m PEM)  # Will ask for the private key password
  echo $(ssh-keygen -i -m PEM -f <(echo "$PEM")) KEY-ALIAS > $i.pub
done

A side note, seahorse, the Ubuntu "Passwords and keys" agent, requires the public keys to be able to store the private keys.

SSH Public Key Format

5 Answers5