Cheat Sheet logoCheat Sheet Today

SSH Keys and Agent Cheat Sheet

SSHPermalink

SSH key generation, authorized_keys management, ssh-keyscan, host keys, ssh-agent, ssh-add, and certificate basics.

Sign in to save
View
StandardDetailedCompact
Export
Copy the compact sheet, download it, or print it.
Download
`D` dense toggle · `C` copy all

Key Generation

Create, inspect, and convert SSH keys.

Generate an Ed25519 key

Create a modern SSH key pair.

#
bashANYsshkeygened25519
bash
ssh-keygen -t ed25519 -C 'you@example.com'

Create a modern SSH key pair.

Generate an RSA key

Create an RSA key pair for compatibility when needed.

#
bashANYsshkeygenrsa
bash
ssh-keygen -t rsa -b 4096 -C 'you@example.com'

Create an RSA key pair for compatibility when needed.

Generate a key at a custom path

Write a key pair to a chosen file.

#
bashANYsshkeygenidentity
bash
ssh-keygen -t ed25519 -f ~/.ssh/id_work_ed25519 -C 'work key'

Write a key pair to a chosen file.

Generate a key without passphrase

Skip passphrase prompts, usually only for automation accounts.

#
bashANYsshkeygenautomation
bash
ssh-keygen -t ed25519 -N '' -f ~/.ssh/id_ci_ed25519

Skip passphrase prompts, usually only for automation accounts.

Change key passphrase

Update the passphrase on an existing private key.

#
bashANYsshkeygenpassphrase
bash
ssh-keygen -p -f ~/.ssh/id_ed25519

Update the passphrase on an existing private key.

Show a key fingerprint

Print the fingerprint of a public key file.

#
bashANYsshkeygenfingerprint
bash
ssh-keygen -lf ~/.ssh/id_ed25519.pub

Print the fingerprint of a public key file.

Show randomart for a key

Display a visual fingerprint representation.

#
bashANYsshkeygenfingerprint
bash
ssh-keygen -lvf ~/.ssh/id_ed25519.pub

Display a visual fingerprint representation.

Extract public key from private key

Regenerate the public half from a private key.

#
bashANYsshkeygenpublickey
bash
ssh-keygen -y -f ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.pub

Regenerate the public half from a private key.

Authorized Keys and Host Keys

Install keys and inspect remote host keys.

Install your public key on a server

Append your public key to a remote account's authorized_keys.

#
bashANYsshauthorized-keyscopy-id
bash
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@example.com

Append your public key to a remote account's authorized_keys.

Install key on custom port

Use ssh-copy-id with a non-default SSH port.

#
bashANYsshauthorized-keyscopy-id
bash
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 user@example.com

Use ssh-copy-id with a non-default SSH port.

Scan a host key

Fetch a server host key without logging in.

#
bashANYsshhostkeykeyscan
bash
ssh-keyscan example.com

Fetch a server host key without logging in.

Add a host key to known_hosts

Append a scanned host key to your known_hosts file.

#
bashANYsshknown-hostskeyscan
bash
ssh-keyscan -H example.com >> ~/.ssh/known_hosts

Append a scanned host key to your known_hosts file.

Find a host in known_hosts

Search known_hosts for a specific host entry.

#
bashANYsshknown-hostsinspect
bash
ssh-keygen -F example.com

Search known_hosts for a specific host entry.

Remove a host from known_hosts

Delete stale host key entries for a host.

#
bashANYsshknown-hostscleanup
bash
ssh-keygen -R example.com

Delete stale host key entries for a host.

Hash known_hosts file

Hash hostnames in known_hosts for privacy.

#
bashANYsshknown-hostsprivacy
bash
ssh-keygen -H -f ~/.ssh/known_hosts

Hash hostnames in known_hosts for privacy.

Sign a host key with a CA

Create a host certificate from a host CA key.

#
bashANYsshcertificatehostkey
bash
ssh-keygen -s ~/.ssh/ca_host -I host-web01 -h -n web01.example.com /etc/ssh/ssh_host_ed25519_key.pub

Create a host certificate from a host CA key.

ssh-agent and ssh-add

Manage agent sockets and loaded identities.

Start ssh-agent in current shell

Start an agent and export its environment variables.

#
bashANYsshagentenvironment
bash
eval "$(ssh-agent -s)"

Start an agent and export its environment variables.

Add default key to agent

Load the default identity into ssh-agent.

#
bashANYsshagentssh-add
bash
ssh-add ~/.ssh/id_ed25519

Load the default identity into ssh-agent.

List loaded keys

Show fingerprints of identities currently loaded in the agent.

#
bashANYsshagentinspect
bash
ssh-add -l

Show fingerprints of identities currently loaded in the agent.

List public keys in agent

Print public keys currently loaded in the agent.

#
bashANYsshagentpublickey
bash
ssh-add -L

Print public keys currently loaded in the agent.

Remove one key from agent

Delete a specific key from the agent.

#
bashANYsshagentcleanup
bash
ssh-add -d ~/.ssh/id_ed25519

Delete a specific key from the agent.

Remove all keys from agent

Clear all identities from the agent.

#
bashANYsshagentcleanup
bash
ssh-add -D

Clear all identities from the agent.

Require confirmation before using a key

Load a key that prompts for confirmation on each use.

#
bashANYsshagentconfirmation
bash
ssh-add -c ~/.ssh/id_ed25519

Load a key that prompts for confirmation on each use.

Set agent key lifetime

Load a key that expires automatically from the agent.

#
bashANYsshagentlifetime
bash
ssh-add -t 1h ~/.ssh/id_ed25519

Load a key that expires automatically from the agent.

More in SSH

OpenSSH Server Admin Cheat Sheet
sshd administration, config validation, systemd control, logging, hardening, authorized keys, and certificates.
SSH Tunnels and Forwarding Cheat Sheet
Local, remote, and dynamic SSH forwarding with practical database, web, and bastion tunnel recipes.
SCP and SFTP Cheat Sheet
SSH-based file transfer with scp and sftp, including recursive copies, jump hosts, interactive commands, and batch mode.
SSH Config Cheat Sheet
Client-side SSH configuration examples for aliases, defaults, patterns, includes, ProxyJump, multiplexing, and effective config inspection.
SSH Cheat Sheet
Comprehensive SSH client commands for login, remote execution, auth, multiplexing, jump hosts, and practical options.

Recommended next

No recommendations yet.
Browse all sheets →