How do you test a public/private DSA keypair?

Question

Is there an easy way to verify that a given private key matches a given public key? I have a few *.puband a few *.key files, and I need to check which go with which.

Again, these are pub/key files, DSA.

I would really prefer a one-liner of some sort...

Answer 1

I found a way that seems to work better for me:

ssh-keygen -y -f <private key file>

That command will output the public key for the given private key, so then just compare the output to each *.pub file.

Answer 2

I always compare an MD5 hash of the modulus using these commands:

Certificate: openssl x509 -noout -modulus -in server.crt | openssl md5
Private Key: openssl rsa -noout -modulus -in server.key | openssl md5
CSR: openssl req -noout -modulus -in server.csr | openssl md5

If the hashes match, then those two files go together.

Answer 3

For DSA keys, use

 openssl dsa -pubin -in dsa.pub -modulus -noout

to print the public keys, then

 openssl dsa -in dsa.key -modulus -noout

to display the public keys corresponding to a private key, then compare them.

Answer 4

The check can be made easier with diff:

diff <(ssh-keygen -y -f $private_key_file) $public_key_file

The only odd thing is that diff says nothing if the files are the same, so you'll only be told if the public and private don't match.

Answer 5

Assuming you have the public keys inside X.509 certificates, and assuming they are RSA keys, then for each public key, do

    openssl x509 -in certfile -modulus -noout

For each private key, do

    openssl rsa -in keyfile -modulus -noout

Then match the keys by modulus.

Answer 6

Enter the following command to check if a private key and public key are a matched set (identical) or not a matched set (differ) in $USER/.ssh directory. The cut command prevents the comment at the end of the line in the public key from being compared, allowing only the key to be compared.

ssh-keygen -y -f ~/.ssh/id_rsa | diff -s - <(cut -d ' ' -f 1,2 ~/.ssh/id_rsa.pub)

Output will look like either one of these lines.

Files - and /dev/fd/63 are identical

Files - and /dev/fd/63 differ

I wrote a shell script that users use to check file permission of their ~/.ssh/files and matched key set. It solves my challenges with user incidents setting up ssh. It may help you. https://github.com/BradleyA/docker-security-infrastructure/tree/master/ssh

Note: My previous answer (in Mar 2018) no longer works with the latest releases of openssh. Previous answer: diff -qs <(ssh-keygen -yf ~/.ssh/id_rsa) <(cut -d ' ' -f 1,2 ~/.ssh/id_rsa.pub)

Answer 7

Delete the public keys and generate new ones from the private keys. Keep them in separate directories, or use a naming convention to keep them straight.

Answer 8

If you are in Windows and want use a GUI, with puttygen you can import your private key into it:

Once imported, you can save its public key and compare it to yours.

Answer 9

The easiest is to compare fingerprints as the public and private keys have the same. Visual comparison is pretty easy by putting the two commands on same line:

ssh-keygen -l -f PRIVATE_KEY; ssh-keygen -l -f PUBLIC_KEY

Programmatically, you'll want to ignore the comment portion so

diff -s <(ssh-keygen -l -f PRIVATE_KEY | cut -d' ' -f2) <(ssh-keygen -l -f PUBLIC_KEY | cut -d' ' -f2)

Answer 10

Encrypt something with the public key, and see which private key decrypts it.

This Code Project article by none other than Jeff Atwood implements a simplified wrapper around the .NET cryptography classes. Assuming these keys were created for use with RSA, use the asymmetric class with your public key to encrypt, and the same with your private key to decrypt.

Answer 11

If it returns nothing, then they match:

cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys
ssh -i $HOME/.ssh/id_rsa localhost

Answer 12

This answer should contain a warning: https://stackoverflow.com/a/67423640/1312559

WARNING! If the public and private key are in the same directory, the fingerprint is calculated for the public key even though the private key is given as a parameter.

-l' Show fingerprint of specified public key file. Private RSA1 keys are also supported. For RSA and DSA keys ssh-keygen tries to find the matching public key file and prints its fingerprint.

Unfortunately I don't have the reputation to comment.

Answer 13

A simple script to check matching of the keys with 3 options:

 #!/bin/bash

 PRKEY=mysshkey
 PUKEY=mysshkey.pub

 echo "1. OUTPUT"
 diff <( ssh-keygen -y -e -f "${PRKEY}" ) <( ssh-keygen -y -e -f "${PUKEY}")
 echo -e "\n"

 echo "2. OUTPUT"
 diff <( cut -d' ' -f 2 ${PUKEY} ) <( ssh-keygen -y -f "${PRKEY}" | cut -d' ' -f 2)
 echo -e "\n"

 echo "3. OUTPUT"
 DIFF=$(diff <( cut -d' ' -f 2 ${PUKEY} ) <( ssh-keygen -y -f "${PRKEY}" | cut -d' ' -f 2) )
 if [ "$DIFF" != "" ]; then
  echo "ERROR KEY"
 else
  echo "TRUE KEY"
 fi

If they keys not match you will get an output for output 1 and 2.

If they keys match you get no output.

Output 3 show's a message if keys fit or not.

Answer 14

Just use puttygen and load your private key into it. It offers different options, e.g. exporting the corresponding public key.