$ ssh-keygen --help
ssh-keygen: unrecognized option: -
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]
              [-N new_passphrase] [-C comment] [-f output_keyfile]
   ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
   ssh-keygen -i [-m key_format] [-f input_keyfile]
   ssh-keygen -e [-m key_format] [-f input_keyfile]
   ssh-keygen -y [-f input_keyfile]
   ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
   ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
   ssh-keygen -B [-f input_keyfile]
   ssh-keygen -D pkcs11
   ssh-keygen -F hostname [-f known_hosts_file] [-l]
   ssh-keygen -H [-f known_hosts_file]
   ssh-keygen -R hostname [-f known_hosts_file]
   ssh-keygen -r hostname [-f input_keyfile] [-g]
   ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
   ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]
              [-j start_line] [-K checkpt] [-W generator]
   ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]
              [-O option] [-V validity_interval] [-z serial_number] file ...
   ssh-keygen -L [-f input_keyfile]
   ssh-keygen -A
   ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
              file ...
   ssh-keygen -Q -f krl_file file ...

You may notice that ssh-keygen -A is conspicuously missing documentation.

$ ssh-keygen -A
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519 

It appears to be generating (A)ll the key files, but I don't see any keys in /root/.ssh/. Just to confirm, I ran ssh-keygen with no options, entered through all the prompts, and I had keys as expected.

So the question is, "What exactly is happening?"

Zak
  • `For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys....` – David C. Rankin Feb 26 '18 at 08:11
  • @DavidC.Rankin I guess I don't understand the concept of host keys. So maybe you could expand your answer / comment. Thanks! – Zak Feb 26 '18 at 08:13
  • No problem. The host keys are the 'private' (and 'public') key pairs the system will use for authentication in whatever (`ssh, rsync, scp, etc..`) transactions that make use of the *system* keys instead of individual *user* keys you would generate for non-root users. You can generate all keys for the user that way as well, but I believe this is more a system setup option. (it is basically a generate all default keys, instead of having to do them one-at-a-time option) – David C. Rankin Feb 26 '18 at 08:16
  • This question is more appropriate for the StackExchange sites [**Super User**](http://superuser.com/) or [**Unix & Linux**](http://unix.stackexchange.com/). (it's not "programming", e.g. coding, related) – David C. Rankin Feb 26 '18 at 08:18
  • https://explainshell.com/explain?cmd=ssh-keygen+-A – Biffen Feb 26 '18 at 13:39
  • `-A` isn't ‘missing documentation’ any more than the other options. `ssh-keygen --help` only prints options and their parameters, not their *documentation*. `man ssh-keygen` shows you more, including documentation for `-A`. – Biffen Feb 26 '18 at 13:41
  • @Biffen Thanks for the link to explain shell! What an awesome website! – Zak Feb 26 '18 at 23:23

3 Answers


This is documented in the ssh-keygen manual:

-A

For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This is used by system administration scripts to generate new host keys.

So, if your system does not already have host keys, ssh-keygen -A will create them. Recreating the host keys will cause your SSH client to complain about the key fingerprint for the host having changed the next time you connect to the machine, and ...

Are you sure you want to continue connecting (yes/no)? 

(assuming you have previously connected successfully to the machine with SSH)

Kusalananda

I suspect that part of the question being asked is where ssh-keygen -A stores the result, a question I was trying to ask myself, and think I've answered.

You can fairly quickly see where the results are stored on your system by running the "ssh-keygen -A" command as a regular user (NOT ROOT): then the permissions will stop you actually re-writing anything:

user> ssh-keygen -A
ssh-keygen: generating new host keys: RSA1 open /etc/ssh/ssh_host_key failed: Permission denied.
Saving the key failed: /etc/ssh/ssh_host_key.
ssh-keygen: generating new host keys: ED25519 open /etc/ssh/ssh_host_ed25519_key failed: Permission denied.
Saving the key failed: /etc/ssh/ssh_host_ed25519_key.

showing that the system-wide keys are stored in /etc/ssh. This is configurable via the sshd_config file:

user> grep etc/ssh /etc/ssh/sshd_config 
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
David
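Putting the answers above together as a runnable sketch (an added example, not code from any of the posts or from OpenSSH itself): it drives `ssh-keygen -A` against a scratch prefix via `-f` instead of /etc/ssh, shows that a second run leaves existing keys untouched (the "for which host keys do not exist" clause of the man page), checks that the private keys came out mode 0600, and reproduces the client-side "host key changed" situation Kusalananda describes by recording the server's key in a constructed known_hosts file, regenerating the key and comparing fingerprints with `ssh-keygen -lf`. The hostname `myhost`, the scratch directory and the assumption that this OpenSSH build uses /etc/ssh as its key directory (so `-A -f PREFIX` writes to PREFIX/etc/ssh/) are mine. Recent OpenSSH releases accept `-f` as a path prefix with `-A`; the usage text quoted in the question is from a version whose usage line does not advertise it, so check `man ssh-keygen` on the target system first.

```shell
#!/bin/sh
# Added example (not from any of the posts above): drive `ssh-keygen -A`
# against a scratch prefix instead of /etc/ssh, then reproduce the
# client-side "host key changed" situation by regenerating one key.
#
# Assumptions, all mine: this OpenSSH build accepts `-A -f PREFIX` and was
# configured with /etc/ssh as its key directory, so -A writes to
# PREFIX/etc/ssh/ssh_host_*_key. -A does not create that directory, so the
# helper creates it first. The hostname "myhost" is made up.
set -eu

# Generate every default host key that is missing (or zero-length) below
# $1 and print the private key files now present. Existing keys are left
# alone, which is why a second run changes nothing.
gen_hostkeys() {
    prefix=$1
    mkdir -p "$prefix/etc/ssh"
    ssh-keygen -A -f "$prefix" >/dev/null
    find "$prefix/etc/ssh" -name 'ssh_host_*_key' | sort
}

# SHA256 fingerprint of a public key (or known_hosts) file: the second
# column of `ssh-keygen -lf`, i.e. "SHA256:" plus 43 base64 characters.
fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# Private host keys written by -A must be mode 0600; list any that are not.
loose_private_keys() {
    find "$1/etc/ssh" -name 'ssh_host_*_key' ! -perm 0600
}

# Record the server's current ed25519 key in a constructed known_hosts
# file under the name "myhost", delete the key so -A regenerates it, and
# compare fingerprints. The mismatch is exactly what makes a client print
# "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" after host keys are
# recreated. Prints "changed" or "unchanged".
hostkey_rotation_demo() {
    prefix=$1
    prv="$prefix/etc/ssh/ssh_host_ed25519_key"
    pub="$prv.pub"
    kh="$prefix/known_hosts"
    gen_hostkeys "$prefix" >/dev/null
    # known_hosts line: "<hostname> <key type> <base64 key>"
    printf 'myhost %s\n' "$(cut -d' ' -f1,2 "$pub")" > "$kh"
    rm -f "$prv" "$pub"
    gen_hostkeys "$prefix" >/dev/null   # only the deleted key is regenerated
    if [ "$(fingerprint "$kh")" = "$(fingerprint "$pub")" ]; then
        echo unchanged
    else
        # Forget the stale entry the way a user would; -R keeps a backup
        # in known_hosts.old.
        ssh-keygen -R myhost -f "$kh" >/dev/null 2>&1
        echo changed
    fi
}

# Stand-alone run: sh hostkeys.sh demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    gen_hostkeys "$dir"
    fingerprint "$dir/etc/ssh/ssh_host_ed25519_key.pub"
    loose_private_keys "$dir"
    hostkey_rotation_demo "$dir"
    rm -rf "$dir"
fi
```

The same prefix mechanism is what makes `-A` usable from image-build or first-boot scripts: the keys are written only where they do not already exist, so the script is safe to rerun, but anything that clones a filesystem after `-A` has run clones the host keys with it, and every clone will then present the same fingerprint.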

From what I've read, the -A option generates (A)ll default host keys.

A host key is a cryptographic key used for authenticating computers in the SSH protocol. Here is a great explanation from ssh.com

When I pressed enter through the ssh-keygen prompts, a key was generated in the ~/.ssh/ folder; as I was expecting. However, when running ssh-keygen -A, I didn't see any additional keys in ~/.ssh/.

After reading the post from ssh.com, I discovered the freshly minted keys sitting in /etc/ssh/.

UPDATE:

Check out the documentation of explainshell.com/explain?cmd=ssh-keygen+-A as recommended by @Biffen in the comments of the original question!

Zak