Creating Keys with ssh-keygen-g3

To create a public key pair, run ssh-keygen-g3 on Client:

$ ssh-keygen-g3
Generating 2048-bit rsa key pair
   9 oOo.oOo.oOo
Key generated.
2048-bit rsa, ClientUser@Client, Wed Feb 2 2016 12:09:46 +0200
Passphrase : 
Again :
Private key saved to  /home/ClientUser/.ssh2/id_rsa_2048_a
Public key saved to   /home/ClientUser/.ssh2/

When run without options, ssh-keygen-g3 asks for a passphrase for the new key. Enter a sufficiently long (20 characters or so) sequence of any characters (spaces are OK).


In FIPS mode, it is not possible to generate user keys without a passphrase, because a FIPS regulation forbids exporting unencrypted private keys out of the FIPS module.

The new authentication key pair consists of two separate files. One of the keys is your private key, which must never be made available to anyone but yourself. The private key can only be used together with the passphrase.

On Unix, the key pair is by default stored in your $HOME/.ssh2 directory (created by ssh-keygen-g3 if it does not already exist). On Windows, the key pair is by default stored in your %APPDATA%\SSH\UserKeys directory.

In the example above, the private key file is id_rsa_2048_a. The public key file is, and it can be distributed to other computers.

By default, ssh-keygen-g3 creates a 2048-bit RSA key pair. DSA or ECDSA keys can be generated by specifying the -t option with ssh-keygen-g3. Key length can be specified with the -b option. For automated jobs, the key can be generated without a passphrase with the -P option, for example:

$ ssh-keygen-g3 -t ecdsa -b 384 -P 
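
A key generated with -P has no passphrase protecting it, so file ownership and permissions are what keep the private key from other local users. The following check is an added example, not part of the product documentation: it audits one private key file on Unix and the directory that holds it. The function names audit_private_key and mode_of are hypothetical, and the key path is passed in by the caller.

```shell
#!/bin/sh
# Added example: audit one private key file, e.g. "$HOME/.ssh2/id_rsa_2048_a".
# Usage: audit_private_key PATH   (prints findings; returns 0 if clean, else 1)

mode_of() {
    # First field of `ls -ld`, e.g. "-rw-------" or "drwx------".
    ls -ld -- "$1" | cut -c1-10
}

audit_private_key() {
    key=$1
    dir=$(dirname -- "$key")
    rc=0

    # A symlink or special file could point anywhere; check real files only.
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        echo "FAIL $key: missing, a symlink, or not a regular file"
        return 1
    fi
    if [ ! -O "$key" ]; then
        echo "FAIL $key: not owned by the current user"
        rc=1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    kmode=$(mode_of "$key")
    if [ "$(printf %s "$kmode" | cut -c5-10)" != "------" ]; then
        echo "FAIL $key: group/other permission bits set ($kmode)"
        rc=1
    fi
    # A directory writable by others lets them replace or rename the key.
    dmode=$(mode_of "$dir")
    if [ "$(printf %s "$dmode" | cut -c6)" = w ] ||
       [ "$(printf %s "$dmode" | cut -c9)" = w ]; then
        echo "FAIL $dir: writable by group/other ($dmode)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK   $key"
    fi
    return "$rc"
}
```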

For more information on the ssh-keygen-g3 options, see ssh-keygen-g3(1).