Tags: linux, ssh-keys, ssh-keygen

What exactly does `ssh-keygen -A` do?


$ ssh-keygen --help
ssh-keygen: unrecognized option: -
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]
              [-N new_passphrase] [-C comment] [-f output_keyfile]
   ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
   ssh-keygen -i [-m key_format] [-f input_keyfile]
   ssh-keygen -e [-m key_format] [-f input_keyfile]
   ssh-keygen -y [-f input_keyfile]
   ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
   ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
   ssh-keygen -B [-f input_keyfile]
   ssh-keygen -D pkcs11
   ssh-keygen -F hostname [-f known_hosts_file] [-l]
   ssh-keygen -H [-f known_hosts_file]
   ssh-keygen -R hostname [-f known_hosts_file]
   ssh-keygen -r hostname [-f input_keyfile] [-g]
   ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
   ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]
              [-j start_line] [-K checkpt] [-W generator]
   ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]
              [-O option] [-V validity_interval] [-z serial_number] file ...
   ssh-keygen -L [-f input_keyfile]
   ssh-keygen -A
   ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
              file ...
   ssh-keygen -Q -f krl_file file ...

You may notice that ssh-keygen -A is conspicuously missing documentation.

$ ssh-keygen -A
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519 

It appears to be generating (A)ll the key files, but I don't see any keys in /root/.ssh/. Just to confirm, I ran ssh-keygen with no options, entered through all the prompts, and I had keys as expected.

So the question is, "What exactly is happening?"


Solution

  • This is documented in the ssh-keygen manual:

    -A

    For each of the key types (rsa1, rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This is used by system administration scripts to generate new host keys.

    So, if your system does not already have host keys, ssh-keygen -A will create them. Recreating the host keys will cause your SSH client to complain about the key fingerprint for the host having changed the next time you connect to the machine, and ...

    Are you sure you want to continue connecting (yes/no)?

    (assuming you have previously connected successfully to the machine with SSH)
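The check an administrator would want before and after running `ssh-keygen -A`: which of the default host keys are missing (those are the ones -A will create) and whether any existing fingerprint changed (the cause of the client warning quoted above). This is an added example, not code from the answer or from OpenSSH; it reproduces the `ssh-keygen -lf` SHA256 fingerprint from the public-key blob in pure Python and uses a constructed dummy ed25519 key under a prefix directory, the layout `ssh-keygen -A -f PREFIX` writes to.

```python
import base64
import hashlib
import os
import struct
import tempfile

# Key types and default paths ssh-keygen -A manages; -f PREFIX relocates them under PREFIX.
HOST_KEY_TYPES = ("rsa", "dsa", "ecdsa", "ed25519")

def host_key_path(prefix, key_type):
    return os.path.join(prefix, "etc", "ssh", "ssh_host_%s_key" % key_type)

def fingerprint(pubkey_line):
    """SHA256 fingerprint of an OpenSSH public-key line, as `ssh-keygen -lf` prints it."""
    blob = base64.b64decode(pubkey_line.split()[1])   # fields: type, base64 blob, comment
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + digest.rstrip("=")               # OpenSSH drops the '=' padding

def audit_host_keys(prefix):
    """Map each key type to its fingerprint, or None where -A would create a new key."""
    report = {}
    for key_type in HOST_KEY_TYPES:
        priv = host_key_path(prefix, key_type)
        if os.path.exists(priv):                         # -A only checks that the private key exists
            with open(priv + ".pub") as fh:
                report[key_type] = fingerprint(fh.readline())
        else:
            report[key_type] = None
    return report

def changed_keys(before, after):
    """Key types whose fingerprint differs: clients will warn on the next connection."""
    return [k for k in HOST_KEY_TYPES if before[k] is not None and before[k] != after[k]]

def write_constructed_ed25519(prefix, raw32):
    """Write a dummy ed25519 key pair (constructed bytes, not a real key) at the default path."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    priv = host_key_path(prefix, "ed25519")
    os.makedirs(os.path.dirname(priv), exist_ok=True)
    open(priv, "w").close()                              # placeholder private key file
    with open(priv + ".pub", "w") as fh:
        fh.write("ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@host\n")

def demo():
    """Audit an empty prefix, add a key, then recreate it and detect the changed fingerprint."""
    prefix = tempfile.mkdtemp()
    empty = audit_host_keys(prefix)
    write_constructed_ed25519(prefix, bytes(range(32)))
    before = audit_host_keys(prefix)
    write_constructed_ed25519(prefix, bytes(32))         # simulate recreating the host key
    after = audit_host_keys(prefix)
    return empty, before, after, changed_keys(before, after)
```

Point `audit_host_keys` at `/` on a real host to compare against the fingerprints your clients have in `known_hosts`.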