ssh-keygen: Usage, Options & Common CI Errors
ssh-keygen generates SSH key pairs and edits the known_hosts file.
ssh-keygen creates the deploy keys CI uses and manages known_hosts entries. In automation the must-haves are an empty passphrase (-N "") so nothing prompts, and -R to remove a stale host key.
What it does
ssh-keygen generates, manages, and inspects SSH authentication keys and known_hosts entries. In CI it creates non-interactive deploy keys, computes key fingerprints, and removes outdated host keys so connections do not fail on a changed key.
Common usage
ssh-keygen -t ed25519 -f ./deploy_key -N "" # no passphrase, no prompt
ssh-keygen -t rsa -b 4096 -C "ci@example.com" -f ./id_rsa -N ""
ssh-keygen -lf ./deploy_key.pub # show the fingerprint
ssh-keygen -R github.com # remove a stale host key
ssh-keygen -y -f ./deploy_key > ./deploy_key.pub # derive the public keyOptions
| Flag | What it does |
|---|---|
| -t <type> | Key type (ed25519, rsa, ecdsa) |
| -b <bits> | Key size (rsa: 2048/4096) |
| -f <file> | Output key file path |
| -N "<phrase>" | Passphrase ("" = none, for automation) |
| -R <host> | Remove host from known_hosts |
| -l -f <file> | Print a key fingerprint |
Common errors in CI
Omitting -N makes ssh-keygen prompt "Enter passphrase" and hang a non-interactive job - always pass -N "" for CI keys. "Load key ... invalid format" / "error in libcrypto" means the private key was mangled - usually a multi-line key stored in a CI secret lost its newlines or trailing newline; preserve exact formatting. "Permissions 0644 ... are too open" - chmod 600 the key before use. "ssh-keygen -R" rewrites known_hosts to drop a changed host key, the fix for "REMOTE HOST IDENTIFICATION HAS CHANGED".