Secure Shell (SSH) Public Key Extractor

Field	Value	Copy
Type	{{ resultRows[0].type }}
Bits	{{ resultRows[0].bits }}
SHA-256	{{ resultRows[0].fp256 }}
MD5	{{ resultRows[0].fpmd5 }}
Public key (authorized_keys line)	`{{ resultRows[0].authorized }}`

SSH public keys are structured encodings that identify a user or host key and let a server recognize a trusted party. Many admins look for an ssh authorized keys line generator when onboarding a new account. This tool surfaces the public key, its fingerprints, and a ready to paste line for access control.

You provide a private key or an existing authorized key entry and receive the corresponding public key line with optional options and a comment, plus SHA 256 and MD5 fingerprints. Results help you compare what is on a workstation with what a server expects so you can verify identity quickly.

A common workflow is pasting an OpenSSH private key to confirm the public part before adding it to a server. Another is scanning a mixed text blob to pull out the first valid key and copy its authorized keys form with a short note.

Be mindful that fingerprints confirm a key match and not account permissions or server policy. Keep private keys safe, work on trusted devices, and avoid leaving sensitive material in shared clipboards.

Technical Details:

The core object is the Secure Shell public key and its raw byte representation known as the key blob. Two digests are computed from that blob to give stable fingerprints that are easy to compare across systems.

The engine computes a base64 fingerprint from a 32 byte Secure Hash value and a colon delimited hexadecimal fingerprint from a 16 byte Message Digest value. These fingerprints summarize the same key material and let you confirm that two encodings refer to the very same key.

Results show the key algorithm and a bit length. For Ed25519 and selected Elliptic Curve keys the bit length is fixed by the curve. For RSA it is derived from the modulus length encoded in the blob so you can see whether a key is 2048 or 4096 bits in practice.

Comparisons are meaningful only when you hash the same public blob. Formatting changes in the text line do not affect the raw blob, and comments or authorized options are not included in the hash inputs.

f_{256} = {B64}_{np} (H_{256} (K_{pub}))

Symbols and units used in formulas
Symbol	Meaning	Unit/Datatype	Source
`K_pub`	SSH public key blob	bytes	Derived
`H256`	SHA 256 digest of `K_pub`	32 bytes	Derived
`B64np`	Base64 without trailing `=`	string	Derived
`HMD5`	MD5 digest of `K_pub`	16 bytes	Derived
`Hexcolon`	Lowercase hex with colons	string	Derived
`bits`	Key length estimate	bits	Derived

Worked example:

\begin{array}{l} n_{len} & = & 257 bytes (mpint, first byte 0x00) \\ first & = & 0 \\ bits & = & (n_{len} - 1) \times 8 + first = 2048 \end{array}

For RSA the modulus mpint may include a leading zero to keep it positive, which does not add to the bit count.

Processing pipeline

Accept input as OpenSSH private key, RSA PEM private key, or a detected authorized key line.
Extract the first public key blob from the input.
Identify algorithm and derive bit length.
Hash the blob for SHA 256, strip any base64 padding.
Hash the blob for MD5, format as colon separated lowercase hex.
Assemble the authorized keys line with optional options and comment.

Validation & bounds

Input validation and limits
Field	Type	Min	Max	Step/Pattern	Error Text	Placeholder
Key input	text / file	—	—	`\b(ssh-(?:rsa\|ed25519\|ecdsa-sha2-nistp256\|ecdsa-sha2-nistp384\|ecdsa-sha2-nistp521))\s+([A-Za-z0-9+/=]+)`	Could not detect a key. Provide an OpenSSH private key or an RSA PEM.	Paste SSH private key (OpenSSH or RSA PEM)…
OpenSSH key	PEM	—	—	openssh-key-v1 header and structure	Malformed openssh-key-v1 structure.	—
RSA PEM	PKCS#1 / PKCS#8	—	—	RSA PRIVATE KEY or PRIVATE KEY blocks	Unsupported or encrypted PEM key (only RSA PEM supported). Encrypted PKCS#8 private keys are not supported without a passphrase.	—
Options	text	—	—	prepended verbatim before key type	—	`command="/bin/echo hi",no-port-forwarding`
Comment	text	—	—	appended verbatim at end	—	`user@host`

I/O formats

Accepted inputs and produced outputs
Input	Accepted Families	Output	Encoding/Precision	Rounding
Private key	OpenSSH private key; RSA PEM (PKCS#1 or PKCS#8)	Authorized key line	Key type, base64 key, optional options and comment	Not applicable
Public key line	ssh-rsa; ssh-ed25519; ecdsa-sha2-nistp256; ecdsa-sha2-nistp384; ecdsa-sha2-nistp521	Type, bits, fingerprints, authorized key line	SHA 256 base64 without padding; MD5 hex with colons	Not applicable
JSON/CSV exports	Single result payload	Inputs and results	Strings and integers as shown	Exact values

Networking & storage

Processing occurs in the browser; hashing and parsing run locally.
No data is transmitted to a server by the extraction logic.
Copy and download actions operate on in memory results.

Diagnostics & determinism

Identical inputs yield identical fingerprints and authorized key output.
Whitespace around inputs is ignored where safe.
On malformed inputs, concise warnings appear above the form.

Assumptions & limitations

Single item mode processes only the first detected key in any input.
Public key detection recognizes ssh-rsa, ssh-ed25519, and selected ECDSA curves.
Encrypted PKCS#8 private keys are not parsed without a passphrase.
Non RSA PEM private keys are not converted from PEM.
SHA 256 may be unavailable in very old environments.
MD5 output may be blank if no compatible implementation is available.
RSA bit length depends on a correctly encoded modulus mpint.
Options and comments are joined verbatim and are not validated.
Heads‑up Only the public blob is hashed; comments and options are excluded.

Edge cases & error sources

Leading or trailing text around a key line may confuse detection if the type token is altered.
Malformed OpenSSH structures raise a specific warning.
Invalid base64 in a key line prevents blob decoding.
Multiple keys in a blob trigger a single item note; extras are ignored.
Unsupported key types such as security key variants are not matched by the detector.
RSA keys with unusual encodings may report zero bits if parsing fails.
SHA 256 fallback may be unavailable and stop fingerprinting.
MD5 calculation can be disabled by environment limits, producing an empty field.
Encrypted PKCS#8 without a passphrase is rejected.
File read failures cancel the quick scan and extraction.

Privacy & compliance

No data is transmitted or stored server‑side. Treat private keys as sensitive material and follow your organization’s security guidance.

How‑to Guide:

SSH public key extraction with fingerprints and an authorized keys line.

Paste a OpenSSH private key or RSA PEM, or drop a file.
Optionally add authorized_keys options such as no-port-forwarding.
Optionally add a comment like user@host.
Choose Extract Key to compute fingerprints and build the line.
Copy the authorized key line or download JSON or CSV as needed.

Example: Options command="/bin/echo hi",no-port-forwarding with comment alice@work produce a single authorized key line with those parts wrapped around the key.

If a mixed text includes more than one key, only the first is used.
Warning Encrypted PKCS#8 inputs require a passphrase and are not parsed here.

FAQ:

Is my data stored?

No. Extraction and hashing run locally in the browser, and no server receives your inputs.

Keep private keys off shared or unmanaged devices.

Which key types are supported?

Authorized key detection supports ssh-rsa, ssh-ed25519, and ECDSA on nistp256, nistp384, and nistp521. PEM conversion is available for RSA only.

Other families are ignored rather than partially parsed.

How are fingerprints computed?

Both digests hash the raw public blob. SHA 256 is shown as base64 without trailing padding, and MD5 is shown as lowercase hex separated by colons.

Options and comments are not part of the hash.

Why do I see “Malformed openssh-key-v1 structure”?

The OpenSSH header was found, but its internal fields were inconsistent or truncated. Supply a complete key or try a different source.

Encrypted bodies are fine because public parts are stored in clear.

Can I use an encrypted PKCS#8 file?

Not here. Encrypted PKCS#8 private keys require a passphrase and are not parsed for public output by this tool.

Provide an OpenSSH private key instead.

What if the MD5 field is empty?

Your environment did not provide a compatible MD5 routine. The SHA 256 fingerprint remains available for verification.

Prefer SHA 256 for comparisons.

How do I extract an authorized key from a private key?

Paste the private key, choose Extract Key, then copy the authorized key line from the summary or the table.

You may add options and a comment before copying.

Does it work offline?

Once loaded, the extraction runs locally. No external service is needed during parsing and hashing.

Network access may still be required to load the page itself.

Troubleshooting:

“Paste a key or blob first.” appears when the input is empty.
Use the file picker if copy and paste alters line breaks.
Remove shell prompts or comments around key lines before trying again.
Verify PEM headers match the key family you intend to use.
Try the Table tab if JSON highlighting looks odd in your theme.
Toggle the Advanced panel to check whether options or comments caused confusion.

Blocking: If hashing fails with a SHA 256 unavailable message, update the environment or use a modern browser that provides cryptographic primitives.

Advanced Tips:

Tip Add a distinct comment for each host to make audit trails easier to read.

Tip Keep options minimal and explicit so you can spot drift across servers.

Tip Store the JSON output with tickets to tie a fingerprint to a change request.

Tip Confirm the bit length before rollout when rotating RSA keys.

Tip Use options like no-port-forwarding to restrict automation accounts.

Tip Clear the clipboard after copying sensitive lines on shared machines.

Glossary:

Authorized keys line: Text form used by a server to grant access to a public key.
Public key blob: Length prefixed bytes that encode the algorithm and key data.
SHA 256 fingerprint: Base64 of a 32 byte digest of the public blob, without padding.
MD5 fingerprint: Colon separated lowercase hex of a 16 byte digest of the blob.
OpenSSH private key: PEM form that embeds public parts in clear with private data.
RSA modulus mpint: Unsigned big integer for RSA that sets the bit length.
Options prefix: Comma separated controls placed before the key type.
Comment: Trailing note that helps you identify where a key is used.