Secure Shell (SSH) Public Key Extractor

Field	Value	Copy
{{ row.field }}	{{ row.value }}

Component	Value	Copy
{{ row.field }}	`{{ row.value }}`{{ row.value }}

#	Stage	Status	Detail	Evidence	Copy
{{ row.idx }}	{{ row.stage }}	{{ row.status }}	{{ row.detail }}	{{ row.evidence }}

An SSH public key line is the public identity that a server compares when deciding whether a login attempt matches a trusted key. When you need to register access or audit existing entries, the hard part is often not the math but getting the exact public blob and fingerprint into the right form. This tool extracts that public information and rewrites it into a shareable server entry.

It can start from an OpenSSH private key, an RSA PEM private key, or an existing SSH public key line. The result includes the key type, bit length, SHA-256 and MD5 fingerprints, and a reconstructed authorized_keys line with any options prefix and trailing comment you choose.

That makes it useful when you need to turn a private key into a public entry for server setup, confirm that a pasted key matches the fingerprint shown by ssh-keygen, or normalize an authorized_keys line before handing it to another administrator.

The result still needs to be read narrowly. A matching fingerprint proves that two public blobs are the same key. It does not prove who controls the private key, whether the key should be trusted, or whether a host and account policy will accept it.

There is also a package-specific security caveat. Parsing happens in the browser, but changed form values are mirrored into the page URL. That means pasted private keys, comments, and options can end up in browser history, copied links, screenshots, or logs, so this package is a poor place for live production secrets.

Everyday Use & Decision Guide:

The safest first pass is to paste a public key line rather than a private key. You still get Key type, Bits, SHA-256 fingerprint, and a normalized authorized entry, but you avoid placing private material into the address bar.

If you do need to start from private material, the package is best for disposable samples, lab checks, or already-sanitized keys used in documentation. It is a poor fit for encrypted PKCS#8 keys, non-RSA PEM private keys, or mixed blobs where you need every detected key processed instead of only the first one.

Check Derivation path first; it tells you whether the result came from openssh_private_key, rsa_private_pem, or public_key_line.
If Keys ignored is above zero, only the first recognized key fed the output.
Compare SHA-256 fingerprint with a trusted source such as ssh-keygen -lf or the destination host prompt before copying the authorized entry.
Treat authorized_keys options carefully because the package prepends them verbatim ahead of the key type token.

Copy the final authorized_keys line only after Key type, Bits, and the fingerprint agree with the source you intended to trust. When those fields disagree, Derivation Trace is the fastest place to see whether the problem is an unsupported key format, an unexpected parser path, or extra text around the key.

Technical Details:

SSH public key text has two parts that matter here: an algorithm token such as ssh-ed25519 or ssh-rsa, and a Base64 payload that encodes the public key blob. Fingerprints are computed from the decoded blob bytes, not from any trailing comment and not from any options that may appear before the key in an authorized_keys file.

The package supports three extraction paths. If the input is an OpenSSH private key block, it reads the embedded public key records from the openssh-key-v1 container and uses the first one. If the input is an RSA PEM private key, it derives the public blob from the modulus and exponent. Otherwise it scans for the first recognized public key line and decodes that line directly.

Bit-length handling depends on key family. Ed25519 is reported as 256 bits, the supported ECDSA curves are fixed at 256, 384, or 521 bits, and RSA length is estimated from the modulus mpint after ignoring any leading zero byte used to keep the integer positive. That explains why a 2048-bit RSA key may occupy 257 bytes in the blob without actually becoming a 2056-bit key.

The result surfaces answer different questions. Key Fact Sheet shows what was parsed and how many lines were ignored. Authorized Entry reconstructs the line that can go into authorized_keys, with any options prefix and comment you supply. Derivation Trace is a step log that shows which parser succeeded and where a failure occurred.

The local parsing story needs one more caveat. File reads, hashing, and format conversion happen in the browser and the package ships no tool-specific server helper, but the shared query-parameter mixin updates the page URL whenever Key input, Comment, or authorized_keys options change. Sensitive input can therefore persist in browser history or copied links even though the extraction logic itself does not upload it.

Transformation Core

Every supported path reduces the input to the same thing: a public key blob that can be fingerprinted and rewritten.

\begin{array}{lll} K_{pub} & = & decoded public key blob bytes \\ F_{256} & = & Base64 (SHA-256 (K_{pub})) without trailing = \\ F_{MD5} & = & lowercase hex (MD5 (K_{pub})) grouped as aa:bb:cc \end{array}

Supported extraction paths for the SSH public key extractor
Input Path	Accepted Form	Derivation Path	Limit
OpenSSH private key	`-----BEGIN OPENSSH PRIVATE KEY-----`	`openssh_private_key`	Uses only the first embedded key record when multiple keys are present.
RSA PEM private key	`-----BEGIN RSA PRIVATE KEY-----` or parseable RSA `PRIVATE KEY`	`rsa_private_pem`	Only RSA PEM conversion is supported; encrypted PKCS#8 input is rejected.
Public key line	`ssh-rsa`, `ssh-ed25519`, or supported `ecdsa-sha2-*` lines	`public_key_line`	Only the first recognized line is used, even if more are present in the pasted text.

Result fields and failure signals for the SSH public key extractor
Field or Signal	What It Means	How To Use It
`SHA-256 fingerprint`	Modern fingerprint derived from the public blob bytes	Use this as the primary match string when you compare against `ssh-keygen` or a host prompt.
`MD5 fingerprint`	Legacy colon-delimited digest of the same blob	Useful only when the external system still shows MD5-style fingerprints.
`Keys ignored`	Recognized extra keys that were not processed	A value above zero means the page did not build output for every key in the pasted text.
`Could not detect a key`	No supported private or public key structure was found	Paste a full public key line or a supported private key block instead of surrounding prose.
`Unsupported or encrypted PEM key`	The PEM input was not a parseable RSA key for this package	Export a public key line or convert the key to a compatible OpenSSH or RSA PEM form before retrying.

Step-by-Step Guide:

Pick the least sensitive input path that still answers your question.

Paste into Key input, upload a file, or drop a file onto the text area. If you already have a public key line, use that instead of a private key.
Open Advanced only if you need a custom authorized_keys options prefix or a trailing Comment. Otherwise leave both blank so the generated entry stays minimal.
Click Extract Key. If parsing succeeds, the summary block appears with the algorithm and fingerprints. If parsing fails, read the warning text before trying a different format.
In Key Fact Sheet, confirm Derivation path, Keys detected, Keys ignored, and SHA-256 fingerprint.
In Authorized Entry, inspect authorized_keys line and Line SHA-256 prefix. If the line starts with unexpected options or the wrong comment, edit the advanced fields and extract again.
Use Derivation Trace when the path surprises you. Unsupported PEM, malformed OpenSSH private-key data, or mixed text with multiple keys usually becomes obvious there.

Interpreting Results:

SHA-256 fingerprint is the modern comparison field, while MD5 fingerprint is mainly for matching older displays. If you are comparing against a trusted external source, use SHA-256 first unless that source clearly shows MD5.

Derivation path should match the kind of material you pasted. If it says public_key_line when you expected a private-key path, the parser likely skipped unsupported private-key data and found a key line later in the text instead.

If Keys ignored is > 0, only the first recognized key fed the output.
If Bits is blank or zero, type detection succeeded only partially and the blob may be incomplete or malformed.
A matching fingerprint confirms identical public key bytes, not successful login, file permissions, ownership, or server authorization. Verify against the destination host or a trusted ssh-keygen -lf output before granting access.

Worked Examples:

Checking a disposable Ed25519 public key

A disposable sample line such as ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFG1q39pWeLhE7WPGlz59vh4g4XS0RoRD+ClFhwnMQzT user@host produces Key type ssh-ed25519, Bits 256, Derivation path public_key_line, and SHA-256 fingerprint 9ie0m4J7mV91N44E7xNJ0do5ej0uRphNs5Qw8Mq3v0Y.

That is a normal audit case. The comment can change without changing the fingerprint because the digest is computed from the public blob, not from the trailing text.

Deriving an RSA public entry from a PEM private key

Pasting a 2048-bit RSA PEM private key yields Derivation path rsa_private_pem, Key type ssh-rsa, and Bits 2048. If you add from="10.0.0.0/8",no-port-forwarding in authorized_keys options, the generated authorized_keys line begins with that restriction string and then appends the public key.

The important interpretation point is that the options alter the server entry, not the fingerprint. They are outside the hashed public blob.

Mixed text where only the first key is processed

If you paste two recognized key lines in one block, the package still builds output for only the first one. Keys detected rises to 2, Keys ignored rises to 1, and the Authorized Entry tab represents only the first recognized key.

That is a useful warning, not a batch result. If you actually need both keys handled, split the input and process each line separately. If the warning instead says the PEM input is unsupported or encrypted, the corrective path is to export a compatible public key line or use a supported OpenSSH or RSA PEM key.

FAQ:

Does this package upload my key to a server?

The parsing, hashing, and file reading happen in the browser and this package has no tool-specific server helper. The larger risk is local leakage through the page URL, because changed form values are mirrored into query parameters.

Which private key formats actually work?

The supported private-key paths are OpenSSH private keys and RSA PEM keys that can be parsed as RSA. Encrypted PKCS#8 input and non-RSA PEM private keys are outside the package's supported conversion path.

Why does Keys ignored show a number greater than zero?

Because the package found more than one recognized key in the pasted text but only processed the first one. The extra keys are counted for visibility, not transformed into additional result sets.

Why does the fingerprint stay the same when I change the comment or options?

Because SHA-256 fingerprint and MD5 fingerprint are derived from the decoded public blob bytes only. authorized_keys options and the trailing comment sit outside that blob.

What should I do if the page says it could not detect a key?

Paste a full public key line or a supported private-key block instead of surrounding prose. If the warning says the PEM key is unsupported or encrypted, export a compatible public key line or use an OpenSSH private key or unencrypted RSA PEM key.

Glossary:

Public key blob: Decoded SSH byte sequence used for fingerprinting and type analysis.
Fingerprint: Digest summary used to compare one public key with another.
authorized_keys: Server file format that stores allowed public-key entries.
mpint: SSH multi-precision integer encoding used for RSA values.
Derivation path: The parser route that successfully produced the public key.

References:

ssh-keygen(1), OpenBSD manual pages. https://man.openbsd.org/ssh-keygen
sshd(8), OpenBSD manual pages. https://man.openbsd.org/sshd
RFC 4251, The Secure Shell (SSH) Protocol Architecture, IETF. https://datatracker.ietf.org/doc/html/rfc4251