

# Generate SSH keys for service-managed users
<a name="sshkeygen"></a>

You can set up your server to authenticate users using the service managed authentication method, where usernames and SSH keys are stored within the service. The user's public SSH key is uploaded to the server as a property of that user. The server uses this key as part of a standard key-based authentication process. Each user can have multiple public SSH keys on file with an individual server. For limits on the number of keys that can be stored per user, see [AWS Transfer Family endpoints and quotas](https://docs.aws.amazon.com//general/latest/gr/transfer-service.html) in the *Amazon Web Services General Reference*.

As an alternative to the service managed authentication method, you can authenticate users using a custom identity provider, or AWS Directory Service for Microsoft Active Directory. For more information, see [Working with custom identity providers](custom-idp-intro.md) or [Using AWS Directory Service for Microsoft Active Directory](directory-services-users.md).

A server can only authenticate users using one method (service managed, directory service, or custom identity provider), and that method cannot be changed after the server is created.

**Topics**
+ [Creating SSH keys on macOS, Linux, or Unix](macOS-linux-unix-ssh.md)
+ [Creating SSH keys on Microsoft Windows](windows-ssh.md)
+ [Converting an SSH2 key to SSH public key format](convert-ssh2-public-key.md)

# Creating SSH keys on macOS, Linux, or Unix
<a name="macOS-linux-unix-ssh"></a>

On the macOS, Linux, or Unix operating systems, you use the `ssh-keygen` command to create an SSH public key and an SSH private key, together known as a key pair.

**Note**  
In the following examples, we do not specify a passphrase on the command line; in this case, the tool prompts you to enter a passphrase and then repeat it to verify. Setting a passphrase offers better protection for your private key, and might also improve overall system security. You cannot recover your passphrase: if you forget it, you must create a new key.  
However, if you are generating a server host key, you *must* specify an empty passphrase, by specifying the `-N ""` option in the command (or by pressing **Enter** twice when prompted), because Transfer Family servers cannot request a password at start-up.

**To create SSH keys on a macOS, Linux, or Unix operating system**

1. On macOS, Linux, or Unix operating systems, open a command terminal.

1. AWS Transfer Family accepts RSA-, ECDSA-, and ED25519-formatted keys. Choose the appropriate command based on the type of key pair you are generating.

   **Tip**: Replace `key_name` with the actual name of your SSH key pair file.
   + To generate an RSA 4096-bit key pair:

     ```
     ssh-keygen -t rsa -b 4096 -f key_name
     ```
   + To generate an ECDSA 521-bit key pair (ECDSA has bit sizes of 256, 384, and 521):

     ```
     ssh-keygen -t ecdsa -b 521 -f key_name
     ```
   + To generate an ED25519 key pair:

     ```
     ssh-keygen -t ed25519 -f key_name
     ```

   The following shows an example of the `ssh-keygen` output.

   ```
   ssh-keygen -t rsa -b 4096 -f key_name
   Generating public/private rsa key pair.
   
   Enter passphrase (empty for no passphrase): 
   Enter same passphrase again:
   Your identification has been saved in key_name.
   Your public key has been saved in key_name.pub.
   The key fingerprint is:
   SHA256:8tDDwPmanTFcEzjTwPGETVWOGW1nVz+gtCCE8hL7PrQ bob.amazon.com
   The key's randomart image is:
   +---[RSA 4096]----+
   |    . ....E      |
   | .   = ...       |
   |. . . = ..o      |
   | . o +  oo =     |
   |  + =  .S.= *    |
   | . o o ..B + o   |
   |     .o.+.* .    |
   |     =o*+*.      |
   |    ..*o*+.      |
   +----[SHA256]-----+
   ```

   **Tip**: When you run the `ssh-keygen` command as shown preceding, it creates the public and private keys as files in the current directory.

   Your SSH key pair is now ready to use. Follow steps 3 and 4 to store the SSH public key for your service-managed users. These users use the keys when they transfer files on Transfer Family server endpoints.

1. Navigate to the `key_name.pub` file and open it.

1. Copy the text and paste it in **SSH public key** for the service-managed user.

   1. Open the AWS Transfer Family console at [https://console.aws.amazon.com/transfer/](https://console.aws.amazon.com/transfer/), then select **Servers** from the navigation pane.

   1. On the **Servers** page, select the **Server ID** for the server that contains the user that you want to update.

   1. Select the user for which you are adding a public key.

   1. In the **SSH public keys** pane, choose **Add SSH public key**.  
      ![The AWS Transfer Family console, showing the user details for a selected user.](http://docs.aws.amazon.com/transfer/latest/userguide/images/edit-user-add-key-01.png)

   1. Paste the text of the public key you generated into the SSH public key text box, and then choose **Add key**.  
      ![The AWS Transfer Family console, showing the Add key page for adding a public key.](http://docs.aws.amazon.com/transfer/latest/userguide/images/edit-user-add-key-02.png)

      The new key is listed in the SSH public key pane.  
      ![The AWS Transfer Family console, showing the newly added public key in the SSH public keys section.](http://docs.aws.amazon.com/transfer/latest/userguide/images/edit-user-add-key-03.png)

# Creating SSH keys on Microsoft Windows
<a name="windows-ssh"></a>

Windows includes OpenSSH as a built-in feature, which you can use to generate SSH keys in the same format as on Linux or macOS. Alternatively, you can use third-party tools like PuTTY's key generator (PuTTYgen).

## Using Windows built-in OpenSSH
<a name="windows-openssh"></a>

Recent versions of Windows include OpenSSH by default. You can use the same `ssh-keygen` commands as described in the macOS/Linux section:

1. Open Windows PowerShell or Command Prompt.

1. Run one of the following commands based on the type of key you want to generate:
   + To generate an RSA 4096-bit key pair:

     ```
     ssh-keygen -t rsa -b 4096 -f key_name
     ```
   + To generate an ECDSA 521-bit key pair:

     ```
     ssh-keygen -t ecdsa -b 521 -f key_name
     ```
   + To generate an ED25519 key pair:

     ```
     ssh-keygen -t ed25519 -f key_name
     ```

1. Follow the same steps as in the macOS/Linux section to upload your public key to AWS Transfer Family.

## Using PuTTYgen (third-party tool)
<a name="windows-puttygen"></a>

Some third-party SSH clients for Windows, such as PuTTY, use different key formats. PuTTY uses the `PPK` format for private keys. If you're using PuTTY or related tools like WinSCP, you can use PuTTYgen to create keys in this format.

**Note**  
If you present WinSCP with a private key file not in `.ppk` format, that client offers to convert the key into `.ppk` format for you.

For a tutorial about creating SSH keys by using PuTTYgen, see the [SSH.com website](https://www.ssh.com/ssh/putty/windows/puttygen).

# Converting an SSH2 key to SSH public key format
<a name="convert-ssh2-public-key"></a>

AWS Transfer Family only accepts SSH-formatted public keys. If you have an SSH2 public key, you need to convert it. An SSH2 public key has the following format:

```
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20160402"
AAAAB3NzaC1yc2EAAAABJQAAAgEAiL0jjDdFqK/kYThqKt7THrjABTPWvXmB3URI
:
:
---- END SSH2 PUBLIC KEY ----
```

An SSH public key has the following format:

```
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAA...
```

Run the following command to convert an SSH2-formatted public key into an SSH-formatted public key. Replace *ssh2-key* with the name of your SSH2 key, and *ssh-key* with the name of your SSH key.

```
ssh-keygen -i -f ssh2-key.pub > ssh-key.pub
```
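The following Python script is an added example, not AWS code and not part of `ssh-keygen`. It does the conversion described above in pure Python, so you can see what the `ssh-keygen -i` step produces: it parses the RFC 4716 (SSH2) text, decodes the base64 body, reads the algorithm name stored at the front of the key blob, and emits the one-line OpenSSH form. It also applies the key-type check from the key generation section (RSA, ECDSA, or ED25519 only) before you paste the key into the **SSH public key** text box. The `ACCEPTED_KEY_TYPES` set, the helper names, and the sample key texts are assumptions of this example; the sample blobs have the right wire layout but are constructed placeholders, not real keys.

```python
"""Convert an RFC 4716 (SSH2) public key to OpenSSH one-line format and
check the key type before uploading it to a Transfer Family user.

Added example (not AWS code). Mirrors the public-key case of
`ssh-keygen -i -f ssh2-key.pub` so the result can be inspected.
"""
import base64
import struct

# Algorithm names for the key families the page says the service accepts
# (RSA, ECDSA, ED25519), as they appear in the SSH wire format.
ACCEPTED_KEY_TYPES = {
    "ssh-rsa",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "ssh-ed25519",
}

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int = 0):
    """Read one SSH 'string' at offset; return (payload, next_offset)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if len(blob) < start + length:
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def parse_rfc4716(text: str):
    """Parse RFC 4716 text; return (comment, raw_key_blob).

    Header lines look like 'Name: value' and continue on the next line when
    they end with a backslash. Everything after the headers and before the
    END marker is the base64 body.
    """
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if not lines or lines[0].strip() != BEGIN or lines[-1].strip() != END:
        raise ValueError("missing RFC 4716 BEGIN/END markers")
    body = lines[1:-1]
    comment = ""
    i = 0
    while i < len(body) and ":" in body[i]:  # base64 never contains ':'
        name, _, value = body[i].partition(":")
        while value.rstrip().endswith("\\") and i + 1 < len(body):
            i += 1
            value = value.rstrip()[:-1] + body[i]
        if name.strip().lower() == "comment":
            comment = value.strip().strip('"')
        i += 1
    b64 = "".join(ln.strip() for ln in body[i:])
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"invalid base64 body: {exc}") from None
    return comment, blob


def key_type_of(blob: bytes) -> str:
    """Return the algorithm name stored as the first SSH string of the blob."""
    name, _ = _read_ssh_string(blob)
    return name.decode("ascii")


def to_openssh(text: str) -> str:
    """Convert RFC 4716 text to 'type base64 [comment]'; reject other types."""
    comment, blob = parse_rfc4716(text)
    ktype = key_type_of(blob)
    if ktype not in ACCEPTED_KEY_TYPES:
        raise ValueError(f"key type {ktype!r} is not accepted by Transfer Family")
    line = f"{ktype} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


def check_for_upload(text: str):
    """Return (ok, openssh_line_or_error) for a caller deciding whether to upload."""
    try:
        return True, to_openssh(text)
    except ValueError as exc:
        return False, str(exc)


def make_rfc4716(blob: bytes, comment: str) -> str:
    """Build RFC 4716 text from a raw blob (used here to construct sample input)."""
    b64 = base64.b64encode(blob).decode("ascii")
    wrapped = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([BEGIN, f'Comment: "{comment}"', *wrapped, END]) + "\n"


# Constructed sample: ed25519 wire layout (algorithm name + 32 placeholder
# bytes). Not a real key.
SAMPLE_ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_SSH2_TEXT = make_rfc4716(SAMPLE_ED25519_BLOB, "alice-laptop")

# Constructed sample of a type the service does not accept (DSA).
SAMPLE_DSA_BLOB = _ssh_string(b"ssh-dss") + _ssh_string(b"\x00" * 16)
SAMPLE_DSA_TEXT = make_rfc4716(SAMPLE_DSA_BLOB, "legacy")

if __name__ == "__main__":
    print(to_openssh(SAMPLE_SSH2_TEXT))
    print(check_for_upload(SAMPLE_DSA_TEXT))
```

To use it on a real file, read the `.pub` text and pass it to `check_for_upload`; a `False` result means the key is either malformed or of a type the service will not accept, so there is no point pasting it into the console.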