How to convert an SSH2 public key to OpenSSH format

An SSH2 public-key block cannot be pasted directly into most OpenSSH authorized-key fields. The underlying public key may be valid, but OpenSSH expects a one-line key type and base64 body, so converting the wrapper prevents a correct key from being rejected during an access handoff.

The ssh-keygen import path reads RFC 4716 public-key files with -i and writes an OpenSSH public-key line to standard output. Adding -m RFC4716 makes the source format explicit and avoids depending on a default when the command is reused in scripts or run on another system.

Use this conversion on public key files only. If the source material is a private key, extract the public half first and keep the private key out of tickets, web forms, and shared terminals. Comments and line wrapping can change during import, so verify the converted file with ssh-keygen -lf before copying it to a server or access system.

Steps to convert an SSH2 public key to OpenSSH format:

  1. Display the source SSH2 public key block.
    $ cat vendor_ssh2.pub
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "256-bit ED25519, converted by user@workstation from OpenSSH"
    AAAAC3NzaC1lZDI1NTE5AAAAII2ZnFuTmfmCAxR0GOE1jEFC6+CoUnmFaJuQXNoi3qfr
    ---- END SSH2 PUBLIC KEY ----

    The BEGIN SSH2 PUBLIC KEY and END SSH2 PUBLIC KEY markers identify the RFC 4716 wrapper. The comment line is metadata and may not survive the import.

  2. Import the SSH2 public key as an OpenSSH public key.
    $ ssh-keygen -i -m RFC4716 -f vendor_ssh2.pub > id_ed25519_openssh.pub

    The -i option imports a key from the format named by -m. Successful import writes the converted public key to the output file and normally prints no terminal output.

  3. Display the converted OpenSSH public key.
    $ cat id_ed25519_openssh.pub
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII2ZnFuTmfmCAxR0GOE1jEFC6+CoUnmFaJuQXNoi3qfr

    The converted line starts with the key type, followed by base64 key data and an optional trailing comment.

  4. Check the converted public key fingerprint.
    $ ssh-keygen -lf id_ed25519_openssh.pub
    256 SHA256:XQkMXlVLM1ERRxBGZXEs8q/8ZhrTv7NYNNZ71K0qcbw no comment (ED25519)

    ssh-keygen -lf reads the converted OpenSSH public-key line. Compare the SHA256 fingerprint with a trusted source-system fingerprint when one is available.
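
What the import in step 2 and the fingerprint check in step 4 do to the key data, as an added Python example (not part of the original page and not ssh-keygen's own code). It strips the RFC 4716 wrapper and headers, reads the key type from the key blob itself, and computes the SHA256 fingerprint in the form ssh-keygen -lf prints. The function names are hypothetical; the sample input is the block shown in step 1.

```python
import base64
import hashlib
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"
# Sample input: the RFC 4716 block shown in step 1 of this page.
SAMPLE = """\
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "256-bit ED25519, converted by user@workstation from OpenSSH"
AAAAC3NzaC1lZDI1NTE5AAAAII2ZnFuTmfmCAxR0GOE1jEFC6+CoUnmFaJuQXNoi3qfr
---- END SSH2 PUBLIC KEY ----
"""

def rfc4716_to_blob(text):
    """Return the raw key blob from an RFC 4716 public-key block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SSH2 PUBLIC KEY markers")
    body, in_header = [], False
    for ln in lines[1:-1]:
        if in_header or ":" in ln:
            # Header line ("Tag: value"); a trailing backslash continues it.
            in_header = ln.endswith("\\")
            continue
        body.append(ln)  # base64 body, possibly wrapped over several lines
    return base64.b64decode("".join(body), validate=True)

def key_type(blob):
    """Read the blob's first length-prefixed string: the key type."""
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad key-type length")
    return blob[4:4 + n].decode("ascii")

def to_openssh_line(text):
    """Build the one-line OpenSSH form: key type, space, base64 blob."""
    blob = rfc4716_to_blob(text)
    return f"{key_type(blob)} {base64.b64encode(blob).decode()}"

def sha256_fingerprint(blob):
    """SHA256 of the blob, unpadded base64, as ssh-keygen -l displays it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

if __name__ == "__main__":
    print(to_openssh_line(SAMPLE))
    print(sha256_fingerprint(rfc4716_to_blob(SAMPLE)))
```

Because the fingerprint is computed over the decoded blob only, a dropped comment or changed line wrapping does not alter it, which is why the fingerprint comparison in step 4 is a meaningful check after import.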