Converting an SSH2 public key to OpenSSH format prevents login failures when moving keys between different SSH implementations. Many Linux servers, configuration management systems, and automation tools expect public keys in OpenSSH layout before allowing key-based authentication.

SSH2-style public keys commonly use the RFC4716 format, which wraps key material in header and footer lines such as ---- BEGIN SSH2 PUBLIC KEY ---- along with optional metadata comments. In contrast, OpenSSH represents each key as a single line containing the key type, base64-encoded data, and an optional comment, for example ssh-ed25519 AAAA… host@example stored in files like /home/user/.ssh/authorized_keys.

Conversion relies on the ssh-keygen utility from the OpenSSH suite, which can read RFC4716 keys and emit equivalent OpenSSH-compatible public key lines. Public keys themselves are not secret, but correct file permissions, accurate paths, and the right key type still matter, because mistakes during conversion or deployment can lead to broken access or difficult-to-debug authentication issues.

Steps to convert an SSH2 public key to OpenSSH format:

  1. Open a terminal on the system that stores the SSH2 public key file.
    $ whoami
    user

    Commands apply to Linux and other systems where OpenSSH tools such as ssh-keygen are available.

  2. List the SSH2 public key file to confirm its location.
    $ ls ~/keys/ssh2_key.pub
    /home/user/keys/ssh2_key.pub

    SSH2 public keys are often saved with a .pub extension in a dedicated directory such as ~/keys or ~/.ssh.

  3. Inspect the SSH2 public key file format.
    $ file ~/keys/ssh2_key.pub
    /home/user/keys/ssh2_key.pub: ASCII text

    Some systems label RFC4716 keys as plain ASCII text, so confirm the header lines before converting.

  4. View the first lines of the SSH2 public key to recognize the header style.
    $ head -n 4 ~/keys/ssh2_key.pub
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "3072-bit RSA, converted by user@host from OpenSSH"
    AAAAB3NzaC1yc2EAAAADAQABAAABgQCgV8n55KC+69t59FU38nMtCZShn/Od1oTZFBq6yU
    VBI1W6d7Do2nAUjFBtKsXN6DyMKVYDH30QyKDSU/GJRNh6nyAO+alifH7+77ivM08p2KvT

    SSH2 keys typically include BEGIN SSH2 PUBLIC KEY and END SSH2 PUBLIC KEY markers plus an optional Comment: line.

  5. Convert the SSH2 public key to OpenSSH format into a new output file.
    $ ssh-keygen -i -f ~/keys/ssh2_key.pub > ~/keys/id_example_ssh2_converted.pub

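    The -i option tells ssh-keygen to read an SSH2 (RFC4716) key, and -f specifies the input file; successful conversion normally produces no terminal output. Because the shell creates the redirect target before ssh-keygen runs, a failed conversion still leaves an empty output file, so check the result before deploying it.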

  6. Display the converted public key in OpenSSH one-line form.
    $ cat ~/keys/id_example_ssh2_converted.pub
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCgV8n55KC+69t59FU38nMtCZShn/Od1oTZFBq6yUVBI1W6d7Do2nAUjFBtKsXN6DyMKVYDH30QyKDSU/GJRNh6nyAO+alifH7+77ivM08p2KvTZwOR/XnEB0739OkxYiFkkFWefHEuhcwVo1xwdEHqyLGvOMsjfpo96vITB8rAID2LQEDdwult0ABLPpFg2yZ1I7kipwQR7qwQDh7wwloYtqOiKe7iDCTBDFRwtD0Th3OEx+MX7+57efqhcguIYETagtXa7PbHT5m2XU0ikMeNIKi9dY9GIKAS1SEvuQIRYYdJUOrWR2n7FerLuzADd3D/aFf++gHwORwfvZQwpoBbpn+GE2CEKZb2cpbkBnrOsG0PI+CD2qjyBGCKS51zPHz8t8ZMwJzrf8QQG8FfBRzOqIjf9H2w0S7mMj29gw77fZLCPtiLgGTvB57VfJ2/N4EqiGmYL+82ycLUFeH87wN/1lnXvWjEFtHkLsxphc2jopz9FhjLkgSIO+J6bdo+x78=

    The line should start with a key type such as ssh-rsa, ssh-ed25519, or ecdsa-sha2-nistp256 followed by base64 data and an optional comment.

  7. Confirm the new file is recognized as an OpenSSH public key.
    $ file ~/keys/id_example_ssh2_converted.pub
    /home/user/keys/id_example_ssh2_converted.pub: OpenSSH RSA public key

    Seeing OpenSSH in the description indicates a successful conversion to the expected format.

  8. Generate an OpenSSH public key directly from an SSH2 private key if a separate SSH2 public key is unavailable.
    $ ssh-keygen -y -f ~/keys/id_example_ssh2_private > ~/keys/id_example_ssh2_converted.pub

    The -y option extracts a public key from a private key that ssh-keygen can read, prompting for the passphrase if the key is encrypted; the private key file remains highly sensitive and must never be shared or exposed.

  9. Install the converted public key into the remote account’s authorized_keys file using ssh-copy-id.
    $ ssh-copy-id -f -i ~/keys/id_example_ssh2_converted.pub user@host.example.net
    
    Number of key(s) added: 1
    
    Now try logging into the machine, with:   "ssh 'user@host.example.net'"
    and check to make sure that only the key(s) you wanted were added.

    The ssh-copy-id utility appends the public key line to /home/user/.ssh/authorized_keys on the remote host with correct permissions.

  10. Verify key-based authentication by logging in to the remote server.
    $ ssh -i ~/keys/id_example_ssh2_private user@host.example.net 'whoami'
    user

    A successful login without a password prompt (or after a one-time host key confirmation) indicates that the converted OpenSSH public key is accepted.