Not Sure If Your SSH Key Pair Is Actually Correct? Check This First
When SSH connections fail, it’s common to immediately suspect server settings or permissions. In practice, however, many issues stem from a much simpler cause:
The private key and public key are not actually a matching pair.
This article explains how to use ssh-keygen -lf to quickly verify SSH key pair integrity.
Why Key Pair Verification Matters
Matching filenames like id_rsa and id_rsa.pub do not guarantee that the keys belong together.
Common real-world causes include:
- Copying the wrong key file
- Regenerating keys but keeping an old public key
- Mixing files via scp / rsync / Git
- Moving directories and breaking key associations
Keys may look correct while being cryptographically unrelated.
Why ssh-keygen -lf Works So Well
The ssh-keygen -lf command outputs a fingerprint derived from a key.
Key point:
- A valid key pair
- Produces the same fingerprint
- From both the private key and the public key
If the fingerprints match, the key pair itself is guaranteed to be correct.
How to Check
ssh-keygen -lf id_rsa
ssh-keygen -lf id_rsa.pubCompare the SHA256 fingerprint shown in the output.
Interpreting the Result
Fingerprints match
- The key pair is valid
- The SSH issue lies elsewhere
Fingerprints do not match
- The keys are not a pair
- Regenerate or locate the correct matching key
This single step eliminates a large portion of guesswork.
What to Check Next
After confirming the key pair:
- Verify the authorized_keys location
- Confirm the correct SSH user
- Check permissions on .ssh and authorized_keys
- Review sshd_config
Troubleshooting becomes systematic and predictable.
Conclusion
SSH troubleshooting is about elimination, not assumption.
Fingerprint comparison with ssh-keygen -lf is one of the fastest and most reliable ways to validate SSH key integrity before diving into configuration details.
