++ed by:

6 PAUSE users
3 non-PAUSE users.

Steffen Schwigon
and 2 contributors


Net::SSH::Perl::Key - Public or private key abstraction


    use Net::SSH::Perl::Key;
    my $key = Net::SSH::Perl::Key->new;


Net::SSH::Perl::Key implements an abstract base class interface to key objects (either DSA, RSA, ECDSA, or Ed25519 keys, currently). The underlying implementation for RSA, DSA, an ECDSA keys is the CryptX module. The Ed25519 implementation uses bundled XS and C code from the SUPERCOP ref10 implementation.


Net::SSH::Perl::Key->new($key_type [, $blob [, $compat_flag_ref ]])

Creates a new object of type Net::SSH::Perl::Key::$key_type, after loading the class implementing $key_type. should be DSA, RSA1, RSA, ECDSA256, ECDSA384, ECDSA521, or Ed25519.

$blob, if present, should be a string representation of the key, from which the key object can be initialized. In fact, it should be the representation that is returned from the as_blob method, below.

$compat_flag_ref should be a reference to the SSH compatibility flag, which is generally stored inside of the Net::SSH::Perl object. This flag is used by certain key implementations (DSA) to work around differences between SSH2 protocol implementations.

Returns the new key object, which is blessed into the subclass.

Net::SSH::Perl::Key->read_private($key_type, $file [, $pass])

Reads a private key of type $key_type out of the key file $file. If the private key is encrypted, an attempt will be made to decrypt it using the passphrase $pass; if $pass is not provided, the empty string will be used. An empty passphrase can be a handy way of providing password-less access using publickey authentication.

If for any reason loading the key fails, returns undef; most of the time, if loading the key fails, it's because the passphrase is incorrect. If you first tried to read the key using an empty passphrase, this might be a good time to ask the user for the actual passphrase. :)

Returns the new key object, which is blessed into the subclass denoted by $key_type (DSA, RSA1, ECDSA or Ed25519).

Net::SSH::Perl::Key->keygen($key_type, $bits)

$key_type is one of RSA, DSA, or ECDSA256/ECDSA384/ECDSA521. Generates a new key and returns that key. The key returned is the private key, which (presumably) contains all of the public key data, as well. $bits is the number of bits in the key.

Your $key_type implementation may not support key generation; if not, calling this method is a fatal error.

Returns the new key object, which is blessed into the subclass denoted by $key_type


Generates a new Ed25519 key. Ed25519 keys have fixed key length.

Returns the new key object, which is bless into the Ed25519 subclass.

Net::SSH::Perl::Key->extract_public($key_type, $key_string)

Given a key string $key_string, which should be a textual representation of the public portion of a key of $key_type, extracts the key attributes out of that string. This is used to extract public keys out of entries in known_hosts and public identity files.

Returns the new key object, which is blessed into the subclass denoted by $key_type

$key->write_private([ $file [, $pass, $ciphername, $rounds] ])

Writes out the private key $key to $file, and encrypts it using the passphrase $pass. If $pass is not provided, the key is unencrypted, and the only security protection is through filesystem protections. For Ed25519 keys, optional parameters ciphername and rounds can be passed to specify the desired cipher to encrypt the key with and how many rounds of encryption to employ, respectively.

If $file is not provided, returns the content that would have been written to the key file.


Performs the inverse of extract_public: takes a key $key and dumps out a textual representation of the public portion of the key. This is used when writing public key entries to known_hosts and public identity files.

Returns the textual representation.


Returns a string representation of the public portion of the key; this is not the same as dump_public, which is intended to match the format used in known_hosts, etc. The return value of as_blob is used as an intermediary in computing other values: the key fingerprint, the known hosts representation, etc.


Returns true if the public portions of $key are equal to those of $key2, and false otherwise. This is used when comparing server host keys to keys in known_hosts.


Returns the size (in bits) of the key $key.

$key->fingerprint([ $type ])

Returns a fingerprint of $key. The default fingerprint is a SHA256 representation. If $type is equal to bubblebabble, the Bubble Babble representation of the fingerprint is used. If $type is equal to hex, a traditional hex representation is returned.

The hex representation uses an MD5 digest of the public key, and the bubblebabble uses a SHA-1 digest.


Please see the Net::SSH::Perl manpage for author, copyright, and license information.