OK, not an issue with keygen, so much as what to do after it's run.
I've been trying to setup an environment wherein I can ssh to the localhost as the current user, without a password prompt. Normally the process is pretty straightforward, but despite having done what I thought were all the right steps, when I looked at my ssh debug messages, I saw the infamous...
debug(3):remaining preferred: keyboard-interactive,password
debug(1):Next authentication method: publickey
debug(2):we did not send a packet, disable method
debug(3):remaining preferred: password
Seems the step I somehow missed, in all my fiddling with .ssh/authorized_keys, .ssh/authorized_keys2, .ssh2/authorized_keys, and .ssh2/authorized_keys2, I left out identification. I'm still not clear on the interaction between identification and authorized_keys, or which ssh client/servers support .ssh vs .ssh2, and which files go where. At least I'm up and running.