Generating and using SSH keys

Summary

SSH keys, a form of public key cryptography, secure network communication and replace plain-text password authentication on remote systems. SSH is widely used as the default service to connect to shell accounts, switches, routers, git repositories, serial consoles, etc. Many of these systems require SSH keys to operate, and creating the keys varies depending on the operating system and the SSH software installed. Directions for Unix-based systems, including macOS, are detailed below.

Command summary

Create and copy keys to a remote host:

ssh-keygen
ssh-copy-id <remote host>

Details

Use ssh-keygen to create the key. The default options will be safe for the vast majority of users:

[email protected]:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jemurray/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/jemurray/.ssh/id_rsa.
Your public key has been saved in /home/jemurray/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:5WjnOPnQwOsulQqddNpnEeNzROX2N9g4UEgrwu9DCJY [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|          .ooo.  |
|      o   o.+.   |
|     E o o.*  o  |
|    . o.=+= o.+. |
|     o *S+o+ + oo|
|    . +.*Oo   . o|
|     . o*=o      |
|      o. +.      |
|       oo .      |
+----[SHA256]-----+

The new keys are stored in the ~/.ssh directory:

[email protected]:~$ ls -al .ssh/id_rsa*
-rw------- 1 jemurray jemurray 1876 Jun 16 13:07 .ssh/id_rsa
-rw-r--r-- 1 jemurray jemurray  396 Jun 16 13:07 .ssh/id_rsa.pub

Use ssh-copy-id to copy the SSH public key to remote servers. While scp can move the keys around manually, ssh-copy-id eliminates the complexity of creating directories and fixing permissions, and reduces accidental misconfiguration.

[email protected]:~$ ssh-copy-id sdf.org
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/jemurray/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:

Number of key(s) added: 1

Now try logging into the machine with:   "ssh 'sdf.org'"
and check to make sure that only the key(s) you wanted were added.
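
When keys are copied by hand instead, the permissions ssh-copy-id would have set can be checked with a short script. This is an added example, not part of the original post; the function names (mode_of, audit_ssh_dir, demo) are hypothetical and the sample directory is constructed. It flags a group- or world-writable .ssh directory or authorized_keys file, which sshd rejects under its default StrictModes setting, and private keys that anyone other than the owner can access.

```shell
#!/bin/sh
# Added example: audit the ~/.ssh permissions that ssh-copy-id normally sets up.

# Print the nine permission characters of a path, e.g. "rw-------".
mode_of() { ls -ld "$1" | cut -c2-10; }

# audit_ssh_dir DIR: print one finding per line, return non-zero if any.
audit_ssh_dir() {
    dir=$1 findings=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }

    # With StrictModes (the sshd default), a group- or world-writable
    # ~/.ssh or authorized_keys makes sshd refuse the installed keys.
    for f in "$dir" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        case $(mode_of "$f") in
            ????w????|???????w?)
                echo "$f: writable by group or others"
                findings=$((findings + 1)) ;;
        esac
    done

    # The ssh client refuses a private key that group or others can access.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        head -n 1 "$f" | grep -q -e '-----BEGIN .*PRIVATE KEY-----' || continue
        case $(mode_of "$f") in
            ???------) ;;
            *)  echo "$f: private key accessible to group or others"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: a throwaway directory with deliberately loose modes.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$d/id_rsa"  # header only
    printf '%s\n' 'ssh-rsa AAAA...constructed user@example' > "$d/authorized_keys"
    chmod 755 "$d"; chmod 644 "$d/id_rsa"; chmod 664 "$d/authorized_keys"
    audit_ssh_dir "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true
```

To check a real account, call audit_ssh_dir "$HOME/.ssh" on both the client and the remote host.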

Validate that the newly created key is working:

[email protected]:~$ ssh sdf.org
Enter passphrase for key '/home/jemurray/.ssh/id_rsa':
 *
 * Wed Jun  3 23:41:54 UTC 2020
 *

Review the new public key ssh-copy-id pushed to the remote server:

[email protected]:~ $ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC19FBRJBaiuE3uJVkRdL8CjFnQEDH/ysN2nyyn7LB/Y7dLSNnL1HWDt87Jnnc430Nv+4J7isaQdaHaG4bgeDGQyDBD9NYpmI1r6+OM1MK80dZ+Mv1Gtn7ppA/m23NuSVzVQze8arTBw0bzj90W+ro75XxjaZ+VS0VNUOdHgiDKuRs/E7Fqb52tVivB0+6BqgA9MwGN3Jm2PM0IhQFx/eBKy6glQDqotzrDw+du56GCGlFbzv8unBD6OQ2yQSyJ6ZdjaXZvHQvmPpIgThqCnqrM97Kb6/NwdYpJyfwuDeOycyPX9jYgssCqTOjazEA0mxm280nGNIceQUgD4sR6u4Pb [email protected]

ssh-agent holds the unlocked key in memory for the session, allowing remote authentication without typing the passphrase every time:

[email protected]:~$ ssh-agent bash

[email protected]:~$ ssh-add

Enter passphrase for /home/jemurray/.ssh/id_rsa:
Identity added: /home/jemurray/.ssh/id_rsa ([email protected])

[email protected]:~$ ssh sdf.org
 *
 * Wed Jun  3 23:41:54 UTC 2020
 *
