SSH provides the possibility to use Public Keys to log in to a target system (which is very likely more secure than a password). To make this possible:
~/.ssh/authorized_keys)~/.ssh/known_hosts)Some popular services like GitHub do not even provide a password based authentication for data exchange, forcing you to use a SSH Public Key. Same for the Fedora Account System (FAS) where I created an account recently.
On a common Linux system, all needed SSH client tools should be installed by default. If not (e.g. because they were removed), simply install the openssh-clients package on Fedora or the openssh-client package on Debian/Ubuntu. After installation, the SSH tool for authentication, key generation, management and conversion is available via terminal: ssh-keygen
As already said, ssh-keygen is the tool for creating a key pair. It brings a lot of options, I'm going into detail on the most important ones:1)
-b <bits>:-t <type>:-C "<comment>":username@host will be set by default. You can change the comment later without any problems.Using a 2048bit long RSA key is a good choice for most use-cases. 1024bit RSA is no longer regarded as indisputably secure, 4096bit RSA is for paranoid person like me. Please make sure you set a passphrase to protect your key. Otherwise everyone who may gets access to it (e.g. because someone steals your laptop and copies the keyfile) is able to get instant access to all systems you used the key for logging in. In contrast, you should have enough time to change the keys on all affected system without any danger if you used a good passphrase for a leaked private key. Additionally, it is no problem to use multiple SSH keys. So if you need a SSH key without password (e.g. for a quickly hacked backup script), create a separate key for this special task but do not use it for logging in to important systems.
Before you start: If you do not answer the question “Enter file in which to save the key” properly, you possibly overwrite an already existing key pair (if any). So take care which filename you are using for storage. The defaults are id_rsa and id_dsa (depending on the used algorithm). You have been warned!
Now open a terminal and let's go:
user@local:~$ ssh-keygen -t rsa -b 2048 -C "user@local" Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa):
As you can see, the key will be stored into ~/.ssh/id_rsa by default. To choose another file, you have to provide the complete path (→ ~/ normally does not work to point to your home dir). I use the non-default path /home/user/.ssh/mykey in this example.
You should store all SSH keys into the default directory ~/.ssh (no matter which filenames you are using for them). Otherwise, many tools and programs are not able to locate your SSH keys by default, leading to more configuration issues. None the less, it is possible to store your keys in another directory than the default one. ssh-add /path/to/your_key is your friend.
Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/mykey Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/mykey. Your public key has been saved in /home/user/.ssh/mykey.pub. The key fingerprint is: 10:af:1e:58:a3:a2:2a:7e:11:23:52:bf:c2:32:61:fa user@local The key's randomart image is: +--[ RSA 2048]----+ | ... o | | + o | | . o = . | | ... o + | |.. . . S | | o . | |Bo. . .+ | |E oo. | | +o+o | +-----------------+
Done. Now you got the needed key pair:
/home/user/.ssh/mykey is the private key. Never share this one with someone else. Simply keep the Private Key… well, private. /home/user/.ssh/mykey.pub is the public key (also called “ID file” or “identity file”). This is the one you have to upload to the remote systems.~. closes the ssh client program if the server hangs (e.g. because it was unexpectedly shut down or your internet connection is not stable).ssh-copy-id helps you to copy your SSH Public Key into the ~/.ssh/authorized_keys file of the remote system and/or copy the remote system's public key into your local ~/.ssh/known_hosts file. Usage: ssh-copy-id -i "~/.ssh/mykey.pub" remote-user@remote.example.com
ssh-keygen is also the tool of choice to change a key's password. The -f parameter specifies the private key file you want to change. The -p parameter tells the program that you want to change the password of an existing key, preventing the generation of a new one: ssh-keygen -f /path/to/your_key -p
ssh-keygen is also the tool of choice to change a key's comment. The -f parameter specifies the private key file you want to change. The -c parameter tells the program that you want to change the comment of an existing key, preventing the generation of a new one: ssh-keygen -f /path/to/your_key -c
