Ssh Key Generation
Table of Contents
- 1. Introduction
- 2. On Linux and Mac OS X
- 2.1. Creating a new pair of ssh keys
- 2.2. Transferring the public key to the remote machine
- 2.3. Connecting to the remote machine: ssh-agent
- 2.4. Adding your key to your ssh-agent
- 2.5. Listing the keys currently held by your ssh-agent
- 2.6. Deleting keys from the ssh-agent
- 2.7. Some interesting utilities
- 3. On Windows
1 Introduction
The ssh-key mechanism allows you to connect to remote machines through ssh without having to enter your password. This is very convenient, for instance, when you do a lot of copying (scp) to and from a remote machine.
2 On Linux and Mac OS X
2.1 Creating a new pair of ssh keys
In this example we create an ssh key pair to connect as user "user" from the local machine "local" to the remote machine "remote":
$ ssh-keygen -f ~/.ssh/id_rsa_remote -C user@remote
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/user/.ssh/id_rsa_remote.
Your public key has been saved in /Users/user/.ssh/id_rsa_remote.pub.
The key fingerprint is:
2d:f0:5b:ae:05:b5:25:10:f2:f0:c6:67:1b:bc:10:28 user@remote
The key's randomart image is:
+--[ RSA 2048]----+
| o.+. |
| E .* + |
| .. * B . |
| + * |
| B * |
| * |
| o o |
| o |
| . |
+-----------------+
The options for the command are:
-f : specifies the name of the files where the keys are going to be saved.
-C : adds a comment to the public key so it's easier to identify keys.
ssh-keygen lets you enter an empty passphrase, but please do enter a strong passphrase. It will help make the machine more secure.
In this example, two files are created:
- the private key: ~/.ssh/id_rsa_remote. The private key should not be shared.
- the public key: ~/.ssh/id_rsa_remote.pub. The public key is what you send to the remote machine.
2.2 Transferring the public key to the remote machine
2.2.1 If you already have access to the machine through ssh
- On Linux:
$ ssh-copy-id -i ~/.ssh/id_rsa_remote.pub user@remote
- On Mac (Mac OS does not come with the ssh-copy-id function, so it's a little more involved):
$ cat ~/.ssh/id_rsa_remote.pub | ssh user@remote "mkdir -p .ssh; chmod 700 .ssh;cat >> .ssh/authorized_keys;chmod 600 .ssh/authorized_keys"
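The Mac one-liner above appends the key blindly, so running it twice installs the key twice, and nothing stops you from sending the private key file by mistake. The following POSIX shell function is an added example, not code from the original page: it installs a public key the same way but refuses private-key material, sets the 700/600 permissions sshd insists on, and skips a key that is already in authorized_keys. The function name install_pubkey and the sample key in the comments are constructed for the example.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE SSH_DIR
# Appends the single public-key line in PUBKEY_FILE to SSH_DIR/authorized_keys,
# creating the directory and file with the permissions sshd requires.
# Returns 0 on success, 1 on a bad key file, 2 if the key was already installed.
# (Hypothetical helper written for this example; sample key material is constructed.)
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2
    auth_keys="$ssh_dir/authorized_keys"

    # A common mistake is sending id_rsa instead of id_rsa.pub; catch it here.
    if grep -q 'PRIVATE KEY' "$pubkey_file" 2>/dev/null; then
        echo "refusing to install a PRIVATE key: $pubkey_file" >&2
        return 1
    fi
    # A public key is one line: "<type> <base64 blob> [comment]".
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp*\ *) ;;
        *) echo "not a recognised public key: $pubkey_file" >&2; return 1 ;;
    esac

    # sshd ignores authorized_keys unless ~/.ssh is 700 and the file is 600
    # (its StrictModes check also requires the home directory not to be
    # group- or world-writable, which this function does not touch).
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Compare type and blob only, so a key with a changed comment still
    # counts as already installed instead of being appended again.
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$auth_keys" | grep -qxF "$key_id"; then
        return 2
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
}
```

On the remote side you would run it against $HOME/.ssh after copying the .pub file over, or paste the function into the ssh session that the one-liner above opens.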
2.2.2 If you don't already have ssh access to the remote machine
Send the file ~/.ssh/id_rsa_remote.pub to your system administrator.
2.3 Connecting to the remote machine: ssh-agent
You can connect through ssh by
$ ssh user@remote
but then ssh will ask you for your password every time you connect. Instead you can use ssh-agent, a program that asks for your passphrase once and remembers it.
2.3.1 Starting ssh-agent
More specifically, ssh-agent is a daemon that runs in the background. To start it:
- On Mac OS it is started automatically.
- On Linux: most Linux desktops (e.g. Gnome, KDE) will start an ssh agent automatically. But if you only connect through a terminal you will need to change two files:
~/.bash_profile
if [ "X$SSH_AUTH_SOCK" = "X" ] ; then
    eval `ssh-agent`
fi
~/.bash_logout (to stop the ssh-agent when you log out)
if [ "$SSH_AGENT_PID" -a "$SHLVL" = "1" ] ; then
    eval `ssh-agent -k`
fi
2.4 Adding your key to your ssh-agent
To add your newly created key to your ssh-agent:
$ ssh-add ~/.ssh/id_rsa_remote
You'll be asked for your passphrase once and you won't be asked again until you log out of the machine.
2.5 Listing the keys currently held by your ssh-agent
$ ssh-add -l
2048 55:bb:c3:8c:e7:b6:a5:56:de:f7:65:07:0b:a2:65:71 ./id_rsa_remote
2.6 Deleting keys from the ssh-agent
Let's say that you have an ssh-agent running on your laptop and holding important keys. If you simply close the lid of your laptop, ssh-agent will still hold the keys. If your laptop gets stolen, the thief will have passwordless access to the remote machines. It's good practice to delete the ssh keys from the agent when you are done using them for a while.
The command ssh-add lets you do two things:
- Deleting one key from the ssh-agent
ssh-add -d ~/.ssh/id_rsa_remote
- Deleting all the keys from the ssh-agent
ssh-add -D
2.7 Some interesting utilities
2.7.1 Changing the passphrase on a key
$ ssh-keygen -p -f .ssh/id_rsa_atmos
2.7.2 Agent forwarding
Let's say you have 3 machines A, B and C, such that: A has ssh keys for B and C but B and C don't have ssh keys for each other. Now imagine that you connect from A to B and then you want to connect from B to C. You can do that by forwarding your agent. On Mac OS this is done by modifying the ssh configuration file:
$ sudo vim /etc/ssh_config
and make sure that these lines appear:
Host *
    ForwardAgent yes
then restart the ssh server with
sudo launchctl stop com.openssh.sshd
sudo launchctl start com.openssh.sshd
3 On Windows
Download: PuTTY. There you will find:
- PuTTYgen: for key generation.
- Pageant: the ssh-agent.
This is a good reference for Key-based ssh logins with PuTTY: Key-Based SSH Logins With PuTTY.