SSH keys are used to secure communications between systems by creating a pair of cryptographic keys: a public key and a private key. The private key stays on your local machine, while the public key is shared with the remote system. This setup allows for passwordless login and secure command execution.
The ssh-keygen tool, available on most Linux distributions, is used to generate SSH keys. By default, it creates a 2048-bit RSA key pair, though you can choose other algorithms and key sizes. The process is straightforward and can be completed in a few simple steps.
Once generated, the private key should be secured with appropriate permissions to prevent unauthorized access. The public key, which is shared, can be used to authenticate and establish secure connections to remote systems.
Steps to create public and private SSH key pairs using ssh-keygen:
- Launch your favourite terminal application.
- Run the ssh-keygen command without any options.
$ ssh-keygen
Generating public/private rsa key pair.
ssh-keygen generates a 2048-bit RSA key pair if no option is specified. You can change the key's bit size and type with the -b and -t options respectively, as in the following example:
$ ssh-keygen -b 521 -t ecdsa
Possible values for key types are dsa, ecdsa, ed25519 and rsa.
- Enter the location and filename to save the key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
The default location is the .ssh folder in your home directory and the default filename is id_<key_type>.
- Enter passphrase to secure the key (optional).
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Don't enter any passphrase if you want to use the key for passwordless SSH login.
- Your public and private SSH key pair will be created and saved in the location you previously specified.
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The public key will have .pub extension appended to the file name.
- The fingerprint and randomart image of your SSH key will be displayed so that you can recognize the key visually.
The key fingerprint is:
SHA256:iiaD/fAzINYAP1MSUD3r0J9750Gpb1MMRvlERe2Yu+c user@host
The key's randomart image is:
+---[RSA 3072]----+
|.ooo o.oo. |
|. . + o . .|
|.. + o . o + |
| .= o o.. o .|
| o= . .S.oo . |
|.+....o. o o . |
|o.=.o ... .. . |
| Bo . ..+. . .|
| oo . +o. oE|
+----[SHA256]-----+
- Check the permissions of the created keys (optional).
$ ls -l ~/.ssh/id_rsa*
-rw------- 1 user user 2590 Sep 29 11:22 /home/user/.ssh/id_rsa
-rw-r--r-- 1 user user  563 Sep 29 11:22 /home/user/.ssh/id_rsa.pub
Note that the private key (/home/user/.ssh/id_rsa) has very strict permissions: only the owner has read and write permission, while the owner's group and other users have no permissions at all.
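The two checks described above, reproducing the SHA256 fingerprint that ssh-keygen prints from the public key file and verifying that the private key is owner-only, as an added Python example that is not part of the original article; the ed25519 key bytes, the file names and the comment user@host are constructed for the demonstration, not a real key.

```python
import base64
import hashlib
import os
import stat
import struct
import tempfile

def parse_pubkey_line(line):
    """Parse one OpenSSH public key line: '<type> <base64 blob> [comment]'."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(blob_b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; ssh
    # rejects the file if it disagrees with the leading token, so do we.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type inside blob does not match leading token")
    return key_type, blob, comment

def fingerprint_sha256(blob):
    """Format ssh-keygen prints: SHA256:<unpadded base64 of sha256(blob)>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def private_key_mode_ok(path):
    """True when only the owner can read/write the file, as ssh insists."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def demo():
    """Parse a constructed ed25519 public key line and audit a fake key file."""
    key_bytes = bytes(range(32))  # constructed, not a real key: only the blob shape matters
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key_bytes
    line = "ssh-ed25519 " + base64.b64encode(blob).decode() + " user@host"
    key_type, parsed_blob, comment = parse_pubkey_line(line)
    with tempfile.TemporaryDirectory() as d:
        priv = os.path.join(d, "id_ed25519")
        with open(priv, "w") as f:
            f.write("placeholder, not a real private key\n")
        os.chmod(priv, 0o644)  # too open: ssh would refuse to use this key
        loose = private_key_mode_ok(priv)
        os.chmod(priv, 0o600)  # what ssh-keygen sets by default
        strict = private_key_mode_ok(priv)
    return key_type, len(parsed_blob), comment, fingerprint_sha256(parsed_blob), loose, strict
```

Running private_key_mode_ok over every id_* file without a .pub suffix in ~/.ssh is the same test ssh applies before it will use a key.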
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.