SSH Notes

Generate an SSH Key

With OpenSSH, an SSH key is created using ssh-keygen. In the simplest form, just run ssh-keygen and answer the questions. The following example illustrates this.

# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ylo/.ssh/id_rsa): mykey
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in mykey.
Your public key has been saved in mykey.pub.

Creating a key pair (public key and private key) only takes a minute. The key files are usually stored in the ~/.ssh directory.

Copy the key to a server

Once an SSH key has been created, the ssh-copy-id command can be used to install it as an authorized key on the server. Once the key has been authorized for SSH, it grants access to the server without a password.

Use a command like the following to copy the SSH key:

ssh-copy-id -i ~/.ssh/mykey user@host

This logs into the server host, copies the keys to the server, and configures them to grant access by adding them to the authorized_keys file. The copy may ask for a password or other authentication for the server.

Only the public key is copied to the server. The private key should never be copied to another machine.

Test the new key

Once the key has been copied, it is best to test it:

ssh -i ~/.ssh/mykey user@host

The login should now complete without asking for a password. Note, however, that the command might ask for the passphrase you specified for the key.
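
After ssh-copy-id has run, it is worth confirming that the entry added to authorized_keys is the key you meant to install. The following Python code is an added example, not part of the original notes: it computes the same SHA256 fingerprint that ssh-keygen -l prints and lists the entries in an authorized_keys file that do not match it. The function names and the sample keys (dummy bytes built in make_sample_key) are constructed for illustration.

```python
import base64
import hashlib


def fingerprint(line):
    """Return (key_type, 'SHA256:...', comment) for one authorized_keys line."""
    fields = line.split()
    # Skip a leading options field such as 'no-pty'. Options that contain
    # spaces inside quotes are not handled by this simplified parser.
    start = next((i for i, f in enumerate(fields)
                  if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if start is None or start + 1 >= len(fields):
        raise ValueError("no public key found on line")
    key_type = fields[start]
    blob = base64.b64decode(fields[start + 1], validate=True)
    # The blob begins with a 4-byte big-endian length and the key type name;
    # it must agree with the type written in the text field.
    name_len = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 or blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match key data")
    digest = hashlib.sha256(blob).digest()
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return key_type, fp, " ".join(fields[start + 2:])


def audit(authorized_keys_text, expected_fp):
    """Return comments (or fingerprints) of entries that are not expected_fp."""
    unexpected = []
    for line in authorized_keys_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            _, fp, comment = fingerprint(line)
            if fp != expected_fp:
                unexpected.append(comment or fp)
    return unexpected


def make_sample_key(seed, comment):
    """Constructed sample: an ed25519-shaped blob filled with dummy bytes."""
    name = b"ssh-ed25519"
    blob = (len(name).to_bytes(4, "big") + name
            + (32).to_bytes(4, "big") + bytes([seed]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    mine = make_sample_key(1, "user@host")
    other = make_sample_key(2, "unknown@elsewhere")
    print(audit(mine + "\n" + other + "\n", fingerprint(mine)[1]))
```

To use it on real data, pass the contents of mykey.pub to fingerprint() and the contents of the server's authorized_keys file to audit().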

ssh-keygen options

The ssh-keygen command-line tool offers various options for generating, managing, and converting SSH keys. It supports generating keys for different algorithms like RSA, DSA, ECDSA, and Ed25519. You can specify the key type with the -t option, the key length with -b, and the file name with -f. Other useful options include changing the passphrase (-p), silent mode (-q), and verbose mode (-v). 

Key Options and Their Uses: 

  • -t key_type: Specifies the type of key to generate (e.g., rsa, dsa, ecdsa, ed25519).
  • -b bits: Sets the number of bits for the key (e.g., 2048, 4096).
  • -f file: Specifies the filename for storing the key.
  • -N new_passphrase: Sets a new passphrase for the private key.
  • -P passphrase: Provides the old passphrase when reading a key.
  • -C comment: Adds a comment to the public key (e.g., user@host).
  • -q: Silences ssh-keygen output.
  • -v: Enables verbose mode, displaying more information.
  • -l: Prints the fingerprint of the public key.
  • -B: Shows the “bubble babble” fingerprint of a keyfile.
  • -F: Searches for a specified hostname in a known_hosts file.
  • -R: Removes all keys belonging to a hostname from a known_hosts file.
  • -i key: Input a file for use with ssh-keygen.
  • -e private_key: Exports a private key to a different format.
  • -X cert: Creates or manages a certificate for a key.
  • key_name1 key_name2 …: Specifies the names of the keys to be used. 

Example:

To generate a 2048-bit RSA key pair and save it in a file named my_key, you could use:

ssh-keygen -t rsa -b 2048 -f my_key