Setting up a Linux SSH key pair is a simple process using OpenSSH on most modern Linux distributions and Mac OS X. In this article we’ll generate a private/public key pair, add it to an authentication agent and copy it to a remote server for password-less access. If you’re running Windows see my article on how to use PuTTY as an alternative.
Generate a key
Open a terminal and use ssh-keygen to generate a new private/public key pair.
$ ssh-keygen -t rsa -C "your.email@yourdomain"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kblair/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kblair/.ssh/id_rsa.
Your public key has been saved in /home/kblair/.ssh/id_rsa.pub.
The key fingerprint is:
7f:ab:88:26:29:fb:27:97:f2:c4:e5:25:87:14:7a:ed firstname.lastname@example.org
The key's randomart image is:
+--[ RSA 2048]----+
| . |
| . o |
| . o . |
| o o |
| S E |
| . o = |
| .o.. . . |
| . =.=. . . . |
| .+.Oo . ... |
+-----------------+
Replace the e-mail address with your own, although this is not particularly important: it is only stored as a comment that identifies the key. Note that by default the key will be saved to ~/.ssh. The important part here is the passphrase: you want one.
Why you need a passphrase
A key is just that, a key. Think of the private key id_rsa as the key to your house and the public key id_rsa.pub as the lock on your door. Anyone who has your private key has the keys to your house, or rather your server. Depending on what the key is used for, the implications are somewhere between bad and very bad.
The passphrase is the secret phrase needed to use the key. Without it, the key is useless to whoever gets hold of it. They can spend the time trying to break it by guessing, in which case the longer the passphrase the better; hence the term pass phrase. This is not a pass word, and for good reason. With an authentication agent you won’t have to constantly enter the passphrase anyway, so it’s not much of an inconvenience.
Add your Linux SSH key to an authentication agent
An authentication agent helps you use the key when authenticating with remote servers. Modern versions of Mac OS X have an agent already configured when you open a terminal. For other Linux distributions OpenSSH provides a suitable agent, however you may have to configure your shell to use it. More on that later. Use ssh-add to add the new key to the agent.
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/kblair/.ssh/id_rsa:
Identity added: /home/kblair/.ssh/id_rsa (/home/kblair/.ssh/id_rsa)
Enter your passphrase (you did use a passphrase, right?) and your key is now added to the authentication agent. You can use it in conjunction with scp and other commands to work easily and securely with remote servers. If you received the message "Could not open a connection to your authentication agent." then you need to configure your shell to use the agent.
$ eval "$(ssh-agent)"
Agent pid 34215
You should now be able to add the key to the agent using ssh-add. You can also add the above command to your .bashrc so that it runs automatically.
Add your Linux SSH key to a remote server
You’ve generated a key pair and added the private key to your local authentication agent. However, remote servers still do not know anything about your key. In order for a remote server to “know” you are who you say you are, it must be provided with the public key.
First, copy the contents of id_rsa.pub exactly. Either open it with vim or use a utility such as pbcopy like so.
$ pbcopy < ~/.ssh/id_rsa.pub
It will look something like this. Do not copy the fake key below, be sure to copy your own.
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqyUfIvRo+lK53t60O2qH66b9qNKZATWsSk5q8W8ET8bcXWNZVpj0f6PsECmeaYiwCo0jrIFLZfAL657n/giPxuu5BALne4BNMu6AFUkvUf3S2Yol5fYvSORibtaeRXIbuYx3ygRy3AnOdeW/NY9Bi3eBgx+DhgJ74obfApI5oRAkv1k32N3HTX/CfgdgbLxHHyPUVEHvLVrWbGzP7Zae6idzNC5yjzVAUlxK6FI2626Wdb56NLXqNqJDg23r4wHUFSl7x0DVwSpzh4sFzLE9FVBS0MIaeVOOki9azyXt9o8eCPE+IdDTFMU7YFZqSKGTRAu3d7+mXSGe2U+fKyFwJw== email@example.com
On the remote server, paste the key onto its own line in ~/.ssh/authorized_keys and save the file. In vim you can do this with :wq. Then change the file so that only the current user can read and write it. By default your SSH daemon is likely to reject keys if the authorized_keys file does not have the correct permissions.
$ chmod 600 authorized_keys
At this point you can log out. From now on you should be able to log in with your private key.
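Because the public key has to be copied exactly, it is worth being able to check what actually landed in authorized_keys. The following is an added example, not code from the original article: it decodes an OpenSSH public key line (the article's sample key is reused as input, and the option prefix, RSA field layout and fingerprint forms follow the standard OpenSSH formats) and prints the MD5 colon-hex fingerprint in the same form ssh-keygen showed above, plus the SHA256 form newer OpenSSH prints, so the result can be compared with the output of ssh-keygen -lf ~/.ssh/id_rsa.pub.

```python
"""Added example (not from the article): decode an OpenSSH public key line from
id_rsa.pub or authorized_keys and compute the fingerprints ssh-keygen -l prints."""
import base64
import hashlib
import struct

# The article's own sample (fake) key, reused here as realistic input.
SAMPLE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqyUfIvRo+lK53t60O2qH66b9qNKZATWsSk5q8W8ET8bcXWNZVpj0f6PsECmeaYiwCo0jrIFLZfAL657n/giPxuu5BALne4BNMu6AFUkvUf3S2Yol5fYvSORibtaeRXIbuYx3ygRy3AnOdeW/NY9Bi3eBgx+DhgJ74obfApI5oRAkv1k32N3HTX/CfgdgbLxHHyPUVEHvLVrWbGzP7Zae6idzNC5yjzVAUlxK6FI2626Wdb56NLXqNqJDg23r4wHUFSl7x0DVwSpzh4sFzLE9FVBS0MIaeVOOki9azyXt9o8eCPE+IdDTFMU7YFZqSKGTRAu3d7+mXSGe2U+fKyFwJw== email@example.com"


def _read_string(blob: bytes, offset: int):
    """One SSH wire-format string: 4-byte big-endian length, then the data."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_key_line(line: str) -> dict:
    """Parse '[options] <type> <base64> [comment]'; fingerprint the decoded blob."""
    fields = line.split()
    # authorized_keys lines may start with options such as no-pty; the key type follows
    idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-"))), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no '<type> <base64>' pair found")
    key_type, b64 = fields[idx], fields[idx + 1]
    blob = base64.b64decode(b64, validate=True)  # a lost or stray character fails here
    inner_type, off = _read_string(blob, 0)
    if inner_type != key_type.encode():
        raise ValueError(f"type prefix {key_type!r} does not match the blob")
    info = {"type": key_type, "options": " ".join(fields[:idx]),
            "comment": " ".join(fields[idx + 2:]),
            # legacy colon-separated MD5 and the SHA256 form newer OpenSSH prints
            "md5": ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest()),
            "sha256": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")}
    if key_type == "ssh-rsa":  # blob layout: string "ssh-rsa", mpint e, mpint n
        e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        if off != len(blob):
            raise ValueError("trailing bytes after RSA modulus")
        info["e"] = int.from_bytes(e, "big")
        info["bits"] = int.from_bytes(n, "big").bit_length()
    return info


def audit_authorized_keys(text: str) -> list:
    """Fingerprint every key in an authorized_keys file, skipping blanks and # comments."""
    lines = (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return [parse_key_line(l) for l in lines]
```

Run audit_authorized_keys on the contents of your authorized_keys file and compare each fingerprint with what ssh-keygen printed for the matching id_rsa.pub; a key that was altered while copying either fails to decode or produces a different fingerprint.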