How to setup Linux SSH key pair in Linux or Mac OS X

Setting up a Linux SSH key pair is a simple process using OpenSSH on most modern Linux distributions and Mac OS X.  In this article we’ll generate a private/public key pair, add it to an authentication agent and copy it to a remote server for password-less access.  If you’re running Windows see my article on how to use PuTTY as an alternative.

Generate a key

Open a terminal and use ssh-keygen to generate a new private/public key pair.

$ ssh-keygen -t rsa -C "your.email@yourdomain"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kblair/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kblair/.ssh/id_rsa.
Your public key has been saved in /home/kblair/.ssh/id_rsa.pub.
The key fingerprint is:
7f:ab:88:26:29:fb:27:97:f2:c4:e5:25:87:14:7a:ed your.email@yourdomain.com
The key's randomart image is:
+--[ RSA 2048]----+
|        .        |
|       . o       |
|      . o .      |
|       o o       |
|        S E      |
|     . o =       |

|     .o.. . .    |
|  . =.=. . . .   |
|  .+.Oo . ...    |
+-----------------+

Replace with your e-mail of course, however this is not particularly important. Note that by default the key will be saved to ~/.ssh. The important part here is the passphrase: you want one.

Why you need a passphrase

A key is just that, a key. Think of the private key id_rsa as the key to your house and the public key id_rsa.pub as the lock on your door. Anyone who has your private key has the keys to your house, or rather your server. Depending on what the key is used for the implications are somewhere between bad and very bad.

The passphrase is the secret phrase needed to use the key. Without it, the key is useless. They can spend the time trying to break it, in which case the longer the passphrase the better. Hence the term pass phrase. This is not a pass word and for good reason. With an authentication agent you won’t have to constantly enter the passphrase anyway so it’s not much of an inconvenience.

Add your Linux SSH key to an authentication agent

An authentication agent helps you use the key when authenticating with remote servers. Modern versions of Mac OS X have an agent already configured when you open a terminal. For other Linux distributions OpenSSH provides a suitable agent, however you may have to configure your shell to use it. More on that later. Use ssh-add to add the new key to the agent.

$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/kblair/.ssh/id_rsa: 
Identity added: /home/kblair/.ssh/id_rsa (/home/kblair/.ssh/id_rsa)

Enter your passphrase (you did use a passphrase right?) and your key is now added to the authentication agent. You can use it in conjunction with ssh, scp and other commands to work easily and securely with remote servers. If you received a message Could not open a connection to your authentication agent. then you need to configure your shell to use the agent.

$ eval "$(ssh-agent)"
Agent pid 34215

You should now be able to add the key to the agent using ssh-add. You can also add the above command to your .bashrc to run automatically.

Add your Linux SSH key to a remote server

You’ve generated a key pair and added the private key to your local authentication agent. However remote servers still do not know anything about your key.  In order for a remote server to “know” you are who you say you are they must be provided with the public key.
First, copy the contents of id_rsa.pub exactly. Either open it with vim or use a utility such as pbcopy like so.

$ pbcopy < ~/.ssh/id_rsa.pub

It will look something like this.  Do not copy the fake key below, be sure to copy your own.

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqyUfIvRo+lK53t60O2qH66b9qNKZATWsSk5q8W8ET8bcXWNZVpj0f6PsECmeaYiwCo0jrIFLZfAL657n/giPxuu5BALne4BNMu6AFUkvUf3S2Yol5fYvSORibtaeRXIbuYx3ygRy3AnOdeW/NY9Bi3eBgx+DhgJ74obfApI5oRAkv1k32N3HTX/CfgdgbLxHHyPUVEHvLVrWbGzP7Zae6idzNC5yjzVAUlxK6FI2626Wdb56NLXqNqJDg23r4wHUFSl7x0DVwSpzh4sFzLE9FVBS0MIaeVOOki9azyXt9o8eCPE+IdDTFMU7YFZqSKGTRAu3d7+mXSGe2U+fKyFwJw== foo@foo.com

Save the file.  You can do this in vim using :wq.  Then change the file to only be writable by the current user.  By default your SSH daemon is likely to reject keys if the authorized_keys file does not have the correct permissions.

$ chmod 600 authorized_keys

At this point you can logout.  From now on you should be able to login with your private key.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>