How to create SSH Key for SSH public key authentication by SSH-KEYGEN
Public key authentication, also known as asymmetric cryptosystem, is an authentication method used by OpenSSH and OpenSSL to log users on to a server using a key pair consisting of digital signatures, private and public keys. Such a key pair is much harder to compromise than a password.
Create OpenSSH RSA Key using SSH-KEYGEN
The easiest way to create a SSH key pair in OpenSSH format is to run SSH-KEYGEN without arguments in the shell. In this case, it asks for the file in which the keys are to be stored. Like here in this example:
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:TZ+isKhohYE6wOcKuqWxElclsdZw4UxJwFtnB9txEC8 user@debian.localdomain
The key's randomart image is:
+---[RSA 3072]----+
| .+.o... +o. |
| oOo.oo.+ |
|o o=*o..E . |
|oo oo. . o o . |
|o =. . S o o |
|=.. o . . . |
|+++ . . |
|oO . . |
|B.... . |
+----[SHA256]-----+SSH keys for user authentication are typically stored in the user base under the .ssh directory.
Run SSH-KEYGEN with arguments
The key pair can also be generated by passing parameters.
$ ssh-keygen -f.ssh/key_rsa -t rsa -b 4096The parameters have the following meaning:
-f the key file
-t the algorithm
-b the key length
The longest key is 4096. If no algorithm is passed, the default is an RSA key.
When asking for the passphrase for the private key, a passphrase can be entered, in the next section after that it is shown how it can be generated, by pressing the Enter key, without a passphrase the key is created without password protection.
The purpose of the passphrase is usually to protect the key. It is a second authentication factor. This makes the key file without a public key unusable for attackers.It is not uncommon for hackers to filter for files from compromised systems, including backups and decommissioned hardware.
Generate a secure passphrase
A secure passphrase can be generated automatically, with the following input a 32-character passphrase is generated.
$ date +%s | sha256sum | base64 | head -c 32 ; echoOpenSSL can also be used to generate a passphrase with the built-in random number generator (rand), which is output as follows.
$ openssl rand -base64 32Note. It is important you protect the private key and the associated passphras from unauthorized individuals, if the private key is stolen, a new one must be generated, and the public key has to be changed.
If only the public key is lost, the following input shows how the public key can be recovered from the openSSH private key with the -y option, the passphrase is required for this.
$ ssh-keygen -y -f ~/.ssh/key_rsa > ~/.ssh/key_rsa.pubIt should be noted that at the end of the file key_rsa.pub the comment (key comment) must be added again, after a space, as in this example user@host.localdomain:
$ ssh-rsa AAAA...HPCQ== user@host.localdomain The file key_rsa.pub must not be modified in any other place.
Remove passphrase from key
If the passphrase is to be removed, this can be performed with the following input:
$ ssh-keygen -p -P old_passphrase -N "" -f ~/.ssh/key_rsaThe empty input between the quotation marks does not write a new passphrase, so it is deleted.
Run SSH-KEYGEN to create ECDSA key
Next, an ECDSA key pair with a key length of 521 bits is generated and stored under the user base ~/.ssh. Valid lengths are 256, 384 or 521 bits.
$ ssh-keygen -f ~/.ssh/key-ecdsa -t ecdsa -b 521ECDSA is a new algorithm for digital signatures standardized by the U.S. government using elliptic curves. It’s probably the best algorithm right now. Most SSH clients today support ECDSA.
Two files have now been created in the path ~/.ssh directory. The file with the extension .pub is the public key. The key-ecdsa file in this example is the private key and is readable only by the owner.
-rw-------. 1 user user 801 May 20 20:33 key-ecdsa
-rw-r--r--. 1 user user 279 May 20 20:33 key-ecdsa.pubThe public key key key-ecdsa.pub as SHA2 hash is now stored in the file authorized_keys on the server in the user’s home directory under .ssh.
$ cat ~/.ssh/authorized_keys
ecdsa-sha2-nistp521 AAAAE2vjZHNhLXNoYTItbmlzdHA1MjEFASBIbml
zdHA1MjEAfACFBAHnx0uIYUprY7D7myKMf1H+6NjCIV9U2GhZ69/oRE546i
QsvqSnSBs6SyL2ekvSe2JO3WXkrQ4gGpdLr9+XcLxfbAD79Oc8Z/Gcpr8mN
uKabOc4V/Seyr6AQ3l2KC+k8Wp0SBWG2ZofN0QYsPND8yIUL8Y7bS+t2tH9
dhSmeVwnLHUQNoktbVPoVDHw== user@host.localdomainPublic-Key Transfer with ssh-copy-id
To use public key authentication, the public key must be copied to the server and stored in the authorized_keys file. This can be done conveniently with the ssh-copy-id tool.
$ ssh-copy-id -i ~/.ssh/key-ecdsa user@host.foo.barNow you can log on to the server without having to enter a password, this method is also suitable for automated tasks and for logins from scripts.
$ ssh user@host.foo.bar
Last login: Mon May 20 21:53:46 2019 from 192.168.7.85Verbose mode can be useful for troubleshooting, with numerous debugging messages about progress, such as connection, authentication, and configuration issues.
$ ssh -v user@host.foo.barNote. multiple -v options increase the verbosity to max. -vvv.
OpenSSH config
If you have different hosts and key pairs, this can be defined in the config file under ~/.ssh.
$ vi ~/.ssh/config
Host *.foo.bar
User user
Port 22
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
IdentityFile key-ecdsa
Host host.fooo.bar
User user
Port 22
HostKeyAlgorithms +ssh-dss
PubkeyAcceptedKeyTypes +ssh-dss
IdentityFile id_dssConclusion
In this tutorial you’ll show how is the easiest way to create a SSH key pair in OpenSSH format, by run SSH-KEYGEN with and without arguments in the terminal shell. It’s able to log on users to remote systems using a key pair consisting of digital signatures, private and public keys. Such a key pair is much harder to compromise than a password.
