I’m going to be using Ubuntu to demonstrate this.
The ssh-keygen utility creates and manages authentication keys for SSH. It is a standard component of the openssh-client package, which should already be on your system.
If you can’t find it, you can install it using the following command.
sudo apt-get install openssh-client
Running ssh-keygen with no arguments starts an interactive session that creates an RSA key pair of the default size. On current OpenSSH releases that default is 3072 bits (it was 2048 bits before OpenSSH 8.0).
You can use the -b switch to ask for a larger 4096-bit RSA key pair.
ssh-keygen -b 4096
Here is the output of my interactive key generation session. I accepted every default by hitting enter, except one: the file name, which I set to "my_new_rsa_keys".
I am running the command directly from my ~/.ssh directory.
[email protected]:~/.ssh$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ubuntu/.ssh/id_rsa): my_new_rsa_keys
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in my_new_rsa_keys
Your public key has been saved in my_new_rsa_keys.pub
The key fingerprint is:
SHA256:Vku3tBU17L6sWClVG0OdB0YwjAOzzjLJr/YJIdzTy8F [email protected]
The key's randomart image is:
+---[RSA 3072]----+
| +.o +O=|
| =o= . = * *.=B|
| = * E =o=|
| = = . B oo|
| S * o *oo|
| F o - +.+=|
| . . * .o.|
| . |
| |
+----[SHA256]-----+
[email protected]:~/.ssh$ ls
my_new_rsa_keys  my_new_rsa_keys.pub  known_hosts
[email protected]:~/.ssh$ pwd
/home/ubuntu/.ssh
As the randomart header shows, the default -b bit size on this system is 3072 bits.
You should now see a freshly generated pair of SSH key files: the public key has the .pub extension and the private key has no extension.
Both are named after the identification string you chose earlier, so here the pair is my_new_rsa_keys.pub and my_new_rsa_keys. You can create as many key pairs as you want; just give each one a different name when you generate it.
Feel free to share your .pub files with everyone you know. The private key is the one file that must never leave your machine: anyone who holds it can authenticate as you on every host where the matching public key is installed.
Generate An Elliptic Curve Ed25519 SSH Key.
You may want a key pair that uses a stronger and more modern algorithm.
Ed25519 is an elliptic-curve signature scheme with a fixed 256-bit key (roughly 128-bit security), small keys and signatures, fast operations, and a design that avoids several implementation pitfalls of RSA and of the older NIST-curve ECDSA. For a deeper comparison, look up articles contrasting Ed25519 with the RSA 1024/2048/3072/4096 options that ssh-keygen offers. In short, Ed25519 is the generally recommended key type today, while 1024-bit RSA is considered unsafe and should not be used.
I am going to state the full command to generate an Ed25519 SSH key pair, show the interactive output and then explain the switches. Here is the full command.
ssh-keygen -a 100000 -t ed25519 -f id_my_eliptic_curve -C "[email protected]"
The interactive session is the same as the default run except that the key pair is generated with the Ed25519 algorithm, and because -f was given there is no prompt for a file name.
[email protected]:~/.ssh$ ssh-keygen -a 100000 -t ed25519 -f id_my_eliptic_curve -C "[email protected]"
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_my_eliptic_curve
Your public key has been saved in id_my_eliptic_curve.pub
The key fingerprint is:
SHA256:Ty2DWCusXrKS3cUR3B0YgyHi4br/XchzzJfZrIjVY90 [email protected]
The key's randomart image is:
+--[ED25519 256]--+
| |
| * |
| o . o |
| o = = * + |
| + = S=O . |
| o . + G M E . |
| o o . + B B B Y|
| T Я S . * + o |
|+o++=.. o . . |
+----[SHA256]-----+
[email protected]:~/.ssh$ ls
id_my_eliptic_curve  id_my_eliptic_curve.pub  known_hosts
[email protected]:~/.ssh$
Here is what the switches in the command mean.
- -a : KDF (Key Derivation Function) rounds used when the private key is encrypted with your passphrase. A higher number increases resistance to offline brute-force guessing of the passphrase, but the cost is paid every time the key is unlocked, not only at generation. The default is 16 rounds; values in the low hundreds are a common choice, and a value as large as 100000 will make every load of the key noticeably slow.
- -t : The type of key to create; we specified ed25519.
- -f : The filename. Without a path the files are written to the current directory. Note that ssh only looks automatically for the default names (such as ~/.ssh/id_rsa and ~/.ssh/id_ed25519); a custom name like this one has to be pointed at with ssh -i, an IdentityFile line in ~/.ssh/config, or loaded into the agent with ssh-add.
For example -f ~/.ssh/id_my_eliptic_curve
- -C : Optional. A comment for your own reference. It is stored in the .pub file, so anyone you give the public key to will see it.
- -o : We did not use this switch because it is implied for ed25519 keys. It selects the newer OpenSSH private key format instead of the older PEM format; since OpenSSH 7.8 that format is the default for every key type, so on a current system the switch changes nothing.
One final note, on permissions. ssh refuses to use a private key that is readable or writable by group or other (you will see an error of the form "Permissions 0644 for '...' are too open" and the key is ignored), so the private key file must be mode 600. ssh-keygen already creates it that way, but keys copied from another machine, restored from a backup or unpacked from an archive often arrive with looser modes, so it is worth checking. The .pub file can stay world-readable; restricting it as well, as below, is harmless.
Here is how it is done.
[email protected]:~/.ssh$ chmod 600 id_my_eliptic_curve*
[email protected]:~/.ssh$ ls -l
total 12
-rw------- 1 ubuntu goodboy  411 Aug 23 23:46 id_my_eliptic_curve
-rw------- 1 ubuntu goodboy   96 Aug 23 23:46 id_my_eliptic_curve.pub
-rw-r--r-- 1 ubuntu goodboy 1770 Aug 24 23:46 known_hosts
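To see what the generation output and the permission rule above actually mean, here is an added Python example (my own, not part of this tutorial or of OpenSSH; it uses only the standard library, so it does not need ssh-keygen installed). It decodes a .pub line to report the key type, its size in bits and the SHA256 fingerprint the way ssh-keygen computes it (SHA-256 over the binary key blob, base64-encoded with the "=" padding stripped), and it applies the same test ssh applies before it will load a private key (no group or other permission bits at all). The sample keys are constructed for the demo, not real keys: 32 arbitrary bytes stand in for the Ed25519 point and a synthetic 3072-bit number for the RSA modulus, and the comment "ubuntu@example" and the temp-dir file names are placeholders.

```python
"""Inspect OpenSSH public keys and private-key permissions, standard library only.

Added example for this tutorial, not code from OpenSSH. The sample keys below are
constructed, not real: 32 arbitrary bytes stand in for the Ed25519 point and a
synthetic 3072-bit number for the RSA modulus, enough to exercise the parsing.
"""
import base64
import hashlib
import os
import stat
import struct
import tempfile


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading 0x00 keeps it positive)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Decode one wire-format string at offset; return (bytes, offset after it)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it: base64 of the digest, no '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_pubkey_line(line: str) -> dict:
    """Parse one .pub line ('<type> <base64 blob> [comment]') into type, bits, fingerprint, comment."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type in text does not match the encoded blob")
    if key_type == "ssh-ed25519":
        point, off = _read_string(blob, off)
        if len(point) != 32:
            raise ValueError("Ed25519 public key must be exactly 32 bytes")
        bits = 256                                   # fixed size, hence "ED25519 256"
    elif key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)            # public exponent (mpint)
        n_raw, off = _read_string(blob, off)         # modulus (mpint)
        bits = int.from_bytes(n_raw, "big").bit_length()   # hence "RSA 3072"
    else:
        raise ValueError(f"unsupported key type {key_type}")
    if off != len(blob):
        raise ValueError("trailing data after the public key")
    return {"type": key_type, "bits": bits, "fingerprint": fingerprint(blob), "comment": comment}


def build_pubkey_line(key_type: str, *fields: bytes, comment: str = "") -> str:
    """Assemble a .pub line from already-encoded wire fields (used to construct the samples)."""
    blob = _ssh_string(key_type.encode()) + b"".join(fields)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


# Constructed samples, NOT real keys (arbitrary point bytes, synthetic modulus).
SAMPLE_ED25519 = build_pubkey_line("ssh-ed25519", _ssh_string(bytes(range(32))), comment="ubuntu@example")
SAMPLE_RSA = build_pubkey_line("ssh-rsa", _ssh_mpint(65537), _ssh_mpint((1 << 3071) | 1), comment="constructed-rsa-3072")


def private_key_mode_ok(path: str) -> bool:
    """The test ssh applies before loading a private key: no group/other bits set (mode & 077 == 0)."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0


def demo_permissions() -> dict:
    """Write a throwaway key pair, apply the modes ssh-keygen uses, then loosen the private key."""
    d = tempfile.mkdtemp(prefix="sshdemo-")
    priv, pub = os.path.join(d, "id_demo"), os.path.join(d, "id_demo.pub")
    with open(priv, "w") as f:        # placeholder body, not a real private key
        f.write("-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n-----END OPENSSH PRIVATE KEY-----\n")
    with open(pub, "w") as f:
        f.write(SAMPLE_ED25519 + "\n")
    os.chmod(priv, 0o600)             # what ssh-keygen does for the private key
    os.chmod(pub, 0o644)              # the public key may stay world-readable
    result = {"private_600": private_key_mode_ok(priv)}
    os.chmod(priv, 0o644)             # the usual mistake after copying keys around
    result["private_644"] = private_key_mode_ok(priv)
    return result
```

On a real key, parse_pubkey_line on the contents of id_my_eliptic_curve.pub returns the same SHA256 fingerprint that ssh-keygen -l -f id_my_eliptic_curve.pub prints, and the bits value is the number shown in the randomart header. The type check guards against a .pub line whose text label was edited but whose blob was not, which is the kind of tampering a fingerprint comparison is meant to catch.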