Installation

I’m going to be using Ubuntu to demonstrate this.

The ssh-keygen utility manages authentication keys for ssh. It is a standard component of the openssh-client suite, which should already be available on your system.

If you can’t find it, you can install it using the following command.

sudo apt-get install openssh-client

Interactive Usage

Default Usage

Running the following command will start an interactive session to create a default 2048-bit RSA key pair.

ssh-keygen

You could use the -b switch to create a larger 4096-bit RSA key pair.

ssh-keygen -b 4096

Here is the output of my interactive key generation session. I have accepted all of the default options by hitting enter, except for one – the file name. I have named my identification as “my_new_rsa_keys”.

I’m running the command directly from my ~/.ssh directory.

ubuntu@goodboy:~/.ssh$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ubuntu/.ssh/id_rsa): my_new_rsa_keys
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in my_new_rsa_keys
Your public key has been saved in my_new_rsa_keys.pub
The key fingerprint is:
SHA256:Vku3tBU17L6sWClVG0OdB0YwjAOzzjLJr/YJIdzTy8F ubuntu@goodboy
The key's randomart image is:
+---[RSA 3072]----+
|          +.o +O=|
| =o=   . = * *.=B|
|        = * E =o=|
|   =     = . B oo|
|        S * o *oo|
|  F      o - +.+=|
| .      .   * .o.|
|           .     |
|                 |
+----[SHA256]-----+
ubuntu@goodboy:~/.ssh$ ls
my_new_rsa_keys  my_new_rsa_keys.pub known_hosts
ubuntu@goodboy:~/.ssh$ pwd
/home/ubuntu/.ssh

Well, it looks like the default -b bit size for my system is 3072 bits.

You should now see a pair of freshly generated ssh key files: the public key, identifiable by its .pub extension, and the private key file, which has no extension.

The files are named after the identification string you chose earlier; here we have the public/private key pair my_new_rsa_keys.pub and my_new_rsa_keys. You can create as many key pairs as you want, just give each one a different name when you generate it.

Go ahead and feel free to share your .pub files with everyone you know. The private key (the file without an extension) is the one that must never leave your machine.

Custom Usage

Generate An Elliptic Curve Ed25519 SSH Key

You may want to have a pair of SSH keys using a slightly more secure algorithm.

For deeper insight, search the internet for articles comparing Ed25519 elliptic curve cryptography with the RSA algorithm (1024/2048/3072/4096-bit) that ssh-keygen uses by default. In short, Ed25519 is the most widely recommended key type, and 1024-bit RSA is considered unsafe.

I am going to state the full command to generate an Ed25519 SSH key pair, show the interactive output and then explain the switches. Here is the full command.

ssh-keygen -a 100000 -t ed25519 -f id_my_eliptic_curve -C "ubuntu@goodboy"

The interactive ssh-keygen session is identical to the default attempt (the file name prompt is skipped because -f already supplies it); it just generates your key pair using the ed25519 algorithm instead.

ubuntu@goodboy:~/.ssh$ ssh-keygen -a 100000 -t ed25519 -f id_my_eliptic_curve -C "ubuntu@goodboy"
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_my_eliptic_curve
Your public key has been saved in id_my_eliptic_curve.pub
The key fingerprint is:
SHA256:Ty2DWCusXrKS3cUR3B0YgyHi4br/XchzzJfZrIjVY90 ubuntu@goodboy
The key's randomart image is:
+--[ED25519 256]--+
|                 |
|       *         |
|    o . o        |
|   o = = * +     |
|    + = S=O .    |
|   o . + G M E . |
|  o o . + B B B Y|
| T Я S . * + o   |
|+o++=.. o . .    |
+----[SHA256]-----+
ubuntu@goodboy:~/.ssh$ ls
id_my_eliptic_curve  id_my_eliptic_curve.pub  known_hosts
ubuntu@goodboy:~/.ssh$

Here are what the switches in the command mean.

  • -a : KDF (Key Derivation Function) rounds used when encrypting the private key with your passphrase. A higher number increases the resistance to brute-force cracking of the passphrase if the private key file is ever stolen, at the cost of a proportionally longer wait each time the key is loaded.
  • -t : Specify the type of key to create, we specified ed25519
  • -f : The filename. Specify the full path into your .ssh directory if you want the keys kept alongside your other identities, for example -f ~/.ssh/id_my_eliptic_curve.
    Note that ssh only tries its default file names (id_rsa, id_ed25519 and so on) on its own; a custom name like this one is picked up via ssh -i, an IdentityFile line in ~/.ssh/config, or by loading it into ssh-agent with ssh-add.
  • -C : This is optional. It can be useful to add a comment for your own reference.
  • -o : We didn’t use this switch as when the type is ed25519 this option is implied. Setting this switch saves your key pair using the new OpenSSH format rather than the PEM format.

See the ssh-keygen manual page (man ssh-keygen) for the full list of options.
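The fingerprint and key type that ssh-keygen printed above can be checked again later from the .pub file alone. As an added example (not code from this post or from OpenSSH), the Python script below parses OpenSSH public-key lines (the .pub files, or an authorized_keys file), confirms that the base64 blob really contains the key type named in front of it, reports the key size, recomputes the SHA256: fingerprint in the same form ssh-keygen prints, and flags RSA keys below 2048 bits as the text above advises. The two sample keys are constructed with made-up key material and are not real keys.

```python
"""Inspect OpenSSH public-key lines (.pub files, authorized_keys) without ssh-keygen.

Added example for this post, not code from the post or from OpenSSH.
The sample keys below are constructed test vectors with made-up key material.
"""
import base64
import hashlib
import struct

# The post treats 1024-bit RSA as unsafe; flag any RSA key below this size.
MIN_RSA_BITS = 2048


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """Encode a non-negative integer as an SSH mpint (extra 0x00 if the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob, offset):
    """Decode one wire-format string starting at offset; return (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_pub_line(line):
    """Parse '<type> <base64 blob> [comment]' into type, size, fingerprint and a weak flag.

    The fingerprint is SHA256 over the raw blob, base64 without padding, which is
    the form ssh-keygen prints, so it can be compared with the value shown at
    key generation time.
    """
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)

    # The blob itself starts with the key type; it must agree with the text prefix.
    embedded, offset = _read_string(blob, 0)
    if embedded.decode("ascii", "replace") != key_type:
        raise ValueError("prefix %r does not match embedded type %r" % (key_type, embedded))

    if key_type == "ssh-ed25519":
        pubkey, _ = _read_string(blob, offset)
        if len(pubkey) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    elif key_type == "ssh-rsa":
        _exponent, offset = _read_string(blob, offset)
        modulus, _ = _read_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
    else:
        bits = None  # other types (ecdsa, sk-*) are reported but not sized here

    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {
        "type": key_type,
        "bits": bits,
        "fingerprint": fingerprint,
        "comment": comment,
        "weak": key_type == "ssh-rsa" and bits < MIN_RSA_BITS,
    }


def make_pub_line(key_type, blob, comment=""):
    """Build a .pub line from a wire blob (used here only to construct the samples)."""
    line = key_type + " " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


# Constructed samples: bogus key material in valid wire format.
SAMPLE_ED25519 = make_pub_line(
    "ssh-ed25519", _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32))), "ubuntu@goodboy")
SAMPLE_RSA_1024 = make_pub_line(
    "ssh-rsa", _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 1023) | 1), "old-laptop")


def audit(lines):
    """Parse every non-empty, non-comment line; return one result dict per key."""
    return [parse_pub_line(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]


if __name__ == "__main__":
    for info in audit([SAMPLE_ED25519, SAMPLE_RSA_1024]):
        flag = "  <-- weak, replace" if info["weak"] else ""
        print("%-12s %4s %s %s%s" % (info["type"], info["bits"], info["fingerprint"], info["comment"], flag))
```

Run it against your own files with audit(open("id_my_eliptic_curve.pub").readlines()) and compare the printed SHA256: value with the one ssh-keygen showed; a mismatch means the file is not the key you generated.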

Key Permissions

One final note. You must set any newly generated key pair to permission 600, otherwise you will run into usage issues: ssh refuses to use a private key that other users on the machine can read.

Here is how it is done.

ubuntu@goodboy:~/.ssh$ chmod 600 id_my_eliptic_curve*
ubuntu@goodboy:~/.ssh$ ls -l
total 12
-rw------- 1 ubuntu goodboy  411 Aug 23 23:46 id_my_eliptic_curve
-rw------- 1 ubuntu goodboy   96 Aug 23 23:46 id_my_eliptic_curve.pub
-rw-r--r-- 1 ubuntu goodboy 1770 Aug 24 23:46 known_hosts
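The same check can be automated for a whole key directory. As an added example (not code from this post or from OpenSSH), the Python script below audits a .ssh-style directory the way ssh judges it: the directory itself and every private key (a file whose .pub sibling exists) must not be readable by group or other; with fix=True it applies the chmod 600 from the session above (and 700 to the directory). The .pub and known_hosts files are deliberately not flagged, since ssh is happy with them world-readable. make_demo_dir() builds a throwaway directory with placeholder files, so the check can be exercised without touching real keys.

```python
"""Check (and optionally fix) ~/.ssh permissions the way ssh expects them.

Added example for this post, not code from the post or from OpenSSH.
make_demo_dir() builds a throwaway directory with placeholder files so the
check can be exercised without touching real keys.
"""
import os
import stat
import tempfile

DIR_MODE = 0o700          # ~/.ssh itself: owner only
PRIVATE_KEY_MODE = 0o600  # the chmod 600 the post applies
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def is_private_key(path):
    """A regular file without .pub whose '<name>.pub' sibling exists is a private key."""
    return (os.path.isfile(path) and not path.endswith(".pub")
            and os.path.isfile(path + ".pub"))


def audit_ssh_dir(ssh_dir, fix=False):
    """Return findings for the directory and each private key whose mode lets
    group or other access it (the case ssh rejects). Each finding is a dict with
    'name' ('.' for the directory itself), 'mode' and 'expected'. With fix=True
    the offending entries are chmod'ed to the expected mode."""
    findings = []

    def check(path, name, expected):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & GROUP_OTHER_BITS:
            findings.append({"name": name, "mode": mode, "expected": expected})
            if fix:
                os.chmod(path, expected)

    check(ssh_dir, ".", DIR_MODE)
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if is_private_key(path):
            check(path, name, PRIVATE_KEY_MODE)
    return findings


def make_demo_dir():
    """Constructed sample: a world-readable .ssh-style directory holding a placeholder
    key pair and a known_hosts file, with the loose modes a careless copy leaves behind."""
    d = tempfile.mkdtemp(prefix="ssh-demo-")
    for name in ("id_demo", "id_demo.pub", "known_hosts"):
        with open(os.path.join(d, name), "w") as f:
            f.write("placeholder, not real key material\n")
        os.chmod(os.path.join(d, name), 0o644)
    os.chmod(d, 0o755)
    return d


if __name__ == "__main__":
    # Report-only pass over the real directory; pass fix=True to repair it.
    target = os.path.expanduser("~/.ssh")
    for f in audit_ssh_dir(target):
        print("%s: mode %o, expected %o" % (f["name"], f["mode"], f["expected"]))
    if not audit_ssh_dir(target):
        print("all private keys in %s are owner-only" % target)
```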