How to set up SSH keys, and why?

September 16, 2005
This guide explains the concept of SSH keys and their use.

This is a continuation of the previous guide, SSH Secure Shell, which explains the basics of SSH. Please read that guide first if you haven't already, before continuing further.

What is an SSH key ?


SSH keys serve as a means of identifying yourself to an SSH server using public-key cryptography and challenge-response authentication.

An SSH key comprises two separate keys -

  1. A public key - which you can share freely with any SSH server, and
  2. A private key - which should be known only to you, and kept secret.

Advantages of using SSH keys


The following are some of the advantages of using SSH keys over traditional password authentication.

  • Your password is never sent over the network.
  • Eliminates the risk posed by brute-force password attacks (provided password authentication is also disabled on the server, so that keys are the only way in).
  • More convenience - You can connect to a server, or multiple servers, without having to remember or enter your password for each system.

How to generate an SSH key


To generate an SSH key pair in Linux, you use the ssh-keygen tool.

ssh-keygen generates, manages and converts authentication keys for ssh.


Syntax -

$ ssh-keygen -t <type>

The -t option specifies the type of key to create. The possible values are "rsa1" for protocol version 1, and "dsa", "ecdsa", or "rsa" for protocol version 2.

DSA - 1024-bit keys (the only DSA size OpenSSH accepts; because of that limit, OpenSSH 7.0 and later no longer accept DSA keys by default, so prefer RSA or ECDSA for new keys)
RSA - 2048-4096 bit keys
ECDSA - stands for Elliptic Curve Digital Signature Algorithm; it provides smaller key sizes and faster operations when compared to the other algorithms.

For example, to create an SSH key that uses DSA, do the following -

$ ssh-keygen -t dsa

The program will ask you to (optionally) enter a passphrase. You can just press the ENTER key if you do not want to set a passphrase. If you do set one, your private key file will be stored encrypted with a key derived from that passphrase, so the file alone is useless to anyone who copies it.

Next, the tool will generate two files - id_dsa and id_dsa.pub - which are saved beneath your HOME directory in the ~/.ssh directory.

id_dsa is the private key, and

id_dsa.pub is the public key.

There are lots of other options for the ssh-keygen tool. For the full list of options, see its man page.


If you have set a passphrase, it must be entered every time you attempt to connect to an SSH server using public-key authentication.

SSH Agent


You can use an SSH Agent to remember your passphrase.

An SSH Agent is a program used to hold private keys used for public key authentication (RSA, DSA, ECDSA).

The ssh-agent tool is the default SSH Agent in OpenSSH.

Using an SSH Agent to remember the passphrase is a two-step process.

Step 1 : Start running SSH Agent in the background.

The idea is that ssh-agent is started at the beginning of an X session or a login session, and all other windows or programs are started as clients of the ssh-agent program, so they inherit its environment.

For now, let's start ssh-agent explicitly from the command line. The agent tells clients where to find it through the SSH_AUTH_SOCK and SSH_AGENT_PID environment variables, but it only prints the commands that set them rather than setting them itself, so evaluate its output in the current shell (the -s flag forces Bourne-shell syntax for that output):

$ eval "$(ssh-agent -s)"

Step 2 : Add your private key to its cache.

This is done using another tool called ssh-add.

$ ssh-add ~/.ssh/id_dsa
Enter passphrase for /home/ravi/.ssh/id_dsa: 
Identity added: /home/ravi/.ssh/id_dsa (/home/ravi/.ssh/id_dsa)

ssh-add prompts you to enter the passphrase for your private key. Once you enter the correct passphrase, it adds the key to the cache of the SSH Agent running in the background.

From now on, for as long as that agent is running, you won't have to enter the passphrase for your private SSH key when you log in to a remote computer.

An SSH Key Example


How to use SSH without a password


Each time you use ssh or any related tools such as scp, you are prompted for a password to the remote machine.

If you use SSH often enough, typing the password can be tedious. However, if you are using SSH keys, you can do away with entering or remembering passwords altogether.

Here is one way of doing it.

Step 1: Create a private-public SSH key pair

$ ssh-keygen -t dsa

The following is the output of the command on my machine -

Generating public/private dsa key pair.
Enter file in which to save the key (/home/ravi/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/ravi/.ssh/id_dsa.
Your public key has been saved in /home/ravi/.ssh/id_dsa.pub.
The key fingerprint is:
2c:fc:84:60:87:2b:98:ab:f1:c0:ee:9c:55:b6:b2:b7 ravi@ubuntu-desktop
The key's randomart image is:
+--[ DSA 1024]----+
|                 |
|     .           |
|    + .          |
| o . = o         |
|o . .++ S        |
|.. .o .+         |
|+. + .  .        |
|++o o.           |
|o=...E.          |
+-----------------+

What it does

ssh-keygen will prompt you to enter a passphrase; for this example, leave it blank. Bear in mind that a key without a passphrase can be used by anyone who gets hold of the id_dsa file, so for a key that matters, set a passphrase and let ssh-agent (described above) remember it for you.

Next, it will generate two files named id_dsa and id_dsa.pub.

The files will be saved (by default) in the .ssh directory in your home folder.

$ ls ~/.ssh
id_dsa  id_dsa.pub  known_hosts

Step 2: Copy the SSH public key to the remote machine

Copy the 'id_dsa.pub' file to the .ssh/ directory on your remote machine (the directory must already exist there, otherwise scp fails).

Remote machine hostname - xyz.com
Remote machine username - ravi

$ scp ~/.ssh/id_dsa.pub ravi@xyz.com:~/.ssh/.

Step 3: Authorize the SSH server to use the public keys

SSH to your remote machine and append the contents of the 'id_dsa.pub' file to the 'authorized_keys' file in the same folder. Append rather than overwrite, so that keys already authorized for other machines are kept.

If there is no such file on your remote machine yet, the redirection below creates it. Note that sshd only trusts authorized_keys when the .ssh directory and the file are not writable by anyone but you (mode 700 and 600 respectively); if the login still asks for a password, check those permissions first.

$ ssh ravi@xyz.com
...
ravi@xyz.com [~]$ cd .ssh
ravi@xyz.com [~/.ssh]$ cat id_dsa.pub >> authorized_keys

From here on, you won't need a password to log in to the remote machine xyz.com from your local machine.
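As an added example (not code from the original article), here is a POSIX sh function that performs the remote half of Step 3 the way ssh-copy-id does: it checks that the input is a single OpenSSH public key line, appends it to ~/.ssh/authorized_keys only if that key is not already there, and sets the permissions sshd requires. The optional home-directory argument is an assumption added so the function can be exercised on a scratch directory; the key lines in the usage comment are constructed samples, not real key material.

```shell
# Added example (not from the original article): the remote half of Step 3 done
# safely, as ssh-copy-id does it. The key is appended to ~/.ssh/authorized_keys
# only if it is not already there, so keys from other machines are never
# overwritten, and the directory and file get the permissions sshd's default
# StrictModes setting requires (otherwise the file is silently ignored).
# Usage: add_authorized_key '<one OpenSSH public key line>' [home-dir]
#        home-dir defaults to $HOME; e.g. add_authorized_key "$(cat id_dsa.pub)"
add_authorized_key() {
    key=$1
    home=${2:-$HOME}
    sshdir=$home/.ssh
    authfile=$sshdir/authorized_keys

    # Accept exactly one line of the form "<type> <base64 blob> [comment]".
    # This rejects an empty string, a private key pasted by mistake, and
    # multi-line input (NR would be greater than 1).
    if ! printf '%s\n' "$key" | awk '
        NR == 1 && $1 ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/ &&
        $2 ~ "^[A-Za-z0-9+/]+=*$" { ok = 1 }
        END { exit !(ok && NR == 1) }'; then
        echo "add_authorized_key: not an OpenSSH public key line" >&2
        return 2
    fi

    # sshd refuses to use authorized_keys if ~/.ssh or the file is writable
    # by others, so create both with tight permissions.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    [ -e "$authfile" ] || : > "$authfile"
    chmod 600 "$authfile" || return 1

    # Compare type and blob only, so a changed comment is still the same key.
    keyid=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$authfile"; then
        echo "add_authorized_key: key already authorized, nothing to do" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$authfile"
}

# Number of keys authorized under the given home dir (blank and comment lines skipped).
count_authorized_keys() {
    grep -c -v -e '^[[:space:]]*$' -e '^#' "${1:-$HOME}/.ssh/authorized_keys" || [ $? -eq 1 ]
}
```

Run it on the remote machine after copying id_dsa.pub there, or pipe the key through ssh as the commenters below do; either way the append is idempotent.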

References for further reading


SSH Keys @ wiki.archlinux.org
OpenSSH key management @ IBM Developerworks - Part 1, Part 2, and Part 3.

6 comments:

  • Your article got me thinking... you could extend this to sync up home directories on various machines, or do remote backups automatically (and securely). Great article.

  • BP{k}

    Very good and clearly written article. Have added a link from my blog: /udev/random/source to yours

  • Hiro, look up rsync, it's a tool designed for syncing directories across several machines - and can use ssh/sftp as the method for doing this.

    Agreed very useful article.

  • Mahmoud Lababidi

    from http://artax.karlin.mff.cuni.cz/~kaspj0am/?file=howIdid.m2

    save frequently visited SSH sites in SSH Shortcuts like so:

    In "~/.ssh/config" I added the following lines
    Host shortcut
    User my_username
    HostName real_host_name
    And then I can simply log in via
    ssh shortcut

  • One minor issue. This command is really not quite what you want:

    $ scp ~/.ssh/id_rsa.pub remote_mc:.ssh/authorized_keys

    because it will replace the authorized_keys on the remote machine with your new machines public key. Using that command, you can only have one machine at a time from which you could log in without a password. The authorized_keys file can have multiple keys in it. What probably should be done if the file exists, is the id_rsa.pub file should be appended to the end of the file. So maybe:


    $ scp ~/.ssh/id_rsa.pub remote_mc:id_rsa.pub
    $ ssh remote_mc "cat id_rsa.pub >> .ssh/authorized_keys; rm id_rsa.pub"


    That will allow you to have any number of authorized machines you can log in from.

  • The best way to do this:

    $ scp ~/.ssh/id_rsa.pub remote_mc:id_rsa.pub
    $ ssh remote_mc "cat id_rsa.pub >> .ssh/authorized_keys; rm id_rsa.pub"

    is

    $ ssh-copy-id -i ~/.ssh/id_rsa.pub remote_mc