The Secure Shell (SSH) protocol provides encrypted communication. SSH can be used to connect two Linux PCs in a local network, but it also allows you to work on a remote server from a local machine, including virtual private servers (VPS) and shared web servers.
When you log in to a VPS over SSH, you can of course use a password. However, a much better way is to log in with SSH keys.
SSH keys have two big advantages over passwords:
- no matter how strong the password is, it is much easier to brute-force a password than an SSH key
- with SSH keys you can log in automatically, without the need to enter a password
When we talk about SSH keys, we actually mean a pair of SSH keys: a private key and a public key. You keep the private key for yourself, while you upload the public key to the server or servers that you want to access over SSH.
The two keys of a pair are generated at the same time. Fire up a terminal window on your Mac or Linux PC.
Go to the SSH folder by typing:
Check whether a pair of SSH keys already exists:
You already have a pair of SSH keys when you see file names containing something like:
As you probably understand, the file whose name ends in .pub is the public half of the key pair.
However, having SSH keys is not enough. You can only use an existing key pair when you know its passphrase. The passphrase is used to verify that you are authorized to use the SSH keys.
When you do not know the passphrase, ask your system administrator, or create a new pair. Just make sure you do not lose the existing pair; you never know when you will need it. Put the existing keys somewhere safe, or use a unique filename when generating the new SSH keys.
Let’s generate a new pair of SSH keys.
Type at the terminal prompt:
ssh-keygen -t rsa -b 4096
ssh-keygen is the command that creates the key pair.
-t rsa sets the key type to RSA.
Another key type is DSA. When you prefer DSA, or when for example a shared server only allows DSA keys, you would apply the DSA type:
By default, ssh-keygen generates RSA keys of 2048 bits.
With -b 4096, we increase the key length to 4096 bits.
DSA keys must be 1024 bits, which is the length set by default.
No matter the chosen key length, the response from the terminal is:
Generating public/private rsa key pair. Enter file in which to save the key (/home/<$yourusername>/.ssh/id_rsa):
Now you can enter a custom filename for your key pair, or hit enter to use the suggested filename.
Next, the terminal asks you for a passphrase.
Enter passphrase (empty for no passphrase):
Enter the passphrase. It is not echoed to the screen, so you have to enter it a second time for verification. Remember or store the passphrase and keep it safe.
That is it. Now we have our own private key id_rsa and public key id_rsa.pub.
The entire procedure in the terminal window looks like this:
username@yourpc ~/.ssh$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/<$username>/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/<$username>/.ssh/id_rsa.
Your public key has been saved in /home/<$username>/.ssh/id_rsa.pub.
The key fingerprint is:
72:62:6b:fd:c4:e1:80:dd:b7:a3:18:41:13:2c:84:3a yourusername@yourpc
The key's randomart image is:
+--[ RSA 4096]----+
| o... |
| . . .. |
| . .o |
| E + o |
| . = S o . |
| . * = o . |
| o o + o |
| . = . . |
| . o |
+-----------------+
yourusername@yourpc ~ $
That’s it. Now we have our own pair of SSH Keys:
- id_rsa — our Private SSH Key, locked with a strong passphrase, which we should never share with anyone — keep it private!
- id_rsa.pub — our Public SSH Key, which we need to share in order to make use of our pair of SSH Keys.
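The procedure above, scripted as an added example (not code from the original post): it creates an RSA 4096 pair under a unique name so an existing id_rsa is never overwritten, protects it with a passphrase, and then checks that the saved .pub really belongs to the new private key. It assumes OpenSSH's ssh-keygen is installed; make_keypair, key_bits and the DEMO variable are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: create an RSA 4096 key
# pair under a unique name without touching an existing id_rsa, then check
# that the saved .pub really belongs to the new private key.
# Assumes OpenSSH's ssh-keygen is installed. make_keypair, key_bits and the
# DEMO variable are names chosen for this example.

# make_keypair KEYFILE PASSPHRASE COMMENT
# Exit status: 0 on success, 1 if KEYFILE already exists (never overwrite an
# existing pair), 2 if the public key does not match the private key,
# 3 if ssh-keygen itself failed.
make_keypair() {
    keyfile=$1; passphrase=$2; comment=$3
    if [ -e "$keyfile" ] || [ -e "$keyfile.pub" ]; then
        echo "refusing to overwrite existing key: $keyfile" >&2
        return 1
    fi
    # -q quiet, -N passphrase, -C comment stored in the .pub line, -f output.
    # Note: -N puts the passphrase on the command line, where other local
    # users can see it in the process list; omit -N to be prompted instead.
    ssh-keygen -q -t rsa -b 4096 -N "$passphrase" -C "$comment" \
        -f "$keyfile" || return 3
    # Derive the public key from the private key (this needs the passphrase)
    # and compare type and key material with what was written to KEYFILE.pub.
    derived=$(ssh-keygen -y -P "$passphrase" -f "$keyfile" | cut -d' ' -f1,2)
    saved=$(cut -d' ' -f1,2 < "$keyfile.pub")
    [ "$derived" = "$saved" ] || return 2
}

# key_bits KEYFILE: print the key length ssh-keygen reports for KEYFILE.pub
# (4096 for a pair made by make_keypair).
key_bits() {
    ssh-keygen -l -f "$1.pub" | cut -d' ' -f1
}

# DEMO=1 sh keygen.sh creates ~/.ssh/id_rsa_example and prints its length.
if [ "${DEMO:-0}" = "1" ]; then
    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
    make_keypair "$HOME/.ssh/id_rsa_example" "change me" "$USER@example" \
        && key_bits "$HOME/.ssh/id_rsa_example"
fi
```

Run with DEMO=1 to create the example pair; calling make_keypair a second time with the same filename returns 1 instead of replacing the keys.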
man ssh
man ssh-keygen