ssh-keygen is a Unix utility that is used to generate, manage, and convert authentication keys for ssh authentication. With ssh-keygen, a user can create passphrase-protected keys for both SSH protocol version 1 and version 2. ssh-keygen creates RSA keys for SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2. These keys differ from keys used by GNU Privacy Guard.
How it Works
The ssh-keygen tool stores the private key in $HOME/.ssh/id_rsa and the public key in $HOME/.ssh/id_rsa.pub in the user's home directory. The user should then copy the contents of id_rsa.pub to the $HOME/.ssh/authorized_keys file in his or her home directory on the remote machine. ssh-keygen also asks for a passphrase. The passphrase may be empty to indicate no passphrase (host keys must have an empty passphrase), or it may be a string of arbitrary length. Instead of RSA, DSA can also be used. The steps to create authorization keys with the ssh-keygen tool are as follows:
- Start the ssh-keygen tool with the following command to generate an RSA authentication key:
[axl@asterisk1 axl]$ ssh-keygen -t rsa -C "my comment"
Generating public/private rsa key pair.
...
- Enter the path to the file that will hold the key. By default, the file name $HOME/.ssh/id_rsa, which holds an RSA v2 key, appears in parentheses:
Enter file in which to save the key (/home/axl/.ssh/id_rsa): <return>
- Enter a passphrase for your key. The passphrase you enter is used to encrypt your private key. A good passphrase is alphanumeric and 10-30 characters long. You can also use an empty passphrase, but this is a security weakness: anyone who obtains the private key file can then use it directly.
Enter passphrase (empty for no passphrase): <Type the passphrase>
- Re-enter the passphrase to confirm it. Type your passphrase once again:
Enter same passphrase again: <Type the passphrase>
Your identification has been saved in /home/axl/.ssh/id_rsa.
Your public key has been saved in /home/axl/.ssh/id_rsa.pub.
The key fingerprint is:
0b:fa:3c:b8:73:71:bf:58:57:eb:2a:2b:8c:2f:4e:37 axl@myLocalHost
- Check the private key: The private key is saved in the .ssh/id_rsa file, which is readable only by you. No one else must see the contents of that file, as it is used to decrypt all correspondence encrypted with the public key. The public key is saved in the .ssh/id_rsa.pub file.
- Copy the public key into the remote system's .ssh/authorized_keys file: Append the public key to the remote system's .ssh/authorized_keys file, set that file's permissions to 0640, and set the permissions of .ssh to 700 so that only you can read and write it. Without these permissions, ssh will refuse to use the key. You can now SSH to the account on the remote system without a password (use the "-i" option of the ssh command if you gave the key a non-default file name when creating it). The "ssh-copy-id remotehost" command combines this three-step process into one: it logs in, copies the key and sets the permissions in one go.
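As an added example that is not part of the article and not OpenSSH's own code, the following Python script performs the two checks a practitioner wants after completing the steps above: it parses an id_rsa.pub / authorized_keys line and computes the colon-separated MD5 fingerprint of the kind printed in step 4, and it audits whether .ssh, id_rsa and authorized_keys carry the permissions that step 6 says ssh insists on. The sample RSA blob is built from placeholder numbers (the exponent 65537 and a short made-up modulus) purely to exercise the file format; it is not a usable key. The permission thresholds (0700 for .ssh, 0600 for the private key, and no group/other write on authorized_keys) follow the article; the function names and the temporary demo home directory are this example's own.

```python
import base64
import hashlib
import os
import stat
import struct
import tempfile

def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian magnitude, leading 0x00 if the high bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def _read_string(blob: bytes, off: int):
    """Read one 'string' at offset off; return (data, offset after it)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + length], off + 4 + length

def build_rsa_public_blob(e: int, n: int) -> bytes:
    """The binary blob that ssh-keygen base64-encodes into id_rsa.pub."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def encode_public_key_line(e: int, n: int, comment: str) -> str:
    """Render a public key in the one-line 'ssh-rsa <base64> comment' form."""
    b64 = base64.b64encode(build_rsa_public_blob(e, n)).decode()
    return f"ssh-rsa {b64} {comment}".rstrip()

def md5_fingerprint(blob: bytes) -> str:
    """Legacy fingerprint: MD5 of the raw blob as colon-separated hex pairs."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def parse_public_key_line(line: str) -> dict:
    """Split 'ssh-rsa <base64> [comment]' and decode the RSA public parameters."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner, off = _read_string(blob, 0)
    if inner != keytype.encode():
        raise ValueError("key type field does not match the encoded blob")
    if keytype != "ssh-rsa":
        raise ValueError(f"unsupported key type {keytype}")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the RSA public key")
    return {"type": keytype, "comment": comment,
            "e": int.from_bytes(e_bytes, "big"),
            "n": int.from_bytes(n_bytes, "big"),
            "fingerprint": md5_fingerprint(blob)}

# (relative path, mode bits that must be clear, reason), following the article's step 6.
PERMISSION_RULES = [
    (".ssh", 0o077, "must be 0700"),
    (".ssh/id_rsa", 0o077, "must be 0600"),
    (".ssh/authorized_keys", 0o022, "must not be group/other writable"),
]

def check_permissions(home: str) -> list:
    """Return (relative path, actual mode, reason) for every file that is too open."""
    problems = []
    for rel, forbidden, reason in PERMISSION_RULES:
        path = os.path.join(home, rel)
        if not os.path.lexists(path):
            continue  # nothing to check if the file was never created
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & forbidden:
            problems.append((rel, oct(mode), reason))
    return problems

def make_demo_home(ssh_mode=0o700, key_mode=0o600, ak_mode=0o640) -> str:
    """Create a throwaway home directory laid out as the article describes (constructed demo)."""
    home = tempfile.mkdtemp(prefix="sshkeygen-demo-")
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    for name, mode in (("id_rsa", key_mode), ("authorized_keys", ak_mode)):
        path = os.path.join(ssh_dir, name)
        open(path, "w").close()  # empty placeholder file, not a real key
        os.chmod(path, mode)
    os.chmod(ssh_dir, ssh_mode)
    return home

if __name__ == "__main__":
    # Constructed sample key: e = 65537, n = a short made-up number; NOT a real key.
    line = encode_public_key_line(65537, 0xC0FFEE1234567890ABCDEF, "axl@myLocalHost")
    info = parse_public_key_line(line)
    print(info["type"], info["comment"], info["fingerprint"])
    print(check_permissions(make_demo_home(ssh_mode=0o755)))
```

Run against a real home directory, `check_permissions(os.path.expanduser("~"))` reports exactly the files that would make ssh or sshd silently ignore the key; the fingerprint function reproduces the older colon-separated MD5 style shown in step 4 (newer OpenSSH releases print SHA256 fingerprints by default).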
ssh-keygen command syntax
The syntax of the ssh-keygen command is as follows:
Some of the important options of the ssh-keygen command are as follows:

| ssh-keygen command option | Description |
|---|---|
| -b bits | Specifies the number of bits in the key to create. The minimum bit length is 768 bits and the default length is 2048 bits. |
| -C comment | Provides a new comment. |
| -p | Requests changing the passphrase of a private key file instead of creating a new private key. |
| -t | Specifies the type of key to create. |
| -q | Quiets ssh-keygen. It is used by the /etc/rc file while creating a new key. |
| -N | Provides a new passphrase. |
| -F | For ssh-keygen2, dumps the key's fingerprint in Bubble Babble format. |
Files used by the ssh-keygen utility
The ssh-keygen utility uses various files for storing public and private keys. The files used by the ssh-keygen utility are as follows:
- $HOME/.ssh/identity: The $HOME/.ssh/identity file contains the RSA private key when using SSH protocol version 1.
- $HOME/.ssh/identity.pub: The $HOME/.ssh/identity.pub file contains the RSA public key for authentication when you are using SSH protocol version 1. A user should copy its contents into the $HOME/.ssh/authorized_keys file of the remote system where the user wants to log in using RSA authentication.
- $HOME/.ssh/id_dsa: The $HOME/.ssh/id_dsa file contains the protocol version 2 DSA authentication identity of the user.
- $HOME/.ssh/id_dsa.pub: The $HOME/.ssh/id_dsa.pub file contains the DSA public key for authentication when you are using SSH protocol version 2. A user should copy its contents into the $HOME/.ssh/authorized_keys file of the remote system where the user wants to log in using DSA authentication.
- $HOME/.ssh/id_rsa: The $HOME/.ssh/id_rsa file contains the protocol version 2 RSA authentication identity of the user. This file should not be readable by anyone but the user.
- $HOME/.ssh/id_rsa.pub: The $HOME/.ssh/id_rsa.pub file contains the protocol version 2 RSA public key for authentication. The contents of this file should be added to $HOME/.ssh/authorized_keys on all computers where the user wishes to log in using public key authentication.