Ssh-keygen
Encyclopedia
SSH-Keygen is a Unix
utility that is used to generate, manage, and convert authentication keys for ssh
authentication. With the help of the SSH-Keygen tool, a user can create passphrase
keys for both SSH
protocol version 1 and version 2. SSH-keygen creates RSA keys for SSH protocol version 1 and RSA or DSA
keys for use by SSH protocol version 2.
[axl@asterisk1 axl]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
...
Enter file in which to save the key (/home/axl/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/axl/.ssh/id_rsa.
Your public key has been saved in /home/axl/.ssh/id_rsa.pub.
The key fingerprint is:
0b:fa:3c:b8:73:71:bf:58:57:eb:2a:2b:8c:2f:4e:37 axl@myLocalHost
ssh-keygen [options]
Some of the important options of ssh-keygen command are as follows:
Unix
Unix is a multitasking, multi-user computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs, including Ken Thompson, Dennis Ritchie, Brian Kernighan, Douglas McIlroy, and Joe Ossanna...
utility that is used to generate, manage, and convert authentication keys for ssh
Secure Shell
Secure Shell is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client...
authentication. With the help of the SSH-Keygen tool, a user can create passphrase
Passphrase
A passphrase is a sequence of words or other text used to control access to a computer system, program or data. A passphrase is similar to a password in usage, but is generally longer for added security. Passphrases are often used to control both access to, and operation of, cryptographic programs...
keys for both SSH
Secure Shell
Secure Shell is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client...
protocol version 1 and version 2. SSH-keygen creates RSA keys for SSH protocol version 1 and RSA or DSA
Digital Signature Algorithm
The Digital Signature Algorithm is a United States Federal Government standard or FIPS for digital signatures. It was proposed by the National Institute of Standards and Technology in August 1991 for use in their Digital Signature Standard , specified in FIPS 186, adopted in 1993. A minor...
keys for use by SSH protocol version 2.
Working
The SSH-keygen tool stores the private key in $HOME/.ssh/id_rsa and the public key in $HOME/.ssh/id_rsa.pub in the user’s home directory. The user should then copy the id_rsa.pub to $HOME/.ssh/authorized_keys in his home directory on the remote machine. It also asks for a passphrase. The passphrase may be empty to indicate no passphrase (host keys must have an empty passphrase), or it may be a string of arbitrary length. Instead of RSA, DSA can also be used. The steps to create authorization keys by using the SSH-keygen tool are as follows:- Start the SSH-keygen tool by using the following command to generate an RSA authentication key:
[axl@asterisk1 axl]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
...
- Enter the path to the file that will hold the key: By default, the file name $HOME/.ssh/id_rsa, which represents an RSA v2 key, appears in parentheses.
Enter file in which to save the key (/home/axl/.ssh/id_rsa):
- Enter a passphrase for using your key: The passphrase you will enter will be used for encrypting your private key. A good passphrase should be alphanumeric having 10-30 character length. You can also use the null passphrase however it can be a loophole for the security.
Enter passphrase (empty for no passphrase):
- Re-enter the passphrase to confirm it: Type your passphrase once again to confirm it.
Enter same passphrase again:
Your identification has been saved in /home/axl/.ssh/id_rsa.
Your public key has been saved in /home/axl/.ssh/id_rsa.pub.
The key fingerprint is:
0b:fa:3c:b8:73:71:bf:58:57:eb:2a:2b:8c:2f:4e:37 axl@myLocalHost
- Check the Passphrase Key: The private key was saved in .ssh/id_rsa file which is the read-only file. No one else must see the content of that file, as it is used to decrypt all correspondence encrypted with the public key. The public key is save in .ssh/id_rsa.pub file.
- Copy the Public Key onto remote systems' .ssh/authorized_keys file: Now, you have to copy the public key onto a remote systems' .ssh/authorized_keys file and make the file permissions 0x600, so it is only read/writable by you. Without these permissions, ssh will refuse to use the key. And now you can SSH to the remote systems's account without using a password. The "ssh-copy-id remotehost" command makes this 3 step process into one - logins, copies keys and changes permissions all in one go.
ssh-keygen command syntax
The syntax of the ssh-keygen file is as follows:ssh-keygen [options]
Some of the important options of ssh-keygen command are as follows:
| ssh-keygen command options | description |
|---|---|
| -b bits | Specifies the number of bits in the key to create. The minimum bit length is 768 bits and the default length is 2048 bits. |
| -p | Requests changing the passphrase of a private key file instead of creating a new private key. |
| -t | Specifies the type of key to create. |
| -q | quiets ssh-keygen. It is used by the /etc/rc file while creating a new key. |
| -N | Provides a new Passphrase. |
| -F | For ssh-keygen2, dumps the key's fingerprint in Bubble Babble format |
Files Used by SSH-Keygen utility
The SSH-Keygen utility uses various files for storing public and private keys. The files used by SSH-Keygen utility are as follows:- $HOME/.ssh/identity: The $HOME/.ssh/identity file contains the RSA private key when using the SSH protocol version 1.
- $HOME/.ssh/identity.pub: The $HOME/.ssh/identity.pub file contains the RSA public key for authentication when you are using the SSH protocol version 1. A user should copy its contents in the $HOME/.ssh/authorized_keys file of the remote system where a user wants to log in using RSA authentication.
- $HOME/.ssh/id_dsa: The $HOME/.ssh/id_dsa file contains the protocol version 2 DSA authentication identity of the user.
- $HOME/.ssh/id_dsa.pub: The $HOME/.ssh/id_dsa.pub file contains the DSA public key for authentication when you are using the SSH protocol version 2. A user should copy its contents in the $HOME/.ssh/authorized_keys file of the remote system where a user wants to log in using DSA authentication.
- $HOME/.ssh/id_rsa: The $HOME/.ssh/id_rsa file contains the protocol version 2 RSA authentication identity of the user. This file should not be readable by anyone but the user.
- $HOME/.ssh/id_rsa.pub: The $HOME/.ssh/id_rsa.pub file contains the protocol version 2 RSA public key for authentication. The contents of this file should be added to $HOME/.ssh/authorized_keys on all computers where a user wishes to log in using public key authentication.