ssh-keygen

2024-07-19

Understanding SSH Keys

Before diving into ssh-keygen, let’s briefly understand the key concept. SSH utilizes a pair of cryptographic keys:

Public Key: This key is freely distributed and can be placed on remote servers. It’s used to verify the authenticity of your connection.
Private Key: This key is kept secret and should never be shared. It’s used to encrypt the connection and prove your identity to the remote server.

Any attempt to compromise your private key would render your SSH connections vulnerable.

Generating an SSH Key Pair

The core function of ssh-keygen is to generate this key pair. The simplest command is:

ssh-keygen

This will prompt you for:

File in which to save the key (/home/user/.ssh/id_rsa): Accept the default location or specify a custom path. It’s generally recommended to use the default.
Passphrase (empty for no passphrase): A passphrase adds an extra layer of security. While convenient to omit, it’s strongly advised to create a strong, memorable passphrase. If you forget it, you will lose access to your key.

The command will then generate your key pair. You’ll find your public key (id_rsa.pub by default) and private key (id_rsa by default) in the specified directory (.ssh within your home directory).

Specifying Key Types and Algorithms

ssh-keygen offers flexibility in specifying key types and algorithms. For instance, to generate an RSA key with a 4096-bit key size:

ssh-keygen -t rsa -b 4096

To generate an ECDSA key with the secp256r1 curve:

ssh-keygen -t ecdsa -b 256 -C "your_comment@example.com"

The -C option allows you to add a comment to your key, useful for identification.

Converting Existing Keys

You might need to convert keys from one format to another. For example, to convert an existing RSA key to PEM format:

ssh-keygen -p -m PEM -f id_rsa

This will prompt you for your old passphrase and then for a new one. Remember, securely store this new passphrase.

Managing Existing Keys

You can change the passphrase of an existing key using:

ssh-keygen -p -f id_rsa

This will prompt you for the old passphrase and then for a new one (or to remove the passphrase entirely – not recommended).

Adding your Public Key to Authorized Keys

Once you’ve generated your key pair, the next step is to add your public key to the authorized_keys file on the server you want to access. This file is typically located at /home/user/.ssh/authorized_keys on the remote server. You can copy the contents of your id_rsa.pub file and append it to this file on the server.

Alternatively, you can use ssh-copy-id (if installed):

ssh-copy-id user@remote_host

This command simplifies the process of securely copying your public key to the remote server.

Troubleshooting Common Errors

Common errors often stem from incorrect permissions on the .ssh directory and its contents. Ensure that the .ssh directory has permissions of 700 and the authorized_keys file has permissions of 600.

By understanding the capabilities of ssh-keygen and following best practices, you can greatly improve the security of your SSH connections. Remember to prioritize strong passphrases and maintain the confidentiality of your private key.