Create RSA and DSA Keys for SSH
Posted March 5th, 2004 in Linux/Unix/BSD (Updated May 24th, 2005)
Private and public RSA and DSA keys can be generated on Unix based
systems (such as Linux and FreeBSD) to provide greater security when
logging into a server using SSH. The ssh-keygen command
allows you to generate, manage and convert these authentication keys.
Refer also to the Logging into an SSH Server Using PuTTY article for more information about how to use RSA and DSA keys with PuTTY on Windows, if you are connecting to an SSH server with Windows.
Create a new RSA or DSA keyfile
To create a new key it's as simple as entering the following command,
where the -t flag is used to specify the type of key to be
generated:
ssh-keygen -t rsa
OR
ssh-keygen -t dsa
After entering the above command you will be prompted for the location
to save the file. By default this will be either
~/.ssh/id_rsa or ~/.ssh/id_dsa depending on the
type of key generated. Just hit the enter key to save it to the default
location, or specify a different name. You will then be prompted for a
passphrase. Type this in and hit the enter key; you will then be prompted
to re-enter to confirm. After doing so, two files will be created: the
private keyfile is the name specified (by default id_rsa or
id_dsa) and the public one the same but with a
.pub extension.
You can also specify the filename on the command line with the
-f flag like so:
ssh-keygen -t rsa -f /path/to/my_rsa
Purpose of the passphrase
When creating a new RSA or DSA key you can choose to leave the passphrase blank by simply hitting the enter key twice when prompted to enter one. This will allow you to log into an SSH server without entering a passphrase. For heightened security you should always set a passphrase; when you log into the SSH server using your private keyfile you will be prompted to enter it. Without one, anyone who gets hold of your private keyfile can log into the SSH server without any further validation, because the passphrase is the only thing protecting the key material stored on disk.
Comments
The public key file that is generated contains a comment at the end of
it as a reference for the file. Some SSH clients (such as the Windows
client PuTTY) show this comment when
logging into the remote server. By default the comment will be
user@hostname but you can change it to a different name using
the -C flag like so:
ssh-keygen -t rsa -C "Chris Hope"
Without the comment specified the public RSA file generated might look like so (note the data will be all on one line; it's had line breaks added here to make it present on the page nicely):
ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEAxBMcq75vmnWnTFDVOkNn
qJzAj9JfEqqN4m5/7kxcey7ZxKswGlYDZpkETce6INXfiGU9Xd1GY4WC
enqN6iWu99lNqvMrJoAH/L1v6r6UPEjpc7QE1SeSQvdTYzx9xgXtCxg3
JbAXykjUcDbsRngHy1AglkKvJr6UWu8csifM2yM= chris@toolbox
With the comment specified as in the above example it would look like this instead:
ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEAxBMcq75vmnWnTFDVOkN
nqJzAj9JfEqqN4m5/7kxcey7ZxKswGlYDZpkETce6INXfiGU9Xd1GY4
WCenqN6iWu99lNqvMrJoAH/L1v6r6UPEjpc7QE1SeSQvdTYzx9xgXtC
xg3JbAXykjUcDbsRngHy1AglkKvJr6UWu8csifM2yM= Chris Hope
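As an added example (not code from the original article), here is a small Python parser for a public key line in the format shown above. It decodes the base64 blob, checks that the type string embedded in the blob matches the leading field, reads out the key size and the comment, and handles both ssh-rsa and ssh-dss blobs; the article's own RSA key is used as sample input.

```python
import base64
import struct

# Sample key copied from the article above with its line breaks removed
# (the article's own example, not a constructed value).
SAMPLE_PUBKEY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABIwAAAIEAxBMcq75vmnWnTFDVOkNn"
    "qJzAj9JfEqqN4m5/7kxcey7ZxKswGlYDZpkETce6INXfiGU9Xd1GY4WC"
    "enqN6iWu99lNqvMrJoAH/L1v6r6UPEjpc7QE1SeSQvdTYzx9xgXtCxg3"
    "JbAXykjUcDbsRngHy1AglkKvJr6UWu8csifM2yM= chris@toolbox"
)

def _read_string(blob, pos):
    """Read one SSH wire 'string': 4-byte big-endian length, then the bytes."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end

def parse_openssh_pubkey(line):
    """Parse one line of an OpenSSH public key file (the id_*.pub format)."""
    fields = line.strip().split(None, 2)   # the comment may contain spaces
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, comment = fields[0], (fields[2] if len(fields) == 3 else "")
    blob = base64.b64decode(fields[1], validate=True)
    embedded_type, pos = _read_string(blob, 0)
    if embedded_type.decode("ascii") != key_type:
        raise ValueError("type field does not match the encoded blob")
    info = {"type": key_type, "comment": comment}
    if key_type == "ssh-rsa":                  # blob: "ssh-rsa", e, n
        e, pos = _read_string(blob, pos)
        n, pos = _read_string(blob, pos)
        info["exponent"] = int.from_bytes(e, "big")
        info["bits"] = int.from_bytes(n, "big").bit_length()
    elif key_type == "ssh-dss":                # blob: "ssh-dss", p, q, g, y
        p, pos = _read_string(blob, pos)
        for _ in range(3):                     # skip q, g, y
            _, pos = _read_string(blob, pos)
        info["bits"] = int.from_bytes(p, "big").bit_length()
    else:
        raise ValueError("unsupported key type: " + key_type)
    if pos != len(blob):
        raise ValueError("trailing bytes after key material")
    return info
```

Running it over the sample reports a 1024-bit ssh-rsa key with public exponent 35 and comment chris@toolbox, which is a quick way to check what a key file actually contains before appending it to authorized_keys.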
Read the manpage for ssh-keygen for more information about the ssh-keygen command.