Create RSA and DSA Keys for SSHCreate RSA and DSA Keys for SSH

Posted March 5th, 2004 in Linux/Unix/BSD (Updated May 24th, 2005)

Private and public RSA and DSA keys can be generated on Unix based systems (such as Linux and FreeBSD) to provide greater security when logging into a server using SSH. The ssh-keygen command allows you to generate, manage and convert these authentication keys.

Refer also to the Logging into an SSH Server Using PuTTY article for more information about how to use RSA and DSA keys with PuTTY on Windows, if you are connecting to an SSH server with Windows.

Create a new RSA or DSA keyfile

To create a new key it's as simple as entering the following command, where the -t flag is used to specify the type of key to be generated:

ssh-keygen -t rsa
ssh-keygen -t dsa

After entering the above command you will be prompted for the location to save the file. By default this will be either ~/.ssh/id_rsa or ~/.ssh/id_dsa depending on the type of key generated. Just hit the enter key to save it to the default location, or specify a different name. You will then be prompted for a passphrase. Type this in and hit the enter key; you will then be prompted to re-enter to confirm. After doing so, two files will be created: the private keyfile is the name specified (by default id_rsa or id_dsa) and the public one the same but with a .pub extension.

You can also specify the filename on the command line with the -f flag like so:

ssh-keygen -t rsa -f /path/to/my_rsa

Purpose of the passphrase

When creating a new RSA or DSA key you can choose to leave the passphrase blank by simply hitting the enter key twice when prompted to enter one. This will allow you to log into an SSH server without entering a passphrase. For heightened security you should always save a passphrase; when you log into the SSH server using your private keyfile you will be prompted to enter the passphrase. Without one, if someone were to get hold of your private keyfile they would be able to log into the SSH server without any further validation.


The public key file that is generated contains a comment at the end of it as a reference for the file. Some SSH clients (such as the Windows client PuTTY) show this comment when logging into the remote server. By default the comment will be user@hostname but you can change it to a different name using the -C flag like so:

ssh-keygen -t rsa -C "Chris Hope"

Without the comment specified the public RSA file generated might look like so (note the data will be all on one line; it's had line breaks added here to make it present on the page nicely):

JbAXykjUcDbsRngHy1AglkKvJr6UWu8csifM2yM= chris@toolbox

With the comment specified as in the above example it would look like this instead:

xg3JbAXykjUcDbsRngHy1AglkKvJr6UWu8csifM2yM= Chris Hope

Read the manpage for ssh-keygen for more information about the ssh-keygen command.

Related posts:


blog comments powered by Disqus