ssh-keygen is a command-line utility in Unix-like operating systems, including Linux, used to generate, manage, and convert authentication keys for SSH (Secure Shell). SSH keys are a more secure alternative to passwords for logging into remote servers because they rely on public-key cryptography: a private key is far too long and random to be guessed or brute-forced the way a password can be.
Basic Concepts:
- Public Key: This is the key you share with others or place on the remote server. It allows others (or the server) to encrypt data that only your private key can decrypt.
- Private Key: This key is kept secret and never shared. It is used to decrypt data that was encrypted with the corresponding public key.
Generating a New SSH Key Pair:
- Run ssh-keygen:
ssh-keygen
This command will start the process of generating a new SSH key pair.
- Choose a Location to Save the Key:
By default, ssh-keygen saves the key pair in the ~/.ssh/ directory under the filenames id_rsa for the private key and id_rsa.pub for the public key. You can press Enter to accept the default location or specify a different one.
- Set a Passphrase (Optional):
You can choose to protect your private key with a passphrase. This adds an extra layer of security but requires you to enter the passphrase each time you use the key. If you don’t want a passphrase, just press Enter.
Common ssh-keygen Commands:
- Specify a Key Type: By default, ssh-keygen generates RSA keys. You can generate other types, such as Ed25519, using the -t option:
ssh-keygen -t ed25519
- Specify Key Size: For RSA keys, you can specify the key size (2048, 3072, or 4096 bits):
ssh-keygen -t rsa -b 4096
- Add a Comment: You can add a comment to your key, such as your email address, for identification purposes:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
- Convert Key Formats: Rewrite a private key in another format (RFC4716, PKCS8, or PEM) with the -m option; -p rewrites the key file in place and prompts for its passphrase. For example, to rewrite ~/.ssh/id_rsa in PEM format:
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
Copying the Public Key to a Server:
After generating your SSH key pair, you need to copy the public key to the remote server’s ~/.ssh/authorized_keys file so you can use the key for authentication.
- Using ssh-copy-id:
ssh-copy-id user@remote-server
This command automatically appends your public key to the ~/.ssh/authorized_keys file on the remote server.
- Manually Copying:
If ssh-copy-id is not available, you can manually copy the public key:
cat ~/.ssh/id_rsa.pub | ssh user@remote-server "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Example Workflow:
- Generate a Key Pair:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
- Copy the Public Key to the Server:
ssh-copy-id user@remote-server
- Log in Using the SSH Key:
ssh user@remote-server
Security Considerations:
- Use a Strong Passphrase: If the private key file is ever copied or stolen, the passphrase is what stands between the attacker and a usable key.
- Keep Your Private Key Secure: Never share your private key, and store it in a secure location.
- Use Ed25519: Consider using Ed25519 keys, as they are faster and potentially more secure than RSA keys.
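The type and size rules above can be checked on the server side as well as at generation time. The following is an added example, not part of the original article: it parses the OpenSSH public-key wire format inside each authorized_keys line to report the algorithm and RSA modulus size, and flags RSA below 2048 bits, ssh-dss and unknown types. The sample keys are constructed in the script (not real keys), and it assumes plain `<type> <base64> [comment]` lines without an options prefix.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # the page's floor for RSA; Ed25519 preferred; ssh-dss and unknown types rejected

def _string(b):      # SSH wire-format string: 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b
def _mpint(x):       # SSH mpint; a leading 0x00 byte keeps a set top bit from reading as negative
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

def _read_string(blob, pos):
    """Decode one wire-format string at pos; return (data, next_pos)."""
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + n], pos + 4 + n

def inspect_pubkey(line):
    """Return (type, bits, comment, accepted) for one plain '<type> <base64> [comment]' line."""
    fields = line.split(None, 2)
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64)
    wire_type, pos = _read_string(blob, 0)
    if wire_type.decode() != key_type:          # type word and blob disagree: reject
        return (key_type, 0, comment, False)
    if key_type == "ssh-rsa":
        _e, pos = _read_string(blob, pos)        # public exponent; not needed for the size
        n, _ = _read_string(blob, pos)           # modulus: its bit length is the key size
        bits = int.from_bytes(n, "big").bit_length()
        return (key_type, bits, comment, bits >= MIN_RSA_BITS)
    if key_type == "ssh-ed25519":
        pub, _ = _read_string(blob, pos)         # raw 32-byte public point
        return (key_type, len(pub) * 8, comment, len(pub) == 32)
    return (key_type, 0, comment, False)         # obsolete (ssh-dss) or unknown algorithm

def audit_authorized_keys(text):
    """Audit each non-comment line of an authorized_keys file (plain lines, no options prefix)."""
    return [inspect_pubkey(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def _rsa_line(nbits, comment):
    """Constructed sample line: fixed-pattern modulus of the requested size, not a real key."""
    n = (1 << (nbits - 1)) | 0x10001
    return "ssh-rsa " + base64.b64encode(_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)).decode() + " " + comment

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys; none of these lines is a real key",
    _rsa_line(1024, "legacy@laptop"),
    _rsa_line(4096, "your_email@example.com"),
    "ssh-ed25519 " + base64.b64encode(_string(b"ssh-ed25519") + _string(bytes(range(32)))).decode() + " ops@bastion",
])
```

Running `audit_authorized_keys` over a real file's contents reports the 1024-bit RSA key as rejected and the 4096-bit RSA and Ed25519 keys as accepted; the same check applied to your own id_*.pub confirms what ssh-keygen actually produced.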
ssh-keygen is a fundamental tool for setting up secure SSH access, providing a more robust and secure alternative to password-based authentication for remote server management.