Secure Shell (SSH) keys are a widely used method for secure authentication between systems, especially in managing remote servers. Using SSH keys eliminates the need for password-based logins, enhancing both security and convenience. Below is a guide on how to generate two types of SSH keys: RSA and ED25519.
Generating an RSA Key
To create a 4096-bit RSA key, use the following command:
ssh-keygen -o -t rsa -b 4096 -C "your_username"
-o: Use the new OpenSSH format for private keys.
-t rsa: Specifies the RSA key type.
-b 4096: Sets the key length to 4096 bits for added security.
-C "your_username": Adds a label (comment) to the key, typically your email or username.
Generating an ED25519 Key
ED25519 is a newer signature algorithm that offers stronger security with a far shorter key. To generate an ED25519 key, use the following command:
ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "your_username"
-o: Use the new OpenSSH private key format.
-a 100: Sets the number of KDF rounds used to derive the key-encryption key from your passphrase (higher values slow down brute-force attempts on the passphrase, at the cost of a slightly slower unlock).
-t ed25519: Specifies the key type as ED25519.
-f ~/.ssh/id_ed25519: Specifies the filename and location for the key.
-C "your_username": Adds a comment to identify the key.
Unless -f is given, these commands will prompt you for a location in which to save the key (default is ~/.ssh); both will prompt you to set a passphrase for an extra layer of protection.
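As an added example (not part of the original guide), the following Python script parses the public-key lines these commands write to id_*.pub (the same format that later lands in authorized_keys), reports type, size and comment, flags RSA keys below an assumed 3072-bit audit floor, and tells the -o OpenSSH private-key format from legacy PEM by its header. The sample key lines, the MIN_RSA_BITS policy and the function names are constructed assumptions.

```python
import base64
import struct

MIN_RSA_BITS = 3072  # assumed audit floor; the guide itself generates 4096-bit RSA keys

def _string(b):
    # SSH wire "string": uint32 big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b

def _mpint(x):
    # SSH "mpint": minimal big-endian bytes, with a leading 0x00 when the high bit is set
    return _string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

def _read_string(buf, pos):
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def inspect_pubkey(line):
    """Parse one OpenSSH public-key line (id_*.pub, or an authorized_keys entry without options)."""
    fields = line.split(None, 2)
    keytype, blob = fields[0], base64.b64decode(fields[1])
    comment = fields[2].strip() if len(fields) == 3 else ""
    wire_type, pos = _read_string(blob, 0)           # the blob repeats the type name
    if wire_type.decode() != keytype:
        raise ValueError("type field does not match the encoded blob")
    if keytype == "ssh-rsa":
        _e, pos = _read_string(blob, pos)            # public exponent, not needed here
        n, _ = _read_string(blob, pos)               # modulus: its bit length is the key size
        bits = int.from_bytes(n, "big").bit_length()
        ok = bits >= MIN_RSA_BITS
    elif keytype == "ssh-ed25519":
        pk, _ = _read_string(blob, pos)              # raw 32-byte public key
        bits, ok = len(pk) * 8, len(pk) == 32
    else:
        bits, ok = None, False                       # unknown type: flag for manual review
    return {"type": keytype, "bits": bits, "comment": comment, "ok": ok}

def private_key_format(text):
    """'openssh' for keys written with -o, 'legacy-pem' for old PEM keys, else 'unknown'."""
    first = text.strip().split("\n", 1)[0]
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return "openssh"
    return "legacy-pem" if first.endswith(" PRIVATE KEY-----") else "unknown"

def _line(keytype, body, comment):
    # Assemble "type base64(blob) comment" as ssh-keygen writes id_*.pub; samples below are constructed
    return f"{keytype} {base64.b64encode(_string(keytype.encode()) + body).decode()} {comment}"

RSA_2048_LINE = _line("ssh-rsa", _mpint(65537) + _mpint((1 << 2047) | 1), "old-laptop")
RSA_4096_LINE = _line("ssh-rsa", _mpint(65537) + _mpint((1 << 4095) | 1), "your_username")
ED25519_LINE = _line("ssh-ed25519", _string(bytes(range(32))), "your_username")
```

The sample RSA moduli are just integers of the right size, not real key material; run inspect_pubkey over each line of ~/.ssh/*.pub or a server's authorized_keys to find undersized keys.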
Adding the SSH Key to ssh-agent
Once you have generated your SSH key, you can add it to ssh-agent for easier management during your session.
1. Start the ssh-agent
To start ssh-agent, run the following command:
eval "$(ssh-agent -s)"
This will start the agent and display its process ID.
2. Add your SSH key to ssh-agent
Once the agent is running, you can add your private key with:
ssh-add ~/.ssh/id_rsa
For an ED25519 key:
ssh-add ~/.ssh/id_ed25519
3. Verify the key has been added
To verify that the key has been added successfully, use:
ssh-add -l
This will list the currently loaded keys.
Automating ssh-agent with macOS Keychain
If you’re on macOS and want to avoid entering your passphrase each time, you can store your passphrase in the macOS Keychain. To do this, add your key with:
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
You can also ensure that the key is automatically loaded in new terminal sessions by adding the following lines to your ~/.ssh/config file:
Host *
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/id_ed25519
If you have multiple keys, add an IdentityFile line for each of them.
Using ssh-copy-id to Copy Your Public Key to a Remote Server
Once you’ve generated your SSH key, you’ll need to copy the public key to the remote server to enable passwordless authentication. The ssh-copy-id command simplifies this process by automatically copying the public key to the correct location on the remote machine.
Command to Copy the Key
Run the following command, replacing username with your remote username and host with the remote server’s address (IP or hostname):
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@host
This command will:
Prompt you for the password of the remote user.
Copy your public key (~/.ssh/id_rsa.pub or ~/.ssh/id_ed25519.pub) to the ~/.ssh/authorized_keys file on the remote server.
Verify the Connection
After copying the key, you can verify that SSH key-based authentication works by logging into the remote server without a password:
ssh username@host
If the key was correctly copied, you should be able to log in without needing to enter a password.