This guide shows how to generate an SSH key pair with ssh-keygen for authenticating to Linux servers and to applications that support the SSH protocol.
Every DevOps engineer has to use SSH key-based authentication when working with Linux servers. Most cloud platforms also offer and recommend SSH key-based server authentication for better security.
SSH-Keygen
ssh-keygen is the utility for creating SSH keys. It ships with every Linux and macOS system.
You can use the man command below to read about the ssh-keygen utility and all of its available options.
man ssh-keygen
Or you can refer to the ssh-keygen online man page.
Let's look at the different ways and options to generate SSH keys.
Generate SSH Keys With Default Options
Execute the following ssh-keygen command to generate an SSH key pair. It generates and saves the keys in the default $HOME/.ssh location. By default, the private key is named id_rsa and the public key is named id_rsa.pub.
ssh-keygen
The above command will prompt for the following options.
- Enter file in which to save the key: the location where the SSH private key is saved. If you don't specify a location, it is stored in the default SSH location, i.e. $HOME/.ssh.
- Enter passphrase: a passphrase is used to protect the SSH private key. You can leave this empty. If you choose to add a passphrase, you will be asked to enter it again to confirm it.
Generate SSH Keys With Custom Options
Let's take a look at an example ssh-keygen command that generates SSH keys with custom options.
The following command generates an SSH key named ssh-key in the $HOME/.ssh location, with the username vagrant set via the -C flag and the passphrase mysecret set via the -q -P flags.
ssh-keygen -t rsa -f ~/.ssh/ssh-key -C vagrant -b 4096 -q -P "mysecret"
Let's understand the flags.
- -t rsa: the public key algorithm. It is the default algorithm used by ssh-keygen.
- -f: the key file name.
- -q -P: set the passphrase without prompting.
- -b: the key length in bits. The default is 2048 bits.
- -C: set the comment that forms the last field of the public key. It is typically used to replace the default username set by the command. You can also use this flag to set the server username.
If you add the Linux username to the key file with -C, you can run ssh directly without specifying the username in the SSH command.
For example:
ssh -i ~/.ssh/ssh-key 192.81.209.247
If you don't want a passphrase and want to create the keys without a passphrase prompt, you can use the flags -q -N "" as shown below.
ssh-keygen -t rsa -f ~/.ssh/ssh-key -C vagrant -b 2048 -q -N ""
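The following script exercises the two commands above end to end; it is added here as an example and is not part of the original guide. It generates a passphrase-protected key and an unprotected one into a temporary directory, then checks that each private key derives the public key stored in its .pub file, that the -C comment is present, that the private key is mode 600, and that a wrong passphrase is refused only for the protected key. It assumes a POSIX shell with ssh-keygen and mktemp in PATH, uses -N for the new passphrase, and uses ed25519 (listed below as supported) for the second key.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes a POSIX sh, ssh-keygen in
# PATH and mktemp. "vagrant" and "mysecret" are the guide's sample values.

# Generate a key pair non-interactively, like the guide's custom-options command
# but with -N (new passphrase) and a caller-chosen path.
# $1 type, $2 bits (ignored for ed25519), $3 comment, $4 passphrase, $5 key path
gen_key() {
    ssh-keygen -t "$1" -b "$2" -C "$3" -q -N "$4" -f "$5"
}

# Sanity-check a generated pair: derive the public key from the private half
# (which also proves the passphrase unlocks it), compare it with the .pub file,
# confirm the -C comment landed in the .pub file, and confirm the private key
# is mode 600. $1 key path, $2 passphrase, $3 expected comment. Prints "ok".
verify_keypair() {
    derived=$(ssh-keygen -y -P "$2" -f "$1") || return 1
    [ "$(printf '%s\n' "$derived" | cut -d' ' -f1,2)" = "$(cut -d' ' -f1,2 "$1.pub")" ] || return 1
    [ "$(cut -d' ' -f3 "$1.pub")" = "$3" ] || return 1
    [ -n "$(find "$1" -perm 600)" ] || return 1
    echo ok
}

# Show what the passphrase buys you: with a wrong passphrase a protected key
# cannot be used, while a key created with -N "" loads regardless.
# $1 key path, $2 real passphrase. Prints "rejected" or "accepted".
wrong_passphrase_check() {
    if ssh-keygen -y -P "not-$2" -f "$1" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

main() {
    dir=$(mktemp -d)
    gen_key rsa 2048 vagrant mysecret "$dir/ssh-key"   # protected key
    gen_key ed25519 256 vagrant "" "$dir/nopass-key"  # no passphrase
    echo "protected pair: $(verify_keypair "$dir/ssh-key" mysecret vagrant)"
    echo "wrong passphrase on protected key: $(wrong_passphrase_check "$dir/ssh-key" mysecret)"
    echo "wrong passphrase on unprotected key: $(wrong_passphrase_check "$dir/nopass-key" "")"
    rm -rf "$dir"
}

if command -v ssh-keygen >/dev/null 2>&1; then
    main
fi
```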
Supported SSH key algorithms
Following are the supported SSH key algorithms.
- Rivest-Shamir-Adleman (RSA)
- Digital Signature Algorithm (DSA)
- Elliptic Curve Digital Signature Algorithm (ECDSA)
- Ed25519 – EdDSA signature scheme using SHA-512 (SHA-2) and Curve25519
SSH Key FAQs
How do I manually generate SSH keys?
You can manually generate an SSH key using the ssh-keygen command. It creates the public and private keys in the $HOME/.ssh location.
Is it possible to use ssh-keygen to create an SSH key without a password?
Yes. If you leave the passphrase prompt empty, the SSH keys are generated without any password. You can also pass the flags -q -N "" to the ssh-keygen command to avoid the prompt.
Conclusion
In this guide, we looked at the important commands for creating an SSH public/private key pair.
When it comes to SSH keys, always follow the security best practices to avoid private key misuse.
If you are learning Linux, check out the Best Linux Networking and Troubleshooting Commands.
Also, if you are starting your journey as a DevOps Engineer, check out my comprehensive guide to becoming a DevOps engineer.