SSH Keys in Unix/Linux

SSH keys allow for a more secure login from one computer to another via ssh. The following instructions will show you how to set up an SSH key using ssh-keygen, ssh-copy-id, and ssh, which should be available on any Unix-like system you use.

Step 1 Generating an ssh public key and private key pair

In order to generate a public/private key pair, run the following command in a terminal:

ssh-keygen -t ed25519

This will ask you for a passphrase and then generate two files in the .ssh directory in your home folder: id_ed25519 and id_ed25519.pub. id_ed25519 is your private key and should NOT be given to anyone. If someone else does access this file they will be able to impersonate you on any server you’ve uploaded that key to. id_ed25519.pub is the public key that will be added to the ~/.ssh/authorized_keys file on the server to allow you to login.

NOTE: USING A KEY PAIR WITHOUT A PASSPHRASE IS INSECURE AND SHOULD NOT BE DONE!

Other Key Formats

While all of the Computer Science department’s SSH servers accept newer key formats like Ed25519, this is not universally true: some services outside the university might not. You may wish to consider another algorithm like RSA or ECDSA. You can generate those types of keys by changing the argument you give to ssh-keygen’s -t flag. For example, if you wanted to generate a 4096-bit RSA key you would run

ssh-keygen -t rsa -b 4096

Step 2 Set up the remote host to accept your public/private key pair

In order for the remote host to verify your login, you must tell it to accept id_ed25519.pub as an authorized key. To do this run

ssh-copy-id ${username}@${hostname}

Be sure to replace ${username} with YOUR username. You can replace ${hostname} with the hostname of any CS lab machine (e.g. linux-01) currently running Linux.

This will ask for your password (not the passphrase you just set, but your Computer Science domain credentials). Once you’ve authenticated, the contents of id_ed25519.pub will be copied into ~/.ssh/authorized_keys on the remote host. To increase security you should make the ~/.ssh/authorized_keys file readable and writable by only your user. To do this run

chmod 600 ~/.ssh/authorized_keys

In fact, you should be the only one able to read and write all files under the ~/.ssh directory.

You can accomplish all of this in one step by manually appending the contents of ~/.ssh/id_ed25519.pub to ~/.ssh/authorized_keys on the remote host (creating the ~/.ssh directory there first if it does not exist yet) with

ssh ${username}@${hostname} 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys' < ~/.ssh/id_ed25519.pub
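The permission rules above (700 on ~/.ssh, 600 on the private key and on authorized_keys) are also what sshd's StrictModes check enforces before it will accept a key. As an added example, not part of the original page, here is a small POSIX shell audit that walks an SSH directory and reports anything readable or writable by other users. It treats the .pub files as the one exception, since they are public by design and only need to be protected against writes by others. The file name audit_ssh.sh and the directory argument are assumptions for this example; with no argument it audits ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the original page): audit an SSH directory and
# report every entry whose permissions would let another user read or
# modify it. Exit status 0 means everything is private, 1 means something
# needs tightening (the chmod commands from the page fix the common cases).
#
# Usage: sh audit_ssh.sh [DIR]      (DIR defaults to ~/.ssh)

# Print a file's permission bits in octal. GNU stat and BSD/macOS stat take
# different flags, so try GNU first and fall back to BSD.
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# Succeed only when neither group nor "other" have any bits set,
# i.e. the mode ends in "00" (600 for files, 700 for the directory).
is_private() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

audit_ssh_dir() {
    dir="${1:-$HOME/.ssh}"
    bad=0

    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi

    mode=$(file_mode "$dir")
    if ! is_private "$mode"; then
        echo "too open: $dir ($mode, expected 700)"
        bad=1
    fi

    for f in "$dir"/*; do
        [ -e "$f" ] || continue        # empty directory: the glob stays literal
        mode=$(file_mode "$f")
        case "$f" in
            *.pub)
                # Public keys may be world-readable, but the write bit (2) must
                # not be set for group (second-to-last digit) or other (last).
                case "$mode" in
                    *[2367]?|*?[2367])
                        echo "writable by others: $f ($mode)"
                        bad=1 ;;
                esac ;;
            *)
                # Private keys, authorized_keys, known_hosts and config are
                # owner-only, exactly as the page recommends.
                if ! is_private "$mode"; then
                    echo "too open: $f ($mode, expected 600)"
                    bad=1
                fi ;;
        esac
    done

    return $bad
}

# Run the audit only when executed as a script named audit_ssh.sh (assumed
# file name); when sourced into a shell it just defines the functions.
case "$0" in
    *audit_ssh.sh) audit_ssh_dir "$@" ;;
esac
```

Run it on both the local machine and, after ssh-copy-id, on the lab machine; a non-zero exit status tells you which file to chmod. The check deliberately looks only at the permission bits, not at ownership, because ssh-copy-id writes into your own home directory and the files are already yours.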

Step 3 Check that everything is working

In order to verify that everything is working you should try to login to the remote host using:

ssh ${username}@${hostname}

Be sure to replace ${username} with YOUR username. You can replace ${hostname} with the hostname of any CS lab machine (e.g. linux-01) currently running Linux.

If you entered a passphrase for your key then you will see the following:

Enter passphrase for key '/home/${username}/.ssh/id_ed25519':

Enter the passphrase for your key pair and you should be logged into the remote host.

Step 4 SSH Agent

Repeatedly typing your passphrase can be a bit of a bear. In order to avoid endlessly typing in your passphrase every time you connect to a machine see the article on using SSH Agent.