Skip to Content

Create SSH Key Pair with ssh-keygen Command in Linux

Security has reached a tipping point for the IT industry. If you’re looking for an alternative to passwords, key-based authentication in SSH might be the right solution for you.

This type of authentication uses a public and private key pair to verify your identity, and it’s much more secure than a password.

In this blog post, we will discuss how to generate SSH Key Pair in Linux with detailed steps.

When you’re finished, you’ll have a solid understanding of SSH so that you can more securely remote into your Linux servers.

What are SSH Key Pairs?

SSH Key pairs are the foundation of digital security. Key pairs are based on public key infrastructure(PKI) Technology.

They are used to provide secure methods for authentication.  This is the reason why they’re so important to our personal life or business activities.

SSH keys always come in pairs, and every pair is made up of a private key and a public key.

A public key can be known by everyone, but the private key can be known or used only by the owner.

Public keys can be distributed to anyone in any mechanism. There is no need to protect the secrecy of the public key.

Can we have more than one SSH key pair?

You can have more than one SSH key pair. In fact, it’s common to have multiple key pairs for different purposes or to use with different services.

For example, you might have one key pair for personal use and another key pair for work-related accounts. You might also have separate key pairs for different servers or services.

What are the benefits of using key authentication in SSH?

  • Easy and non-interactive login. Users don’t have to type the password for every new session
  • More secure compared to passwords as it works on public-private key cryptography
  • More reliable
  • Better authentication and authorization management
  • A good solution for both small and large infrastructure
  • Easy to build and maintain

 

How SSH key works in SSH?

SSH keys are used to authenticate and establish an encrypted communication channel between a client and a remote machine over the internet. 

The public key is stored on the system, and the private key is stored in a secure local location.

Here’s how SSH key works in SSH:

The user generates a pair of keys on their local machine using a tool such as ssh-keygen. The private key is kept secret and stored securely on the user’s local machine, while the public key is shared with the remote server.

The public key is added to a file on the remote server called the authorized_keys file. This file lists all of the public keys that are authorized for logging in to the user’s account on the remote server.

When the user attempts to log in to the remote server using SSH, the SSH client on their local machine uses the private key to sign a challenge sent by the remote server.

The SSH client sends the signed challenge back to the remote server, along with the user’s public key.

The remote server checks the authorized_keys file for the user’s public key and verifies that the signature sent by the SSH client is valid and matches the public key in the authorized_keys file.

If the verification is successful, the user is granted access to the remote server.

The remote server checks the authorized_keys file for the user’s public key and verifies that the signature sent by the SSH client is valid and matches the public key in the authorized_keys file.

Generate a SSH key pair with ssh-keygen command

we are going to use the ssh-keygen command to generate SSH public and private key files.

By default, these files are created in the ~/.ssh directory. You can specify a different location, and an optional password (passphrase) to access the private key file.

If an SSH key pair with the same name exists in the given location, those files are overwritten. The following command creates an SSH key pair using RSA encryption and a bit length of 4096:

ssh-keygen -m PEM -t rsa -b 4096

You can verify the presence of these files by typing:

ls -l

This will display a list of all the files in the directory, including the id_rsa and id_rsa.pub files.

Understanding ssh-keygen Command in Linux

ssh-keygen command will generate two files: a private key file named id_rsa and a public key file named id_rsa.pub. The following example shows additional command options.

ssh-keygen -m PEM -t rsa -b 4096 -C "[email protected]" -f ~/.ssh/mykeys/myprivatekey

ssh-keygen = the command used to create the keys

  • -m PEM = format the key as PEM
  • -t rsa = type of key to create, in this case in the RSA format
  • -b 4096 = the number of bits in the key, in this case 4096
  • -C “[email protected]” = a comment appended to the end of the public key file to easily identify it. Normally an email address is used as the comment, but use whatever works best for your infrastructure.
  • -f ~/.ssh/mykeys/myprivatekey = the filename of the private key file, if you choose not to use the default name. A corresponding public key file appended with .pub is generated in the same directory. The directory must exist.

 

Which SSH Key type is safe?

SSH protocol supports several public key types for authentication keys. The key type and key size both matter for security.

Based on the difference of each SSH key type, we recommend the following ways to generate SSH key file.

  • ssh-keygen -t rsa -b 4096
  • ssh-keygen -t dsa
  • ssh-keygen -t ecdsa -b 521
  • ssh-keygen -t ed25519

 

Detailed Example of ssh-keygen

ssh-keygen -t rsa -m PEM -b 4096 -C "[email protected]"

Generating public/private rsa key pair.
Enter file in which to save the key (/home/howtouselinux/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/howtouselinux/.ssh/id_rsa.
Your public key has been saved in /home/howtouselinux/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:vFfHHrpSGQBd/oNdvNiX0sG9Vh+wROlZBktNZw9AUjA [email protected]
The key’s randomart image is:
+—[RSA 4096]—-+
| .oE=*B*+ |
| o+o.*++|
| .oo++*|
| . .B+.O|
| S o=BO.|
| . .o++o |
| . … . |
| .. . |
| .. |
+—-[SHA256]—–+

Display SSH Key with Linux Cat command

If you’re not familiar with the format of an SSH public key, we can display our public key with the following cat command.

Replace ~/.ssh/id_rsa.pub with the path and filename of our own public key file if needed:

cat ~/.ssh/id_rsa.pub

A typical public key value looks like this:

ssh-rsa AAAAB3NzaC1gR5mKnGpKWR...jieHsxe [email protected]

Copy the SSH Public Key to remote Server

Once the key pair is generated, it’s time to place the public key on the server that we want to connect to.

We can copy the public key into the server’s authorized_keys file with the ssh-copy-id command.

Make sure to replace the example username and address:

ssh-copy-id  -i keyfile how@howtouselinux

How to login Linux with SSH key?

We can add the -i flag and the path to your private key in ssh command.

For example, to invoke the private key host_key, stored in the ~/.ssh/ directory, when connecting to your account on a remote host (for example, [email protected]), enter:

ssh -i ~/.ssh/host_key [email protected]

We can also setup this up from ssh client configuration file.The SSH client configuration file is a text file containing keywords and arguments.

To specify which private key should be used for connections to a particular remote host, use a text editor to create a ~/.ssh/config that includes the Host and IdentityFile keywords.

For example,  we can add the following lines for host www.howtouselinux.com to use the private key host_key.

Host www.howtouselinux.com
IdentityFile ~/.ssh/host_key

Understanding host fingerprint with ssh-keygen Command

If we’re connecting to the remote server for the first time, we’ll be asked to verify the host’s fingerprint.

It’s tempting to simply accept the fingerprint that’s presented, but that approach exposes us to a possible person-in-the-middle attack.

We should always validate the host’s fingerprint. We need to do this only the first time we connect from a client.

To obtain the host fingerprint,  execute the command

ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub | awk '{print $2}'.