How do I manage SSH keys?

It is possible to open an SSH connection without having to type your password every time. Instead, you can use a passphrase in combination with SSH "key pairs". On Mac OS X or UNIX, you will be able to type in your passphrase once at login, and during that session, connect to different remote computers without typing in a password or passphrase each time. On Windows PCs, using the passphrase enables you to connect to different accounts or hosts in the same session seamlessly, without having to type in a password or passphrase every time.

You will need to create an SSH keypair to facilitate this process. One key, the private key, stays on the machine you will connect from. The other key, the public key, can be put in any account you connect to. Think of this process as leaving a real key (the public key) in a remote door. The door will only open if you have the associated private key as you approach. This is why you must keep the private key to yourself, otherwise people who have a copy of it can pass through all the doors in which you left your public key.

On Windows

Creating the key pair

From within the Windows SSH client, first connect to the computer where you will be installing the public key. Then choose Settings from the Edit menu. In the Settings window, choose Global Settings + User Authentication + Keys from the tree on the left side. Depending on your version of the software, it may be under User Keys. Initiate the key generation by clicking the Generate New... button in the pane on the right.

In the following Wizard window, you can choose the key type and length. The recommended key type is DSA, though you can alternatively choose RSA. The default key length is fine. When prompted, I recommend choosing sshcom as the filename so you will remember it was the Windows SSH Communications client that created it. The comment field can be left empty or filled in with anything you like.

Choose to upload the public key to the remote site.

Uploading and converting the public key

If you created the key with Windows SSH software and chose to upload the file, it will have been put in ~/.ssh2/. Otherwise, go back to the User Keys section as described above, select your key, and then choose to upload it now.

Since you created your key pair with the Windows ssh client, you will need to convert the key file to a format OpenSSH understands. This can be accomplished by running 'ssh-keygen -i -f ~/.ssh2/sshcom.pub > ~/mynewkey.pub' on the remote machine.

Installing the public key

See the UNIX instructions for this step below as they are identical.

On UNIX and Mac OS X

Generating SSH Keys

You can generate keys with the 'ssh-keygen' command:

% ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key ($HOME/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in $HOME/.ssh/id_rsa.
Your public key has been saved in $HOME/.ssh/id_rsa.pub.

Uploading the public key

Once you have generated the key pair, you will need to transfer the public key, e.g. id_dsa.pub, to the remote site. You can transfer the public key in any number of ways, such as FTP, SFTP, or even by email as an attachment. The public key file is actually just a text file. Upload the file anywhere in the top level of your home directory.

To transfer the file to the remote machine using SCP, execute 'scp ~/.ssh/id_dsa.pub username@remotehost:mynewkey.pub'.

Installing the public key

Append the public key to ~/.ssh/authorized_keys on the remote machine. SSH to that computer and run:

$ cat ~/mynewkey.pub >> ~/.ssh/authorized_keys
$ rm ~/mynewkey.pub
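The two commands above are all that is strictly needed, but sshd silently ignores an authorized_keys file whose directory or file permissions are too open (StrictModes is on by default), and appending the same key twice is easy to do. The following shell function is an added example, not part of the original page: it checks that the uploaded file is already in OpenSSH's one-line format (an unconverted SSH Communications key still starts with "---- BEGIN SSH2 PUBLIC KEY ----"), creates ~/.ssh and authorized_keys with the expected modes, and appends the key only if its base64 blob is not already present. The function name, the argument layout and the sample key used in the usage comment are my own choices.

```shell
#!/bin/sh
# install_pubkey: append an OpenSSH-format public key to authorized_keys safely.
# Added example (not from the original page); names here are assumptions.
#
#   $1  path to the uploaded public key file, e.g. ~/mynewkey.pub
#   $2  authorized_keys path (optional, defaults to ~/.ssh/authorized_keys)
#
# Usage on the remote host, matching the page's two commands:
#   install_pubkey ~/mynewkey.pub && rm ~/mynewkey.pub
install_pubkey() {
    pubfile=$1
    authkeys=${2:-"$HOME/.ssh/authorized_keys"}
    sshdir=$(dirname "$authkeys")

    [ -r "$pubfile" ] || { echo "cannot read $pubfile" >&2; return 2; }

    # First non-blank line; OpenSSH format is "<type> <base64> [comment]".
    keyline=$(grep -v '^[[:space:]]*$' "$pubfile" | head -n 1)

    # A key that is still in the SSH Communications (RFC 4716) format must be
    # converted with "ssh-keygen -i -f <file>" before it can be installed.
    case $keyline in
        "---- BEGIN SSH2 PUBLIC KEY ----"*)
            echo "$pubfile is in SSH2/RFC 4716 format; convert it with: ssh-keygen -i -f $pubfile" >&2
            return 3 ;;
    esac

    # Accept only the key types OpenSSH knows how to read.
    keytype=${keyline%% *}
    case $keytype in
        ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unrecognised key type '$keytype' in $pubfile" >&2; return 3 ;;
    esac

    # The second field is the base64 key blob; it identifies the key regardless
    # of the comment, so it is what we use to detect a duplicate.
    rest=${keyline#* }
    blob=${rest%% *}
    if [ -z "$blob" ] || [ "$blob" = "$keyline" ]; then
        echo "malformed key line in $pubfile" >&2
        return 3
    fi

    # sshd refuses keys if ~/.ssh or authorized_keys is writable by others.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$authkeys" && chmod 600 "$authkeys" || return 1

    if grep -qF -- "$blob" "$authkeys"; then
        echo "key already present in $authkeys" >&2
        return 0
    fi
    printf '%s\n' "$keyline" >> "$authkeys"
    echo "installed $keytype key into $authkeys" >&2
    return 0
}
```

Running the function twice with the same key leaves a single line in authorized_keys, and feeding it an unconverted sshcom.pub fails with a message pointing at the ssh-keygen -i step described in the Windows section rather than appending a key that sshd could never parse.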