ssh-keygen for fast and secure logins

Howto login fast and securely with SSH keys

This guide walks through generating an identity key pair, which consists of a private key and a public key. Treat the private key as a secret; the public key is meant to be shared.

Keep in mind

  • Who has access to the system? Anyone with physical access to the machine can effectively read the contents of your drive, so use a well-encrypted filesystem or a very good passphrase.
  • The passphrase. If you’re setting a passphrase it shouldn’t be the same as your login password. When you feel the passphrase should be updated, just generate a new key-pair and distribute it. Make sure the revoked pair is taken out of circulation.
  • Never ever copy your private key anywhere. This is a unique identification and if you’re setting up another machine you should generate a new key-pair. Portable keys can be put on USB sticks (protected by a good passphrase).

Generating an identity key-pair

Bring up your terminal and run the command ssh-keygen. You will be asked to input a filename, where I recommend you don’t enter anything, assuming this is your first time. A default value will then be used as you can see below:

$ ssh-keygen
Generating public/private rsa key pair.
[...]
Your identification has been saved in /home/mmn/.ssh/id_rsa.
Your public key has been saved in /home/mmn/.ssh/id_rsa.pub.
[...]

The above is the result of a successful key-pair generation for the user mmn. The “identification” file is your private key, a secret of utmost importance. When prompted, enter a passphrase if you deem it necessary for security; it encrypts the private key on disk. Note that a passphrase-protected key requires input at login, so non-interactive scripts will stall on the prompt; keep that in mind if you have a specific automation scenario in mind.

Distributing the public key

To be able to identify yourself using the private key, the remote computer requires a copy of the public key. The server uses it to verify that you hold the matching private key, which never leaves your machine, and the two sides then establish a secure, non-eavesdropped communication channel.

The public key file contains a single line which must be put in the list of authorized keys at the remote server. If you have to supply the public key to an administrator, you can simply e-mail the id_rsa.pub file or copy-paste its contents. If you can already log in with a password on the remote machine, it’s easiest to use ssh-copy-id:

ssh-copy-id user@server

What ssh-copy-id does is append your public key to the file ~/.ssh/authorized_keys in your remote account. This can also be done manually, as it’s all just text files.
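An added example (not from the original post) of the manual equivalent of ssh-copy-id, run on the remote account: it appends a single public key line to authorized_keys only if that key is not already present, and sets the permissions sshd expects on ~/.ssh and the file. The function name install_pubkey and the optional second argument are assumptions for this example.

```shell
#!/bin/sh
# install_pubkey <id_rsa.pub> [authorized_keys]
# Manual equivalent of ssh-copy-id for the receiving account (added example).
# Idempotent: a key already listed is not appended a second time.
install_pubkey() {
    pub="$1"
    auth="${2:-$HOME/.ssh/authorized_keys}"
    dir=$(dirname "$auth")

    # ssh-keygen writes exactly one non-empty line into the .pub file
    [ "$(grep -c . "$pub")" -eq 1 ] || {
        echo "expected a single-line public key in $pub" >&2
        return 1
    }

    # key type + base64 blob identify the key; the trailing comment may differ
    keyid=$(awk '{print $1, $2}' "$pub")

    # sshd (StrictModes) refuses keys in a world- or group-writable location
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"

    if grep -qF -- "$keyid" "$auth"; then
        echo "key already present in $auth"
        return 0
    fi

    # command substitution strips any trailing newline; add exactly one back
    printf '%s\n' "$(cat "$pub")" >> "$auth"
    echo "key added to $auth"
}
```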

Configuring several identities

If you want to generate and select between several private keys, just enter a different filename for each when running ssh-keygen. When connecting to various computers you must tell ssh which key to use, which is done with the -i switch. Here are a couple of examples:

  • ssh host
    Log in with your own username on server host using the default private key.
  • ssh -i ~/.ssh/testkey mikael@host2
    Log in as user ‘mikael’ on server ‘host2’ using the alternative private key testkey.
  • ssh -t -i ~/.ssh/testkey mikael@host2 'screen -Dr irc || screen -S irc irssi'
    Log in as user mikael on server host2 using testkey. Use pseudo-tty allocation (-t) and reattach to the screen session named irc, OR start irssi in a new screen session of that name if none exists.

To make the various commands more easily accessible and much quicker to use, you can configure ssh or set up aliases in your shell. Below is an example you can use to start configuring ssh. The default file path is ~/.ssh/config.

Sample ssh config file

# Global section
IdentitiesOnly yes
Compression yes

# uses default identity file
Host host
HostName host.machines.com
User mmn
Port 443

# uses specific testkey identity
Host host2
IdentityFile ~/.ssh/testkey
User mikael
HostName host2.machines.com

4 thoughts on “ssh-keygen for fast and secure logins”

  1. > When you feel the passphrase should be updated, just generate a new key-pair and distribute it.

    Why? The passphrase is used to protect the secret key, which is stored locally. It can also easily be changed/added/removed with `ssh-keygen -p`.

    And if you are distributing new keys, you’ll probably want to nuke the old one.

    1. Assuming one occasionally makes insecure backups, is sloppy with physical system access or anything else everyone can happen to do, you should assume someone has also taken possession of your passphrased private key file.

      Given enough time, your passphrase will be cracked. If someone has a copy with an old passphrase, they have all the time in the world. Therefore it’s better to have revoked the old private key rather than keeping it in use. It’s quick, easy and will ensure there’s no old private key in the hands of a cracker.

      And yes, it’s implied that the old key should be taken out of use. I’ll make sure that’s clear in the text above.

  2. I tried the ssh-copy-id, but got the following:
    bash: ssh-copy-id: command not found

    1. I suppose it depends on which system (and software packaging) you use. My experience has been with Ubuntu mainly, but I’m fairly certain I remember using ssh-copy-id under both Debian as well as Fedora.
