Working With SSH Keys
- Generate New Keys
- Specify Key Type
- Specify Bit Length
- Specify Comment
- Specifying File Name
- Generate Public Key from Private Key
- Copy Public Key to Remote Server
- Authorized_Keys
- Known_Hosts
- Related
- Links
Generate New Key
On a fresh install the ~/.ssh directory is empty.
To generate a new key using the defaults:
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa
Your public key has been saved in /home/user/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:7yeMbaYdSlfHolr8R8/99GFGqkr9oFwaK0L716XZh99 user@computer
The key's randomart image is:
+---[RSA 3072]----+
| . |
| o |
| . + |
| . ..o .|
| . So == o .|
| . . oEB=o=.. |
| o ..XX o o.|
| o.oO*....o|
| .=+oo.. .+|
+----[SHA256]-----+
ls /home/user/.ssh
id_rsa id_rsa.pub
Specify Type
ssh-keygen -t dsa|ecdsa|ed25519|rsa
dsa keys are disabled by default in OpenSSH 7.0 and later; ed25519 is the usual choice for a new key.
Specify Bits
ssh-keygen -t rsa -b 4096
ssh-keygen -t ecdsa -b 521
Specify Comment
ssh-keygen -C contractor
Specifying File Name
ssh-keygen -f ~/contractor
Generate Public Key from Private Key
ssh-keygen -y -f server.id_rsa > server.id_rsa.pub
Copy Public Key to Remote Server
This appends the public key to remote_server:/home/remote_user/.ssh/authorized_keys (creating the directory and file if they do not exist).
Default Key
ssh-copy-id remote_user@remote_host
Specify Key
ssh-copy-id -i ~/.ssh/contractor remote_user@remote_host
Authorized_Keys
~/.ssh/authorized_keys holds the list of public keys that are authorised to log in to this computer.
The authorized_keys file is maintained on the SSH server; the known_hosts file is maintained on the SSH client.
Known_Hosts
When an SSH SERVER is provisioned it creates several host key pairs in its /etc/ssh directory.
For example:
- ssh_host_dsa_key.pub
- ssh_host_ed25519_key.pub
- ssh_host_ecdsa_key
- ssh_host_rsa_key
- ssh_host_ecdsa_key.pub
- ssh_host_rsa_key.pub
- ssh_host_dsa_key
- ssh_host_ed25519_key
The first time you SSH into a SERVER, its host public key is copied (or hashed) into your local computer's ~/.ssh/known_hosts file.
The authenticity of host 'server (10.10.10.10)' can't be established.
ECDSA key fingerprint is SHA256:1234567891011121314+7777+999999999999999999.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Connecting to an SSH server by hostname one time and by IP address the next results in two entries in the SSH client's ~/.ssh/known_hosts file.
The known_hosts file is maintained on the SSH client; the authorized_keys file is maintained on the SSH server.
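As an added example (not part of these notes), here is a small Python model of what the client does with ~/.ssh/known_hosts: computing the SHA256 fingerprint that ssh-keygen -l and the first-connect prompt show, matching plain, comma-separated and HashKnownHosts-hashed host fields, and deciding between an unknown host, a known key and a changed key. The key blobs, hostnames and salt are constructed for the example and are not real server keys.

```python
import base64, hashlib, hmac, struct

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint as ssh-keygen -l shows it: base64 with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_host(host: str, salt: bytes) -> str:
    """HashKnownHosts form of a host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(pattern: str, host: str) -> bool:
    """Match a known_hosts host field (plain, comma-separated or hashed) against host."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, expected)
    return host in pattern.split(",")

def parse_known_hosts(text: str) -> list:
    """Parse 'hosts type base64-key [comment]' lines; blanks and # comments are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        hosts, ktype, blob = line.split(None, 3)[:3]
        entries.append({"hosts": hosts, "type": ktype, "fingerprint": fingerprint(blob)})
    return entries

def check_host_key(text: str, host: str, ktype: str, blob: str) -> str:
    """Client decision on connect: 'unknown' (first-connect prompt), 'match' or 'MISMATCH'."""
    known = [e for e in parse_known_hosts(text) if e["type"] == ktype and host_matches(e["hosts"], host)]
    if not known:
        return "unknown"
    return "match" if any(e["fingerprint"] == fingerprint(blob) for e in known) else "MISMATCH"

# Constructed sample keys and file: not real server keys or a real known_hosts.
KEY_A = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode()
KEY_B = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()
SAMPLE_KNOWN_HOSTS = (
    f"server ssh-ed25519 {KEY_A}\n"                                     # connected by hostname ...
    f"10.10.10.10 ssh-ed25519 {KEY_A}\n"                                # ... then by IP: two entries, one key
    f"{hash_host('backup.example', bytes(20))} ssh-ed25519 {KEY_A}\n"   # HashKnownHosts=yes form
)
```

A "MISMATCH" result is what ssh reports as a changed host key; it is worth checking against the fingerprint the server's administrator publishes before answering "yes" at the prompt.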
Related
Links
- ssh.com/keygen