I use Git Bash on Windows but these instructions should work on just about any Bash-based system (Linux, Mac, etc).
- Create the RSA Key Pair
- Store the Keys and the Private Key Passphrase
- Copy the Public Key to Your Server
- Add Your Remote Server to Your SSH config File
ssh-keygen -t rsa
Once you have entered the ssh-keygen command, you will get a few more questions:
Enter file in which to save the key (/home/<user>/.ssh/id_rsa):
You can press enter here to save the file in your home .ssh directory.
I like to store my keys in a non-standard path that only I know about. If you do too, enter the path to the new key. You'll also need to set restrictive permissions on the secret path so that only you can read it.
Enter passphrase (empty for no passphrase):
It's up to you whether you want to use a passphrase.
Entering a passphrase does have its benefits: the security of a key, no matter how well encrypted, still depends on it never being exposed to anyone else. Should a passphrase-protected private key fall into an unauthorized user's possession, they will be unable to log in to its associated accounts until they figure out the passphrase, buying the hacked user some extra time. The only downside, of course, is then having to type the passphrase in each time you use the key pair.
The entire key generation process looks like this:
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/<user>/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/<user>/.ssh/id_rsa.
Your public key has been saved in /home/<user>/.ssh/id_rsa.pub.
The key fingerprint is:
4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 demo@a
The key's randomart image is:
+--[ RSA 2048]----+
| .oo. |
| . o.E |
| + . o |
| . = = . |
| = S = . |
| o + = + |
| . o + o . |
| . o |
| |
+-----------------+
The public key is now located in /home/<user>/.ssh/id_rsa.pub (or wherever you told ssh-keygen to store it).
The private key is now located in /home/<user>/.ssh/id_rsa (or whatever path you supplied to ssh-keygen).
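The steps above (a key pair at a non-standard path, plus the permissions that path needs) can be scripted. The following is an added example, not code from the original post: it generates the pair non-interactively and then audits the directory the way ssh does before it will use a key. The directory and name arguments, the SSH_KEY_PASSPHRASE variable, and the check functions are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): create a key pair at a
# non-standard path and audit the permissions ssh expects on it.
# Arguments and the SSH_KEY_PASSPHRASE variable are assumptions.
set -e

# True when <path> has exactly the octal mode <mode>. find -prune -perm
# behaves the same on GNU and BSD, unlike the differing stat flags.
has_mode() {  # has_mode <path> <octal-mode>
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# Check a key directory: the directory must be 700, every private key
# (any file without a .pub suffix) must be 600, public keys 644 or 600.
# Prints each problem; returns 1 if any was found, 0 when clean.
audit_key_dir() {  # audit_key_dir <dir>
    dir=$1 rc=0
    has_mode "$dir" 700 || { echo "BAD: $dir should be mode 700"; rc=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.pub) has_mode "$f" 644 || has_mode "$f" 600 ||
                       { echo "BAD: $f should be mode 644"; rc=1; } ;;
            *)     has_mode "$f" 600 ||
                       { echo "BAD: $f is not mode 600; ssh refuses keys others can read"; rc=1; } ;;
        esac
    done
    return "$rc"
}

# Generate an RSA key pair at <dir>/<name> without the interactive prompts.
# If SSH_KEY_PASSPHRASE is set it is used as the passphrase; otherwise
# ssh-keygen prompts for one (leave it empty for no passphrase).
make_key() {  # make_key <dir> <name>
    dir=$1 name=$2
    mkdir -p "$dir"
    chmod 700 "$dir"
    if [ -n "${SSH_KEY_PASSPHRASE:-}" ]; then
        ssh-keygen -t rsa -b 4096 -f "$dir/$name" -N "$SSH_KEY_PASSPHRASE"
    else
        ssh-keygen -t rsa -b 4096 -f "$dir/$name"
    fi
    chmod 600 "$dir/$name"
    chmod 644 "$dir/$name.pub"
}

# Usage: sh make-key.sh ~/some/secret/path/.ssh id.myserver
if [ "$#" -eq 2 ]; then
    make_key "$1" "$2"
    audit_key_dir "$1"
fi
```

The audit is worth running on its own against an existing key directory: ssh silently ignores a private key whose mode is wider than 600, so a key that "stopped working" after a copy or backup restore is usually a permissions problem, not a key problem.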
Once the key pair is generated, it's time to place the public key on the server that we want to use.
You can copy the public key into the new remote machine's ~/.ssh/authorized_keys file with the ssh-copy-id command. Make sure to replace the example username and IP address below.
ssh-copy-id [email protected]
You should see something like this:
The authenticity of host '12.34.56.78 (12.34.56.78)' can't be established.
RSA key fingerprint is b1:2d:33:67:ce:35:4d:5f:f3:a8:cd:c0:c4:48:86:12.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '12.34.56.78' (RSA) to the list of known hosts.
[email protected]'s password:
Now try logging into the machine, with:
ssh [email protected]
You should now be able to log into [email protected] without being prompted for a password. However, if you set a passphrase, you will be asked for the passphrase at that point (and every time you log in from then on).
By default, SSH looks for a config file in ~/.ssh/config. If this file does not already exist, go ahead and create it.
Make sure that the permissions are correct on this file.
chmod 600 ~/.ssh/config
The SSH config file is super handy and allows you to manage many separate public/private key pairs for many different servers. It also lets you give your server a nickname, so connecting to it is as trivial as: ssh myserver
Here's an example of an SSH config file:
Host myserver
    HostName mydomain.com
    # Optional. If your SSH connection keeps timing out, try this.
    ServerAliveInterval 30
    # The path to this server's private key file.
    IdentityFile ~/some/secret/path/.ssh/id.myserver
    # The unix username to use on the remote server.
    User rover

Host anotherserver
    HostName myotherdomain.com
    IdentityFile ~/some/secret/path/.ssh/id.anotherserver
    User whatever
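Once a config file lists several hosts, each pointing at its own key, it is easy to end up with an alias whose IdentityFile has moved or been copied with the wrong mode. The script below is an added example, not code from the original post: it lists the Host blocks in a config file in the simple per-host layout shown above and checks that every IdentityFile exists and is mode 600, which is the check ssh itself makes before using a key. The function names are assumptions, and the parser deliberately does not handle wildcards, Match blocks or Include directives.

```shell
#!/bin/sh
# Added example (not from the original post): list the Host aliases in an
# ssh config file and verify every IdentityFile exists and is mode 600.
# Handles only the simple per-host layout shown in the post (assumption):
# no wildcard Hosts, Match blocks, Include directives or paths with spaces.
set -e

# Expand a leading ~ the way ssh does for IdentityFile.
expand_tilde() {  # expand_tilde <path>
    case $1 in
        '~'|'~/'*) printf '%s\n' "$HOME${1#?}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# Print one line per Host block: "alias hostname user identityfile",
# with "-" for any directive the block does not set.
config_hosts() {  # config_hosts <config-file>
    awk '
        function flush() { if (alias != "") printf "%s %s %s %s\n", alias, hn, usr, idf }
        tolower($1) == "host"         { flush(); alias = $2; hn = "-"; usr = "-"; idf = "-"; next }
        tolower($1) == "hostname"     { hn = $2 }
        tolower($1) == "user"         { usr = $2 }
        tolower($1) == "identityfile" { idf = $2 }
        END { flush() }
    ' "$1"
}

# Check every IdentityFile in the config. Prints each problem and returns 1
# if any was found, 0 when all keys are present and private.
audit_identity_files() {  # audit_identity_files <config-file>
    rc=0
    # Here-document keeps the loop in the current shell so rc survives it.
    while read -r alias hn usr idf; do
        [ -n "$alias" ] || continue
        if [ "$idf" = "-" ]; then
            echo "WARN: $alias has no IdentityFile; ssh will try the default keys"
            continue
        fi
        path=$(expand_tilde "$idf")
        if [ ! -f "$path" ]; then
            echo "BAD: $alias: IdentityFile $path does not exist"; rc=1
        elif [ -z "$(find "$path" -prune -perm 600 2>/dev/null)" ]; then
            echo "BAD: $alias: $path is not mode 600; ssh will ignore it"; rc=1
        fi
    done <<EOF
$(config_hosts "$1")
EOF
    return "$rc"
}

# Usage: sh audit-config.sh ~/.ssh/config
if [ "$#" -eq 1 ]; then
    config_hosts "$1"
    audit_identity_files "$1"
fi
```

Run it against ~/.ssh/config after adding a new Host block; a BAD line for a key that is not mode 600 is the same condition that makes ssh fall back to password authentication even though the config looks right.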