Creating a SSH private:public key pair

Creating a SSH key pair is easy using the ssh-keygen utility - there are quite a lot of options to this but by default it will create keys suitable for most users (a 2048 bit RSA key pair for use with ssh protocol 2 connections). But do note that you must create a keypair with no passphrase; if you specify a passphrase, it defeats the whole object of the private/public keypair scheme as you'll then be prompted for the passphrase instead of the password! So in the example ssh-keygen session shown below, simply hit return both times you are prompted for a passphrase and it will create a keypair that does not use or require a passphrase:

andy@macomp05:~ $ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ma/a/andy/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/ma/a/andy/.ssh/id_rsa.
Your public key has been saved in /home/ma/a/andy/.ssh/
The key fingerprint is:

This will create two keys in your .ssh folder:

andy@macomp05:~ $ ls -l .ssh
total 64
-rw------- 1 andy mastaff   883 Nov 10 14:50 id_rsa
-rw-r--r-- 1 andy mastaff   222 Nov 10 14:50

The id_rsa key is your private key which you should look after and never give to anyone else; note that its permissions are such that only yourself can read it or change it and if you relax these permissions in any way, the key becomes insecure. Most ssh clients (including the ones on the Linux & Linux computers in Maths) will warn or even prevent you from using the key until the permissions have been set correctly. On the other hand your public key is which can be read by anyone - this is intentional otherwise the remote system will not be able to use your public key.

The private key, id_rsa, needs to be in your .ssh folder on the computer you are making the ssh connection from while the public key must be in your .ssh folder on the computer you want to connect to. If you are using systems in Maths with a networked home directory on either ICNFS or Clustor, you won't actually have to worry about copying public keys to other computers because whenever you log into another system in Maths, you will be using exactly the same home directory containing the same .ssh folder and its keys. In this case you can skip the next step and go on to creating the authorized_keys file.

Assuming you want to connect to a computer that doesn't share the same home directory with the one you are connecting from, you will have to copy your key across to the .ssh folder on the other system using scp.

Once you have created your key pair and (if applicable) copied your public key to the other system, you need to create a file called authorized keys. This file simply contains one (or more) keys from system(s) that are allowed to connect to it. If you will only ever connect to the remote system containing your key from one system, then you can either rename the key to authorized_keys or, alternatively, you can simply create a soft symbolic link (symlink) to it as in this example:

andy@macomp05:~ $ cd .ssh
andy@macomp05:~/.ssh $ ln -s authorized_keys

On the other hand if you want to be able to connect to the remote system from more than one other computer, you will have a separate key for each of these. You will need to copy each one across (remembering to rename them so they do not overwrite each other in your .ssh folder) and add them to your authorized_keys file on the remote system, something like this:

andy@macomp05:~ $ cd .ssh
andy@macomp05:~/.ssh $ cat id_rsa.pub_from_computer1 id_rsa.pub_from_computer2 > authorized_keys

Now you can connect to the remote system from either of computer_1 or computer_2 since their different ssh public keys are both in your ~/.ssh/authorized_keys file.

Andy Thomas

Research Computing Manager,
Department of Mathematics

last updated: 25.03.2011