Generating SSH Keys in Linux

1. Overview

In this tutorial, we’ll cover the basics of SSH keys and how to generate
an SSH key pair in Linux.

2. Secure Shell (SSH)

Secure Shell (SSH) is a secure remote login protocol that leverages
public-key cryptography to encrypt the communication between a client
and a server.

2.1. Public-Key Encryption

In general, public-key encryption (also called asymmetric encryption)
requires a key pair — a public key and a private key — that act as
complements of one another. We use a public key to decrypt a message
encrypted with a corresponding private key and vice versa.

Note that we cannot decrypt a message with the same key that encrypted
it. Therefore, we cannot decrypt a message using a private key if the
corresponding private key encrypted it.

Likewise, we cannot decrypt a message using a public key if the same
public key encrypted it. Thus, we can share the public key freely, so
long as we don’t share the private key since both are required to
encrypt and decrypt messages.

2.2. Authenticating a Sender

SSH uses public-key encryption to ensure that a client is who it claims
to be. First, the client must register with the server by sending the
client’s public key to the server. The server then records this public
key in a list of authenticated clients and assigns it an ID. Both the
server and client know this ID.

Once registration is complete, a client can later authenticate with the
server using the following steps:

  1. The client and server agree on a secret key using the
    Diffie-Hellman
    key exchange algorithm    .

  2. The client sends the server its ID.

  3. The server checks to ensure that the received ID is in its list of
    authenticated clients.

  4. The server creates a random number, encrypts it using the client’s
    public key corresponding to the received ID, and sends it to the client.

  5. The client decrypts the random number with its private key.

  6. The client combines the random number with the secret key, hashes it,
    and sends it to the server.

  7. The server computes the hash of the combined random number and secret.

  8. The server compares the computed hash with the one received from the
    client.

If the computed and received hashes match, authentication is successful.

Essentially, SSH tests the client by encrypting some data with the
recorded public key, sending it to the client, and requiring that the
client decrypt and send back the same data. If the client can
successfully decrypt and send back the same data, it must have the
private key associated with the recorded public key. Therefore, the
client is who it claims to be.

3. Generating SSH Keys

Unsurprisingly, many of the most popular websites, including
GitHub and GitLab, use
SSH authentication.

To use this mechanism on these websites, we must create an SSH key pair.
To generate a key-pair for the current user, execute:

ssh-keygen

We will be prompted to enter a location to save the key pair, a
passphrase, and a passphrase confirmation. Select the defaults for all
three by hitting the Enter key at each prompt.

By default, ssh-keygen will save the key pair to ~/.ssh. In that
directory, we see two files — id_rsa and id_rsa.pub — corresponding
to the private and public keys, respectively.

Note that the private key (id_rsa) should never be shared.

Additionally, we can view the contents of the public key by executing
cat ~/.ssh/id_rsa.pub. The output will resemble:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD1Y6mRUepVaEZ+6ghg+ju/iirHQqQbuE3Wy6aEb+b
nKlzqFgAyGFuQSw+DuDqyZkWFd9O4Al4TOr7bQsS6Xji2GUt0ikr9/gv2pVwUd9LBiEAks+HEfb4tMO
77FMGQ4BytU9ssYCjCRT4F7rx0li0qUqhgao7syaxu4PTI+p+Auz1Y1wwVf7T4Pwd9YFcThTa6+Lr5r
vbft8Ws2KwHDEzNH2lf9UoiN1Lcd5szHpT1iXz9jvb3Fmd2I8d8seThde5WHI7N6t+ojyqntIc9bMW9
TL2uw/kFtZfIsC4/OKDVscWRBxY7xkb/4N5UJJ9OL2cpu1fZBHL9T6TG4lOyIEMj
[email protected]

3.1. Changing Default Location

To save the key pair to a specific location, we execute ssh-keygen and
enter the location when prompted:

Enter file in which to save the key (/home/my-username/.ssh/id_rsa):

While the prompt only includes the name of the private key,
ssh-keygen will generate a public key file with the .pub
extension in the same directory.

We can also generate a key pair in the current directory with a specific
file name using the -f flag:

ssh-keygen -f example

The above command will generate a key pair of example
and example.pub in the current directory.

3.2. Adding a Passphrase

Also, we can require a passphrase to unlock our generated key pair. To
add a passphrase, we execute ssh-keygen and enter the passphrase when
prompted:

Enter passphrase (empty for no passphrase):

ssh-keygen will prompt us to confirm the passphrase. If the
passphrases don’t match, ssh-keygen will prompt us to enter a
passphrase and reconfirm again.

3.3. Selecting an Algorithm and Length

Unless otherwise specified, ssh-keygen uses the
Rivest–Shamir–Adleman
(RSA) algorithm when generating the key pair. We can specify another
algorithm using the -t flag. For example:

ssh-keygen -t dsa

By default, this will generate a key pair of id_dsa and id_dsa.pub.
In general, the default file names of the generated pair will have the
format id<algorithm>_ and id<algorithm>.pub_.

We can view the list of supported algorithms by supplying the –help
flag:

ssh-keygen --help

This will result in an output resembling the following:

usage: ssh-keygen ... [-t dsa | ecdsa | ed25519 | rsa]
    ...

If required, the length of the generated key can also be specified in
bytes using the -b flag:

ssh-keygen -b 4096

4. Conclusion

In this quick tutorial, we learned the basics of SSH and how it can be
used to authenticate a user. Using this understanding, we can use the
ssh-keygen command to generate SSH key pairs using various algorithms
and of varying lengths.

We can then use these key pairs to authenticate automatically with
applications that support SSH.

Leave a Reply

Your email address will not be published.