Generating SSH Keys
Written by Sam Moffatt   
Tuesday, 16 October 2007 05:15

This article was posted as a follow up to the SCP and SSH article and covers the creation and distribution of SSH keys.

SSH Keys

SSH keys are public/private key pairs that provide a more convenient method of authentication and a form of 'single sign on' for SSH sessions. SSH attempts to authenticate with a key wherever it can instead of falling back to interactive password authentication. When used with an agent, you enter your key's passphrase once and SSH will then use that key to connect to every server that holds the matching public key. This is handy for a multitude of uses: logging into servers interactively via SSH, non-interactive use by tunnelled applications or disk mounts (e.g. sshfs), and access from other applications (like Nautilus). If you are running an environment like GNOME, you can connect to its SSH agent and run a script on login that asks for the passphrase once and retains it for the rest of the session.

Generating a key

On your local machine, if you haven't already got a ".ssh" folder in your home directory, create one and change to it. This directory is where SSH keeps your private keys, authorized public keys and known hosts. Your private keys are used by SSH to log into servers where the matching public keys are stored, and the known_hosts file stores the identifier of every server you have connected to, so you can verify that a server hasn't been altered or that you aren't being redirected somehow (this is why it prompts you when you connect to a new host, asking whether you want to trust the host).

To generate the key we use ssh-keygen; in this case we're going to generate an RSA key: ssh-keygen -b 1024 -t rsa

This will result in the following output:

moffats@shadow:~/.ssh> ssh-keygen -b 1024 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/moffats/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/moffats/.ssh/id_rsa.
Your public key has been saved in /home/moffats/.ssh/
The key fingerprint is: 28:08:8b:d9:50:a4:83:b6:51:69:d4:ab:9a:ae:25:c1
moffats@shadow moffats@shadow:~/.ssh>

Since we're creating a new key for ourselves we can accept the default file name, but we will want to specify our own passphrase. The passphrase is used to 'unlock' the key before it is used and is the equivalent of your password for the key.

Transferring your key

Before you can get started using SSH keys you need to distribute your SSH public key. The easiest way to do this is to secure copy the file to the remote server as the "authorized_keys" file in the ".ssh" directory on that server. SCP (like cp) cannot create directories that don't exist when you're only copying a single file; however, you can recursively copy a directory, which will create it remotely for you automatically. Since typically we will be transferring our key to new servers, we can create a template ".ssh" directory containing an authorized_keys file. Please note this only works if you don't already have a .ssh directory on the server; otherwise it will create a new template directory inside your existing .ssh directory.

In our .ssh directory again:

moffats@shadow:~/.ssh> mkdir template
moffats@shadow:~/.ssh> cd template/
moffats@shadow:~/.ssh/template> cp ../ authorized_keys
moffats@shadow:~/.ssh/template> cd ..
moffats@shadow:~/.ssh> scp -r template/ dev1:.ssh
authorized_keys 100% 224 0.2KB/s 00:00

If the server already holds one or more public keys you will have to append the new one instead; something like this will work (the first two commands run locally, the last one on the remote server):

scp /home/moffats/.ssh/ remoteserver:my_key
ssh remoteserver mkdir .ssh (only needed if the folder doesn't already exist)
cat my_key >> .ssh/authorized_keys (Note: >> is the append output redirector; it will create a new file or append to an existing one.)

Now we have our SSH key on a remote server, we can use the key when we SSH into it:

Enter passphrase for key '/home/moffats/.ssh/id_rsa':

And we can use this passphrase to log into those servers to validate that the key works. If you hit enter at the passphrase prompt (without entering anything else) you are prompted for the account password as normal.
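The template-directory trick above breaks when .ssh already exists on the server, and the manual append can install the same key twice. The following script is an added example, not code from the original article: it installs a public key line into an authorized_keys file idempotently, creating the .ssh directory and file with the permissions sshd insists on (700 and 600). The function names, the 4096-bit key size and the sample key lines are assumptions; the base64 in the test is constructed and is not real key material.

```shell
#!/bin/sh
# Added example (not from the original article): generate a key pair and install the
# public key into an authorized_keys file without creating duplicates or wrong modes.

# generate_key <path>: interactive, like the article's ssh-keygen call, but with a
# larger modulus; 1024-bit RSA is below the minimum that current OpenSSH accepts.
# (4096 bits is an assumption made for this example.)
generate_key() {
    ssh-keygen -t rsa -b 4096 -f "$1"
}

# key_material <pubkey-line>: the second field of "type base64 comment".
key_material() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# key_installed <pubkey-line> <authorized_keys>: 0 if the same key material is
# already listed, regardless of what the comment field says.
key_installed() {
    k=$(key_material "$1")
    [ -n "$k" ] && [ -r "$2" ] &&
        awk -v k="$k" '$2 == k { found = 1 } END { exit !found }' "$2"
}

# install_authorized_key <pubkey-line> <authorized_keys>: create the directory and
# file if needed (mkdir -p is a no-op when .ssh exists, so there is no nested
# template directory), append only when the key is missing, print "added" or
# "present". Returns 2 for a line that is not "type base64 [comment]".
install_authorized_key() {
    pubkey=$1
    authfile=$2
    [ -n "$(key_material "$pubkey")" ] || { echo "malformed key line" >&2; return 2; }
    mkdir -p "$(dirname "$authfile")"
    chmod 700 "$(dirname "$authfile")"
    touch "$authfile"
    chmod 600 "$authfile"
    if key_installed "$pubkey" "$authfile"; then
        echo present
    else
        printf '%s\n' "$pubkey" >> "$authfile"
        echo added
    fi
}

# count_keys <authorized_keys>: number of key lines (blank and comment lines ignored).
count_keys() {
    grep -c -v -e '^[[:space:]]*$' -e '^#' "$1"
}
```

Run on the server side (for example by piping the script through ssh), install_authorized_key replaces both the scp -r template step and the cat >> append, and it is safe to run repeatedly. Comparing on the key material rather than the whole line means a key whose comment was edited is still recognised as already installed.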

Using an SSH agent

An SSH agent is a program that asks for your passphrase, uses it to unlock your private key and then holds the unlocked key in memory for the duration of its execution. It makes the unlocked key available to requesting processes (by performing the key operations on their behalf) so they can authenticate without asking for the passphrase again. If you use SSH regularly this is highly desirable as it allows you to log into different servers or use SSH-based services (like SCP/SFTP or X11 tunnelling) without having to manually re-enter your passphrase.

Using SSH Agent on the command line

To start the SSH agent type the following: eval `ssh-agent`


moffats@shadow:~> eval `ssh-agent`
Agent pid 20692

This sets up your session, though as soon as you quit your terminal you will lose your connection to your ssh-agent; there are tools to work around this (see Using Keychain below). Now that we have an agent running we need to add our key(s) to it, which we do with ssh-add:

moffats@shadow:~> ssh-add
Enter passphrase for /home/moffats/.ssh/id_rsa:
Identity added: /home/moffats/.ssh/id_rsa (/home/moffats/.ssh/id_rsa)

We enter the passphrase we used when we created the key and we can see that it has added our identity to the agent. Then when we SSH to a server we are logged in without being prompted for either the passphrase for the key or the password for the server. We can use this with other tools on the command line like scp. However this only lasts for the current session, which is annoying; enter Keychain.

Using Keychain and SSH Agent

Keychain is a tool that aids the user in finding an existing ssh-agent or creating a new one (not to be confused with the Keychain tool for GNOME or Mac OS X). Keychain is available on Debian systems via APT and on Gentoo via emerge. You can acquire the source from the project's website. I personally use Keychain on my Mac because it is the easiest way of managing SSH keys; I run it from my BASH start up file:

keychain
source ~/.keychain/${HOSTNAME}-sh

On login I see this message (or messages saying its creating various files for me, see next example)

KeyChain 2.6.8;
Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL
* Found existing ssh-agent (250)

This finds an existing ssh-agent session and connects me to it. The first time it runs we have to still add our passphase using ssh-add:

KeyChain 2.6.8;
Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL
* Initializing /Users/moffats/.keychain/bigmac-sh file...
* Initializing /Users/moffats/.keychain/bigmac-csh file...
* Initializing /Users/moffats/.keychain/bigmac-fish file...
* Starting ssh-agent
bigmac:~ moffats$ ssh-add
Enter passphrase for /Users/moffats/.ssh/id_rsa:
Identity added: /Users/moffats/.ssh/id_rsa (/Users/moffats/.ssh/id_rsa)

Once we've done this, we don't need to run ssh-add again until we next reboot, as Keychain will continue to find the existing session. It will fail if the hostname of your machine changes, however this is usually only an issue for laptops (specifically ones that are set to reconfigure their hostname based on their DNS name, such as Macs).
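What Keychain does on login is small enough to show in a few lines of shell. The script below is an added example, not code from the article or from the Keychain project: it keeps the environment printed by ssh-agent in a per-hostname file, reconnects to that agent from a new terminal if it is still alive, and starts a fresh one otherwise, which is why closing a terminal no longer costs you the agent. The state file location and function names are assumptions modelled on Keychain's ~/.keychain/$HOSTNAME-sh file; the agent file used in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the article or the Keychain project): a Keychain-style
# login snippet that reuses a running ssh-agent across terminals.

# Where the agent environment is remembered; assumption modelled on Keychain's
# ~/.keychain/$HOSTNAME-sh (the hostname in the name is why a hostname change
# makes an older file go unnoticed).
AGENT_FILE=${AGENT_FILE:-$HOME/.ssh/agent-${HOSTNAME:-localhost}-sh}

# load_agent_env <file>: import SSH_AUTH_SOCK and SSH_AGENT_PID from a saved
# `ssh-agent -s` output file. Returns 1 if the file is missing or unreadable.
load_agent_env() {
    [ -r "$1" ] || return 1
    # ssh-agent's output ends with an "echo Agent pid N" line; silence it.
    . "$1" >/dev/null
    return 0
}

# agent_reachable: true when the socket exists and the agent process is alive.
agent_reachable() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] &&
        [ -n "$SSH_AGENT_PID" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# ensure_agent: use an agent inherited from the environment, else the one recorded
# in AGENT_FILE, else start a new one and record it for later shells.
ensure_agent() {
    if agent_reachable; then
        echo "using inherited agent ($SSH_AGENT_PID)"
        return 0
    fi
    if load_agent_env "$AGENT_FILE" && agent_reachable; then
        echo "found existing agent ($SSH_AGENT_PID)"
        return 0
    fi
    mkdir -p "$(dirname "$AGENT_FILE")"
    ssh-agent -s > "$AGENT_FILE" || return 1
    chmod 600 "$AGENT_FILE"   # the file names a socket anyone could try to use
    load_agent_env "$AGENT_FILE"
    echo "started new agent ($SSH_AGENT_PID)"
}

# keys_loaded: exit 0 if the agent holds at least one identity, 1 if it is empty,
# 2 if no agent can be contacted (these are ssh-add -l's own exit codes).
keys_loaded() {
    ssh-add -l >/dev/null 2>&1
}
```

Sourcing this from your shell start up and calling ensure_agent, followed by ssh-add when keys_loaded reports an empty agent, reproduces the "Found existing ssh-agent" behaviour shown above. Checking both the socket and the process is what lets the script notice a stale file left behind by a reboot.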

SSH Agents and GNOME

GNOME runs its own session agent when it starts, which has the advantage that every application started in a GNOME desktop session is aware of an SSH agent. This means that applications like Nautilus, and even applications started in terminals on the desktop, can access the agent. There is nothing you need to do to start it, though you do need to add your key to it. However, using the terminal to add your key isn't the best way of doing things, especially if you want to prompt the user when they log in, so it is useful to install an askpass helper program.

For Debian, you can install a few options such as:

* gtk-led-askpass

* ssh-askpass-fullscreen

* ssh-askpass-gnome

* ssh-askpass

I use ssh-askpass-fullscreen and gtk-led-askpass at home and work respectively to enter my passphrase on login. Once one of these packages is installed we can add 'ssh-add' to our GNOME start up list and it will graphically ask us for our passphrase. Within GNOME, go to the Session Manager configuration application and add a new application on the third tab: all you need to do is click Add and type 'ssh-add'. Under Debian, the session manager is found under the User Menu. Once you've added the key, applications like Nautilus will start using it to log into SSH servers.

Wrapping Up

Last but not least, this barely scratches the surface of what SSH is capable of and what has been built on the project. There are tools like rsync (from the same guy who wrote Samba) that utilise SSH to provide secure transmission of files. SSH also supports comprehensive tunnelling, which makes it useful for building limited VPN-style solutions or for forwarding systems like X11 to remote systems. VNC uses SSH by default for its "-via" option, which allows VNC to be tunnelled through another system. Good luck!

Last Updated on Wednesday, 09 April 2008 06:57