Creating a keypair
Creating a key for your user is straightforward. You generate a new keypair: the private key (id_rsa) stays on your machine and should be protected with a passphrase, and the public key (id_rsa.pub) goes into the ~/.ssh/authorized_keys file on any machine you want to connect to.
The command eval `ssh-agent`; ssh-add loads your private key into a running ssh-agent so that you don't need to type your passphrase more than once per session. You need to run that command each time you log in.
See the Red Hat Deployment Guide for more detailed step-by-step instructions. Here is a quick example:
ssh-keygen -b 4096 -t rsa                          # enter a passphrase different from your password
chmod 700 ~/.ssh                                   # sshd ignores the directory if it is group- or world-writable
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys    # tell ssh to allow connections using that key
chmod 600 ~/.ssh/authorized_keys
eval `ssh-agent`; ssh-add                          # load your new key into memory

The cat line appends the key to authorized_keys in your own home directory, which is enough when your home directory is shared across the machines you log in to. For a host with a separate home directory, copy id_rsa.pub there and append it to that machine's ~/.ssh/authorized_keys (ssh-copy-id does exactly this).
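The cat >> step above adds a duplicate line every time it is run and leaves the permissions to you. The following shell script is an added example (not from the original page) that installs a public key into authorized_keys only if it is not already there and sets the permissions sshd's StrictModes checks. The key in the demonstration is a constructed placeholder, not real key material.

```shell
#!/bin/sh
# Added example: idempotent installation of a public key into
# ~/.ssh/authorized_keys. Not from the original page.

# install_pubkey <pubkey-file> <home-dir>
install_pubkey() {
    pubkey_file=$1
    sshdir=$2/.ssh
    auth=$sshdir/authorized_keys

    # Fields 1 and 2 (key type and base64 blob) identify a key; the trailing
    # comment is free text and must not take part in the comparison.
    keyid=$(awk 'NF >= 2 { print $1, $2; exit }' "$pubkey_file")
    [ -n "$keyid" ] || { echo "no public key in $pubkey_file" >&2; return 1; }

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"        # a group/world-writable ~/.ssh makes sshd ignore the file
    touch "$auth"
    chmod 600 "$auth"

    if awk -v k="$keyid" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth"; then
        echo "already present: $keyid"
        return 0
    fi
    printf '%s\n' "$(cat "$pubkey_file")" >> "$auth"   # guarantees a trailing newline
    echo "installed: $keyid"
}

# key_count <home-dir>: number of key lines in that home's authorized_keys
key_count() {
    awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# dir_mode <path>: permission string as printed by ls -ld, e.g. drwx------
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Demonstration in a temporary home directory with a constructed key.
demo_home=$(mktemp -d)
printf '%s\n' "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey joshuadf@laptop" > "$demo_home/demo.pub"
install_pubkey "$demo_home/demo.pub" "$demo_home"
install_pubkey "$demo_home/demo.pub" "$demo_home"   # second run is a no-op
echo "keys: $(key_count "$demo_home"), mode: $(dir_mode "$demo_home/.ssh")"
rm -rf "$demo_home"
```

Run it as install_pubkey ~/.ssh/id_rsa.pub "$HOME" on a machine with a shared home directory, or against a copy of the remote authorized_keys file. Comparing only the type and blob fields means re-running after you change the key's comment still does not add a second entry.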
Multiple private keys
Best practice is to create a new keypair for connections to different systems. For example, say you get an account from the CS department for a project. Generate a new keypair with ssh-keygen and save it with a new name such as cs_rsa. By default ssh will not know to use that new key, so you can either specify it on the command line (ssh -i ~/.ssh/cs_rsa host) or create a ~/.ssh/config file. Stanzas are read top to bottom and the first value found for an option wins, so put specific hosts before any catch-all Host * entry. The format is like this:

Host *.cs.washington.edu
    User joshuadf
    IdentityFile ~/.ssh/cs_rsa
You can also load multiple private keys into a running copy of ssh-agent with a command like ssh-add ~/.ssh/cs_rsa.
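To see which key a config file selects for a given hostname, the following shell function is an added example (not from the original page or OpenSSH) that resolves an option the way ssh reads ~/.ssh/config: Host patterns are shell globs, and the first value found wins. Negated patterns (!pattern) and Match blocks are not handled. The config file it builds for the demonstration is constructed; the real ssh client shows the same resolution with ssh -G hostname.

```shell
#!/bin/sh
# Added example: first-match resolution of an ssh_config option.
# Not from the original page.

# resolve_option <config-file> <hostname> <option>
# Prints the option's value; returns 1 if no stanza supplies it.
resolve_option() (
    set -f                     # keep "*" in Host patterns from matching filenames
    config=$1 host=$2 want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    active=1                   # options before the first Host line apply to every host
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}       # strip comments
        set -- $line
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        shift
        if [ "$key" = host ]; then
            active=0
            for pat in "$@"; do
                case $host in $pat) active=1; break ;; esac
            done
        elif [ "$active" = 1 ] && [ "$key" = "$want" ]; then
            printf '%s\n' "$*"
            exit 0             # first value found wins, as in ssh
        fi
    done < "$config"
    exit 1
)

# Demonstration with a constructed config file.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Host *.cs.washington.edu
    User joshuadf
    IdentityFile ~/.ssh/cs_rsa
    IdentitiesOnly yes

Host *
    IdentityFile ~/.ssh/id_rsa
EOF
for h in attu.cs.washington.edu example.org; do
    echo "$h -> $(resolve_option "$demo" "$h" IdentityFile)"
done
rm -f "$demo"
```

The IdentitiesOnly yes line in the constructed config is worth copying: without it, ssh also offers every key loaded in ssh-agent to that host, which leaks the public halves of your other keys and can hit the server's authentication-attempt limit before the right key is tried.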
Connecting from Windows
PuTTY is a small free client which also includes utilities for command-line connections (Plink) and generating keys (PuTTYgen). PuTTYgen's own .ppk format is not what OpenSSH servers read: paste the one-line public key shown in the PuTTYgen window (labelled for pasting into an OpenSSH authorized_keys file) into your ~/.ssh/authorized_keys, and if you need the private key on a Linux machine too, use PuTTYgen's export-to-OpenSSH option for it.
More details
Most authentication between Linux machines is done with SSH, specifically with public-key verification through host keys and personal keys. Host public keys are kept on each machine in /etc/ssh/ssh_known_hosts (and per user in ~/.ssh/known_hosts), so you should never see a message for a SIG machine like this one for vergil:

    The authenticity of host 'vergil.u (140.142.12.6)' can't be established.
    DSA key fingerprint is 30:24:b6:7c:35:76:fd:c3:45:de:9d:02:ef:1f:cd:0d.
    Are you sure you want to continue connecting (yes/no)? no
    Host key verification failed.

If you do see it for a machine that should already be known, do not answer yes: the host key is not in the known-hosts files, so either the system's list is out of date or something is impersonating the host. Check the fingerprint through an independent channel (the administrators, or ssh-keygen -l -f /etc/ssh/ssh_host_*_key.pub on the console of the machine itself) before accepting it. A "REMOTE HOST IDENTIFICATION HAS CHANGED" warning, where a key is present but differs from the one offered, deserves the same treatment.
RSA signature verification is faster (and RSA has some other advantages), but because RSA was patented for a long time the default algorithm was DSS (DSA host keys, with SHA-1 as the signature hash). The patent has now expired and RSA should be used instead. Note that current OpenSSH releases disable DSA keys entirely by default (since 7.0), and since 8.8 they also refuse SHA-1 based ssh-rsa signatures, so RSA keys must use the rsa-sha2 signature schemes; Ed25519 keys (ssh-keygen -t ed25519) are the usual choice on current systems.
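The three outcomes a client can reach when it consults the known-hosts files (pinned key, unknown host, changed key) are the heart of host verification, so here is an added example (not from the original page or OpenSSH) that classifies an offered host key against a known_hosts file in plain shell. The known_hosts lines and key blobs in the demonstration are constructed placeholders; hashed entries (|1|...) and @cert-authority / @revoked markers are skipped rather than interpreted.

```shell
#!/bin/sh
# Added example: classify an offered host key against known_hosts.
# Not from the original page. Exit status: 0 MATCH, 1 UNKNOWN, 2 MISMATCH.

# check_host_key <known-hosts-file> <hostname> <key-type> <key-blob>
check_host_key() (
    set -f                       # host patterns may contain "*" and "?"
    known=$1 host=$2 ptype=$3 pblob=$4
    verdict=UNKNOWN
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        set -- $line
        [ $# -ge 3 ] || continue
        case $1 in @*|'|1|'*) continue ;; esac   # markers and hashed entries not handled
        hosts=$1 ktype=$2 kblob=$3
        # The first field is a comma-separated list of names, addresses or patterns.
        oifs=$IFS; IFS=,; set -- $hosts; IFS=$oifs
        for pat in "$@"; do
            case $host in $pat)
                if [ "$ktype" = "$ptype" ]; then
                    if [ "$kblob" = "$pblob" ]; then
                        echo MATCH; exit 0
                    fi
                    verdict=MISMATCH   # same host, same key type, different key: possible MITM
                fi
                ;;
            esac
        done
    done < "$known"
    echo "$verdict"
    [ "$verdict" = UNKNOWN ] && exit 1
    exit 2
)

# Demonstration with a constructed known_hosts file (blobs are placeholders).
demo=$(mktemp)
cat > "$demo" <<'EOF'
vergil.u,vergil.u.washington.edu,140.142.12.6 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedVergil vergil host key
*.cs.washington.edu ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedCsWildcard
EOF
check_host_key "$demo" vergil.u ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedVergil
check_host_key "$demo" vergil.u ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsomethingElse || true
check_host_key "$demo" unknown.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedVergil || true
rm -f "$demo"
```

The distinction the function makes is the one to keep in mind at the prompt: UNKNOWN is a missing entry and is fixed by verifying the fingerprint out of band and adding it, while MISMATCH means the file already pins a different key for that name and must be investigated rather than bypassed by deleting the line.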
For more information, see
