wiki:OpenSsh
Last modified on 03/15/11 14:19:44

Creating a keypair

Creating a key for your user is straightforward. You will need to generate a new keypair and put the public half (id_rsa.pub) in the ~/.ssh/authorized_keys file on any machine you want to connect to.

The command eval `ssh-agent`; ssh-add loads your private key into memory so that you don't need to type your passphrase more than once. You need to run that command each time you log in.

See the Red Hat Deployment Guide for more detailed step-by-step instructions. Here is a quick example:

ssh-keygen -b 4096 -t rsa  # enter a passphrase different from your password
# ~/.ssh must not be writable by group or others (700 is the stricter choice)
chmod 755 ~/.ssh
# tell ssh to allow connections using that key
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 644 ~/.ssh/authorized_keys
# load your new key into memory
eval `ssh-agent`; ssh-add
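An added example, not from this wiki page: a small POSIX-sh audit of the permissions the quick example sets. It reports the conditions under which sshd (with the default StrictModes) rejects ~/.ssh or authorized_keys, and under which the ssh client refuses a private key that others can read. The function names ssh_dir_audit and go_mode are chosen here.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit the permissions set above.
# sshd with StrictModes rejects ~/.ssh and authorized_keys when they are
# writable by group or others; the ssh client refuses a private key that
# anyone else can read ("UNPROTECTED PRIVATE KEY FILE").

# Print the group+other part of the mode string, e.g. "r-xr-x" for 0755.
go_mode() {
    ls -ld "$1" | cut -c5-10
}

# Usage: ssh_dir_audit DIR   (DIR defaults to ~/.ssh)
# Prints one line per problem; returns 0 when everything is acceptable.
ssh_dir_audit() {
    dir=${1:-"$HOME/.ssh"}
    problems=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi
    # The directory, authorized_keys and config must not be writable by others.
    for path in "$dir" "$dir/authorized_keys" "$dir/config"; do
        [ -e "$path" ] || continue
        case $(go_mode "$path") in
            *w*) echo "group/world-writable: $path"; problems=$((problems + 1)) ;;
        esac
    done
    # Private keys: any file with a matching .pub sibling, or carrying a
    # PRIVATE KEY header, must have no group/other access at all.
    for key in "$dir"/*; do
        [ -f "$key" ] || continue
        case $key in *.pub|*/authorized_keys|*/config|*/known_hosts) continue ;; esac
        if [ -f "$key.pub" ] || grep -q 'PRIVATE KEY' "$key" 2>/dev/null; then
            if [ "$(go_mode "$key")" != "------" ]; then
                echo "private key readable by others: $key"
                problems=$((problems + 1))
            fi
        fi
    done
    [ "$problems" -eq 0 ]
}
```

Run it as `ssh_dir_audit` after the steps above; a nonzero exit means ssh or sshd will refuse at least one of the files listed.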

Multiple private keys

Best practice is to create a new keypair for connections to different systems. For example, say you get an account from the CS department for a project. Generate a new keypair with ssh-keygen and save it under a new name such as cs_rsa. By default ssh will not know to use that new key, so you can either specify it on the command line with -i or create a ~/.ssh/config file. The format is like this:

Host *.cs.washington.edu
  User joshuadf
  IdentityFile ~/.ssh/cs_rsa

You can also load multiple private keys into a running copy of ssh-agent with a command like ssh-add ~/.ssh/cs_rsa.

Connecting from Windows

PuTTY is a small free client which also includes utilities for command-line connections (Plink) and for generating keys (PuTTYgen). Make sure to export keys in the OpenSSH format before adding them to your ~/.ssh/authorized_keys file.

More details

Most authentication between Linux machines is done with SSH, specifically with public-key verification through host keys and personal keys. Host public keys are kept on each machine in /etc/ssh/ssh_known_hosts, so you should never see a message for a SIG machine like this one for vergil:

 The authenticity of host 'vergil.u (140.142.12.6)' can't be established.
 DSA key fingerprint is 30:24:b6:7c:35:76:fd:c3:45:de:9d:02:ef:1f:cd:0d.
 Are you sure you want to continue connecting (yes/no)? no
 Host key verification failed.

RSA is the faster algorithm (and has some other advantages), but because for a long time it was patented, the default algorithm was DSS (DSA host keys with SHA-1 hashes). The patent has now expired and RSA should be used in the future.

For more information, see