Ssh is a secure and popular protocol for managing different types of IT devices like Linux systems, network devices, etc. What makes ssh secure is the encryption of network traffic. Network traffic is encrypted with different types of encryption algorithms. There is also user authentication done with encryption algorithms. These algorithms need keys to operate. Keys are generally produced with auxiliary tools. ssh-keygen is a defacto tool used by ssh and other applications to create different types of keys. In this tutorial, we will look at how it works.
We will look at some terms and concepts about public cryptography in this part. In public cryptography, there are two keys. These keys are called public and private. Public keys are known by others to create encrypted data. Private keys are only known by its owner. Data are encrypted by public keys by anyone but only the private key owner can decrypt the message. So keeping the private keys is important. ssh-keygen is used to create a different type of public-private keys.
There are some configurations files those used by ssh. We will look at the public-private keys related configuration files.
~/.ssh/identity.pubcontains the protocol version 1 RSA public key
~/.ssh/id_dsa contains the protocol version 2 DSA authentication identity of the user.
~/.ssh/id_dsa.pub contains the protocol version 2 DSA public key for authentication
~/.ssh/id_rsa contains the protocol version 2 RSA authentication identity of the user
~/.ssh/id_rsa.pub contains the protocol version 2 RSA public key for authentication
Generate Keys with ssh-keygen
Generating keys without any parameter is very easy. This will generate default values and options a key. This will take 3 steps just enter after issuing the
Set Key File Name and Path
Now we will specify the path key files to be saved. We do not enter a path if we want to use default path which is
Enter file in which to save the key (/home/ismail/.ssh/id_rsa):
Encrypt Private SSH Keys with ssh-keygen
Now we will enter passphrase but we will not. Where our private key will
Enter passphrase (empty for no passphrase):
Again do not enter passphrase
Enter same passphrase again:
Generate RSA Key with ssh-keygen
In previous example we have generated ssh key with default settings. The default settings was like below.
- 2048 bit
But we can specify the public key algorithm explicitly by using
-t option like below.
$ ssh-keygen -t rsa
Generate DSA Key with ssh-keygen
DSA is a less popular but useful public key algorithm. DSA keys can be generated by specifying key types with
$ ssh-keygen -t dsa
Set Key Size for ssh-keygen
Keys have different size for different purposes. Bigger size means more security but brings more processing need which is a trade of. We can specify the size of the keys according to our needs with
-s option and the length of key. The size count specifies bits in a key. So following example will create 1024 bit key.
$ ssh-keygen -b 1024
Write Keys To File with ssh-keygen
Created keys will be written to the
~/.ssh with related name. This default behavior can be changed with
-f option and file with path. In this example we will write keys to the current users home directory.
$ ssh-keygen -f ~/key
As we can see the path is not asked to us because we have all ready provided explicitly.
Encrypt Generated Keys with ssh-keygen
Private keys must be protected. There are different ways to protect privates. We should use symmetric cryptography to crypt private key.
ssh-key all ready provide this feature. We will set a password to access the private key. In an interactive run, the passphrase is asked but we can also specify explicitly while calling the command with
-N option like below. We will provide passphrase in cleartext. This passphrase also saved in a bash history file which will create a security vulnerability. Keep these while using option based encryption of public keys.
$ ssh-keygen -N Pp2013Pp -f ~/ke