Ssh is a secure and popular protocol for managing different type of IT devices like Linux systems, Network devices etc. What makes ssh secure is the encryption of the network traffic. Network traffic is encrypted with different type of encryption algorithms. There is also user authentication done with encryption algorithms. These algorithms needs keys to operate. Keys are generally produced with auxiliary tools. ssh-keygen is defacto tool used by ssh and other applications to create different type of keys. In this tutorial we will look how it works.
We will look some terms and concepts about public cryptography in this part. In public cryptography there is two keys. These keys are called public and private. Public keys are known by others to create encrypted data. Private keys are only known by its owner. Data are encrypted by public keys by anyone but only the private key owner can decrypt the message. So keeping private key is important.
ssh-keygen is used to create different type of public-private keys.
There are some configurations files those used by ssh. We will look the public private keys related configuration files.
~/.ssh/identity.pubcontains the protocol version 1 RSA public key
~/.ssh/id_dsa contains the protocol version 2 DSA authentication identity of the user.
~/.ssh/id_dsa.pub contains the protocol version 2 DSA public key for authentication
~/.ssh/id_rsa contains the protocol version 2 RSA authentication identity of the user
~/.ssh/id_rsa.pub contains the protocol version 2 RSA public key for authentication
Generating key without any parameter is very easy. This will generate with default values and options a key. This will take 3 step just enter after issuing the
Set Key File Name and Path
Now we will specify the path key files to be saved. We do not enter a path if we want to use default path which is
Enter file in which to save the key (/home/ismail/.ssh/id_rsa):
Encrypt Private Ssh Keys
Now we will enter passphrase but we will not. Where our private key will
Enter passphrase (empty for no passphrase):
Again do not enter passphrase
Enter same passphrase again:
Generate RSA Key
In previous example we have generated ssh key with default settings. The default settings was like below.
- 2048 bit
But we can specify the public key algorithm explicitly by using
-t option like below.
$ ssh-keygen -t rsa
Generate DSA Key
DSA is less popular but useful public key algorithm. DSA keys can be generated by specifying key types with
$ ssh-keygen -t dsa
Set Key Size
Keys have different size for different purposes. Bigger size means more security but brings more processing need which is a trade of. We can specify the size of the keys according to our needs with
-s option and the length of key. The size count specifies bits in a key. So following example will create 1024 bit key.
$ ssh-keygen -b 1024
Write Keys To File
Created keys will be written to the
~/.ssh with related name. This default behavior can be changed with
-f option and file with path. In this example we will write keys to the current users home directory.
$ ssh-keygen -f ~/key
As we can see the path is not asked to us because we have all ready provided explicitly.
Encrypt Generated Keys
Private keys must be protected. There are different ways to protect privates. We should use symmetric cryptography to crypt private key.
ssh-key all ready provide this feature. We will set password to access to the private key. In interactive run the passphrase is asked but we can also specify explicitly while calling command with
-N option like below. We will provide passphrase in clear text. This passphrase also saved in bash history file which will create a security vulnerability. Keep these while using option based encryption of public keys.
$ ssh-keygen -N Pp2013Pp -f ~/ke