Question
- How do I generate an SSH public/private key pair?
Environment
- Oregon State University
- Mac
- Linux
Explanation
This article will walk you through the steps to create and use key authentication for SSH server login.
Key authentication is a more secure log-in process that replaces passwords with cryptographic keys. Generally, a user generates a key pair on their own computer. The keys are produced by public-key algorithms and are long enough that guessing them is computationally infeasible, which makes them virtually impossible to “crack”. When creating a key pair, you will receive both a private and public key.
Your Private Key is secret and should never be shared – treat it as you would your password. It is protected by a passphrase and stored (only) on your computer. Private keys prove your identity when logging in to an SSH server.
Your Public Key is meant to be shared. This is the key that will be placed on any SSH server you access. Anything encrypted with the public key can only be decrypted with the matching private key.
Think of your keys as a mathematically linked pair. The public key can check what the private key produces, but the relationship is one-way: your private key cannot be derived from your public key.
Resolution
Generating an SSH Key Pair
Both Mac and Linux operating systems offer a built-in command to generate keys.
- Open the “Terminal” application – your window may look different than the one in this demo
- Once your username appears, type ssh-keygen and press Enter
- When asked to enter the file path, press Enter to use the default
- Next, it will ask you to create a passphrase. This will not be your ONID password, but the password you will enter each time you use the key. In the event someone does get your private key, they won’t be able to use it without this passphrase. (Note: it will not look like you are entering any text on screen, but this is a security measure – just type as normal!) Press Enter each time you finish typing it
- Once you enter your passphrase, the system will create two files in the /home/user/.ssh folder: id_rsa and id_rsa.pub. As mentioned previously, these are your private and public keys respectively. You’ll see a “key fingerprint” and “randomart image” displayed if the command completed successfully. You do not need to save these.
Finding your SSH public key
After successfully creating your authentication keys, you’ll need to get them to the owner of the server(s) you need to access.
- Navigate to the directory where your keys are saved using the cd command (this should be cd ~/.ssh)
- Confirm this is the right directory by using the ls command and pressing Enter; look for the two id_rsa files
- To view your public key, use the command cat id_rsa.pub and press Enter
- Lastly, hold down your left mouse button and select ALL the text from the key (including “ssh-rsa” and your computer’s name.) Use the right-click on your mouse (or the Enter key) to copy the entire public key to your clipboard
- Now that you have your public key, send it over to the server owner whose system you’re trying to access. They will need to place it in the server’s authorized keys file to allow you access with key authentication. Since your public key can be shared freely, the best way to share your key is using a (still secure) service like Box Drive. Check with the server owner or IT support group to confirm their process.
- Alternatively, you can copy the file over to your remote host if logged in directly. (e.g. Logged into shell.onid.oregonstate.edu or flip.engr.oregonstate.edu)
- One method is copying the file itself to the .ssh directory of the remote host. Make sure it's the public key!
- Another method is using cat and redirecting that output to append/create a new file on remote host.
- command: cat ~/.ssh/id_rsa.pub | ssh user@hostname 'cat >> .ssh/authorized_keys' (fill in user and hostname with your username and the host)
- This is effectively the same as copying the text of your public key and pasting it into a file on the remote host. The >> part of the command appends to the file if it already exists (and creates it otherwise).
- The best command to use is ssh-copy-id. This will effectively copy the proper key to the proper directory when connected to the remote host successfully. To use: ssh-copy-id -i ~/.ssh/mykey user@host (fill in mykey, user, and host with your info)
Information on using this command, and troubleshooting it can be found here: https://www.ssh.com/academy/ssh/copy-id
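The cat-and-redirect one-liner above works, but it appends blindly: run it twice and the key is listed twice, paste the wrong file and a private key ends up on the server, and if ~/.ssh or authorized_keys is left with loose permissions sshd (with its default StrictModes) ignores the file and you are back to a password prompt. The script below is an added example, not part of the OSU article or of ssh-copy-id; it shows what a careful install of a public key looks like on the receiving side. The sample key line is a constructed placeholder, and the target directory is a parameter so it can be tried in a scratch folder before touching a real ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the OSU article): install an OpenSSH public key into
# an authorized_keys file with the safeguards the plain `cat >> ...` lacks:
#   1. the line must look like "<type> <base64 blob> [comment]", so a private
#      key pasted by mistake is refused instead of installed;
#   2. the key is appended only once (matched on type + blob, so a changed
#      comment does not create a duplicate);
#   3. the directory and file get the permissions sshd expects (700 / 600).

# Constructed sample public key line (placeholder blob, not a real key).
SAMPLE_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERkeyblob0000000000000000000000 user@laptop"

# is_public_key LINE -> returns 0 if LINE has a known key type and a base64 blob
is_public_key() {
    line=$1
    case "$line" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
        *) return 1 ;;
    esac
    blob=$(printf '%s\n' "$line" | awk '{print $2}')
    [ -n "$blob" ] || return 1
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# install_key SSH_DIR PUBKEY_LINE -> prints "installed" or "already present"
# and returns 0; returns 1 (nothing written) if the line is not a public key
install_key() {
    dir=$1
    key=$2
    is_public_key "$key" || { echo "refused: not an OpenSSH public key line" >&2; return 1; }
    mkdir -p "$dir"
    chmod 700 "$dir"                     # sshd refuses a group/world-writable ~/.ssh
    auth="$dir/authorized_keys"
    touch "$auth"
    chmod 600 "$auth"
    keytype=$(printf '%s\n' "$key" | awk '{print $1}')
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    if awk -v t="$keytype" -v b="$blob" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "installed"
    fi
}

# count_keys SSH_DIR -> number of non-empty lines in authorized_keys (0 if absent)
count_keys() {
    if [ -f "$1/authorized_keys" ]; then
        awk 'NF { n++ } END { print n + 0 }' "$1/authorized_keys"
    else
        echo 0
    fi
}

# Demo against a throwaway directory: second call is a no-op, private key refused.
demo_dir=$(mktemp -d)
install_key "$demo_dir" "$SAMPLE_PUBKEY"
install_key "$demo_dir" "$SAMPLE_PUBKEY"
install_key "$demo_dir" "-----BEGIN OPENSSH PRIVATE KEY-----" || echo "private key rejected, as intended"
echo "keys in file: $(count_keys "$demo_dir")"
rm -rf "$demo_dir"
```

To use it for real, call install_key with "$HOME/.ssh" and the line from cat id_rsa.pub; the permission fix alone resolves the most common reason a freshly copied key still prompts for a password.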
Logging-in to an SSH server using key authentication
- To log in using an SSH key, the process is almost identical to standard password login. For shell access, run the command ssh user@serveraddress and press Enter
- Instead of entering your user password, you’ll be prompted for your key passphrase that you set in step 4 of the key generation process. Again, text will not appear while you type, but it is being entered. Type normally
- After typing your passphrase, press Enter. You should be successfully logged in
For assistance, contact the Service Desk.