In this tutorial, we’ll cover the basics of SSH keys and how to generate an SSH key pair in Linux.
2. Secure Shell (SSH)
Secure Shell (SSH) is a secure remote login protocol that leverages public-key cryptography to encrypt the communication between a client and a server.
2.1. Public-Key Encryption
In general, public-key encryption (also called asymmetric encryption) requires a key pair — a public key and a private key — that act as complements of one another. We use a public key to decrypt a message encrypted with a corresponding private key and vice versa.
Note that we cannot decrypt a message with the same key that encrypted it. Therefore, we cannot decrypt a message using a private key if the corresponding private key encrypted it.
Likewise, we cannot decrypt a message using a public key if the same public key encrypted it. Thus, we can share the public key freely, so long as we don’t share the private key since both are required to encrypt and decrypt messages.
2.2. Authenticating a Sender
SSH uses public-key encryption to ensure that a client is who it claims to be. First, the client must register with the server by sending the client’s public key to the server. The server then records this public key in a list of authenticated clients and assigns it an ID. Both the server and client know this ID.
Once registration is complete, a client can later authenticate with the server using the following steps:
- The client and server agree on a secret key using the Diffie-Hellman key exchange algorithm.
- The client sends the server its ID.
- The server checks to ensure that the received ID is in its list of authenticated clients.
- The server creates a random number, encrypts it using the client’s public key corresponding to the received ID, and sends it to the client.
- The client decrypts the random number with its private key.
- The client combines the random number with the secret key, hashes it, and sends it to the server.
- The server computes the hash of the combined random number and secret.
- The server compares the computed hash with the one received from the client.
If the computed and received hashes match, authentication is successful.
Essentially, SSH tests the client by encrypting some data with the recorded public key, sending it to the client, and requiring that the client decrypt and send back the same data. If the client can successfully decrypt and send back the same data, it must have the private key associated with the recorded public key. Therefore, the client is who it claims to be.
3. Generating SSH Keys
Unsurprisingly, many of the most popular websites, including GitHub and GitLab, use SSH authentication.
To use this mechanism on these websites, we must create an SSH key pair. To generate a key-pair for the current user, execute:
We will be prompted to enter a location to save the key pair, a passphrase, and a passphrase confirmation. Select the defaults for all three by hitting the Enter key at each prompt.
By default, ssh-keygen will save the key pair to ~/.ssh. In that directory, we see two files — id_rsa and id_rsa.pub — corresponding to the private and public keys, respectively.
Note that the private key (id_rsa) should never be shared.
Additionally, we can view the contents of the public key by executing cat ~/.ssh/id_rsa.pub. The output will resemble:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD1Y6mRUepVaEZ+6ghg+ju/iirHQqQbuE3Wy6aEb+b nKlzqFgAyGFuQSw+DuDqyZkWFd9O4Al4TOr7bQsS6Xji2GUt0ikr9/gv2pVwUd9LBiEAks+HEfb4tMO 77FMGQ4BytU9ssYCjCRT4F7rx0li0qUqhgao7syaxu4PTI+p+Auz1Y1wwVf7T4Pwd9YFcThTa6+Lr5r vbft8Ws2KwHDEzNH2lf9UoiN1Lcd5szHpT1iXz9jvb3Fmd2I8d8seThde5WHI7N6t+ojyqntIc9bMW9 TL2uw/kFtZfIsC4/OKDVscWRBxY7xkb/4N5UJJ9OL2cpu1fZBHL9T6TG4lOyIEMj [email protected]
3.1. Changing Default Location
To save the key pair to a specific location, we execute ssh-keygen and enter the location when prompted:
Enter file in which to save the key (/home/my-username/.ssh/id_rsa):
While the prompt only includes the name of the private key, ssh-keygen will generate a public key file with the .pub extension in the same directory.
We can also generate a key pair in the current directory with a specific file name using the -f flag:
ssh-keygen -f example
The above command will generate a key pair of example and example.pub in the current directory.
3.2. Adding a Passphrase
Also, we can require a passphrase to unlock our generated key pair. To add a passphrase, we execute ssh-keygen and enter the passphrase when prompted:
Enter passphrase (empty for no passphrase):
ssh-keygen will prompt us to confirm the passphrase. If the passphrases don’t match, ssh-keygen will prompt us to enter a passphrase and reconfirm again.
3.3. Selecting an Algorithm and Length
Unless otherwise specified, ssh-keygen uses the Rivest–Shamir–Adleman (RSA) algorithm when generating the key pair. We can specify another algorithm using the -t flag. For example:
ssh-keygen -t dsa
By default, this will generate a key pair of id_dsa and id_dsa.pub. In general, the default file names of the generated pair will have the format id_<algorithm> and id_<algorithm>.pub.
We can view the list of supported algorithms by supplying the –help flag:
This will result in an output resembling the following:
usage: ssh-keygen ... [-t dsa | ecdsa | ed25519 | rsa] ...
If required, the length of the generated key can also be specified in bytes using the -b flag:
ssh-keygen -b 4096
In this quick tutorial, we learned the basics of SSH and how it can be used to authenticate a user. Using this understanding, we can use the ssh-keygen command to generate SSH key pairs using various algorithms and of varying lengths.
We can then use these key pairs to authenticate automatically with applications that support SSH.