Generating a key pair for a host is an essential step in securing SSH communications. Key pairs consist of a public key, which resides on the host, and a private key, which remains securely with the user. SSH supports various algorithms for key generation, including RSA, ECDSA, and ED25519. Choosing the right algorithm depends on your security requirements and compatibility.
This article explains how to generate key pairs for a host using OpenSSH, provides examples for RSA, ECDSA, and ED25519 algorithms, and highlights best practices for managing and securing your keys.
TL;DR
- Use the ssh-keygen command to generate key pairs for RSA, ECDSA, or ED25519.
- Store the private key securely and copy the public key to the host.
- Example for generating an ED25519 key pair:
ssh-keygen -t ed25519 -C "user@hostname"
Prerequisites
1. OpenSSH Installed: Ensure that the ssh-keygen utility is available on your system.
Check Installation:
ssh -V
2. User Permissions: Use an account with permission to access the .ssh directory on the local and remote hosts.
Generating Key Pairs with OpenSSH
Step 1: Choose an Algorithm
OpenSSH supports multiple key generation algorithms:
- RSA:
- Widely compatible.
- Recommended key length: 2048 or 4096 bits.
- ECDSA:
- Faster than RSA, and stronger than RSA at the same key length, so much shorter keys suffice.
- ED25519:
- Faster, more compact, and highly secure.
Step 2: Generate the Key Pair
Use the ssh-keygen command to generate the key pair.
Generating an RSA Key Pair
Command:
ssh-keygen -t rsa -b 4096 -C "user@hostname"
Here:
- -t rsa: Specifies the RSA algorithm.
- -b 4096: Sets the key length to 4096 bits for enhanced security.
- -C "user@hostname": Adds a comment for easier identification.
Example Output:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Follow the prompts to save the key and set a passphrase.
Generating an ECDSA Key Pair
Command:
ssh-keygen -t ecdsa -b 521 -C "user@hostname"
- -t ecdsa: Specifies the ECDSA algorithm.
- -b 521: Sets the key length to 521 bits (the maximum for ECDSA).
Generating an ED25519 Key Pair
Command:
ssh-keygen -t ed25519 -C "user@hostname"
- -t ed25519: Specifies the ED25519 algorithm.
- -C "user@hostname": Adds a comment for identification.
Advantages of ED25519:
- Fixed key length (256 bits).
- Faster key generation and authentication.
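The "fixed key length" point can be checked directly on a public key line. The base64 field is the SSH wire encoding of the key: a length-prefixed string naming the algorithm, followed by algorithm-specific fields, and for ssh-ed25519 the only field is the raw 32-byte (256-bit) public key. The following script, an added example that is not part of the article, decodes that structure with plain shell tools (base64, od, cut, tr are assumed to be available) and reports whether the line is well-formed, mislabelled, or carries a key of the wrong size. The sample key lines are constructed inside the script; they are not real keys.

```shell
#!/bin/sh
# Structural check of an OpenSSH public key line (added example, not from
# the article). Wire layout: uint32 length, algorithm name, then per-algorithm
# fields; for ssh-ed25519 that is one uint32 length (32) and 32 key bytes.
# Assumes coreutils base64, od, cut and tr.

# be32_at HEXSTRING OFFSET: big-endian uint32 starting at hex-char OFFSET.
be32_at() {
    h=$(printf '%s\n' "$1" | cut -c"$(( $2 + 1 ))-$(( $2 + 8 ))")
    [ ${#h} -eq 8 ] || return 1
    case $h in *[!0-9a-f]*) return 1 ;; esac
    echo $(( 0x$h ))
}

# pubkey_check 'TYPE BASE64 [COMMENT]'
# 0 = well-formed, 1 = cannot parse, 2 = algorithm name inside the blob
# differs from the leading field, 3 = ssh-ed25519 key is not 32 bytes.
pubkey_check() {
    set -- $1
    type=$1
    b64=$2
    [ -n "$type" ] && [ -n "$b64" ] || return 1
    # Decode once and keep the bytes as hex: a POSIX shell variable cannot
    # hold NUL bytes, and the length prefixes are full of them.
    hex=$(printf '%s' "$b64" | base64 -d 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ -n "$hex" ] || return 1
    namelen=$(be32_at "$hex" 0) || return 1
    [ "$namelen" -gt 0 ] || return 1
    namehex=$(printf '%s\n' "$hex" | cut -c9-$(( 8 + namelen * 2 )))
    wanthex=$(printf '%s' "$type" | od -An -tx1 | tr -d ' \n')
    [ "$namehex" = "$wanthex" ] || return 2
    if [ "$type" = ssh-ed25519 ]; then
        keylen=$(be32_at "$hex" $(( 8 + namelen * 2 ))) || return 1
        [ "$keylen" -eq 32 ] || return 3
    fi
    return 0
}

# Constructed samples, built here so no real key is embedded. The 32 "key"
# bytes are ASCII zeros, which is enough for a structural check.
# Layout: uint32 11, "ssh-ed25519", uint32 32, 32 key bytes.
SAMPLE_GOOD="ssh-ed25519 $({ printf '\000\000\000\013ssh-ed25519\000\000\000\040'; printf '%032d' 0; } | base64 | tr -d '\n') user@hostname"
# Same layout, but the blob carries a 16-byte key: not a valid ed25519 key.
SAMPLE_SHORT="ssh-ed25519 $({ printf '\000\000\000\013ssh-ed25519\000\000\000\020'; printf '%016d' 0; } | base64 | tr -d '\n') user@hostname"
# Leading field says ssh-rsa while the blob says ssh-ed25519: a mislabelled line.
SAMPLE_MISLABELLED="ssh-rsa ${SAMPLE_GOOD#ssh-ed25519 }"

for line in "$SAMPLE_GOOD" "$SAMPLE_SHORT" "$SAMPLE_MISLABELLED"; do
    pubkey_check "$line"
    echo "status $? for line starting with: ${line%% *}"
done
```

The same decoding applies to RSA and ECDSA keys, whose blobs carry more fields after the name (exponent and modulus, or curve name and point), which is why their encoded length varies with the chosen key size while an ED25519 line is always the same length.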
Step 3: Copy the Public Key to the Host
Use the ssh-copy-id command to copy the public key to the host.
Command:
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@hostname
If ssh-copy-id is unavailable, manually copy the public key to the host’s ~/.ssh/authorized_keys file:
Command:
cat ~/.ssh/id_ed25519.pub | ssh user@hostname "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Step 4: Test the Connection
After copying the public key, test the SSH connection:
ssh user@hostname
If configured correctly, the connection should not prompt for a password.
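The manual cat-over-ssh command in Step 3 appends blindly: run it twice and the key is listed twice, and it leaves directory and file modes to the umask. The script below is an added example, not the article's own code, showing the host-side form a practitioner would use instead: it creates ~/.ssh with mode 700, keeps authorized_keys at mode 600, and appends the key only when that exact line is not already present. Copy the function to the host (for instance by pasting it into the remote shell) and call install_pubkey with the contents of your .pub file; the demo at the bottom drives it against a temporary directory with a constructed placeholder key so it runs without any host at all. Only POSIX sh, grep, dirname and mktemp are assumed.

```shell
#!/bin/sh
# Idempotent install of a public key into authorized_keys (added example,
# not from the article). sshd's StrictModes, on by default, refuses keys
# when ~/.ssh or authorized_keys is writable by anyone but the owner, so
# the modes are set explicitly rather than left to the umask.

# install_pubkey PUBKEY_LINE AUTHORIZED_KEYS_PATH
# Prints "installed" or "already present"; returns 1 on a malformed line
# or a filesystem error.
install_pubkey() {
    key=$1
    akf=$2
    # Accept only lines that start with a key type OpenSSH recognises, so a
    # stray error message from a broken pipeline never becomes a "key".
    case $key in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) echo "refusing to install unrecognised key line" >&2; return 1 ;;
    esac
    dir=$(dirname "$akf")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -f "$akf" ] || : > "$akf"
    chmod 600 "$akf" || return 1
    # -F: fixed string, -x: whole line. A line with different options or a
    # different comment is a different entry and is appended as such.
    if grep -qFx -- "$key" "$akf"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$akf" || return 1
        echo "installed"
    fi
}

# count_key AUTHORIZED_KEYS_PATH PUBKEY_LINE: exact-line occurrences (0 if none).
count_key() {
    grep -cFx -- "$2" "$1" || true
}

# Constructed demo: a temporary directory stands in for the host's home
# directory, and the key blob is a placeholder, not a real ed25519 key.
demo_home=$(mktemp -d)
demo_key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER user@hostname"
install_pubkey "$demo_key" "$demo_home/.ssh/authorized_keys"   # installed
install_pubkey "$demo_key" "$demo_home/.ssh/authorized_keys"   # already present
echo "occurrences: $(count_key "$demo_home/.ssh/authorized_keys" "$demo_key")"   # occurrences: 1
rm -rf "$demo_home"
```

Whole-line matching is deliberate: two entries for the same key with different options (for example a restricted and an unrestricted one) are different authorizations, and collapsing them would silently change what the key is allowed to do.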
Best Practices for Key Management
Use Strong Passphrases: Protect private keys with a passphrase to mitigate the impact of key theft.
Store Private Keys Securely: Restrict access to private keys using file permissions:
chmod 600 ~/.ssh/id_rsa
Rotate Keys Periodically: Generate new key pairs periodically and replace old keys to enhance security.
Limit Key Access: Use separate key pairs for different hosts or services to reduce the risk of compromise.
Enable Two-Factor Authentication (2FA): Combine key-based authentication with a second factor for enhanced security.
Common Issues and Solutions
Permission Denied Errors:
- Cause: Incorrect permissions on the .ssh directory or authorized_keys file.
- Solution: Set correct permissions:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
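Rather than guessing which file is at fault, the whole directory can be audited in one pass. The script below is an added example, not the article's own code: it checks the modes that sshd's StrictModes (on by default) and the ssh client enforce, prints one line per finding with the chmod that fixes it, and returns non-zero if anything is wrong. It reads modes with ls -ld rather than stat(1), whose option syntax differs between GNU and BSD systems, and the demo at the bottom builds a throwaway directory with the usual mistakes, audits it, applies the fixes above and audits it again.

```shell
#!/bin/sh
# Audit of the ~/.ssh permissions behind "Permission denied" with key
# authentication (added example, not from the article). Public halves
# (*.pub) may stay world-readable; private keys and authorized_keys may not.

# mode_of PATH: the ten-character mode string, e.g. drwx------
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# ssh_perm_audit DIR: print one line per problem; return 1 if any, else 0.
ssh_perm_audit() {
    dir=$1
    bad=0
    case $(mode_of "$dir") in
        drwx------) ;;
        *) echo "$dir: expected mode 700 (chmod 700 \"$dir\")"; bad=1 ;;
    esac
    for f in "$dir"/authorized_keys "$dir"/id_*; do
        [ -f "$f" ] || continue
        case $f in
            *.pub) continue ;;   # public key, world-readable is fine
        esac
        case $(mode_of "$f") in
            -rw-------|-r--------) ;;
            *) echo "$f: expected mode 600 (chmod 600 \"$f\")"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed demo: typical mistakes in a throwaway directory, audited,
# fixed with the chmod commands from the article, and audited again.
demo=$(mktemp -d)
mkdir "$demo/.ssh"; chmod 755 "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"; chmod 644 "$demo/.ssh/authorized_keys"
: > "$demo/.ssh/id_ed25519";      chmod 644 "$demo/.ssh/id_ed25519"
: > "$demo/.ssh/id_ed25519.pub";  chmod 644 "$demo/.ssh/id_ed25519.pub"
echo "before:"; ssh_perm_audit "$demo/.ssh"                    # three findings
chmod 700 "$demo/.ssh"
chmod 600 "$demo/.ssh/authorized_keys" "$demo/.ssh/id_ed25519"
echo "after:";  ssh_perm_audit "$demo/.ssh" && echo "clean"    # no findings
rm -rf "$demo"
```

Ownership matters as much as mode: StrictModes also rejects a directory or file owned by a different user, which this check does not cover, so confirm the owner with ls -ld if the audit passes and the login still fails.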
Key Not Recognized:
- Cause: The public key was not copied correctly.
- Solution: Verify the contents of the authorized_keys file on the host.
Passphrase Prompts:
- Cause: SSH agent not configured to cache the passphrase.
- Solution: Add the private key to the SSH agent:
ssh-add ~/.ssh/id_rsa