SSH Keygen: The Perfect Guide for Beginners
SSH (Secure Shell) is an essential tool for securely accessing remote servers. SSH key-based authentication provides much stronger security than passwords and is crucial knowledge for every developer. In this post, I will explain the basic concepts of SSH key generation and its practical usage in an easy and detailed manner suitable for beginners.
Why do we need SSH Keygen?
The traditional password method has the downside of being exposed during input and is vulnerable to brute-force attacks. SSH keys solve these problems using a pair of keys: a public key and a private key.
- Private Key: Safely stored on the user's computer and should never be exposed to the outside. This key is required to access the server.
- Public Key: The key registered on the server you want to access. It can be publicly exposed without security issues.
When accessing via SSH, the server uses the user's public key to encrypt the authentication request, and if the user's private key on their computer successfully decrypts this, access is granted. This allows for secure communication without the need to share passwords.
How to Generate SSH Keys: ssh-keygen Command
The most basic command to generate SSH keys is ssh-keygen. Open your terminal and type the following command.
ssh-keygen
Once you run the command, you will be prompted with several questions. Let's go through them one by one.
- Enter file in which to save the key (/home/youruser/.ssh/id_rsa):
  - This is a question about the saving path for the generated key file. Unless you have a specific reason, it's recommended to use the default path .ssh/id_rsa. Just press Enter.
- Enter passphrase (empty for no passphrase):
  - This is a question about whether to set a password for the private key. It is strongly recommended to set one for enhanced security. If you set a password, even if the private key is leaked, it cannot be used without knowing the password, providing double security. Note that nothing will be displayed in the terminal as you type the password, so be careful and press Enter once you are done.
- Enter same passphrase again:
  - Re-enter the password entered previously for confirmation.
Expected Result:
Your identification has been saved in /home/youruser/.ssh/id_rsa
Your public key has been saved in /home/youruser/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx youruser@yourmachine
The key's randomart image is:
+---[RSA 3072]----+
| .=*o. |
| . +.E+ |
| . o.=. . |
| o . o |
| . S . |
| . . |
| . |
| |
| |
+----[SHA256]-----+
Once the key generation is complete, two files will be created in the ~/.ssh/ directory.
- id_rsa: Private Key
- id_rsa.pub: Public Key
RSA vs. Ed25519: Which Method Should You Choose?
When generating SSH keys, you can specify the encryption method for the key using the -t option with the ssh-keygen command. The commonly used methods are RSA and Ed25519.
1. RSA Method (-t rsa)
- This method has been widely used since the early days of SSH.
- It is proven to be stable and is compatible with most systems.
- You can specify the key length, with 4096 bits generally recommended.
- Example:
ssh-keygen -t rsa -b 4096
2. Ed25519 Method (-t ed25519)
- This is a more modern encryption method based on Curve25519 elliptic curve encryption.
- It provides equivalent or higher levels of security with shorter key lengths compared to RSA.
- Key generation and authentication speeds are faster, and it uses fewer resources.
- It is supported by most modern systems but may not be compatible with very old systems.
- Example:
ssh-keygen -t ed25519
Recommended Method and Reasons
At this time, if there are no particular compatibility issues, it is highly recommended to use the Ed25519 method.
- Better Security: It offers strong security even with shorter key lengths, making it more resilient to brute-force attacks.
- Faster Performance: The key generation and authentication process is more efficient.
- Simplicity: It can be generated easily without having to worry about key length like RSA.
Example of Generating an Ed25519 Key
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_my_server -C "my_server_ssh_key"
- -t ed25519: Generates a key using the Ed25519 method.
- -f ~/.ssh/id_ed25519_my_server: Sets the key file name to id_ed25519_my_server. (You can specify a different name to distinguish it from the existing id_rsa key.)
- -C "my_server_ssh_key": Adds a comment for the key. It's a good idea to label it so you can easily identify its purpose.
Expected Result:
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): # Enter password (recommended)
Enter same passphrase again: # Confirm password
Your identification has been saved in /home/youruser/.ssh/id_ed25519_my_server
Your public key has been saved in /home/youruser/.ssh/id_ed25519_my_server.pub
The key fingerprint is:
SHA256:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy my_server_ssh_key
The key's randomart image is:
+--[ED25519 256]--+
| .+=+ |
| . oE B |
| o + O |
| . + + |
| o . S |
| . = . |
| . B + |
| . * = o |
|+ o . = . |
+----[SHA256]-----+
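As an added example (not part of the original post), the script below checks existing key pairs against the recommendations above: it reports each key's type and length, whether the private key file is accessible to other users, and whether it is stored without a passphrase. The function names and the MIN_RSA_BITS variable are made up for this example; the ssh-keygen options used (-l, -y, -P, -f) are standard OpenSSH options.

```shell
#!/bin/sh
# Added example (not from the original post): audit SSH key pairs.
MIN_RSA_BITS="${MIN_RSA_BITS:-4096}"  # RSA length this guide recommends

# key_info FILE.pub -> "BITS TYPE", e.g. "256 ED25519"
key_info() {
    ssh-keygen -l -f "$1" | awk '{ gsub(/[()]/, "", $NF); print $1, $NF }'
}

# perms_ok FILE -> true when group and others have no access (e.g. 600)
perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# has_passphrase PRIVATE_KEY -> true when the private key is encrypted.
# -y re-derives the public key; with an empty -P it only succeeds when
# the key is stored without a passphrase, and it never prompts.
has_passphrase() {
    ! ssh-keygen -y -P "" -f "$1" </dev/null >/dev/null 2>&1
}

# audit_key PRIVATE_KEY -> "TYPE BITS findings" ("ok" when nothing found)
audit_key() {
    info=$(key_info "$1.pub")
    bits=${info% *}; ktype=${info#* }
    findings=""
    if ! perms_ok "$1"; then
        # ssh-keygen refuses to load such a file, so the passphrase
        # status cannot be tested until the permissions are fixed.
        findings="loose-permissions"
    elif ! has_passphrase "$1"; then
        findings="no-passphrase"
    fi
    if [ "$ktype" = "RSA" ] && [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        findings="${findings:+$findings,}rsa-under-$MIN_RSA_BITS"
    fi
    echo "$ktype $bits ${findings:-ok}"
}

# audit_dir DIR -> one line per private key that has a matching .pub file
audit_dir() {
    for pub in "$1"/*.pub; do
        [ -f "${pub%.pub}" ] && echo "${pub%.pub}: $(audit_key "${pub%.pub}")"
    done
    return 0
}

# Run as: sh audit_keys.sh ~/.ssh
if [ $# -gt 0 ]; then audit_dir "$1"; fi
```

A key reported as no-passphrase can be given one in place with ssh-keygen -p -f followed by the key file path.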
Now you should understand the basic methods of generating and managing SSH keys. By registering the generated public keys (id_ed25519_my_server.pub or id_rsa.pub) in the ~/.ssh/authorized_keys file on the remote server, you can access it securely without a password. In the next post, we will explore how to register and use the generated SSH keys on the server in detail.
If you have any questions, feel free to ask in the comments!