Congratulations, you’ve just created you own public key using ssh-keygen. After printing the key information the program will terminate. If you create a passphrase-less key just make sure you only put it on trusted hosts as it may compromise the remote machine if the key falls to the wrong hands.Īfter entering you passphrase twice the program will print the key fingerprint, which is some kind of hashing used to distinguish different keys, followed by the default key comment (more on key comments later). If you intend to use the key for accessing a remote machine from inside an automated script you may wish to enter an empty password, so the script won’t need user interaction. I usually use a randomly generated passphrase, as this kind is considered the most secure. One should stay away from English sentences as their entropy level is just too low to be used as a safe passphrase. A good passphrase should be at least 10 characters long. When a key is generated with a passphrase, the key can’t be used without the passphrase, so by using a passphrase one can prevent others from using his private keys without first guessing the passphrase. Each generated key can be protected by a passphrase. Next you’ll be prompted to enter a passphrase. You should make sure that the key can only be read by you and not by any other user for security reasons. The public key will have the same filename but it will end with. When the key generation is done you would be prompted to enter a filename in which the key will be saved. The number after the -b specifies the key length in bits.Īfter executing the command it may take some time to generate the keys (as the program waits for enough entropy to be gathered to generate random numbers). You can use “dsa” instead of the “rsa” after the -t to generate a DSA key. To generate a pair of public and private keys execute the following command: Another reason for not using DSA is that DSA is a government standard and one may wonder if the key length was limited deliberately so it will be possible for government agencies to decrypt it. Because DSA key length is limited to 1024, and RSA key length isn’t limited, so one can generate much stronger RSA keys than DSA keys, I prefer using RSA over DSA. The key length for DSA is always 1024 bits as specified in FIPS 186-2. When generating new RSA keys you should use at least 2048 bits of key length unless you really have a good reason for using a shorter and less secure key. RSA keys have a minimum key length of 768 bits and the default length is 2048.
ssh-keygen can generate both RSA and DSA keys.
Generating public keys for authentication is the basic and most often used feature of ssh-keygen.
I will also explain how to maintain those keys by changing their associated comments and more importantly by changing the passphrases using this handy utility. ssh-keygen is the basic way for generating keys for such kind of authentication.
Public key authentication for SSH sessions are far superior to any password authentication and provide much higher security. In this post I will walk you through generating RSA and DSA keys using ssh-keygen.