What is an SSH Key
Why is it useful
An SSH Key is a means to secure authentication to an SSH server.
It allows a more robust connection to the server than password authentication. We will see in another tutorial how to set up this authentication on a server.
When authenticating to a server with your SSH key, your client will choose a key that is recognized by the server and then ask you for the passphrase of this key. This passphrase is used only by your computer, to decipher your private key in order to prove to the server that you are who you say you are.
Examples of use:
- SSH server
Most SSH servers are configured to accept SSH Keys as a means of connection, and many of them only accept this means of connection.
It is more secure and easier to use for the user. Many operating systems carry an SSH Agent (software that stores unlocked SSH Keys), which prevents having to type the passphrase of the key every time, making the connections look instantaneous without user input.
- Git server
For example, GitHub, GitLab, and Gitea use SSH connections to perform remote actions on Git repositories, such as fetching, pushing, cloning, …
Using an SSH connection allows easier use of git; you do not need to authenticate every time using your username and your password.
What is it
An SSH Key is composed of two files/keys:
- The private key: it is usually named id_<something>.
This file is, most of the time, protected by a passphrase; it should never be shared, copied, or moved.
As its name suggests, it is private: it is the part of the key that proves you own the key. If someone were to acquire this file and break its passphrase, they could impersonate you on any service that recognizes this key.
- The public key: it is usually named like the private key but ends with .pub.
This file can be shared with anyone you want to be able to identify you; for example an SSH server, GitHub, GitLab, …
These files are most of the time stored in a folder named .ssh in your home directory. For example, on Linux the folder is $HOME/.ssh.
How does it work
The working principle of the SSH Key:
- Your computer will look at the available SSH Keys in specific folders, usually .ssh
- It will propose some keys to the SSH server
- If one of the keys is recognized by the server, the server will offer to continue the authentication using this key
- The server then generates a message, encrypts it with the public key, and sends it to you
- Your client then decrypts it using your private key (that is the moment when it asks for the passphrase) and sends the decrypted message back to the server
- If the message is the correct one, the server recognizes you as the rightful person and connects you
This works because something encrypted with the public key can only be decrypted using the private key; recovering the message any other way is computationally infeasible. With keys strong enough, the current best computer (and any in the foreseeable future) would take longer than the age of the Universe to decipher it without the private key.
Creating an SSH Key
In this post, we are going to cover how to create an SSH Key.
This is aimed at Linux but should also work on Windows and macOS.
To create the key, we are going to use the ssh-keygen utility.
It should already be installed on your computer. If this is not the case, you can install it by installing openssh-client or openssh-clients, depending on your distribution.
Choosing the key type
Several types of keys are available. The main two are the following.
- RSA Keys: RSA is a rather old protocol (1977) based on the difficulty of factoring the product of large prime numbers. [1]
While still being pretty robust, it needs rather big keys to offer satisfactory security.
- ED25519 Keys: ED25519 is a newer protocol (2011) based on EdDSA, using elliptic curves. [2]
It is faster and requires smaller keys to reach the same security as RSA. But being newer, some old systems may not support it.
Some other schemes exist (DSA, ECDSA) but are not relevant here: DSA is obsolete, and ECDSA is harder to configure while offering similar security.
Choosing the key length
- RSA Keys: I recommend using a key of 4096 bits, as it is currently the longest available.
Under 2048 bits the key cannot be considered secure.
The default length is 3072 bits and is considered sufficient.
- ED25519: These keys have a fixed length (256 bits), so we do not need to choose.
Create the key
Now that we know what to take into account to create a key, we are going to create one.
The following command creates an ED25519 key with the default settings:
ssh-keygen -t ed25519
To create an RSA key of 4096 bits, we would use the command:
ssh-keygen -t rsa -b 4096
To go further
Adding a comment
By default, the comment of the created key is <username>@<computer>.
You can change this to be anything, for example a message about the use of the key.
This is done with the option -C:
ssh-keygen -C "Comment"
Specifying the password
By default, you will be prompted to enter the passphrase, but you can specify it directly in the command, using the option -N:
ssh-keygen -N "<passphrase>"
Specifying the file
By default, you will be prompted to set the path and filename to store the key, usually ~/.ssh/id_<type>.
You can change this behavior by specifying the path with the option -f:
ssh-keygen -f "$HOME/.ssh/id_git"
This tutorial is mainly inspired by the man page of ssh-keygen.
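The script below is an added example, not part of the original post, that ties together the two technical parts of this page: it creates a dedicated Git key non-interactively with the -t, -C, -N and -f options described above, checks that the passphrase-protected private key reproduces the public key, and then plays out the challenge/response from "How does it work" between a "server" and a "client". One precision on that section: in the SSH protocol itself (RFC 4252) the client proves possession of the private key by signing a challenge, and the server checks the signature with the public key, rather than by decrypting an encrypted message; the exchange below therefore uses the signing mode of ssh-keygen (-Y sign / -Y verify, available since OpenSSH 8.0). The key name id_git, the comment, the principal alice@example.invalid, the namespace ssh-key-demo and the passphrase are constructed values for this example; the passphrase is read from the SSH_KEY_PASSPHRASE variable so that it does not have to appear on the command line.

```shell
#!/bin/sh
# Added example (not the post's own code): non-interactive key creation with
# ssh-keygen, a passphrase round-trip, and a signed challenge/response.
# All names below (id_git, comment, principal, namespace, passphrase) are
# constructed for this example.
set -eu

KEY_TYPE=ed25519
KEY_COMMENT="git access key (constructed example comment)"
PRINCIPAL="alice@example.invalid"   # identity the server associates with the key
NAMESPACE="ssh-key-demo"            # signature namespace; sign and verify must agree
PASSPHRASE="${SSH_KEY_PASSPHRASE:-constructed-example-passphrase}"

# generate_key DIR: writes DIR/id_git and DIR/id_git.pub.
# -q silences the key art, -N takes the passphrase from a variable instead of
# the prompt, -C sets the comment and -f fixes the path, as described in the post.
generate_key() {
    ssh-keygen -q -t "$KEY_TYPE" -C "$KEY_COMMENT" -N "$PASSPHRASE" -f "$1/id_git"
}

# public_key PUBFILE: the key type and blob fields of a .pub file, without the comment.
public_key() {
    cut -d' ' -f1,2 "$1"
}

# public_from_private PRIVATE_KEY: unlock the private key with its passphrase
# and derive the public half from it; it must match the .pub file.
public_from_private() {
    ssh-keygen -y -P "$PASSPHRASE" -f "$1" | cut -d' ' -f1,2
}

# Server side: record which public key belongs to which principal (the role
# that authorized_keys plays on a real SSH server).
server_register_key() {  # DIR PUBFILE
    printf '%s %s\n' "$PRINCIPAL" "$(public_key "$2")" > "$1/allowed_signers"
}

# Server side: produce a fresh random challenge (32 bytes, hex encoded).
server_make_challenge() {  # DIR
    od -An -tx1 -N 32 /dev/urandom | tr -d ' \n' > "$1/challenge"
    printf '\n' >> "$1/challenge"
}

# Client side: prove possession of the private key by signing the challenge.
# The private key never leaves the client; only challenge.sig goes back.
client_answer_challenge() {  # DIR PRIVATE_KEY
    ssh-keygen -q -Y sign -P "$PASSPHRASE" -f "$2" -n "$NAMESPACE" "$1/challenge"
}

# Server side: check the signature against the registered public key.
# Exit status 0 means a good signature for this principal, non-zero otherwise.
server_verify_answer() {  # DIR
    ssh-keygen -Y verify -f "$1/allowed_signers" -I "$PRINCIPAL" \
        -n "$NAMESPACE" -s "$1/challenge.sig" < "$1/challenge" >/dev/null 2>&1
}

# Stand-alone run: SSH_KEY_DEMO_DIR=/path/to/empty/dir sh this_script.sh
if [ -n "${SSH_KEY_DEMO_DIR:-}" ]; then
    d="$SSH_KEY_DEMO_DIR"
    generate_key "$d"
    ssh-keygen -l -f "$d/id_git.pub"            # fingerprint and comment of the new key
    server_register_key "$d" "$d/id_git.pub"
    server_make_challenge "$d"
    client_answer_challenge "$d" "$d/id_git"
    server_verify_answer "$d" && echo "challenge answered with the right private key"
fi
```

Running it with SSH_KEY_DEMO_DIR pointing at an empty directory prints the fingerprint of the new key and confirms the challenge was answered; changing the challenge file after signing, or registering a different public key in allowed_signers, makes server_verify_answer return a non-zero status, which is exactly the check the server relies on to refuse a client that does not hold the private key.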