Ssh key generator linux

10 examples to generate SSH key in Linux (ssh-keygen)

We use ssh-keygen tool to generate SSH keys which are used for Public Key Based Authentication with SSH. As the time of writing this article, there are 6 different types of authentication methods possible with SSH. But Public key Authentication is one of the most used authentication methods used across production environment.

To use public key based authentication you would need a public and private key pair.

• The public key content must be added to the authorized_keys file of server
• The private key will be stored on the client

So when a client tries to make a secure connection, it will use this private and public key pair combination to establish the connection

Overview on ssh-keygen

• ssh-keygen is a utility provided by openssh rpm which should be installed by default on all the Linux distributions.
• ssh-keygen generates, manages and converts authentication keys for ssh version 2.0 and higher
• This tool supports different arguments which can be used to create keys as per the requirement
• If you wish to use SSH with public key authentication then use this once to create the authentication key in ~/.ssh/id_dsa , ~/.ssh/id_ecdsa , ~/.ssh/id_ed25519 or ~/.ssh/id_rsa
• If you forgot the passphrase then there is no way to reset the passphrase and you must recreate new passphrase and place they key pairs at respective locations to re-activate public key authentication

Let us explore the ssh-keygen tool to generate different types of key pairs in Linux

1. Generate ssh key without any arguments

• You can execute ssh-keygen without any arguments which will generate key pairs by default using RSA algorithm
• The tool will prompt for the location to store the RSA key pairs.
• The default location would be inside user’s home folder under .ssh i.e. ~/.ssh
• The tool will create ~/.ssh if the directory does not exists already
• The default naming syntax used for the private RSA key will be id_rsa and public key will be id_rsa.pub
• Next provided the passphrase, you can just press ENTER to create passphrase less key pair

2. Define Key Type

• By default ssh-keygen will create RSA type key
• You can create key with dsa , ecdsa , ed25519 , or rsa type
• Use -t argument to define the type of the key
• In this example I am creating key pair of ED25519 type

3. Define Bit size

By default ssh-keygen generates SSH key with 2048 bit size. You can also specify the number of bits to be used for the keys by using -b

In this example i will generate keys with 4096 bit size

4. Assign Passphrase

By default ssh-keygen will prompt for the passphrase before creating the key pairs. But we can also assign passphrase with using -P

5. Change passphrase of the private key

• You can also change the existing passphrase of your private key
• Use ssh-keygen with -p which will prompt you for the location of your private key file
• Next provide the existing passphrase of your private key
• If the provided passphrase is correct, you will get the prompt to assign new passphrase to your existing private key

# ssh-keygen -p Enter file in which the key is (/root/.ssh/id_rsa): Enter old passphrase: Key has comment 'root@rhel-8.example.com' Enter new passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved with the new passphrase.

To automate this step you can use ssh-keygen with -f to provide the private key file, -P to define your old passphrase and -N to define new passphrase

# ssh-keygen -p -f ~/.ssh/id_rsa -P "old_password" -N "new_password" Key has comment 'root@rhel-8.example.com' Your identification has been saved with the new passphrase.

6. Create keys with custom filename

• By default ssh-keygen creates private key with the name id_rsa and public key as id_rsa.pub
• We can also create keys with custom filename using -f
• This will create and keep the certificates in the current location from where you execute ssh-keygen tool
• In this example my private key will be my-own-rsa-key and public key would be my-own-rsa-key.pub

7. Add custom comment to the key

You can also add custom comment to your private key for more identification. Use -C to generate keys with your custom comment

# ssh-keygen -C "This is for server1.example.com"

We can use -l to print the fingerprint and comment of the private key

# ssh-keygen -l Enter file in which the key is (/root/.ssh/id_rsa): 3072 SHA256:JxBpArCDsIVME0HDtQG7FqFQefaS9ommeohVoEmg39g This is for server1.example.com (RSA)

8. Change comment of the key

You can also change the existing comment of your private key using -c argument

# ssh-keygen -c Enter file in which the key is (/root/.ssh/id_rsa): Key now has comment 'This is for server1.example.com' Enter new comment: This is for rhel-8.example.com The comment in your key file has been changed.

Check the new comment of your private key

# ssh-keygen -l Enter file in which the key is (/root/.ssh/id_rsa): 3072 SHA256:JxBpArCDsIVME0HDtQG7FqFQefaS9ommeohVoEmg39g This is for rhel-8.example.com (RSA)

9. Hash the content of known_hosts file

• Every time you do SSH to another server, the SSH fingerprint for the secure connection is added to the client’s ~/.ssh/known_hosts file
• This is used to verify the authenticity of the SSH connection
• The content of known_hosts file would be in this format

# cat .ssh/known_hosts 10.10.10.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGlXmWjH3Ly6ty9O3hYeg8p/ld7Isl65DaoxqTclbPrAdvDKrsB12MJlJS7oNur2TNUKfU24N+UKn7fqyUeEGWZrIh2DIaPC2Msq132x2P3IBeposynhfBmk6ZoJi58WjddIInQnaAJ/OJZB2waOp+RdtW53lP7zkPTny6yOUYUmFuC93mEMTAf6CpHEoBsNB/OH8km11kpjbbZ4QUx/1shXNnXo5El0/2Cqn7g/s0hi1EuDysDxAj2BkH8fsNyHitNhattf6NIL4akKagcZUhY/9Oj3TikM05MR5Jf72w8EQTtr9vNMTkxlaz/G66GeJR0TAd7CUCux+7KJ8KSH6r 192.168.43.22 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCGtytDuWTzCZJ4FGy5OBKTgYwllftrmgZ3Z+mSTTRmNVlTCEDygSzALLdtC7MEilv/ezTN2uA3HIC72jYegrMc=

• Any intruder can use this information to get the fingerprint details of individual hostname .
• You can use ssh-keygen to hash the hostname entries in the known_hosts file using -H argument
• This option will not modify existing hashed hostname and is therefore safe to use on files that mix hashed and non-hashed names.
• This will create a backup file with .old extension in the same location

Next check the content of known_hosts file

# cat .ssh/known_hosts |1|DnQfHwXX0E78Kqd9sM+jhKICLhM=|A7gki0vPIUajFlROxDljIxE6rGM= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGlXmWjH3Ly6ty9O3hYeg8p/ld7Isl65DaoxqTclbPrAdvDKrsB12MJlJS7oNur2TNUKfU24N+UKn7fqyUeEGWZrIh2DIaPC2Msq132x2P3IBeposynhfBmk6ZoJi58WjddIInQnaAJ/OJZB2waOp+RdtW53lP7zkPTny6yOUYUmFuC93mEMTAf6CpHEoBsNB/OH8km11kpjbbZ4QUx/1shXNnXo5El0/2Cqn7g/s0hi1EuDysDxAj2BkH8fsNyHitNhattf6NIL4akKagcZUhY/9Oj3TikM05MR5Jf72w8EQTtr9vNMTkxlaz/G66GeJR0TAd7CUCux+7KJ8KSH6r |1|RK+RdFcebk+2EK81Rs16e9Im6Hk=|b7QKZly3lm6mBEzIvsLDps4x44I= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCGtytDuWTzCZJ4FGy5OBKTgYwllftrmgZ3Z+mSTTRmNVlTCEDygSzALLdtC7MEilv/ezTN2uA3HIC72jYegrMc=

As you see now the hostname can not be understood as they are hashed. A backup file is also created at the same location

# ls -l ~/.ssh/known_hosts* -rw------- 1 root root 664 May 23 18:37 /root/.ssh/known_hosts -rw-r--r-- 1 root root 568 Mar 27 13:09 /root/.ssh/known_hosts.old

10. Remove keys for hostname from known_hosts file

• Every time you do SSH, the RSA key for the SSH connection for respective hostname is stored inside ~/.ssh/known_hosts file
• But if you re-install the target server and attempt to do SSH then it is possible the SSH may fail due to mis-match in the fingerprint
• So you can either manually search and delete the RSA fingerprint of your server from known_hosts file or you can use ssh-keygen to do the job
• Use -R to automatically search and delete all fingerprint and RSA key entries for the provided hostname from known_hosts file
• For example to delete all the keys related to 192.168.43.22 host from known_hosts file

# ssh-keygen -R 192.168.43.22 # Host 192.168.43.22 found: line 2 /root/.ssh/known_hosts updated. Original contents retained as /root/.ssh/known_hosts.old

Источник

Generate SSH Keys with ssh-keygen Command

Linux and other operating systems provide the ssh-keygen command in order to generate SSH keys. SSH keys consist of a key pair which are called Public Key and Private Key. These cans can be used to automatic or passwordless certificate-based login to the remote SSH server.

Install ssh-keygen Command

All Linux distributions like Ubuntu, Debian, Mint, Kali CentOS, Fedora, RHEL, SUSE, and BSD variants provide the ssh-keygen as a package. In can be installed for apt, apt-get, yum, dnf package managers like below.

Ubuntu, Debian Mint, Kali with apt:

sudo apt install openssh-client

Ubuntu, Debian Mint, Kali with apt-get:

sudo apt-get install openssh-client

CentOS Fedora, RHEL with yum:

sudo yum install openssh-client

CentOS Fedora, RHEL with dnf:

sudo dnf install openssh-client

Generate SSH Keys (Public Key, Private Key)

As a secure protocol SSH uses public-key cryptography for encryption and authentication for hosts and users. The authentication keys which are consist of Public Key and Private key are created with the ssh-keygen command which can generate different types of keys like RSA, DSA, ECDSA, ED25519.

If the ssh-keygen is called without any options and parameters it will create a RSA key by defualt which size is 2048 bit.

Generating public/private rsa key pair. Enter file in which to save the key (/home/ismail/.ssh/id_rsa): /home/ismail/.ssh/id_rsa already exists. Overwrite (y/n)? y Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/ismail/.ssh/id_rsa Your public key has been saved in /home/ismail/.ssh/id_rsa.pub The key fingerprint is: SHA256:EMYPpCNIVLAJepvKRSVhKwtLCzSpL43Dftlr44V2uXg ismail@ubuntu The key's randomart image is: +---[RSA 3072]----+ |o+=.++ | |=o= +oo. | |=ooo .o | |=o=+ . .. | |o*o. S | |=o+ . . | |o+ oo + | | . o.++E. | | . o++. | +----[SHA256]-----+

If there is already a key with the same file name you will be asked whether overwrite or not. If you type Y and continue the SSH key creation continue.

Generate RSA SSH Keys (Public Key, Private Key)

The RSA is the most popular public and private key algorithm which can be generated with the ssh-keygen command. The RSA keys can be generated by specifying the type with the -t option and rsa parameter like below.

Generate DSA SSH Keys (Public Key, Private Key)

The DSA is another popular cryptographic algorithm that is used to generate SSH keys too. The DSA is a very fast and feasible alternative to the RSA algorithm. The DSA keys can be generated by specifying the type with the -t option and dsa parameter like below.

Generate ECDSA SSH Keys (Public Key, Private Key)

Generate ED25519 SSH Keys (Public Key, Private Key)

Set SSH Key Size

By default the RSA key size is 2048 bit, DSA key size is 1024 bit. But the key size can be changed where increasing the key size makes the keys and communication more secure. But the downside is if the data or bandwidth is high the performance will be lower but this is not a problem for SSH and SSH communication. The -b options and the bit size can be specified to the ssh-keygen like below. This key size option can be used for all algorithms.

ssh-keygen -t rsa -t 4096 ssh-keygen -t dsa -t 1024 ssh-keygen -t ecdsa -t 512 ssh-keygen -t ed25519 -t 512

Copy SSH (Public) Key To Remote SSH Server

Generated keys can be used for passwordless or key-based authentication which makes the SSH connection easier and more practical. The ssh-copy-id command is used to copy the current user default SSH keys to the specified remote SSH server.

By default, the username is set as the current username but different usernames can be specified explicitly. The @ sign is used to separate the username from the remote host IP address or hostname.

ssh-copy-id ismail@192.168.10.10

Alternatively the remote system hostname can be used to copy SSH key. But the hostname should be successfully resolved into the IP address.

ssh-copy-id ismail@linuxtect.com

Источник