How to create ssh keys and manage multiple keys

SSH keys make fast, secure, passwordless login to a server possible. Plus, it's easy to manage multiple keys with a config file.

First step: check for SSH keys

$ ls -al ~/.ssh
# This shows all your keys, if there is any

If you don’t have an ~/.ssh directory, go ahead and make it:

$ mkdir ~/.ssh

Second step: setup an ssh key

First, let's make a key. On your local machine, issue:

$ ssh-keygen -t rsa

It'll ask you where to save it. If this is the first key you're making, just hit enter and it'll save it to /Users/hilja/.ssh/id_rsa. If you already have a key and want to make a new one, use a different name, like /Users/hilja/.ssh/id_rsa_xxx; it can be anything though.

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/hilja/.ssh/id_rsa): /Users/hilja/.ssh/id_rsa_xxx

Next it asks for a passphrase, which means that, in addition to having the key, you are required to type in a password when logging in with it. I usually leave it blank by hitting enter.

Two files were created:

  1. id_rsa_xxx – this is your private key file; it stays on the local machine.
  2. id_rsa_xxx.pub – this is the public key file that goes to your remote server.

Now that you have the key, go ahead and open it in a text editor, or cat it ($ cat id_rsa_xxx); it should look something like this:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

And the public file looks approximately like this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOGfrmloAfkrrigjJjgGjr2aCM0z++bKJk9H6iJHc2jCB8l3T1KNGy+G0V4xe60XFm2i7/CaV4MjAhM9bSXBxxdga2ZlfhDNB4JTs0wanWzJxPqGeiMvLjtjTbGg3nuF1gR5ZLSMs8V4QAtsvAPVR6iE5TnqRtQwgb67OGCuwi44askvtveVXWtgIUsrDYxzfSHfgDPyhNXPMG9Ci7NxltMhiqUiuNkMJxtZ/pktTUJmlwCifQS/1g5YPU/ywPizeyqzoWo7o0pp823LIgiFPN9uyiWdwdB3+Qc7zfcKNYuXxRV5U6Ne3znXQRxiMi05D0jDv682JRE5NQEXF bob@localbob

Third step: copy the key to remote server

Let's set things up on the remote end next. On the remote machine there is a file ~/.ssh/authorized_keys; we need to put the public key there, and there are a few ways to go about this.

Method #1 ssh-copy-id

Probably the most painless of these, the downside being that it won't work on OS X (scroll to method #2 if you're on OS X).

$ ssh-copy-id user@123.45.56.78

The syntax in whole goes like:

ssh-copy-id [-i [identity_file]] [user@]machine

So with the custom-named pub file it would go like this:

$ ssh-copy-id -i id_rsa_xxx.pub user@123.45.56.78

Method #2

This is more verbose but I’ve found it very successful:

$ cat ~/.ssh/id_rsa_xxx.pub | ssh -p 5555 user@123.45.56.78 "mkdir -p ~/.ssh && cat >>  ~/.ssh/authorized_keys"

Note that a port is specified with -p 5555; if your ssh is listening on the default port, you don't need that.

Method #3

Just copy and paste the public key manually: cat it out and copy it:

$ cat ~/.ssh/id_rsa_xxx.pub

Log in to the remote server, find ~/.ssh/authorized_keys and paste it in there.

Now it should work. Test it by exiting your box and ssh-ing back into it; there should be no password prompt.

Fourth step: multiple ssh keys

It's good to have many keys, e.g. one for GitHub, one for BitBucket, one for your server. But by default the id_rsa.pub file is always used, so we have to tell ssh to look at a different key file depending on the service. This is where the config file comes in.

Config file

The config file lives in ~/.ssh/config; if it's not there, go ahead and make it.

Its contents should look something like:

Host           myserver
HostName       example.com
Port           5555
IdentityFile   ~/.ssh/id_rsa_xxx
User           bob

  • Host: this can be anything; it is the name you use to connect to the server
  • HostName: the IP or host name
  • Port: the port open on the server; you might not need this
  • IdentityFile: where the key file is
  • User: the user on the server; this is needed if your user on the server is different from the one on your local machine

Now logging in is as easy as: $ ssh myserver

Add more servers after the first one, if needed.

Host           myserver
HostName       example.com
Port           5555
IdentityFile   ~/.ssh/id_rsa_xxx
User           bob

Host           mysecondserver
HostName       example.net
Port           6666
IdentityFile   ~/.ssh/id_rsa_zzz
User           slartibartfast
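A small helper for the third and fourth steps, added here as an example (it is not code from the original post): it appends a public key to an authorized_keys file only if that exact line is not already there, adds a Host block like the one above only once per alias, and sets the permissions sshd's StrictModes and the ssh client expect. Paths are passed as arguments, so it can be tried on a scratch directory first; the file and host names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Every function takes explicit
# paths so it can be exercised on a scratch directory before touching ~/.ssh.

# Append one public key line to an authorized_keys file, skipping exact duplicates.
# Usage: add_authorized_key <pubkey_file> <authorized_keys_file>
add_authorized_key() {
    pub="$1"; auth="$2"
    key=$(cat "$pub")
    mkdir -p "$(dirname "$auth")"
    touch "$auth"
    # -F fixed string, -x whole-line match: the same key pasted twice is a no-op
    if grep -Fxq "$key" "$auth"; then
        echo "already present in $auth: $pub" >&2
        return 1
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Add a Host block (alias, HostName, Port, IdentityFile, User) to a config file,
# refusing to add the same alias twice.
# Usage: add_host_block <config_file> <alias> <hostname> <port> <identity_file> <user>
add_host_block() {
    cfg="$1"; name="$2"
    if grep -Eq "^Host[[:space:]]+$name\$" "$cfg" 2>/dev/null; then
        echo "alias already configured in $cfg: $name" >&2
        return 1
    fi
    printf 'Host %s\n    HostName %s\n    Port %s\n    IdentityFile %s\n    User %s\n\n' \
        "$name" "$3" "$4" "$5" "$6" >> "$cfg"
}

# sshd (with StrictModes, the default) ignores authorized_keys that others can
# write, and ssh refuses a private key that others can read. Tighten the lot.
# Usage: fix_ssh_perms <ssh_dir>
fix_ssh_perms() {
    dir="$1"
    chmod 700 "$dir"
    for f in "$dir"/config "$dir"/authorized_keys "$dir"/id_*; do
        [ -e "$f" ] || continue
        case "$f" in
            *.pub) chmod 644 "$f" ;;   # public half may be world-readable
            *)     chmod 600 "$f" ;;   # private keys, config, authorized_keys
        esac
    done
}
```

Run fix_ssh_perms on both the local ~/.ssh and the remote one; a wrong mode on authorized_keys is the usual reason a freshly copied key still prompts for a password.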

Conclusions

Club-Mate, the beverage → club-mate.fi