clubmate.fi

How to create ssh keys and manage multiple keys

Filed under: Server — Tagged with: ssh

How to create ssh keys, how to get them safely to your server, and how to manage multiple keys and make ssh-ing into a machine really easy.

Check for existing ssh keys

List the files in the default (hidden) ssh directory:

$ ls -la ~/.ssh

If you don’t have a ~/.ssh directory, go ahead and make it:

$ mkdir ~/.ssh

Generate the ssh key

Make a key using the ssh-keygen utility; run this command on your local machine:

$ ssh-keygen -t rsa

It’ll ask where to save it. If this is the first key you’re making, just hit enter and it’ll be saved as ~/.ssh/id_rsa. If you already have a key and want to make a new one, use a different name, like ~/.ssh/id_rsa_foo (it can be anything, though).

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/bob/.ssh/id_rsa): /Users/bob/.ssh/id_rsa_foo

Next it asks for a passphrase, a password you have to type when logging in with the key. It can be left blank by hitting enter.

Two files were created:

id_rsa_foo: this is your private key file; it stays on the local machine.
id_rsa_foo.pub: this is the public key file that goes to your remote server.

Now that you have the key, go ahead and open it in a text editor, or cat it: $ cat id_rsa_foo.

The private key looks approximately like this:

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAn5EYBOxjQ6gPDmhQi1P2tQIKRVQc7XjzClkgjfCynAFCXwwj
8U1iBY4jwiD/e7cpHZ6gZzdu3Ty965RktoVB6rAtqh4COGrgR/+TfHqNnqS9jF09
zff3vruhGKoWSMT3PIBei1r7mngVEFbb8fpGZZ7Ey2x1yVY2Ez7XKlh3QgV8EmNE
bDKUwXguUKpXxz6C5vHnbJh1L9Yx+KB5Lll+RBZOLhSGNmqz/CcyPYTiucR64u9E
BiozlC8Oyzx/yiFHGRHLMUcwqQx2zT/AdbVExPx5hh63Gs3lVKEkHZVtaihmMXTb
N+OSmiJZ3eb37b2GQ2Nt4xwzt5sTti/CW4OYLwIDAQABAoIBABivntKsK5M8/c9R
zhwwCjvoq+Qb5jnK+3a/YSz0bv15qGYB/9GGEkMfwWJ4Lm5aYM8HSnONfOZXTl6S
VFe0S43PKUz7Y6GZZ9ZEY49WjmS1K/Xs2i0vfthe3hBlqYxy1gOvBqQdu7crvrwy
9ByPlNVQfxPJpChcyCRRy3c8q6p1A7IakK/ylVht3GKCfv0OxZu5iYnQsF+nwBqu
2zNl2/QnQgr5bV+xLqlDBq3vL8kaA2HSatuG1HRKPwkD9ev9YeV40Az0XJVx0zeU
MRrzz7kCgYEAzuTGEkUiIwMy/tlcPWt8ingrowp9bAtt+zhrTOHa3MCOK0YnRaTe
+2c6JQBpmBaZr/LMLZiXZ6lmDKCA1VeH+h8RCRh8En89y9QTmj3c196DC4d1dh4s
AZwVe2pxNX6xtuxyL3dcxbsxRc/FRcTb8Fr6RmofZenXLXF33kSMulMCgYEAxXCn
q/P37T1bHaimC/aziqMDg1nKCoIRw3cRsLeO7o0eO2PukQmBaBxJpTY8RO2InUJx
PRi61Ylk+foUyEctMVdyK5QUKJUc0diNPBpG+2fR30GPKa3Q62ketftU9MZ6lgZS
d0k1HsAexVjrXJETh/LlfhUq65o/Mvb90EP8RzUCgYEAsS8fqnnmeFG/FJ6V7kvl
RrkPtfu/2g4XzHRPAHLUewW1O75C19QQ2wFWvGWUCRoh2Jt43Pu3fqGGsf2rGAp0
e3Krpjx/1V9/TtZ7Szb7sSvw0qjZoaTJTz+a7i0EcynjjKMGTzxMCVL9Kap8afnj
2f4wJKmx5hfTnil03LecRd0CgYBj7frPSzHGv3Eod71i/MAugQc8Kevama6H8fHg
FhjPqQKBgQCEvylEWoEkAldKvtt2MEbl1MZdaBVS//AukAtCIOn2Lyyj4Xn20ZoO
mBLN6c/4Mcy8K2D2e61J7sx1qAcIE8Ry7XOzkDG7pGztWhJMRSSAWhL0WENLGcfl
kOYqzHLPk7qcX9a/o1MEITR85A1kdfN76FN5lZWq86e2+3xvd3hY7w==
-----END RSA PRIVATE KEY-----

And the public file looks approximately like this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOGfrmloAfkrrigjJjgGjr2aCM0z++bKJk9H6iJHc2jCB8l3T1KNGy+G0V4xe60XFm2i7/CaV4MjAhM9bSXBxxdga2ZlfhDNB4JTs0wanWzJxPqGeiMvLjtjTbGg3nuF1gR5ZLSMs8V4QAtsvAPVR6iE5TnqRtQwgb67OGCuwi44askvtveVXWtgIUsrDYxzfSHfgDPyhNXPMG9Ci7NxltMhiqUiuNkMJxtZ/pktTUJmlwCifQS/1g5YPU/ywPizeyqzoWo7o0pp823LIgiFPN9uyiWdwdB3+Qc7zfcKNYuXxRV5U6Ne3znXQRxiMi05D0jDv682JRE5NQEXF bob@localbob

Copy the key to the remote server

If you used something like DigitalOcean to create your cloud server, then the key is already there. It’s in /root/.ssh/authorized_keys, to be precise.

But if it isn’t there, there are a few ways to copy it over.

On the remote machine there is a file ~/.ssh/authorized_keys; we need to get the public key into it. There are a few ways to go about this.

Method 1: ssh-copy-id

Probably the most painless solution, the downside being that it won’t work on OS X (skip to method #2 if you’re on OS X).

$ ssh-copy-id user@123.45.56.78

The full syntax is:

ssh-copy-id [-i [identity_file]] [user@]machine

So with a custom-named pub file it would go like this:

$ ssh-copy-id -i id_rsa_foo.pub user@123.45.56.78

Method 2: redirecting

This is more verbose but it should work:

$ cat ~/.ssh/id_rsa_foo.pub | ssh -p 5555 user@123.45.56.78 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Note that a port is specified with -p 5555; if your ssh is listening on the default port, you don’t need that.

Method 3: manual copy

Just copy and paste the public key by hand: cat it out and copy it:

$ cat ~/.ssh/id_rsa_foo.pub

Log in to the remote server, find the ~/.ssh/authorized_keys file and paste the key at the end of it.
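Method 2 appends blindly: run it twice and the same key sits in authorized_keys twice, and it leaves the file permissions to chance. The shell function below is an added example, not code from the post, that does the same append with the checks a practitioner wants: it refuses anything that is not an OpenSSH public key line (so a private key pasted by mistake never lands in authorized_keys), skips a key that is already present, and sets ~/.ssh to 700 and authorized_keys to 600, which sshd’s StrictModes requires before it will use the file at all. The directory argument and the sample key line are made up so it can run in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post. Installs an OpenSSH public
# key line into <ssh_dir>/authorized_keys the way ssh-copy-id does, with the
# checks that a bare `cat >> ~/.ssh/authorized_keys` skips:
#   - refuse input that is not a public key line,
#   - skip the key if it is already there, so re-running is harmless,
#   - set ~/.ssh to 700 and authorized_keys to 600 (sshd's StrictModes
#     refuses looser permissions).
# Usage: install_authorized_key <ssh_dir> "<public key line>"

install_authorized_key() {
    ssh_dir=$1
    pubkey=$2

    # Accept only the OpenSSH key types, each followed by base64 key data.
    case "$pubkey" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) echo "refusing to install: not an OpenSSH public key line" >&2; return 1 ;;
    esac

    # Compare on the key data (second field) so the same key with a different
    # comment is still recognised as a duplicate.
    keydata=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    [ -n "$keydata" ] || { echo "refusing to install: key data missing" >&2; return 1; }

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    auth="$ssh_dir/authorized_keys"
    touch "$auth"
    chmod 600 "$auth"

    # awk exits 0 when some line's second field equals the new key data.
    if awk -v k="$keydata" '$2 == k { found = 1 } END { exit !found }' "$auth"; then
        echo "key already present in $auth"
        return 0
    fi

    printf '%s\n' "$pubkey" >> "$auth"
    echo "installed key into $auth"
}

# Demo in a throwaway directory with a constructed (non-functional) key line,
# so the script is safe to run anywhere; the second call is a no-op.
demo_dir=$(mktemp -d)
install_authorized_key "$demo_dir" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedkeydata bob@localbob"
install_authorized_key "$demo_dir" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedkeydata bob@localbob"
rm -rf "$demo_dir"
```

On the server you would call it as install_authorized_key ~/.ssh "$(cat id_rsa_foo.pub)" after pasting the public key line in; the function runs unchanged if you ship it over the ssh pipe from method 2 instead.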

Test the ssh connection

Now it should work. Test it by exiting your box ($ exit) and then ssh-ing back in using the new key:

$ ssh -i ~/.ssh/id_rsa_foo user@123.45.56.78

The -i flag stands for identity file, and should be the path to the private key file we just created.

Manage multiple ssh keys

It’s probably good to have many keys, e.g. one for GitHub, one for Bitbucket, one for your server. By default ssh looks for the key called id_rsa.pub, so we have to tell ssh to look for a different key file depending on the service. This is where the config file comes in handy.

SSH config file

The config file lives in ~/.ssh/config; if it’s not there, go ahead and make it: touch ~/.ssh/config (it is your own file, so no sudo is needed; a root-owned config would only get in your way when editing it later).

The contents of the file should look something like this:

# ~/.ssh/config
Host          myserver
HostName      123.45.56.78
Port          5555
IdentityFile  ~/.ssh/id_rsa_foo
User          bob

The options:

Host: this can be anything; it’s the short name you will type.
HostName: IP address or host name of the server.
Port: the port open on the server; you might not need this.
IdentityFile: where the key file is.
User: the user on the server; needed if your user name on the server differs from the one on your local machine.

Now, logging in is as easy as: $ ssh myserver.

Add more servers after the first one, if needed:

Host           myserver
HostName       123.45.56.78
Port           5555
IdentityFile   ~/.ssh/id_rsa_foo
User           bob

Host           mysecondserver
HostName       example.net
Port           6666
IdentityFile   ~/.ssh/id_rsa_bar
User           alice
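As an added example (not from the post), here is a config with a separate key per service, including the GitHub and Bitbucket entries the text suggests, plus a small POSIX shell resolver that answers “which value will ssh use for this option and this alias?” by the rule ssh itself applies: the first matching Host block that sets an option wins, and Host patterns are shell-style globs such as *. Two points a practitioner wants to see: a catch-all Host * block must come last, or it silently overrides everything below it, and IdentitiesOnly yes stops ssh from offering every key it knows about to every server. The key paths and host names are made up; the resolver is a teaching tool beside ssh -G, and it deliberately ignores Match blocks, negated !patterns, case-insensitive keywords and options that accumulate several values.

```shell
#!/bin/sh
# Added example, not code from the original post. write_ssh_config writes a
# config with one key per service; ssh_config_get resolves an option for an
# alias the way ssh does: the first matching Host block that sets an option
# wins, and Host patterns are globs. Key paths and host names are made up.
# Not handled on purpose: Match blocks, "!pattern" negation, case-insensitive
# keywords, and options that collect several values.

write_ssh_config() {
    cat > "$1" <<'EOF'
# One key per service, so a leaked key unlocks only that service.
# IdentitiesOnly stops ssh from offering every key it knows about, which
# would otherwise reveal which keys you hold and can trip the server's
# limit on authentication attempts.
Host myserver
    HostName       123.45.56.78
    Port           5555
    IdentityFile   ~/.ssh/id_rsa_foo
    User           bob
    IdentitiesOnly yes

Host github.com
    IdentityFile   ~/.ssh/id_ed25519_github
    IdentitiesOnly yes

Host bitbucket.org
    IdentityFile   ~/.ssh/id_ed25519_bitbucket
    IdentitiesOnly yes

# Catch-all defaults go last: ssh keeps the first value it finds, so a
# "Host *" block at the top would override every block below it.
Host *
    User           bob
    IdentitiesOnly yes
EOF
}

# ssh_config_get <config> <alias> <Option>: print the value ssh would use.
# Runs in a subshell so "set -f" (no filename globbing while splitting lines
# that may contain "*") does not leak into the caller.
ssh_config_get() (
    set -f
    cfg=$1; host_alias=$2; want=$3
    in_match=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}              # drop comments
        set -- $line                  # split into keyword and arguments
        [ $# -ge 2 ] || continue      # blank line or keyword without value
        key=$1; shift
        if [ "$key" = "Host" ]; then
            in_match=0
            for pat in "$@"; do       # a Host line may list several patterns
                case "$host_alias" in $pat) in_match=1 ;; esac
            done
            continue
        fi
        if [ "$in_match" -eq 1 ] && [ "$key" = "$want" ]; then
            echo "$*"                 # first match wins, stop here
            exit 0
        fi
    done < "$cfg"
    exit 1                            # no block sets this option
)

# Demo: write the config to a temp file and show what github.com resolves to
# (its own IdentityFile, but the User comes from the catch-all block).
demo_cfg=$(mktemp)
write_ssh_config "$demo_cfg"
echo "github.com IdentityFile: $(ssh_config_get "$demo_cfg" github.com IdentityFile)"
echo "github.com User:         $(ssh_config_get "$demo_cfg" github.com User)"
rm -f "$demo_cfg"
```

To check the real resolution on your machine, ssh -G myserver prints every option ssh would use for that alias after reading ~/.ssh/config, which is the quickest way to spot a stray Host * block or a wrong IdentityFile.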

Conclusions

If you ever have a whiff of doubt that your key is compromised, then make a new one.

Hope this was helpful.

© 2022 Antti Hiljá