How to create ssh keys, how to get them safely to your server, and how to manage multiple keys and make ssh-ing into a machine really easy.
List files in the default, hidden, ssh directory:
$ ls -la ~/.ssh
If you don’t have an ~/.ssh directory, go ahead and make it. ssh is picky about permissions, so create it readable by you alone:
$ mkdir -m 700 ~/.ssh
Make a key using the ssh-keygen utility. Run this on your local machine, not on the server; the private key should never exist anywhere else:
$ ssh-keygen -t rsa -b 4096
(-b 4096 asks for a 4096-bit RSA key instead of the default size. On OpenSSH 6.5 or newer, -t ed25519 is the better choice: a smaller, faster key that is at least as strong.)
It’ll ask you where to save it. If this is the first key you’re making, just hit enter and it’ll go to ~/.ssh/id_rsa. If you already have a key and want to make a new one, use a different name, like ~/.ssh/id_rsa_foo; the name can be anything, but keep it in ~/.ssh.
Generating public/private rsa key pair. Enter file in which to save the key (/Users/bob/.ssh/id_rsa): /Users/bob/.ssh/id_rsa_foo
Next it asks for a passphrase, a password you have to type when logging in with the key. It can be left blank by hitting enter, but don’t: the passphrase encrypts the private key on disk, so a stolen or backed-up key file is useless without it, and ssh-agent will remember it for you so you only type it once per session.
Two files were created: ~/.ssh/id_rsa_foo, the private key, which stays on this machine, and ~/.ssh/id_rsa_foo.pub, the public key, which is the one you copy to servers.
Now you have the key. If you want to see what the private key looks like, cat it (look, don’t paste it anywhere; anyone holding this file can log in as you):
$ cat ~/.ssh/id_rsa_foo
-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAn5EYBOxjQ6gPDmhQi1P2tQIKRVQc7XjzClkgjfCynAFCXwwj 8U1iBY4jwiD/e7cpHZ6gZzdu3Ty965RktoVB6rAtqh4COGrgR/+TfHqNnqS9jF09 zff3vruhGKoWSMT3PIBei1r7mngVEFbb8fpGZZ7Ey2x1yVY2Ez7XKlh3QgV8EmNE bDKUwXguUKpXxz6C5vHnbJh1L9Yx+KB5Lll+RBZOLhSGNmqz/CcyPYTiucR64u9E BiozlC8Oyzx/yiFHGRHLMUcwqQx2zT/AdbVExPx5hh63Gs3lVKEkHZVtaihmMXTb N+OSmiJZ3eb37b2GQ2Nt4xwzt5sTti/CW4OYLwIDAQABAoIBABivntKsK5M8/c9R zhwwCjvoq+Qb5jnK+3a/YSz0bv15qGYB/9GGEkMfwWJ4Lm5aYM8HSnONfOZXTl6S VFe0S43PKUz7Y6GZZ9ZEY49WjmS1K/Xs2i0vfthe3hBlqYxy1gOvBqQdu7crvrwy 9ByPlNVQfxPJpChcyCRRy3c8q6p1A7IakK/ylVht3GKCfv0OxZu5iYnQsF+nwBqu 2zNl2/QnQgr5bV+xLqlDBq3vL8kaA2HSatuG1HRKPwkD9ev9YeV40Az0XJVx0zeU MRrzz7kCgYEAzuTGEkUiIwMy/tlcPWt8ingrowp9bAtt+zhrTOHa3MCOK0YnRaTe +2c6JQBpmBaZr/LMLZiXZ6lmDKCA1VeH+h8RCRh8En89y9QTmj3c196DC4d1dh4s AZwVe2pxNX6xtuxyL3dcxbsxRc/FRcTb8Fr6RmofZenXLXF33kSMulMCgYEAxXCn q/P37T1bHaimC/aziqMDg1nKCoIRw3cRsLeO7o0eO2PukQmBaBxJpTY8RO2InUJx PRi61Ylk+foUyEctMVdyK5QUKJUc0diNPBpG+2fR30GPKa3Q62ketftU9MZ6lgZS d0k1HsAexVjrXJETh/LlfhUq65o/Mvb90EP8RzUCgYEAsS8fqnnmeFG/FJ6V7kvl RrkPtfu/2g4XzHRPAHLUewW1O75C19QQ2wFWvGWUCRoh2Jt43Pu3fqGGsf2rGAp0 e3Krpjx/1V9/TtZ7Szb7sSvw0qjZoaTJTz+a7i0EcynjjKMGTzxMCVL9Kap8afnj 2f4wJKmx5hfTnil03LecRd0CgYBj7frPSzHGv3Eod71i/MAugQc8Kevama6H8fHg FhjPqQKBgQCEvylEWoEkAldKvtt2MEbl1MZdaBVS//AukAtCIOn2Lyyj4Xn20ZoO mBLN6c/4Mcy8K2D2e61J7sx1qAcIE8Ry7XOzkDG7pGztWhJMRSSAWhL0WENLGcfl kOYqzHLPk7qcX9a/o1MEITR85A1kdfN76FN5lZWq86e2+3xvd3hY7w== -----END RSA PRIVATE KEY-----
And the public file looks approximately like this:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOGfrmloAfkrrigjJjgGjr2aCM0z++bKJk9H6iJHc2jCB8l3T1KNGy+G0V4xe60XFm2i7/CaV4MjAhM9bSXBxxdga2ZlfhDNB4JTs0wanWzJxPqGeiMvLjtjTbGg3nuF1gR5ZLSMs8V4QAtsvAPVR6iE5TnqRtQwgb67OGCuwi44askvtveVXWtgIUsrDYxzfSHfgDPyhNXPMG9Ci7NxltMhiqUiuNkMJxtZ/pktTUJmlwCifQS/1g5YPU/ywPizeyqzoWo7o0pp823LIgiFPN9uyiWdwdB3+Qc7zfcKNYuXxRV5U6Ne3znXQRxiMi05D0jDv682JRE5NQEXF bob@localbob
If you used something like DigitalOcean to create your cloud server and pasted the public key into their form when creating it, then the key is already there, in /root/.ssh/authorized_keys to be precise.
Otherwise you have to get it there yourself. On the remote machine sshd reads ~/.ssh/authorized_keys, one public key per line, so we need to append the public key to that file. There are a few ways to go about this.
Method #1: ssh-copy-id. Probably the most painless solution; the downside is that it isn’t shipped everywhere (older OS X in particular, where brew install ssh-copy-id adds it; otherwise scroll to method #2).
$ ssh-copy-id firstname.lastname@example.org
The syntax in whole goes like:
ssh-copy-id [-i [identity_file]] [user@]machine
So the custom-named pub file would go like this (give the full path, and add -p 5555 if your sshd listens on a non-default port):
$ ssh-copy-id -i ~/.ssh/id_rsa_foo.pub email@example.com
Method #2: pipe it over ssh. This is more verbose but works anywhere ssh does. The chmod at the end matters: sshd’s default StrictModes setting ignores authorized_keys if the file or the ~/.ssh directory is writable by anyone but the owner.
$ cat ~/.ssh/id_rsa_foo.pub | ssh -p 5555 firstname.lastname@example.org "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys"
Note that a port is specified with -p 5555; if your sshd listens on the default port 22, you don’t need that.
Method #3: by hand. Cat the public key out and copy it:
$ cat ~/.ssh/id_rsa_foo.pub
Log in to the remote server (with your password, or with whatever key you already have), open ~/.ssh/authorized_keys and paste the line at the end. It is a single line; if your terminal or editor wraps it, the key won’t work.
Now it should work. Before you close the session you used to add the key, open a second terminal and ssh in with the new key; that way a typo in authorized_keys can’t lock you out, which matters even more once you disable password logins:
$ ssh -i ~/.ssh/id_rsa_foo email@example.com
The -i flag stands for identity and takes the path to the private key we just created (not the .pub; ssh finds the public half itself). Add -p 5555 if the port isn’t the default. Only once that login works, exit the old session:
$ exit
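All three methods above boil down to appending one line to ~/.ssh/authorized_keys on the server, and the one-liner in method #2 skips checks that bite later: a world-writable ~/.ssh that sshd ignores, the same key pasted twice, or a line that isn’t a key at all. The script below is an added example, not code from the original post: a POSIX sh function that does the server-side half of method #2 with those checks. The key line in the usage comment is constructed and is not a real key.

```sh
#!/bin/sh
# Added example, not from the original post. Server-side half of the
# "cat pubkey | ssh host 'cat >> ~/.ssh/authorized_keys'" trick, with checks:
# validate the key line, fix permissions, and never add the same key twice.
# Assumes POSIX sh and that HOME is the account that should receive the key.

# is_pubkey_line LINE: 0 if LINE looks like an OpenSSH public key line,
# i.e. "<type> <base64> [comment]" for the key types ssh-keygen produces.
is_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_authorized_key: reads one public key line from stdin and installs it
# into $HOME/.ssh/authorized_keys. Prints "added", "present" or "rejected";
# returns non-zero only for "rejected".
install_authorized_key() {
    key=$(head -n 1)                     # one key per call; extra lines ignored
    if ! is_pubkey_line "$key"; then
        echo rejected
        return 1
    fi

    # sshd (StrictModes yes, the default) ignores the file unless both the
    # directory and the file are writable by the owner only.
    mkdir -p "$HOME/.ssh"
    chmod 700 "$HOME/.ssh"
    touch "$HOME/.ssh/authorized_keys"
    chmod 600 "$HOME/.ssh/authorized_keys"

    # Deduplicate on key type + key material only, so the same key with a
    # different trailing comment is still recognised as already present.
    # (Lines that start with authorized_keys options are not deduplicated.)
    keyid=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$HOME/.ssh/authorized_keys" | grep -qxF "$keyid"; then
        echo present
        return 0
    fi

    printf '%s\n' "$key" >> "$HOME/.ssh/authorized_keys"
    echo added
}

# Usage from the client, assuming this file was copied to the server as
# ~/install_key.sh (constructed key line, not a real key):
#   cat ~/.ssh/id_rsa_foo.pub | ssh -p 5555 bob@myserver \
#       'sh -c ". ./install_key.sh && install_authorized_key"'
# Run twice, the second run prints "present" and the file keeps one line.
```

The format check is deliberately a syntax check only; it keeps junk (an accidentally pasted private key, a wrapped line) out of authorized_keys but does not prove the key is yours. That proof is the test login from a second terminal described above.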
It’s probably good to have many keys, e.g. one for GitHub, one for Bitbucket, one for your server; if one leaks you only have to replace it in one place. By default ssh only tries its standard identity files (~/.ssh/id_rsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and so on), so we have to tell it which private key to use for which host. This is where the config file comes in handy. While you’re there, IdentitiesOnly yes is worth adding to each Host block: without it ssh offers every key it knows about to every server, which both leaks which keys you own and can get you locked out after too many failed attempts.
The config file lives in ~/.ssh/config. If it’s not there, go ahead and make it, as your own user and without sudo: ssh refuses a config file owned by someone else or writable by others ("Bad owner or permissions").
$ touch ~/.ssh/config
$ chmod 600 ~/.ssh/config
Contents of the file should look something like:
# ~/.ssh/config
Host myserver
    HostName 220.127.116.11
    Port 5555
    IdentityFile ~/.ssh/id_rsa_foo
    User bob
Now, logging in is as easy as:
$ ssh myserver
Add more servers after the first one, if needed:
Host myserver
    HostName 18.104.22.168
    Port 5555
    IdentityFile ~/.ssh/id_rsa_foo
    User bob

Host mysecondserver
    HostName example.net
    Port 6666
    IdentityFile ~/.ssh/id_rsa_bar
    User alice
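As an added example, not part of the original post: two POSIX sh functions around ~/.ssh/config. One appends a Host block like the ones above, setting the permissions ssh insists on and IdentitiesOnly yes so the client offers only that key to that host; the other reads an option back for an alias using first-match lookup, which is how ssh resolves repeated options. The SSH_CONFIG variable is an assumption of this script so it can be pointed at a scratch file; it is not an ssh setting. Real ssh matching also handles wildcards, negation and Match blocks, which this lookup only approximates; ssh -G myserver is the authoritative check.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh and awk.
# SSH_CONFIG is this script's own knob (not an ssh option); it defaults to the
# real file and can be pointed elsewhere for testing.
SSH_CONFIG="${SSH_CONFIG:-$HOME/.ssh/config}"

# add_ssh_host ALIAS HOSTNAME PORT IDENTITYFILE USER
# Appends a Host block; refuses (returns 1) if ALIAS already has one, because
# ssh takes the first value it sees and a second block would be silently dead.
add_ssh_host() {
    name=$1; host=$2; port=$3; identity=$4; user=$5
    dir=$(dirname "$SSH_CONFIG")
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$SSH_CONFIG"
    chmod 600 "$SSH_CONFIG"          # ssh refuses a config writable by others
    if awk -v a="$name" '$1 == "Host" && $2 == a { found = 1 } END { exit !found }' "$SSH_CONFIG"; then
        echo "Host $name is already in $SSH_CONFIG" >&2
        return 1
    fi
    cat >> "$SSH_CONFIG" <<EOF

Host $name
    HostName $host
    Port $port
    User $user
    IdentityFile $identity
    IdentitiesOnly yes
EOF
}

# lookup_ssh_option ALIAS OPTION
# Prints OPTION's value from the first Host block whose pattern is ALIAS or "*".
# Option names are case-insensitive, as in ssh; first match wins, as in ssh.
lookup_ssh_option() {
    awk -v a="$1" -v o="$2" '
        $1 == "Host" {
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == a || $i == "*") inblock = 1
            next
        }
        inblock && !done && tolower($1) == tolower(o) { print $2; done = 1 }
    ' "$SSH_CONFIG"
}

# Usage (the tilde is quoted so the shell leaves its expansion to ssh):
#   add_ssh_host myserver 220.127.116.11 5555 '~/.ssh/id_rsa_foo' bob
#   add_ssh_host mysecondserver example.net 6666 '~/.ssh/id_rsa_bar' alice
#   lookup_ssh_option myserver IdentityFile     # ~/.ssh/id_rsa_foo
```

The duplicate check is the useful part: a second Host myserver block added later does nothing in ssh, so a key rotation that only appends a new block leaves the old key in use without any error.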
If you ever have a whiff of doubt that your key is compromised, make a new one. Rotating means: generate the new key, add its public half to every authorized_keys (and GitHub, Bitbucket, etc.) the old one was in, confirm you can log in with it, then delete the old key’s line from each of those places and the old private key from your machine. Until the old public key is gone from the server, it still works, whoever has it.
Hope this was helpful.
Comments would go here, but the commenting system isn’t ready yet, sorry. Tweet me @hiljaa if you want to make a correction etc.