How to create SSH keys and manage multiple keys
SSH keys give you fast, passwordless logins that are also stronger than passwords, as long as the private half stays on your machine. A config file makes juggling several keys painless.
First step: check for SSH keys
$ ls -al ~/.ssh # This shows all your keys, if there are any
If you don't have an
~/.ssh directory, go ahead and make it. Keep it readable by you alone (mode 700): ssh ignores a private key that other users can read, and sshd ignores an authorized_keys file whose directory is group- or world-writable.
$ mkdir -m 700 ~/.ssh
Second step: set up an SSH key
First, let's make a key. On your local machine, issue:
$ ssh-keygen -t rsa -b 4096
(The rest of this post uses RSA file names. -t ed25519 is a good modern alternative; the steps are the same, only the default file name becomes id_ed25519.)
It'll ask you where to save it. If this is the first key you're making, just hit enter and it'll go in
/Users/hilja/.ssh/id_rsa. If you already have a key and want another, give it a different name, like
/Users/hilja/.ssh/id_rsa_xxx; the name can be anything.
Generating public/private rsa key pair. Enter file in which to save the key (/Users/hilja/.ssh/id_rsa): /Users/hilja/.ssh/id_rsa_xxx
Next it asks for a passphrase. This is not a server password: it encrypts the private key file on disk, and ssh asks for it locally before it can use the key. Leaving it blank is convenient, but it means anyone who copies the file (a stolen laptop, a careless backup) can log in as you. Set one, and let ssh-agent remember it for the session so you still only type it once.
Two files were created:
id_rsa_xxx – the private key. It stays on the local machine and is never copied anywhere.
id_rsa_xxx.pub – the public key. This is the one that goes to your remote server.
You don't normally need to look inside the private key, but if you cat it
$ cat ~/.ssh/id_rsa_xxx
it is a PEM block like the one below. Treat that file like a password: it never goes to the server, into a ticket or into a chat.
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAn5EYBOxjQ6gPDmhQi1P2tQIKRVQc7XjzClkgjfCynAFCXwwj
8U1iBY4jwiD/e7cpHZ6gZzdu3Ty965RktoVB6rAtqh4COGrgR/+TfHqNnqS9jF09
zff3vruhGKoWSMT3PIBei1r7mngVEFbb8fpGZZ7Ey2x1yVY2Ez7XKlh3QgV8EmNE
bDKUwXguUKpXxz6C5vHnbJh1L9Yx+KB5Lll+RBZOLhSGNmqz/CcyPYTiucR64u9E
BiozlC8Oyzx/yiFHGRHLMUcwqQx2zT/AdbVExPx5hh63Gs3lVKEkHZVtaihmMXTb
N+OSmiJZ3eb37b2GQ2Nt4xwzt5sTti/CW4OYLwIDAQABAoIBABivntKsK5M8/c9R
zhwwCjvoq+Qb5jnK+3a/YSz0bv15qGYB/9GGEkMfwWJ4Lm5aYM8HSnONfOZXTl6S
VFe0S43PKUz7Y6GZZ9ZEY49WjmS1K/Xs2i0vfthe3hBlqYxy1gOvBqQdu7crvrwy
9ByPlNVQfxPJpChcyCRRy3c8q6p1A7IakK/ylVht3GKCfv0OxZu5iYnQsF+nwBqu
2zNl2/QnQgr5bV+xLqlDBq3vL8kaA2HSatuG1HRKPwkD9ev9YeV40Az0XJVx0zeU
MRrzz7kCgYEAzuTGEkUiIwMy/tlcPWt8ingrowp9bAtt+zhrTOHa3MCOK0YnRaTe
+2c6JQBpmBaZr/LMLZiXZ6lmDKCA1VeH+h8RCRh8En89y9QTmj3c196DC4d1dh4s
AZwVe2pxNX6xtuxyL3dcxbsxRc/FRcTb8Fr6RmofZenXLXF33kSMulMCgYEAxXCn
q/P37T1bHaimC/aziqMDg1nKCoIRw3cRsLeO7o0eO2PukQmBaBxJpTY8RO2InUJx
PRi61Ylk+foUyEctMVdyK5QUKJUc0diNPBpG+2fR30GPKa3Q62ketftU9MZ6lgZS
d0k1HsAexVjrXJETh/LlfhUq65o/Mvb90EP8RzUCgYEAsS8fqnnmeFG/FJ6V7kvl
RrkPtfu/2g4XzHRPAHLUewW1O75C19QQ2wFWvGWUCRoh2Jt43Pu3fqGGsf2rGAp0
e3Krpjx/1V9/TtZ7Szb7sSvw0qjZoaTJTz+a7i0EcynjjKMGTzxMCVL9Kap8afnj
2f4wJKmx5hfTnil03LecRd0CgYBj7frPSzHGv3Eod71i/MAugQc8Kevama6H8fHg
FhjPqQKBgQCEvylEWoEkAldKvtt2MEbl1MZdaBVS//AukAtCIOn2Lyyj4Xn20ZoO
mBLN6c/4Mcy8K2D2e61J7sx1qAcIE8Ry7XOzkDG7pGztWhJMRSSAWhL0WENLGcfl
kOYqzHLPk7qcX9a/o1MEITR85A1kdfN76FN5lZWq86e2+3xvd3hY7w==
-----END RSA PRIVATE KEY-----
The public file is a single line. The trailing bob@localbob is only a comment (by default user@host of the machine that generated the key) and the server ignores it. This is the one piece that is safe to hand out:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOGfrmloAfkrrigjJjgGjr2aCM0z++bKJk9H6iJHc2jCB8l3T1KNGy+G0V4xe60XFm2i7/CaV4MjAhM9bSXBxxdga2ZlfhDNB4JTs0wanWzJxPqGeiMvLjtjTbGg3nuF1gR5ZLSMs8V4QAtsvAPVR6iE5TnqRtQwgb67OGCuwi44askvtveVXWtgIUsrDYxzfSHfgDPyhNXPMG9Ci7NxltMhiqUiuNkMJxtZ/pktTUJmlwCifQS/1g5YPU/ywPizeyqzoWo7o0pp823LIgiFPN9uyiWdwdB3+Qc7zfcKNYuXxRV5U6Ne3znXQRxiMi05D0jDv682JRE5NQEXF bob@localbob
Third step: copy the key to the remote server
Let's set things up on the remote end next. On the remote machine there is a file
~/.ssh/authorized_keys, one public key per line; we need to put our public key there. There are a few ways to go about this.
Method #1 ssh-copy-id
Probably the most painless of these. The downside is that it may not be installed on OS X (scroll to method #2 if you're on OS X and don't have it).
$ ssh-copy-id bob@example.com
The full syntax goes like:
ssh-copy-id [-i [identity_file]] [user@]machine
So with a custom-named key it would be:
$ ssh-copy-id -i ~/.ssh/id_rsa_xxx.pub bob@example.com
Without -i, ssh-copy-id pushes whatever keys it finds by default, so always name the key when you have several.
Method #2 pipe it over ssh
This is more verbose, but it works everywhere ssh does:
$ cat ~/.ssh/id_rsa_xxx.pub | ssh -p 5555 bob@example.com "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
The chmod calls matter: with the default StrictModes, sshd silently refuses an authorized_keys file that other users could write. Note that a port is specified with
-p 5555; if your ssh is listening on the default port (22) you don't need it.
Method #3 copy and paste
Cat out the public key and copy it (the whole line, it must stay on one line):
$ cat ~/.ssh/id_rsa_xxx.pub
Log in to the remote server and paste it as a new line in
~/.ssh/authorized_keys (create the file, mode 600, if it is missing).
Now it should work. Test it by exiting your box and ssh'ing back in; there should be no password prompt. If you gave the key a custom name, pass it with -i ~/.ssh/id_rsa_xxx for this test, because on its own ssh only tries the default file names (id_rsa, id_ed25519 and so on). The fourth step fixes that permanently.
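The pipe in method #2 appends blindly: run it twice and the key is in authorized_keys twice, paste the wrong file and you have just published a private key. The script below is an added example, not part of the original post, that does the same job defensively: it accepts only a single public-key line, adds a key only if its type and blob are not already present, and sets the 700/600 modes sshd expects. The file paths and key blobs in the demo are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): a safer replacement for
#   cat id_rsa_xxx.pub | ssh host 'cat >> ~/.ssh/authorized_keys'
# Run it on the server against ~/.ssh/authorized_keys.

# is_pubkey_line LINE: succeed only if LINE is "<keytype> <base64> [comment]".
is_pubkey_line() {
    case "$1" in
        -----BEGIN*) return 1 ;;          # a private key was pasted by mistake
    esac
    set -f; set -- $1; set +f             # split into type, blob, comment (no globbing)
    [ "$#" -ge 2 ] || return 1
    case "$1" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$2" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# install_authorized_key LINE FILE: append LINE to FILE unless a key with the
# same type and blob is already there (the comment is ignored, so re-running
# with a renamed key does not duplicate it). FILE is expected to be an
# authorized_keys path; its directory gets mode 700 and the file mode 600,
# which is what sshd's StrictModes check demands.
install_authorized_key() {
    _key=$1
    _file=$2
    is_pubkey_line "$_key" || {
        printf 'refusing to install: not a public key line\n' >&2
        return 1
    }
    _dir=$(dirname -- "$_file")
    mkdir -p -- "$_dir" && chmod 700 "$_dir" || return 1
    [ -e "$_file" ] || : > "$_file"
    chmod 600 "$_file" || return 1
    set -f; set -- $_key; set +f
    if awk -v t="$1" -v b="$2" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$_file"; then
        return 0                          # already present, nothing to do
    fi
    printf '%s\n' "$_key" >> "$_file"
}

# Demo against a scratch directory instead of a real ~/.ssh.
demo() {
    _scratch=$(mktemp -d)
    _ak="$_scratch/.ssh/authorized_keys"
    # constructed sample public keys, not real key material
    _k1='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoDemoDemoDemoDemoDemoDemoDemoDemoDemoDemoD bob@laptop'
    _k2='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDemoDemoDemoDemoDemoDemoDemoDemoDemoDemo bob@desktop'
    install_authorized_key "$_k1" "$_ak"
    install_authorized_key "$_k1" "$_ak"                              # no-op: already there
    install_authorized_key "$_k2" "$_ak"
    install_authorized_key '-----BEGIN RSA PRIVATE KEY-----' "$_ak" || true   # rejected
    printf '%s key(s) in %s, mode %s\n' "$(grep -c '' "$_ak")" "$_ak" "$(ls -ld "$_ak" | cut -c1-10)"
    rm -rf -- "$_scratch"
}

demo
```

To use it for real, copy the script to the server (or paste the two functions into a shell there) and call install_authorized_key with the single line from your id_rsa_xxx.pub and ~/.ssh/authorized_keys. The duplicate check compares only key type and blob, so an existing line with extra options (command=, from=) in front of the key is not matched; the function installs plain key lines only.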
Fourth step: multiple SSH keys
It's good to have many keys, e.g. one for GitHub, one for Bitbucket, one for your server, so that losing one does not expose the rest. But by default ssh only tries its standard file names (id_rsa, id_ed25519 and so on), so a key called
id_rsa_xxx is never offered unless you tell ssh which key belongs to which host. This is where the
config file comes in.
The config file lives in
~/.ssh/config. If it's not there, go ahead and make it (mode 600, like everything else in that directory).
Its contents should look something like:
Host myserver
    HostName example.com
    Port 5555
    User bob
    IdentityFile ~/.ssh/id_rsa_xxx
    IdentitiesOnly yes
Host – an alias of your choosing; this is the name you type to connect
HostName – the IP address or DNS name of the server
Port – the port sshd listens on; leave it out if it is the default 22
User – the user on the server; needed if it differs from your local user name
IdentityFile – where the private key file is
IdentitiesOnly yes – offer only that key, not every key in your agent or default locations; this keeps you under the server's MaxAuthTries and stops each server from seeing the public keys you use elsewhere
Now, logging in is as easy as:
$ ssh myserver
Add more servers after the first one as needed, each with its own key:
Host myserver
    HostName example.com
    Port 5555
    User bob
    IdentityFile ~/.ssh/id_rsa_xxx
    IdentitiesOnly yes

Host mysecondserver
    HostName example.net
    Port 6666
    User slartibartfast
    IdentityFile ~/.ssh/id_rsa_zzz
    IdentitiesOnly yes