Generating Keys with OpenSSH
Generating Public/Private Keys
Keys can be generated with ssh-keygen. In the next example, we use the ED25519 algorithm:
$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/username/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_ed25519
Your public key has been saved in /home/username/.ssh/id_ed25519.pub
The key fingerprint is:
...
The private key will be stored in id_ed25519. WARNING: Never share the private key!
If you provide a passphrase, make sure to write it down securely. WARNING: If you lose the passphrase, the key becomes worthless!
Save the key fingerprint and randomart image to a file; you will use them to verify the key later.
NOTE: You can use ssh-keygen for other keys like RSA or ECDSA keys:
$ ssh-keygen -t rsa -b 4096 -o -a 100
$ ssh-keygen -t ecdsa -a 100
For this article, we assume you generated an ED25519 key. Now, read the public key, ~/.ssh/id_ed25519.pub:
$ cat .ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKKJaexpzvheOmsc+Pv1ekn294Beug2tHgGoYjuXqFk firstname.lastname@example.org
Copy this line.
In another terminal, connect to your server with a password as usual.
On the server, append that SSH public key as a single line to the end of ~/.ssh/authorized_keys.
To verify that you can now log in with the private key, log out by typing Ctrl+D, then log in again:
$ ssh email@example.com
If your private key has no passphrase, you should be logged in without typing any passphrase.
If your private key has a passphrase, your ssh client may prompt you with:
Enter passphrase for key '/home/username/.ssh/id_ed25519':
Type in the passphrase. Afterwards, you should be logged in without typing your normal user password.
NOTE: The key passphrase is not the same as the normal user login password. If your SSH keys have been configured properly, ssh should never ask you for your normal user password.
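The step of adding the public key to ~/.ssh/authorized_keys is where most setups go wrong, so here is one way to do it on the server as an added example (not part of the original article or of OpenSSH). The function name install_pubkey and its optional home-directory argument are assumptions made for illustration; it checks that the pasted text is a public key line, sets the permissions sshd expects, and appends the key only once.

```shell
#!/bin/sh
# Added example. install_pubkey is a hypothetical helper, not an OpenSSH tool.
# Usage: install_pubkey '<contents of id_ed25519.pub>' [home_dir]
install_pubkey() {
    key_line=$1
    ssh_dir=${2:-$HOME}/.ssh
    auth_file=$ssh_dir/authorized_keys
    nl='
'
    # Exactly one line is expected; pasted multi-line text is rejected.
    case $key_line in
        *"$nl"*) echo "install_pubkey: expected a single line" >&2; return 1 ;;
    esac
    # Must look like "<type> <base64> [comment]". This also rejects a private
    # key pasted by mistake, which starts with "-----BEGIN".
    if ! printf '%s\n' "$key_line" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
    then
        echo "install_pubkey: not an OpenSSH public key line" >&2
        return 1
    fi
    # With sshd's default StrictModes, key login is refused when ~/.ssh or
    # authorized_keys is group- or world-writable, so set tight modes.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1
    # Idempotent: an identical line is not added twice.
    if grep -qxF -- "$key_line" "$auth_file"; then
        return 0
    fi
    # If the last line has no trailing newline, add one so the new key does
    # not get glued onto the previous entry.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        printf '\n' >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Demo in a throwaway directory, using the example public key from the article.
demo_home=$(mktemp -d)
install_pubkey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKKJaexpzvheOmsc+Pv1ekn294Beug2tHgGoYjuXqFk firstname.lastname@example.org' "$demo_home"
ls -l "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

On a real server, call it without the second argument so it writes to your own ~/.ssh/authorized_keys.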