Creating an SSH key pair with OpenSSH
Ensure that the directory ~/.ssh exists (where "~" refers to your Unix home directory) before trying to create an ssh key and ensure that it is only readable and writable by yourself, i.e. the output of the command "ls -ld ~/.ssh" should start with "
Using the OpenSSH program suite, a 2048 bit RSA key pair can be created by
The output will be something similar to:
The private key
The private key file (called id_rsa in the example above) needs to be kept secret and well-protected by the user who uses it to identify herself. It is handy to store the corresponding public key along with the private key for easy access (e.g. when you have to provide it to a service provider).
Private key files are sensitive
It is recommended (though not strictly required) to protect the private key file with a passphrase. The important point to keep in mind is that whoever manages to get hold of the private key file will be able to access the service protected by the key (e.g. the subversion repository account) with your user privileges, if the private key file is not protected by a passphrase.
Additionally or alternatively, the directory containing the private key file can be encrypted. All modern operating systems support transparent directory encryption. How to configure directory encryption depends on your operating system and is beyond the scope of this HOWTO. If unsure, ask your IT support group.
The public key
The public key file is the entity that is exchanged between the user and the service provider (e.g. the subversion administrator in the case where the service provided is access to a subversion repository). If generated via OpenSSH, it usually ends in .pub (see example above) and looks something like:
Note that the first and second fields must not be changed. Only the third field (xxx@yyy) can be changed deliberately, since it is a comment relevant only to the human reader, but irrelevant to the machine.
Fingerprints can help you identify keys
If you are ever in doubt whether you have the right public key, call
on the public key file (id_rsa.pub in this example). The output will look something like:
The first field will show the length of the key (2048 bit in this case), the second field is the fingerprint of the key. The fingerprints of the two keys are what you should compare if you are unsure whether the two keys are the same.
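As an added illustration (not part of the original HOWTO and not OpenSSH code), the following Python example shows why only the comment field of a public key line may be edited: the fingerprint is a hash over the decoded second field, which itself repeats the key type and carries the key length. The sample key line is constructed for the example and is not a usable key; all function names are hypothetical.

```python
import base64, hashlib, struct

def mpint(n):
    # SSH "mpint": big-endian, with a leading zero byte when the top bit would be set
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

def constructed_line(comment, tweak=0):
    # Constructed sample: a 2048-bit number standing in for a modulus, NOT a usable key
    n = (1 << 2047) | int.from_bytes(hashlib.sha256(b"constructed").digest(), "big") | 1
    n += 2 * tweak
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def read_fields(blob):
    # Split the decoded second field into its length-prefixed parts
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields

def inspect_public_key(line):
    """Return (bits, fingerprint, comment) for one line of a .pub file."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("need key type and key data")
    key_type, comment = parts[0], parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(parts[1], validate=True)
    fields = read_fields(blob)
    # The first text field must agree with the type stored inside the key data
    if key_type != "ssh-rsa" or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not a consistent ssh-rsa public key")
    bits = int.from_bytes(fields[2], "big").bit_length()
    # Current OpenSSH prints SHA256 over the decoded key data, base64 without padding
    digest = hashlib.sha256(blob).digest()
    return bits, "SHA256:" + base64.b64encode(digest).decode().rstrip("="), comment

if __name__ == "__main__":
    for c in ("xxx@yyy", "renamed comment"):
        print(*inspect_public_key(constructed_line(c)))
```

Both printed lines carry the same length and fingerprint and differ only in the comment, while any change to the first or second field is either rejected or yields a different fingerprint.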
Fingerprints can help you compare keys
The same trick works on private RSA key files, too. Thus if you want to know whether a private and a public key match, type
and compare the output.
Public keys can be derived from private keys
If you have lost the public key file but still have the private key file, the public key can easily be reconstructed from the private key file by