
Creating an SSH key pair with OpenSSH

These instructions are suitable for Linux, Mac and Cygwin users. Windows users should use the PuTTY application instead; see Generating SSH keys with PuTTYgen in our Windows area.

Before creating a key, make sure that the directory ~/.ssh exists (where "~" refers to your Unix home directory) and that it is readable, writable and searchable only by yourself: the output of the command "ls -ld ~/.ssh" must start with "drwx------" (mode 0700) and show you as the owner. If the directory is missing, create it and set that mode before running ssh-keygen.
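The "ls -ld ~/.ssh" check above, as an added example that is not part of the original HOWTO: a small Python audit that reports the same problems (missing directory, wrong owner, mode more open than 0700, private key file more open than 0600) and a helper that creates and tightens the directory. The directory path and the list of private key names are parameters, so it runs against a throwaway temporary directory as well as against your real ~/.ssh.

```python
import os
import stat
import tempfile

# Added example, not part of the original HOWTO.
EXPECTED_DIR_MODE = 0o700   # drwx------ , what "ls -ld ~/.ssh" must show
EXPECTED_KEY_MODE = 0o600   # -rw------- , what ssh-keygen gives a private key


def ssh_dir_problems(ssh_dir, private_keys=("id_rsa",)):
    """Return a list of human-readable problems; an empty list means all is well."""
    problems = []
    try:
        st = os.stat(ssh_dir)
    except FileNotFoundError:
        return [f"{ssh_dir} does not exist; create it with mode 0700"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{ssh_dir} is not a directory"]
    if st.st_uid != os.getuid():
        problems.append(f"{ssh_dir} is not owned by you")
    dir_mode = stat.S_IMODE(st.st_mode)
    if dir_mode & 0o077:  # any group/other bit set means "not drwx------"
        problems.append(f"{ssh_dir} is accessible to other users (mode {dir_mode:04o}, want 0700)")
    for name in private_keys:
        path = os.path.join(ssh_dir, name)
        if not os.path.exists(path):
            continue  # no key generated yet, nothing to check
        key_mode = stat.S_IMODE(os.stat(path).st_mode)
        if key_mode & 0o077:
            problems.append(f"{path} is readable by others (mode {key_mode:04o}, want 0600)")
    return problems


def fix_ssh_dir(ssh_dir):
    """Create the directory if it is missing and tighten its mode (mkdir -p + chmod 700)."""
    os.makedirs(ssh_dir, mode=EXPECTED_DIR_MODE, exist_ok=True)
    os.chmod(ssh_dir, EXPECTED_DIR_MODE)


def demo():
    """Walk through missing -> too open -> fixed in a temporary directory.

    Returns the number of problems found at each of the three stages.
    """
    with tempfile.TemporaryDirectory() as tmp:
        d = os.path.join(tmp, ".ssh")
        missing = len(ssh_dir_problems(d))
        fix_ssh_dir(d)
        os.chmod(d, 0o755)                       # simulate a sloppy "mkdir ~/.ssh"
        with open(os.path.join(d, "id_rsa"), "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(os.path.join(d, "id_rsa"), 0o644)  # and a key file others can read
        too_open = len(ssh_dir_problems(d))
        fix_ssh_dir(d)
        os.chmod(os.path.join(d, "id_rsa"), EXPECTED_KEY_MODE)
        fixed = len(ssh_dir_problems(d))
    return missing, too_open, fixed


if __name__ == "__main__":
    print(ssh_dir_problems(os.path.expanduser("~/.ssh")))
    print(demo())
```

Run it without arguments to audit your own ~/.ssh; demo() shows the three states on a temporary directory. The private key check matters because OpenSSH ignores a private key file that other users can read.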

Using the OpenSSH program suite, a 2048 bit RSA key pair is created with the command below. The -f option names the private key file; the public key is written next to it with .pub appended. 2048 bits is the minimum you should use for RSA today; -b 4096 gives a larger key at no extra effort, and current OpenSSH releases also offer the shorter and faster -t ed25519 key type.

$ ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa

The output will be similar to the following (the "saved in" lines show the full path you gave to -f; the fingerprint is shown in the MD5 colon-hex format of older OpenSSH releases, newer ones print SHA256:<base64> by default):

Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
5d:0d:2b:c7:44:2c:6c:39:f6:09:9c:55:3e:5f:9b:bf xxx@yyy

The private key

The private key file (called id_rsa in the example above) must be kept secret and well protected by its owner, since it is what identifies that user to the service. It is handy to keep the corresponding public key next to it for easy access (e.g. when you have to provide it to a service provider); unlike the private key, the public key does not need to be kept secret.

Private key files are sensitive

Protecting the private key file with a passphrase is strongly recommended, though not strictly required. The important point to keep in mind is that whoever gets hold of an unprotected private key file can access every service that trusts the key (e.g. the subversion repository account) with your user privileges, without knowing any password. A passphrase encrypts the file, so a thief must first guess the passphrase; this buys time but does not make the loss harmless. If a private key file may have been copied, have the corresponding public key removed from the services that trust it and generate a new pair. Keep the file at mode 0600 (the mode ssh-keygen gives it); OpenSSH refuses to use a private key file that other users can read.

Additionally or alternatively the directory containing the private key file can be encrypted. All modern operating systems support transparent directory encryption. How to configure directory encryption depends on your operating system and is beyond the scope of this HOWTO. If unsure, ask your IT support group.

The public key

The public key file is the entity that is exchanged between the user and the service provider (e.g. the subversion administrator in the case where the service provided is access to a subversion repository). If generated via OpenSSH, it usually ends in .pub (see example above) and consists of a single line of three space-separated fields: the key type, the base64-encoded key itself, and a comment. It looks something like (one line, shown here unbroken because a line break inside the key makes it unusable):

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2KZp+OEKJu4IYC81ydFG4P/tVYJondVrKIEznxonQ8EEhdlYlhGLHrqcBB+il8lCWVsuHRakTEmuh3v3TAWkFlOhs1oRCkx+Gc3sXl86H0hj5meCddVjVV+FeVLRtuCahh6H6pt4USZtK/g+K3p5w5Pyao1B1ZESr1cdqIX30r2Nnj/fCJ54A9TuvNSwRsqISQ/PPmCT00oAHusBtKqU1f6QaD3CrtsejHYBYPiomOQRRcRdk0Jyrf/o5sgLs53zLdgw8dn7xuQ14YBQxY9+StqlSuTzyET9EB6CDHsoRbx/L5pXhId/LCrWYk7qsxRrc0xMmTQ7hDgQsy4qwoXtIw== xxx@yyy

Note that the first and second field must not be changed: the first names the key type and the second is the encoded key, which repeats the key type and carries the RSA parameters, so the two must agree. Only the third field (xxx@yyy) may be changed deliberately, since it is a comment relevant only to the human reader and is ignored by the machine.

Fingerprints can help you identify keys

If you are ever in doubt whether you have the right public key, call

$ ssh-keygen -l -f id_rsa.pub

on the public key file (id_rsa.pub in this example). On older OpenSSH releases the output will look something like:

2048 5d:0d:2b:c7:44:2c:6c:39:f6:09:9c:55:3e:5f:9b:bf id_rsa.pub

The first field shows the length of the key (2048 bit in this case) and the second field is the fingerprint, a hash of the encoded key data (the second field of the .pub line), so it does not change when the comment is edited. Current OpenSSH releases print the fingerprint as SHA256:<base64> followed by the key type in parentheses; add -E md5 to ssh-keygen -l to get the older colon-separated form shown above. The fingerprints are what you should compare if you are unsure whether two key files contain the same key; compare the whole fingerprint, not just its first few characters.
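Both points above, the three-field layout of the .pub line and what the fingerprint actually hashes, as an added example that is not part of the original HOWTO. The parser below decodes an OpenSSH ssh-rsa public key line the way ssh-keygen reads it (type field, then the base64 blob holding the type again, the exponent e and the modulus n as length-prefixed fields), checks that the outer type field and the encoded type agree, reports the key length, and computes both fingerprint formats ssh-keygen -l prints (the MD5 colon-hex form and the SHA256 form). The embedded key line is the one shown on this page; the comment values and the tampered type "ssh-dss" in the checks are constructed for the demonstration.

```python
import base64
import hashlib
import struct

# Added example, not part of the original HOWTO. PAGE_KEY is the public key line
# shown on this page (comment xxx@yyy is the page's placeholder).
PAGE_KEY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABIwAAAQEA2KZp+OEKJu4IYC81ydFG4P/tVYJondVrKIEznxonQ8EEhdlY"
    "lhGLHrqcBB+il8lCWVsuHRakTEmuh3v3TAWkFlOhs1oRCkx+Gc3sXl86H0hj5meCddVjVV+FeVLRtuCahh6H"
    "6pt4USZtK/g+K3p5w5Pyao1B1ZESr1cdqIX30r2Nnj/fCJ54A9TuvNSwRsqISQ/PPmCT00oAHusBtKqU1f6Q"
    "aD3CrtsejHYBYPiomOQRRcRdk0Jyrf/o5sgLs53zLdgw8dn7xuQ14YBQxY9+StqlSuTzyET9EB6CDHsoRbx/"
    "L5pXhId/LCrWYk7qsxRrc0xMmTQ7hDgQsy4qwoXtIw== xxx@yyy"
)


def _read_string(blob, pos):
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos:pos + length], pos + length


def parse_pubkey_line(line):
    """Split an id_rsa.pub / authorized_keys line into its parts and decode the RSA blob."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # a stray character or line break is an error
    inner_type, pos = _read_string(blob, 0)
    if inner_type.decode("ascii") != key_type:
        raise ValueError(f"type field {key_type!r} does not match encoded type {inner_type!r}")
    if key_type != "ssh-rsa":
        raise ValueError("this example only decodes ssh-rsa keys")
    e_bytes, pos = _read_string(blob, pos)  # public exponent e (mpint)
    n_bytes, pos = _read_string(blob, pos)  # modulus n (mpint; a leading 0x00 keeps it positive)
    if pos != len(blob):
        raise ValueError("trailing data after the modulus")
    n = int.from_bytes(n_bytes, "big")
    return {
        "type": key_type,
        "e": int.from_bytes(e_bytes, "big"),
        "bits": n.bit_length(),  # the first field ssh-keygen -l prints
        "comment": comment,
        # ssh-keygen hashes the decoded blob, never the comment:
        "md5": ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest()),
        "sha256": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
    }


def fingerprint_independent_of_comment(line, new_comment):
    """True if rewriting the third field leaves the fingerprint untouched."""
    parts = line.strip().split(None, 2)
    rewritten = f"{parts[0]} {parts[1]} {new_comment}"
    return parse_pubkey_line(rewritten)["md5"] == parse_pubkey_line(line)["md5"]


def type_field_mismatch_detected(line):
    """True if tampering with the first field (ssh-rsa -> ssh-dss) is rejected."""
    tampered = line.replace("ssh-rsa", "ssh-dss", 1)
    try:
        parse_pubkey_line(tampered)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    info = parse_pubkey_line(PAGE_KEY)
    print(info["bits"], info["md5"], info["comment"])
    print(info["sha256"])
    print("comment change keeps fingerprint:", fingerprint_independent_of_comment(PAGE_KEY, "alice@laptop"))
    print("type tampering detected:", type_field_mismatch_detected(PAGE_KEY))
```

To cross-check it against the real tool, run "ssh-keygen -l -E md5 -f id_rsa.pub" and "ssh-keygen -l -f id_rsa.pub" on the same line; the md5 and sha256 values computed here are the fingerprints those commands print.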


Fingerprints can help you compare keys

The same trick works on private RSA key files, too, since ssh-keygen extracts the public part from the private key file and fingerprints that. Thus if you want to know whether a private and a public key match, type

$ ssh-keygen -l -f id_rsa ; ssh-keygen -l -f id_rsa.pub

and compare the two fingerprints; they are identical exactly when the two files belong to the same key pair.


Public keys can be derived from private keys

If you have lost the public key file but still have the private key file, the public key can be reconstructed from the private key file with the command below. It prints the public key line to standard output (asking for the passphrase if the key has one); redirect it into a new id_rsa.pub file and check the result with ssh-keygen -l as described above.

$ ssh-keygen -y -f id_rsa