Ssh Keygen G3

Generate ssh key without any arguments. You can execute ssh-keygen without any arguments. Ssh-keygen supports signing of keys to produce certificates that may be used for user or host authentication. Certificates consist of a public key, some identity information, zero or more principal (user or host) names and a set of options that are signed by a Certification Authority (CA) key.

Did you know you can passwordless SSH? Here's how, and how to decide whether you should.

If you interact regularly with SSH commands and remote hosts, you may find that using a key pair instead of passwords can be convenient. Instead of the remote system prompting for a password with each connection, authentication can be automatically negotiated using a public and private key pair.

  • Ssh-keygen-g3 commandline tool Alternatively, you can use the ssh-keygen-g3 tool to generate the key on the command line. See 'man ssh-keygen-g3' for the available.
  • The Tectia ssh-keygen-g3 utility (in FIPS mode) will not allow key pair generation with an empty passphrase. This led to our testing the Tectia software with passphrases. I do not need a work-around immediately, since I am working to meet currently draft standards that do not yet have an announced implementation date.

The private key remains secure on your own workstation, and the public key gets placed in a specific location on each remote system that you access. Your private key may be secured locally with a passphrase. A local caching program such as ssh-agent or gnome-keyring allows you to enter that passphrase periodically, instead of each time you use the key to access a remote system.

[ Free download: Advanced Linux commands cheat sheet. ]

Generating a key pair and propagating the public key

Generating your key pair and propagating your public key is simpler than it sounds. Let’s walk through it.

Generating the key

The minimum effort to generate a key pair involves running the ssh-keygen command, and choosing the defaults at all the prompts:

The default location to store the keys is in the ~/.ssh directory, which will be created if it does not exist:

Allowing this command to create the directory also ensures that the owner and permissions are set correctly. Some applications will not use keys if the permissions to the private key are too open.

The file ending in .pub is the public key that needs to be transferred to the remote systems. It is a file containing a single line: The protocol, the key, and an email used as an identifier. Options for the ssh-keygen command allow you to specify a different identifier:

After generating the key pair, the ssh-keygen command also displays the fingerprint and randomart image that are unique to this key. This information can be shared with other people who may need to verify your public key.

Ssh keygen g3 downloadSsh Keygen G3

Later you can view these with:

The -l option lists the fingerprint, and the -v option adds the ASCII art.

Propagating the public key to a remote system

If password authentication is currently enabled, then the easiest way to transfer the public key to the remote host is with the ssh-copy-id command. If you used the default name for the key all you need to specify is the remote user and host:

Following the instructions from the output, verify that you can connect using the key pair. If you implemented a passphrase, you will be prompted for the passphrase to use the private key:

Examine the resulting authorized key file. This is where the public key was appended. If the directory or file did not exist, then it was (or they were) created with the correct ownership and permissions. Each line is a single authorized public key:

To revoke access for this key pair, remove the line for the public key.

There are many other options that can be added to this line in the authorized key file to control access. These options are usually used by administrators placing the public keys on a system with restrictions. These restrictions may include where the connection may originate, what command(s) may be run, and even a date indicating when to stop accepting this key. These and more options are listed in the sshd man page.

Changing the passphrase

If you need to change a passphrase on your private key or if you initially set an empty passphrase and want that protection at a later time, use the ssh-keygen command with the -p option:

You can add additional options to specify the key (-f), and the old (-P) or new (-N) passphrases on the command line. Remember that any passwords specified on the command line will be saved in your shell history.

See the ssh-keygen man page for additional options.

Rotating keys

While the public key by itself is meant to be shared, keep in mind that if someone obtains your private key, they can then use that to access all systems that have the public key. These key pairs also do not have a period of validity like GNU Privacy Guard (GPG) keys or public key infrastructure (PKI) certificates.

If you have any reason to suspect that a private key has been stolen or otherwise compromised, you should replace that key pair. The old public key has to be removed from all systems, a new key has to be generated with ssh-keygen, and the new public key has to be transferred to the desired remote systems.

If you are rotating keys as a precaution and without any concern of compromise, you can use the old key pair to authenticate the transfer of the new public key before removing the old key.

Is using empty passphrases ever a good idea?

There are several things to think about when considering an empty passphrase for your SSH private key.

How secure is the private key file?

If you tend to work from multiple client systems and want to either have multiple copies of your key or keep a copy on removable media, then it really is a good idea to have a passphrase on the private key. This practice is in addition to protecting access to the key file with encrypted media.

However, if you have only one copy of the private key and it is kept on a system that is well secured and not shared, then having a passphrase is simply one more level of protection just in case.

Remember that changing the passphrase on one copy does not change the passphrase on other copies. The passphrase is simply locking access to a specific key file.

Why do think you need an empty passphrase?

Keygen

There are cases for keys with empty passphrases. Some utilities that need to automatically transfer files between systems need a passwordless method to authenticate. The kdump utility, when configured to dump the kernel to a remote system using SSH, is one example.

Another common use is to generate a key pair for a script that is designed to run unattended, such as from a cron job.

How about a middle ground alternative?

By itself, a passphrase-protected private key requires the passphrase to be entered each time the key is used. This setup does not feel like passwordless SSH. However, there are caching mechanisms that allow you to enter the key passphrase once and then use the key over and over without reentering that passphrase.

More Linux resources

OpenSSH comes with an ssh-agent daemon and an ssh-add utility to cache the unlocked private key. The GNOME desktop also has a keyring daemon that stores passwords and secrets but also implements an SSH agent.

The lifetime of the cached key can be configured with each of the agents or when the key is added. In many cases, it defaults to an unlimited lifetime, but the cache is cleared when the user logs out of the system. You will be prompted for the passphrase only once per login session.

If there is a scheduled application that needs to run outside of a user login session, it may be possible to use a secret or other password manager to automate the unlocking of the key. For example, Ansible Tower stores credentials in a secure database. This database includes an SSH private key used to connect to the remote systems (managed nodes), and any passphrases necessary for those private keys. Once those credentials are stored, a job can be scheduled to run a playbook on a regular schedule.

Automating propagation

A centralized identity manager such as FreeIPA can assist with key propagation. Upload the public key to the server as an attribute of a user account, and then propagate it to the hosts in the domain as needed. FreeIPA can also provide additional host-based access control for where a key may be used.

Keys can also be distributed using Ansible modules. The openssh_keypair module uses ssh-keygen to generate keys and the authorized_key module adds and removes SSH authorized keys for particular user accounts.

Wrapping up

SSH key pairs are only one way to automate authentication without passwords. Using the Generic Security Services Application Program Interface (GSSAPI) authentication is also common when trying to reduce the use of passwords on a network with centralized user management. SSH key pairs are the easier option to implement when single sign-on (SSO) is not already available.

Many source code repositories grant access using SSH keys. You can upload a public key to an account in the hosting organization such as the Fedora Account System, GitLab, or GitHub sites and use that key pair to authenticate when pulling and pushing content to repositories.

On Demand: Red Hat Summit 2021 Virtual Experience

Relive our April event with demos, keynotes, and technical sessions from
experts, and sign up to attend breakout sessions June 15–16.

Related Content

SSH Frequently Asked Questions

How do I get publickey user authentication to work?

The first thing to understand is that there is no one answer to thisquestion. The SSH protocol only specifies the syntax and semantics ofmessages passed on the network ('over the wire') between an SSH client andserver. It says nothing at all about host-dependent issues, such as howpublic keys may be encoded in files, or how to indicate that the holder ofa particular public key is authorized to log into a particular account.As a result, these issues vary from one implementation to another — andmay get especially interesting when connecting from one implementation toanother.

First, let's understand how publickey user authentication works ingeneral. In the SSH protocol, a client may make two different requestswith regard to publickey authentication. The first is a probe request: itsimply asks whether a given public key is authorized to access a givenaccount. The second is an actual authentication attempt: it includes adigital signature generated by the client, which should convince theserver that the client possesses the private component of the given publickey. The first form exists because generating a digital signature is acomputationally expensive operation, so if a client has several differentkeys available, it is better to test them first and only attemptauthentication for those keys which are authorized for login on theserver.

From this description, we can see that the client needs the privatekey, while the server needs the corresponding public key. While thepublic and private keys are usually written to a pair of files whengenerating a key, these files need not always be copied as a pairtogether, and in fact often should not be. For instance, there is no needto have a copy of your private key on a remote host, and you may not wantit exposed there if that host is less trusted than the local one.

Another point about key pairs: from following 'recipes' for setting uppublickey authentication, people sometimes get the idea that they mustrepeat this entire process for every client/host pair — that is, that youneed a separate key pair for each remote host. While you can dothat, it's not necessary; a single key may be authorized to log into manydifferent hosts.

Username

OpenSSH client and server

Let's take the most common case: the client and server SSH software areboth OpenSSH. To generate a key pair on the client:

This generates a new RSA private key and places it in the defaultlocation, ~/.ssh/id_rsa. ssh-keygen saves the corresponding public key in~/.ssh/id_rsa.pub; you can recover this at any time from the private keywith ssh-keygen -y -f private-key-file. OpenSSH trieskeys in this and the other default location (~/.ssh/id_dsa) automaticallyduring client authentication. You can change this using the IdentityFileoption in ~/.ssh/config.

SSH protects your private key by encrypting it with the passphrase yousupply; you will need to supply the passphrase whenever the key needs tobe loaded from that file. You may be tempted to leave it blank to makethings easier; don't do it. There is a tool that gives the sameconvenience without completely compromising your key: ssh-agent. See this discussion for more details.

Now that you have a key, you need to authorize it to log into your accounton the remote host, let's say account pat on the hostremote. When asked to log into the account pat, the OpenSSHserver (sshd) on remote looks in a particular file for a list ofpublic keys authorized for the account:~pat/.ssh/authorized_keys. So, in order to authorize your newkey, you can copy id_rsa.pub to remote (e.g. using scp), and appendits contents to the authorized_keys file. Note that each public key isrepresented on a single line, usually quite long, like this:

Openssh - How Do I Convert A Ssh-keygen Public Key Into A ...

If you use a text editor, take care that it doesn't break the lines inthis file. Once you have added the key to authorized_keys, there is noneed to keep the id_rsa.pub file around. Also note that there isnever a need to copy the private key file (id_rsa) to the serverjust for authentication to work; in fact, you would not generally want to.If you need further authentication from that host, consider usingssh-agent together with agent forwarding to get this effect.

File and Directory Permissions

Here's an issue that frequently trips people up: by default, sshd hasrequirements for the permissions on the authorized_keys file, as well asits containing directory ~/.ssh, and the home directory.Specifically, none of these may be writable by any uid except the owner orroot. That means the most permissive modes you can have here are:

The reason for caring about the directory permissions, is that it doesn'tdo much good to protect the authorized_keys file, if someone else cansimply delete it and create a new one (by modifying the containingdirectories).

Try it!

Once everything is in place, try ssh pat@remote and see whathappens. You can omit the 'pat@' part if the local and remote accountnames are both the same. OpenSSH should prompt for your key passphrase,then log you into the remote host. If you have trouble, see our debugging hints. The ssh -v outputfrom a successful authentication will look like:

Server Host Keys

One source of occasional confusion, is that two different kinds ofauthentication take place with each SSH connection: server, and client.Here we are dealing with client (or user) authentication, but theclient also authenticates the server first, and this usually also entailssome keys called the server's hostkeys. In client authenticationwe have seen that the private key is on the client and the public key onthe server. With server authentication, then, the roles are reversed: theserver's private hostkeys are on the server (usually in /etc/ssh/), andthe user needs copies of the public hostkeys in order to authenticate theserver; these are kept in ~/.ssh/known_hosts. Be careful to distinguishbetween these: the hostkeys and known_hosts file have nothing to do withpublickey client authentication..

Tectia SSH (ssh.com)

SSH Communications Security (ssh.com) sells a suite of SSH software calledTectia. The concepts here are the same; only the detailsdiffer, such as file names and formats. Tectia also keeps key pairs infoo/foo.pub files, in the directory ~/.ssh2, and you can create them withthe Tectia version of ssh-keygen. On the server, there is a file~/.ssh2/authorization, which contains lines referring to authorized publickeys in separate files, rather than the keys themselves. E.g.:

Tectia has the same default requirements on server file permissions as thosementioned above for OpenSSH.

Mixing Implementations

You Can Use Expect To Send The 'enter' For You Cat Test.sh #!/bin/bash Set -x XYZ=$(expect -c ' Spawn Ssh-keygen -b 2048 -t Rsa -f /tmp/sshkey -q E...

Since the file formats used by OpenSSH and Tectia (and other SSH software)may differ, you usually have to convert key files from one format toanother when connecting between implementations. For example:
  • To convert a Tectia public key for use on an OpenSSH server:
    • OpenSSH: ssh-keygen -i -f [filename].
  • To convert an OpenSSH public key for use on a Tectia server:
    • OpenSSH: ssh-keygen -e -f [filename].
    • Tectia: ssh-keygen --import-public-key [infile] [outfile]
  • To convert a Tectia private key for use by an OpenSSH client:
    • OpenSSH: ssh-keygen -i -f [filename] (Tectia key must be unencrypted)
  • To convert an OpenSSH private key for use by a Tectia client:
    • Tectia: ssh-keygen --import-private-key [infile] [outfile] (OpenSSH key must be unencrypted)