SSH keys: Linux, Mac OS X, Cygwin, and other UNIX variants

From CELS IT Wiki

Generate keys

The "ssh-keygen" command creates keys. It has many options; we recommend that you run it this way:

ssh-keygen -t rsa -b 2048

This will create and store keys in your ~/.ssh directory. It will overwrite any existing keys as well. The default keytype in MCS is RSA for SSH 2. To generate this key (id_rsa), simply type "ssh-keygen -t rsa -b 2048" and follow the prompts. Example:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/some/path/.ssh/id_rsa):

Just accept the default here unless you have a good reason not to. This will put your key in ~/.ssh/id_rsa and your public key in ~/.ssh/id_rsa.pub. The rest of these instructions assume that's what you've done.

Enter passphrase (empty for no passphrase): 

We require the use of a passphrase. There are a very limited number of circumstances where a key without a passphrase is acceptable. If you are in doubt, ask us.

Enter same passphrase again:

We require SSH2.

Some machines may put these files in a different spot. If this is the case, make a note of where it puts them and what it names them. The id_rsa (and, if they exist, id_dsa or identity) file is your private key. Keep it secret, keep it safe.
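As an added check that is not part of the original wiki page, the following POSIX shell script verifies the two properties of your private key file that the instructions above depend on: that it is protected by a passphrase, and that only you can read it. It recognises both the native OpenSSH private key format (the decoded header names the cipher, and "none" means no passphrase) and the older PEM format (a "Proc-Type: 4,ENCRYPTED" header). The function names are my own, and the sample key files the script builds are constructed header-only stand-ins, not real keys.

```shell
#!/bin/sh
# Added example: verify that a private SSH key is passphrase-protected and
# readable only by its owner. Function names and sample data are constructed
# for this example; they are not part of OpenSSH or of the wiki's instructions.

# Return 0 if the private key in $1 is encrypted with a passphrase.
key_is_encrypted() {
    f=$1
    # Legacy PEM format (e.g. ssh-keygen -m PEM): an encrypted key carries
    # a "Proc-Type: 4,ENCRYPTED" header line.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        return 0
    fi
    # Native OpenSSH format: the base64 body decodes to the magic string
    # "openssh-key-v1\0" followed by a length-prefixed cipher name.
    # The cipher name is "none" when the key has no passphrase.
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
        cipher=$(sed '/^-----/d' "$f" | tr -d '\n' | base64 -d 2>/dev/null \
                 | head -c 64 | LC_ALL=C tr -c '[:print:]' ' ' | awk '{print $2}')
        if [ -n "$cipher" ] && [ "$cipher" != none ]; then
            return 0
        fi
    fi
    return 1   # unencrypted, or a format this check does not understand
}

# Return 0 if the group and world permission bits are all clear (mode 600 or 400).
key_perms_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Report on one key file; return 0 only if both checks pass, 2 if it is missing.
check_key() {
    f=$1
    [ -f "$f" ] || { echo "MISSING  $f"; return 2; }
    status=0
    if key_is_encrypted "$f"; then
        echo "OK    passphrase-protected:   $f"
    else
        echo "FAIL  no passphrase:          $f"; status=1
    fi
    if key_perms_private "$f"; then
        echo "OK    owner-only permissions: $f"
    else
        echo "FAIL  group/world-readable:   $f"; status=1
    fi
    return $status
}

# --- Constructed sample keys (header bytes only, not usable keys) -----------

# Write a file with the structure of an OpenSSH-format private key whose
# header names cipher $2 ("aes256-ctr" for a passphrase, "none" without one).
make_sample_openssh_key() {
    path=$1; cipher=$2
    len=$(printf '%03o' "${#cipher}")
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        {
            printf 'openssh-key-v1\000'      # magic string, NUL-terminated
            printf '\000\000\000'            # high bytes of the 32-bit length
            printf "\\$len"                  # low byte: length of the cipher name
            printf '%s' "$cipher"            # cipher name
            printf '\000\000\000\006bcrypt'  # kdf name (not inspected here)
        } | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$path"
    chmod 600 "$path"
}

# Write a file with the headers of an encrypted legacy PEM private key.
make_sample_pem_key() {
    path=$1
    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        echo 'Proc-Type: 4,ENCRYPTED'
        echo 'DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF'
        echo ''
        echo 'PLACEHOLDER-BODY-NOT-A-REAL-KEY'
        echo '-----END RSA PRIVATE KEY-----'
    } > "$path"
    chmod 600 "$path"
}

# Demo on the constructed samples. To check a real key run: check_key ~/.ssh/id_rsa
tmp=$(mktemp -d)
make_sample_openssh_key "$tmp/id_rsa_with_passphrase" aes256-ctr
make_sample_openssh_key "$tmp/id_rsa_no_passphrase" none
chmod 644 "$tmp/id_rsa_no_passphrase"    # also world-readable: a second failure
make_sample_pem_key "$tmp/id_rsa_legacy_pem"
for k in "$tmp"/id_rsa_*; do check_key "$k"; done
rm -rf "$tmp"
```

Run it as-is to see the three sample verdicts, or source it and call check_key on the key you just generated. A "none" cipher in the OpenSSH header is exactly what an empty passphrase at the ssh-keygen prompt produces, so the first check is a direct test of the passphrase requirement above; the permission check matters because sshd and ssh refuse keys and files that other users can read.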

Add your key to MCS account profile

Login to https://accounts.mcs.anl.gov and click the "Add New SSH Public Key" button for each key you want to add.

If you used the defaults, you can see your key from a command line which you can copy and paste into the accounts page:

cat ~/.ssh/id_rsa.pub


Using your ssh-key

  • If your key files are in your ~/.ssh folder (the default), type:
    • ssh username@login.mcs.anl.gov
  • If your key files are somewhere else, give the path to the private key:
    • ssh -i path/to/private/ssh-key username@login.mcs.anl.gov

(Optional): Agents

If you run an ssh-agent, it will remember the passphrase for your key while it's running.

If you log in to an MCS Linux workstation locally through X Windows, an agent is launched automatically. If not, you can launch one and load its settings into your current shell by running:

eval "$(ssh-agent -s)"

To add your keys to the agent:

ssh-add

If your keys have a non-standard name or path, pass the full path to the private key file as an argument to ssh-add.

You will be asked for the passphrase for your .ssh/id_rsa (and .ssh/id_dsa, if applicable).

Now you can ssh to other machines that have your public key without being prompted for a password or passphrase.

Mac OS X Leopard (10.5) and newer have a built-in ssh-agent and key management through the Keychain.

Earlier Mac OS users can use GUI tools such as the following to manage keys and agents:
