How to use SSH keys
First we need to create our SSH key pair to use this feature. Later we can add our public key to the list of authorized keys to grant access using our key. Optionally we can use an SSH authentication agent to securely remember our key so we won't have to reenter the passphrase each time we login to a host.
Generate SSH key-pair (ed25519)
First we need to generate an SSH key-pair. We will use the
ed25519 algorithm, which is both fast and secure.
Open a terminal and enter or paste the text below. Replace the last parameter with your email address (preferably your D-PHYS mail address).
ssh-keygen -t ed25519 -C "firstname.lastname@example.org"
This creates a new ssh key pair:
Generating public/private ed25519 key pair.
When prompted to enter a file name, press Enter. This accepts the default file location.
Enter file in which to save the key (/home/rda/.ssh/id_ed25519): [Enter]
At the prompt, type a secure passphrase. For more information on secure passphrases see How to handle passwords. You can use an authentication agent so that you won't have to re-enter your passphrase every time you use your SSH keys (see Use an SSH agent below).
Enter passphrase (empty for no passphrase): [Type a passphrase] Enter same passphrase again: [Type passphrase again]
Now let's see what we have created:
user@host:~$ cd ~/.ssh user@host:~/.ssh$ ls id_ed25519 id_ed25519.pub
The SSH key pair consists of two files - a public key and a private key. The private key must be protected (it's like a key to open a door), the public key should be distributed to all machines you like to log in without a password.
Continue with the steps below (Add your SSH key to the list of allowed keys) to add your key to the list of allowed keys.
Generate RSA key-pair (optional)
You may optionally also want to create another key-pair using the
RSA is still recommended as a gold standard (strong using a sufficiently large key length and wide compatible). The
ed25519 algorithm may not be compatible with all old clients.
Use a key length of
4096 and replace the last parameter with your email address. Follow the same steps as for the
ed25519 key (see above):
ssh-keygen -t rsa -b 4096 -C "email@example.com"
This will create two more files:
user@host:~$ ls ~/.ssh/id_rsa* /home/rda/.ssh/id_rsa /home/rda/.ssh/id_rsa.pub
Add your SSH key to the list of allowed keys
To allow authentication using our key, we add our public key to the list of allowed keys (
~/.ssh/authorized_keys) in our
user@host:~$ cat ~/.ssh/id_ed25519.pub > ~/.ssh/authorized_keys
If you also generated an RSA key-pair:
user@host:~$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
This will allow us to login using our key on all D-PHYS managed workstations and servers, where we are also allowed to login using our D-PHYS Account password.
How to prefer the newer ed25519 key
If you have both
RSA keys, you probably want to prefer the faster
ed25519 key. By default ssh uses the
rsa key first.
To do that, add the following lines to your ssh config (
IdentityFile ~/.ssh/id_ed25519 IdentityFile ~/.ssh/id_rsa IdentitiesOnly yes
This will only offer those 2 keys in the listed order, any other keys loaded in
ssh-agent will not be offered.
Login using the SSH key
Connect to the host (
ssh <username>@<host>) and enter your SSH key passphrase:
user@host:~$ ssh firstname.lastname@example.org Enter passphrase for key '/home/rda/.ssh/id_ed25519': [Type your passphrase]
Use an SSH agent
Our workstations automatically run the
ssh-agent which can hold your keys. The agent is running as long as you are logged in and allows logging in on another workstation without typing your passphrase. In case the agent doesn't know your keys yet, you can load them with
Add an SSH key:
user@host:~/.ssh$ ssh-add Enter passphrase for /home/rda/.ssh/id_ed25519: Identity added: /home/rda/.ssh/id_ed25519 (email@example.com)
List the agent's keys:
user@host:~$ ssh-add -l 256 SHA256:qmV/Q9Xqly06wFrNtVjNswEMAAydR9rPeut0BDQy4Zk firstname.lastname@example.org (ED25519)
Clean out all keys:
user@host:~$ ssh-add -D All identities removed.
Use the keychain
You can use
keychain to re-use ssh-agent and/or gpg-agent between logins.