name=OpenSSH.Keygen author=jrmu ctime=1628528591 time=1628533670 rev=2

(:title Generating Keys with OpenSSH:)

!! Generating Public/Private Keys

For additional security, you can use a public/private key pair to log in. If you disable [[sshd/disablepassword|password authentication]], your [[opensshd/configure|sshd setup]] will be more secure.

Keys can be generated with [[https://man.openbsd.org/ssh-keygen|ssh-keygen]]. In the next example, we use the ED25519 algorithm:

[@
$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/username/.ssh/id_ed25519): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/username/.ssh/id_ed25519
Your public key has been saved in /home/username/.ssh/id_ed25519.pub
The key fingerprint is:
...
@]

The private key will be stored in id_ed25519. '''WARNING''': Never share the private key!

If you provide a passphrase, make sure to record it somewhere secure. '''WARNING''': If you lose the passphrase, the key becomes worthless!

Save the key fingerprint and randomart image to a file; you will use them for verifying the key later.

'''NOTE''': You can use ssh-keygen for other key types such as RSA or ECDSA:

[@
$ ssh-keygen -t rsa -b 4096 -o -a 100
$ ssh-keygen -t ecdsa -a 100
@]

For this article, we assume you generated an ED25519 key. Now, read the public key, ~/.ssh/id_ed25519.pub:

[@
$ cat .ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKKJaexpzvheOmsc+Pv1ekn294Beug2tHgGoYjuXqFk username@example.com
@]

Copy this line.

In another terminal, [[OpenSSH/connect|connect to your server]] with a password as usual.

On the server, add that SSH public key to the end of ~/.ssh/authorized_keys.

To verify that you can now log in by private key, log out by typing @@ctrl+d@@, then log in again:

[@
$ ssh username@example.com
@]

If your private key has no passphrase, you should be logged in without typing any passphrase.

If your private key has a passphrase, your ssh client may prompt you with:

[@
Enter passphrase for key '/home/username/.ssh/id_ed25519': 
@]

Type in the passphrase. Afterwards, you should be logged in without typing your normal user password.

'''NOTE''': The key passphrase is '''not''' the same as the normal user login password. If your SSH keys have been configured properly, ssh should never ask you for your normal user password.
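
One way to script the "add that public key to the end of ~/.ssh/authorized_keys" step on the server, as an added example that is not part of the original page. The function names check_pubkey_line and install_pubkey are hypothetical; the script assumes a plain line as found in a .pub file (no options prefix) and the base64, awk, head and tail utilities.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
# Usage on the server: install_pubkey "ssh-ed25519 AAAA... user@host"

# Accept only "<type> <base64-blob> [comment]" where the algorithm name
# stored inside the blob matches <type>. Sets $ktype and $blob.
check_pubkey_line() {
    case $1 in *'
'*) return 1 ;; esac                  # refuse multi-line input
    set -f; set -- $1; set +f         # split on whitespace, no globbing
    [ $# -ge 2 ] || return 1
    ktype=$1 blob=$2
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    # Decoded blob: 4-byte length, then the algorithm name in ASCII.
    inner=$(printf '%s' "$blob" | base64 -d 2>/dev/null |
            tail -c +5 | head -c "${#ktype}")
    [ "$inner" = "$ktype" ]
}

# Append the key to DIR/authorized_keys (DIR defaults to ~/.ssh).
# The body is a subshell, so umask and variables do not leak to the caller.
install_pubkey() (
    line=$1 dir=${2:-$HOME/.ssh}
    check_pubkey_line "$line" || { echo "rejected: not a public key line" >&2; exit 1; }
    umask 077
    mkdir -p "$dir" && chmod 700 "$dir" || exit 1
    file=$dir/authorized_keys
    touch "$file" && chmod 600 "$file" || exit 1
    # Exact match on the blob field avoids adding the same key twice.
    if awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 }
                         END { exit !f }' "$file"; then
        echo "already present"; exit 0
    fi
    # If the last line has no trailing newline, add one first so the new
    # key does not get glued onto the previous entry.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    printf '%s\n' "$line" >> "$file"
    echo "added"
)
```

After it reports "added", running ssh-keygen -l -f ~/.ssh/authorized_keys on the server prints the fingerprint of each listed key, which should match the fingerprint saved when the key was generated.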