Generating Keys with OpenSSH

Generating Public/Private Keys

For additional security, you can use a public/private key pair to log in. If you disable password authentication, your sshd setup will be more secure.

Keys can be generated with ssh-keygen. In the next example, we use the ED25519 algorithm:

$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/username/.ssh/id_ed25519): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/username/.ssh/id_ed25519
Your public key has been saved in /home/username/.ssh/id_ed25519.pub
The key fingerprint is:
...

The private key will be stored in id_ed25519. WARNING: Never share the private key!

If you provide a passphrase, make sure to write it down securely. WARNING: If you lose the passphrase, the key becomes worthless!

Save the key fingerprint and randomart image to a file; you will use them for verifying the key later.

NOTE: You can use ssh-keygen for other key types such as RSA or ECDSA:

$ ssh-keygen -t rsa -b 4096 -o -a 100
$ ssh-keygen -t ecdsa -a 100

For this article, we assume you generated an ED25519 key. Now, read the public key, ~/.ssh/id_ed25519.pub:

$ cat .ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKKJaexpzvheOmsc+Pv1ekn294Beug2tHgGoYjuXqFk username@example.com

Copy this line.

In another terminal, connect to your server with a password as usual.

On the server, add that SSH public key to the end of ~/.ssh/authorized_keys.

To verify that you can now log in by private key, log out by typing Ctrl+D, then log in again:

$ ssh username@example.com

If your private key has no passphrase, you should log in without typing any passphrase.

If your private key has a passphrase, your ssh client may prompt you with:

Enter passphrase for key '/home/username/.ssh/id_ed25519': 

Type in the passphrase. Afterwards, you should log in without typing your normal user password.

NOTE: The key passphrase is not the same as the normal user login password. If your SSH keys have been configured properly, ssh should never ask you for your normal user password.
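
For the step above that appends the public key to ~/.ssh/authorized_keys, the following shell function is one way to do it on the server without pasting a malformed line, adding the key twice, or leaving permissions that make sshd ignore the file. It is an added example, not part of the original article or of OpenSSH; the name install_pubkey and its arguments are hypothetical.

```sh
#!/bin/sh
# Added example: install_pubkey is a hypothetical helper, not an OpenSSH tool.
# Usage: install_pubkey 'ssh-ed25519 AAAA... comment' [ssh_dir]
install_pubkey() {
    key_line=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_file="$ssh_dir/authorized_keys"

    # Exactly one line: wrapped text or a pasted private key is rejected.
    case $key_line in
        *'
'*) echo "refusing multi-line input" >&2; return 2 ;;
    esac
    read -r key_type key_blob comment <<EOF
$key_line
EOF
    # Structural check only: known key type, base64 blob starting with AAAA.
    case $key_type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 2 ;;
    esac
    case $key_blob in
        AAAA*) ;;
        *) echo "missing or malformed key blob" >&2; return 2 ;;
    esac
    case $key_blob in
        *[!A-Za-z0-9+/=]*) echo "key blob is not base64" >&2; return 2 ;;
    esac

    # sshd's StrictModes (on by default) rejects key files and directories
    # that other users can write to, so set tight permissions explicitly.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Match on type + blob so the same key with a new comment is not re-added.
    if grep -qF -- "$key_type $key_blob" "$auth_file"; then
        echo "key already present in $auth_file"; return 0
    fi
    # Ensure the existing file ends with a newline before appending.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        printf '\n' >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "key added to $auth_file"
}
```

If key login still falls back to a password prompt after this, check that your home directory itself is not writable by group or others.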