ssh-keygen generates, manages and converts the authentication keys (private and public keys) used by SSH. You can generate both RSA and DSA keys. You can also generate Diffie-Hellman groups.
1. Create RSA Keys
This is the default behaviour of ssh-keygen without any parameters. By default it creates RSA keypair, stores key under ~/.ssh directory. Note that the file name it created was id_rsa for private key and id_rsa.pub for public key.
2. Create DSA keys
A public and private key are generated. Add the public SSH key to your GitLab account and keep the private key secure. Configure SSH to point to a different directory. If you did not save your SSH key pair in the default directory, configure your SSH client to point to the directory where the private key is stored. Open a terminal and run this. The ssh client allows you to selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is /.ssh/identity for protocol version 1, and /.ssh/idrsa and /.ssh/iddsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file.
To create DSA key, pass -t dsa as an argument.
Please note that it still stores the keys under ~/.ssh directory. But now the file name it created was id_dsa for private key and id_dsa.pub for public key.
3. Specify Key Filename and Location
If you don’t want to store the key files under the default location use the -f option. Apart from storing it in a different directory, you can also specify your own name for the key files.
The following example will store the key files under /root directory. The name of the files will be my-key for private key, and my-key.pub for public key.
4. Specify Custom Comment to the Keys
By default, the keys generated will have “username@hostname” as comment. In all the above example, you can see “root@devdb” as the comment.
The following example will generate the RSA keys with the comment specified.
5. Convert SSH keys to Different Format
By default the keys generated by ssh-keygen will be used by the OpenSSH implementation. But, if you want to convert those keys to SSH comercial implementations (for example: SSH2), use the -e option as shown below.
You can use the following to specify the file and store the output to a different file.
6. Search Known Hosts File
You can also use ssh-keygen to search for keys in the ~/.ssh/known_hosts files. This is helpful when you have lot of entries in the known_hosts file.
The following output indicates that it found the entry for “dev-db” in the known-hosts file at line#10.
7. Display the Public Key for given Private
The following example will display the public key for the default /root/.ssh/id_rsa private key.
You can also specify the priviate key using -f option. In this example, it will display the public key for ~/.ssh/id_dsa private key.
ssh-agent is used to hold the private keys of remote server, which can be used to authenticate from the local machine.
The idea is once you add private keys using ssh-add command to the ssh-agent, you can login to the remote machine without having to enter the password.
If you are new to this, you should first understand how ssh-add command works.
1. Start the ssh-agent
You can start the ssh-agent from your session, as shown below. By default, you can start it without any parameter as shown below.
In this case, the parent PID for the ssh-agent will be 1. So, it is not tied to the current terminal.
If you want to start ssh-agent only for your terminal session, it is recommend that you pass the shell command variable (i.e /bin/bash to the ssh-agent while starting it as shown below). In this case, the ssh-agent will be forked from the current terminal, as you see below, the parent PID of the ssh-agent is the current terminal’s bash process.
2. Stop / Kill the ssh-agent
While you can use kill -9 command to kill the ssh-agent process, it is recommend that you use the -k option as shown below.
3. Run ssh-agent in debug mode
For some reason, after you’ve added the keys ot the ssh-agent, if it still asks for password when you ssh to remote server, you may want to debug and see if ssh-agent has the right keys.
Connect Ssh With Key
You can run ssh-agent in the debug mode as shown below. Please note that when you run in debug mode, it will run in the foreground mode.
4. Set Bind Socket Name
By default, the ssh-agent binds to a socket under /tmp directory (for example: SSH_AUTH_SOCK=/tmp/ssh-UMmVe11244/agent.11244). If you are concerned about this for security reasons, you can specify your own socket file name under your home directory (or anywhere else), instead of the /tmp directory.
The following example will use the my-ssh-socket file for the SSH_AUTH_SOCK.
After starting the ssh-agent, you can verify that the bind socket is created in the location you’ve specified.
When this ssh-agent is killed properly, this bind socket file will be deleted automatically by the ssh-agent as shown below.
5. Set Expiry Time for Keys
By default, the keys added to the ssh-agent doesn’t expire. They stay there as long as ssh-agent is running. However you can set an expire time using the -t option as shown below.
In the following example, the keys will expire after 3600 second, which is 1 hour.
You can also use one of the following time qualifiers
Ssh Private Key Example
- m | M minutes (for example: 5M for 5 minutes)
- h | H hours (for example: 5h for 5 hours)
- d | D days (for example: 5D for 5 days)
- w | W weeks (for example 5w for 5 weeks)
In the following example, the keys will expire after 3 days. Planner 5d software.