SSH
Table of contents
Understand the basic
# commonly used
ssh-keygen -t rsa -b 4096
ssh-keygen -t dsa
ssh-keygen -t ecdsa -b 521
ssh-keygen -t ed25519
# examples
ssh-keygen -t rsa -b 4096 -f /path/to/key-name -C "[email protected]"
# -f for filename
# -b for bits, 2048 bits is considered to be sufficient for RSA keys
# -C for comment
ssh-keygen -t ed25519 -f /path/to/key-name -C "[email protected]"
# ed25519 doesn't use a fixed key size in bits
# ed25519 uses fixed key size in bytes, do not specify `-b`
-
rsa - an old algorithm based on the difficulty of factoring large numbers. A key size of at least 2048 bits is recommended for RSA; 4096 bits is better. RSA is getting old and significant advances are being made in factoring. Choosing a different algorithm may be advisable. It is quite possible the RSA algorithm will become practically breakable in the foreseeable future. All SSH clients support this algorithm.
-
dsa - an old US government Digital Signature Algorithm. It is based on the difficulty of computing discrete logarithms. A key size of 1024 would normally be used with it. DSA in its original form is no longer recommended.
-
ecdsa - a new Digital Signature Algorithm standarised by the US government, using elliptic curves. This is probably a good algorithm for current applications. Only three key sizes are supported: 256, 384, and 521 (sic!) bits. We would recommend always using it with 521 bits, since the keys are still small and probably more secure than the smaller keys (even though they should be safe as well). Most SSH clients now support this algorithm.
-
ed25519 - Edwards-curve Digital Signature Algorithm, this is a new algorithm added in OpenSSH. Support for it in clients is not yet universal. Thus its use in general purpose applications may not yet be advisable.
Generate OpenSSH key in Mac
-
Run
ssh-keygen
, or usingrsa
then run:ssh-keygen -t rsa
- The SSH key file path is under
~/.ssh
directory. - You will be prompt enter passphrase, press enter for empty passphrase
- Upon creation, you will see
id_rsa
andid_rsa.pub
- The SSH key file path is under
-
Run
cd ~/.ssh
, thenls -a
- It outputs 2 files:
id_rsa
andid_rsa.pub
- It outputs 2 files:
-
Adding
id_rsa.pub
value to the VM you want to SSH-ing- Eg: Digital ocean » My profile » Security » Add SSH, paste the value in there.
Remove an old host keys in Mac
- Assume Digital Ocean remote IP is
192.25.25.0
, to remove, run below command.
ssh-keygen -R 192.25.25.0
# old key path: ~/.ssh/known_hosts.old
Define SSH with specific host.
- Under
~/.ssh
directory, openconfig
file
Host *
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/key_name_1
IdentityFile ~/.ssh/key_name_2
SSH working logic for connecting 2 remote hosts
Host A
- Inside Host A
- Create key:
ssh-keygen -t rsa
- Above key will be a pair files:
.rsa
&&.pub
- Copy content from
.pub
Host B
- Inside Host B
- Go to folder
/.ssh
- Adding
authorized_keys
file - Paste the content from
.pub
ofHost A
- Done