Link Search Menu Expand Document


Table of contents

Understand the basic

# commonly used 
ssh-keygen -t rsa -b 4096
ssh-keygen -t dsa 
ssh-keygen -t ecdsa -b 521
ssh-keygen -t ed25519

# examples
ssh-keygen -t rsa -b 4096 -f /path/to/key-name -C "[email protected]"
    # -f for filename
    # -b for bits, 2048 bits is considered to be sufficient for RSA keys
    # -C for comment 
ssh-keygen -t ed25519 -f /path/to/key-name -C "[email protected]"
    # ed25519 doesn't use a fixed key size in bits
    # ed25519 uses fixed key size in bytes, do not specify `-b`
  • rsa - an old algorithm based on the difficulty of factoring large numbers. A key size of at least 2048 bits is recommended for RSA; 4096 bits is better. RSA is getting old and significant advances are being made in factoring. Choosing a different algorithm may be advisable. It is quite possible the RSA algorithm will become practically breakable in the foreseeable future. All SSH clients support this algorithm.

  • dsa - an old US government Digital Signature Algorithm. It is based on the difficulty of computing discrete logarithms. A key size of 1024 would normally be used with it. DSA in its original form is no longer recommended.

  • ecdsa - a new Digital Signature Algorithm standarised by the US government, using elliptic curves. This is probably a good algorithm for current applications. Only three key sizes are supported: 256, 384, and 521 (sic!) bits. We would recommend always using it with 521 bits, since the keys are still small and probably more secure than the smaller keys (even though they should be safe as well). Most SSH clients now support this algorithm.

  • ed25519 - Edwards-curve Digital Signature Algorithm, this is a new algorithm added in OpenSSH. Support for it in clients is not yet universal. Thus its use in general purpose applications may not yet be advisable.

Generate OpenSSH key in Mac

  1. Run ssh-keygen, or using rsa then run: ssh-keygen -t rsa

    • The SSH key file path is under ~/.ssh directory.
    • You will be prompt enter passphrase, press enter for empty passphrase
    • Upon creation, you will see id_rsa and
  2. Run cd ~/.ssh, then ls -a

    • It outputs 2 files: id_rsa and
  3. Adding value to the VM you want to SSH-ing

    • Eg: Digital ocean » My profile » Security » Add SSH, paste the value in there.

Remove an old host keys in Mac

  • Assume Digital Ocean remote IP is, to remove, run below command.
ssh-keygen -R
   # old key path: ~/.ssh/known_hosts.old

Define SSH with specific host.

  • Under ~/.ssh directory, open config file
Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/key_name_1
  IdentityFile ~/.ssh/key_name_2

SSH working logic for connecting 2 remote hosts

Host A

  1. Inside Host A
  2. Create key: ssh-keygen -t rsa
  3. Above key will be a pair files: .rsa && .pub
  4. Copy content from .pub

Host B

  1. Inside Host B
  2. Go to folder /.ssh
  3. Adding authorized_keys file
  4. Paste the content from .pub of Host A
  5. Done