The following steps will setup your ssh keypairs on your local machine, copy the public key to your server, and configure your ssh client to use a specific private key with a server alias.
First, generate your keypair, I generally name the keys with my username-service, username-hostname, or username-device, sometimes even a combination of the three.
To generate keys for a new server at securedomain.com
ssh-keygen -t rsa -b 4096 -C '[email protected]'
Things to keep in mind:
- The email does not have to be the same domain as the service/server you are connecting to
-t rsa -b 4096options are safe and will work on most servers, you can also use
-t ed25519if you wish.
Once you're in the ssh-keygen prompt it will ask you to provide a name for your keys
NOTE: You can also do this in the command itself using the
Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa):<new_key_name>
The ssh-keygen application will then, prompt you for a passphrase to secure your key. (You don't have to, but it is recommended). If you don't wish to use a passphrase just press enter twice.
Now, we need to copy our keys to the server, we do so by entering the following
ssh-copy-id -i .ssh/yourkeyfile username@hostname
This will effectively copy your keyfile over to the new server in a secure fashion. More reading on this here.
Next, you will want to add the key to your ~/.ssh/config to be used automatically with the specified host it was created for; this saves the leg work of having to remember which key goes with which host, and also from having to type
-i /path/to/key options with your ssh command.
To do this, first we need to edit our config, so open up ~/.ssh/config in your preferred editor and enter the following:
# EXAMPLE # This will setup the use of example as an alias for the FQDN of the server you want to connect to Host example Hostname example.securedomain.com AddKeysToAgent yes UseKeychain yes IdentityFile ~/.ssh/securedomain_username
In this config the following are true:
Hostis an alias to the server we wish to connect to, it does not have to match the domain name.
Hostnameis the actual FQDN of the server we wish to connect to
AddKeysToAgenttells ssh to add the specified keyfiles to our existing ssh-agent
UseKeychaintells ssh to utilize the keychain, which either starts the ssh-agent, or connects to an already running instance saving the trouble of typing the passphrase for a given key if you're logging in and out of a server frequently.
IdentityFileis your keyfile you wish to use for the host you are configuring; probably the key you just generated.
Using this config and example; we can now use the following command
Which using this config, in the background is expanded out to the following command
ssh -i ~/.ssh/securedomain_username [email protected]