Creating an SSH Key Pair for User Authentication

ssh-keygen generates, manages and converts authentication keys for ssh. ssh-keygen can create RSA keys for use by SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2. The type of key to be generated is specified with the -t option. If invoked without any arguments, ssh-keygen will generate an RSA key for use in SSH protocol 2 connections.

Normally each user wishing to use SSH with RSA or DSA authentication runs this once to create the authentication key in ~/.ssh/identity, ~/.ssh/id_dsa or ~/.ssh/id_rsa. Additionally, the system administrator may use this to generate host keys, as seen in /etc/rc.

Normally this program generates the key and asks for a file in which to store the private key. The public key is stored in a file with the same name but ''.pub'' appended. The program also asks for a passphrase. The passphrase may be empty to indicate no passphrase (host keys must have an empty passphrase), or it may be a string of arbitrary length. A passphrase is similar to a password, except it can be a phrase with a series of words, punctuation, numbers, whitespace, or any string of characters you want. Good passphrases are 10-30 characters long, are not simple sentences or otherwise easily guessable (English prose has only 1-2 bits of entropy per character, and provides very bad passphrases), and contain a mix of upper and lowercase letters, numbers, and non-alphanumeric characters. The passphrase can be changed later by using the -p option.

There is no way to recover a lost passphrase. If the passphrase is lost or forgotten, a new key must be generated and copied to the corresponding public key to other machines.

Works on both Linux and Windows

Example

ssh-keygen -b 4096

Choosing an Algorithm and Key Size

SSH supports several public key algorithms for authentication keys. These include:

rsa - an old algorithm based on the difficulty of factoring large numbers. A key size of at least 2048 bits is recommended for RSA; 4096 bits is better. RSA is getting old and significant advances are being made in factoring. Choosing a different algorithm may be advisable. It is quite possible the RSA algorithm will become practically breakable in the foreseeable future. All SSH clients support this algorithm.
dsa - an old US government Digital Signature Algorithm. It is based on the difficulty of computing discrete logarithms. A key size of 1024 would normally be used with it. DSA in its original form is no longer recommended.
ecdsa - a new Digital Signature Algorithm standarized by the US government, using elliptic curves. This is probably a good algorithm for current applications. Only three key sizes are supported: 256, 384, and 521 (sic!) bits. We would recommend always using it with 521 bits, since the keys are still small and probably more secure than the smaller keys (even though they should be safe as well). Most SSH clients now support this algorithm.
ed25519 - this is a new algorithm added in OpenSSH. Support for it in clients is not yet universal. Thus its use in general purpose applications may not yet be advisable.

The algorithm is selected using the -t option and key size using the -b option. The following commands illustrate:

ssh-keygen -t rsa -b 4096
ssh-keygen -t dsa 
ssh-keygen -t ecdsa -b 521
ssh-keygen -t ed25519

Specifying the File Name

Normally, the tool prompts for the file in which to store the key. However, it can also be specified on the command line using the -f option.

ssh-keygen -f ~/tatu-key-ecdsa -t ecdsa -b 521

Linux Users Commands

How to Set or Change the Time Zone in Linux

How to Download Files with cURL

Cheat Sheet - bash conditionals

How To Use Cron to Automate Tasks

Reset a Lost Administrative Password (root)?

How to Extract or Unzip .tar.gz Files in Linux

tar Command in Linux With Examples

How to Find Files in Linux With the Find Command

How to Copy Files and Directories in Linux

Gnome Tracker - Frequently Asked Questions

Linux Troubleshooting Commands

The Linux file system structure explained

How to Use ethtool Command

How do I verify the speed of my NIC

Change Terminal Shell to the Bash Shell

Keep getting message '404:: command not found' every time opening terminal

How to reload .bashrc settings without logging out and back in again

How to Add User to Sudoers

Pinging from a base user - ping: socket: Operation not permitted

Change IP and Gateway from Shell

Filesystem permissions

Creating an SSH Key Pair for User Authentication

Copy SSH RSA key to a server

Adding Notification to SSH Logon

Disable SSH Password Login

The following packages have been kept back: Why and how do I solve it?

Why use apt-get upgrade instead of apt-get dist-upgrade?

Check if a reboot is required after installing Linux updates

Reset Your Forgotten Ubuntu Password in 2 Minutes or Less (root)

How to Disable IPTables on Ubuntu

Ubuntu: How To Free Up Port 53, Used By systemd-resolved

Guacamole and SSH Ubuntu 22.04 connection errors

How to install Qemu guest agent for Debian / Ubuntu

Creating an SSH Key Pair for User Authentication

Example

Choosing an Algorithm and Key Size

Specifying the File Name

SSH-Keygen Options