Generate SSH keys on Linux or Mac
What is SSH?
SSH (Secure Shell) is a network protocol that allows you to securely connect to a remote server and execute commands on it.
Authentication can be done in several ways: using a username and password, SSH keys, or an additional token (for example, when using two-factor authentication).
SSH Keys
SSH keys are one of the authentication methods used to gain access to an encrypted connection between systems. They are large numbers processed using cryptographic algorithms, which makes them much harder to break than a regular password. As a result, using SSH keys to connect to a server is significantly more secure than using a username and a manually entered password.
SSH keys are generated in pairs: a private key and a public key. The private key remains stored on the device from which you initiate the connection, while the public key is placed on the server you want to connect to. Data encrypted with one of the keys can only be decrypted using the other.
The private key must be kept secure and protected from unauthorized access. Anyone who obtains it can authenticate to the server as you and make changes there. For this reason, it is good practice to protect the private key with a passphrase, so that the key can only be used after the passphrase has been entered.
SSH Key Location
Before generating a new key pair, check whether you already have any SSH keys on your system. You may want to reuse them, although it is recommended to generate a separate key pair for each service: if one private key is ever compromised, your other services will not be affected.
SSH keys are usually stored in a (hidden) .ssh subdirectory located at:
Linux / macOS: ~/.ssh/ (for example: /home/myusername/.ssh)
Windows: %USERPROFILE%\.ssh\ (for example: C:\Users\myusername\.ssh)
The exact path may vary depending on your system configuration.
How to check existing SSH keys on Linux / macOS:
Open a terminal, navigate to the .ssh directory, and list all files stored in it:
cd ~/.ssh
ls -lah
Example SSH key filenames you may see after running the commands above:
- id_rsa
- id_rsa.pub
- id_ed25519
- id_ed25519.pub
If you do not see any files, it means that you do not have any SSH keys added yet.
It may also happen that the .ssh directory does not exist yet. In that case, create it:
cd ~
mkdir .ssh
SSH Key Algorithms
The most popular key algorithms used for SSH authentication are:
- RSA – based on prime numbers. A key size of at least 2048 bits is recommended, although today this is considered relatively weak. For better security, it is safer to use a larger key size, such as 4096 bits.
- ECDSA – based on elliptic curves. It is newer, slightly more efficient, and more secure than RSA. It supports three key sizes: 256, 384, and 521 bits. Naturally, using the largest key size provides the highest level of security.
- Ed25519 – the newest and most secure of all these algorithms. It is supported only in newer versions of software.
Generate an SSH Key Pair
SSH keys can be generated using the built-in ssh-keygen tool by running the following command in the terminal:
ssh-keygen
Using this command without any additional arguments will generate a key pair based on the default algorithm.
After running the command, you will see information about the key pair being generated, along with prompts asking for the file location and a passphrase for the private key. If you enter a passphrase, it will not be displayed in the terminal. This is standard behavior on Linux, so there is no need to worry; everything is working as expected.
The ssh-keygen command can also be executed with additional arguments, allowing you to set options such as the file path and name, the key algorithm, or a comment.
ssh-keygen -f ~/.ssh/myName-key-ecdsa -t ecdsa -b 521 -C "[email protected]"
ssh-keygen -f ~/.ssh/myName-key-ed25519 -t ed25519 -C "[email protected]"
Explanation of the arguments used:
- -f ~/.ssh/myName-key-ecdsa / -f ~/.ssh/myName-key-ed25519 – specifies the path and filename of the key
- -t ecdsa / -t ed25519 – specifies the key algorithm
- -b 521 – specifies the number of bits for the selected key algorithm
- -C "[email protected]" – a comment stored inside the public key
A private key generated using the rsa algorithm will be significantly longer than one generated using ecdsa or ed25519.
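The steps above (checking the .ssh directory, listing existing key pairs, and generating a new Ed25519 pair) combined into a small POSIX shell script. This is an added example, not part of the original tutorial; the directory is a parameter so it can be tried in a scratch directory instead of your real ~/.ssh, and the passphrase is passed with -N "" only because the demo runs unattended (interactively, leave -N out so ssh-keygen prompts for one).

```shell
#!/bin/sh
# Added example (not from the original tutorial). Prepares an SSH key
# directory, lists key pairs already in it, and generates an Ed25519 pair.

# Create the key directory with owner-only permissions; ssh refuses to use
# keys from a directory that other users can read.
ensure_ssh_dir() {
    dir="$1"
    mkdir -p "$dir"
    chmod 700 "$dir"
}

# Print the base name of every private key that has a matching .pub file.
list_key_pairs() {
    dir="$1"
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue
        priv="${pub%.pub}"
        [ -f "$priv" ] && printf '%s\n' "$(basename "$priv")"
    done
}

# Generate an Ed25519 key pair at $dir/$name with the given comment.
# -N "" sets an empty passphrase for this unattended demo only.
# Returns 127 when ssh-keygen is not installed.
generate_ed25519() {
    dir="$1"; name="$2"; comment="$3"
    command -v ssh-keygen >/dev/null 2>&1 || return 127
    ssh-keygen -q -t ed25519 -f "$dir/$name" -N "" -C "$comment" </dev/null
    chmod 600 "$dir/$name"       # private key: owner read/write only
    chmod 644 "$dir/$name.pub"   # public key may be world-readable
}

# Print the key length, SHA256 fingerprint and comment (ssh-keygen -l).
key_fingerprint() {
    ssh-keygen -l -f "$1"
}

# Print the key type recorded in a .pub file, e.g. ssh-ed25519.
key_type() {
    awk '{print $1}' "$1"
}

# Usage (constructed scratch directory, not your real ~/.ssh):
#   ensure_ssh_dir /tmp/demo-ssh
#   generate_ed25519 /tmp/demo-ssh myName-key-ed25519 "demo@example.invalid"
#   list_key_pairs /tmp/demo-ssh
#   key_fingerprint /tmp/demo-ssh/myName-key-ed25519
```

Compare the fingerprint printed by key_fingerprint with the one shown when the key is first used; it is the quickest way to confirm that the file you are pointing at is the key you intended.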
Copy the public key to the server
Method I: ssh-copy-id
On older versions of macOS, this command may not be available by default. However, ssh-copy-id can be installed in several ways. Instructions are available here:
https://www.ssh.com/academy/ssh/copy-id#ssh-copy-id-on-mac (scroll down to the ‘ssh-copy-id on Mac’ section)
To copy the public key to a server using ssh-copy-id, run the following command:
ssh-copy-id login@host
Replace login with the username and host with the server’s domain name or IP address, for example:
ssh-copy-id [email protected]
During the first connection attempt, you will see a message saying that the authenticity of the host cannot be established, along with a prompt asking whether you want to continue connecting. Type yes to proceed.
The system will then ask for the user’s password. After successful authentication, the public key will be copied and saved on the server in the ~/.ssh/authorized_keys file.
When used without any additional arguments, the command above copies the first SSH key found in the default .ssh directory.
If you want to copy a different key from the .ssh directory or a key located elsewhere, you must provide its path as an argument. If the server you are connecting to uses a port other than the default 22, you must also specify that port.
ssh-copy-id -i ~/.ssh/myKeyName-ed25519.pub -p 234 login@host
Method II – copying the key using the cat command
Another, possibly even simpler, way to copy the public key to a server is by using the cat command:
cat ~/.ssh/id_rsa.pub | ssh -p 234 [email protected] "cat >> ~/.ssh/authorized_keys"
The command above first displays the contents of the public key file (cat ~/.ssh/id_rsa.pub), then establishes a connection to the server (ssh -p 234 [email protected]) and appends the displayed content to the authorized_keys file located at the specified path (cat >> ~/.ssh/authorized_keys).
The authorized_keys file is a list of trusted public keys that are allowed to log in to the server via SSH without providing a password. However, if you set a passphrase for your SSH key, that passphrase will still be required during login.
After running the command, the system will prompt you for the server password. Once you enter it, you will not see any confirmation message indicating success. To verify that the operation was successful, you can log in to the server and display the contents of the authorized_keys file – your public key should be listed there.
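The server-side step that both methods above perform (appending the public key to ~/.ssh/authorized_keys), written as a shell function that can be tried locally. This is an added example, not part of the original tutorial. Unlike the plain cat >> pipeline, it creates the .ssh directory and authorized_keys file with the permissions sshd requires, and appends the key only if that exact key material is not already present, so running it twice does not produce duplicate lines. The sample public key line is constructed and is not a real key; the file paths are illustrative.

```shell
#!/bin/sh
# Added example (not from the original tutorial): install a public key into
# an authorized_keys file idempotently, with sshd-compatible permissions.

# Constructed sample .pub line: "<type> <base64> <comment>". Not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotRealxxxxxxxxxxxxx demo@example.invalid'

# Install the key from $1 (a .pub file) into $2 (an authorized_keys file).
# Prints "added" or "already present"; returns 1 if the .pub file does not
# start with a recognised "<type> <base64>" key line.
install_authorized_key() {
    pubkey_file="$1"; auth_file="$2"
    key_line=$(head -n 1 "$pubkey_file")
    # The key's identity is type + key material; the comment is ignored.
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1" "$2}')
    case "$key_id" in
        "ssh-ed25519 "*|"ssh-rsa "*|ecdsa-sha2-nistp*" "*) ;;
        *) echo "unrecognised key line in $pubkey_file" >&2; return 1 ;;
    esac
    auth_dir=$(dirname "$auth_file")
    # sshd ignores authorized_keys if the directory or file is group/world
    # writable, so set the permissions explicitly.
    mkdir -p "$auth_dir"; chmod 700 "$auth_dir"
    touch "$auth_file";   chmod 600 "$auth_file"
    if grep -qF -- "$key_id" "$auth_file"; then
        echo "already present"
    else
        printf '%s\n' "$key_line" >> "$auth_file"
        echo "added"
    fi
}

# Count how many lines in $2 carry the key material $1 (0 when none).
count_key() {
    grep -cF -- "$1" "$2" || true
}

# Usage on the server (the real target of the tutorial):
#   install_authorized_key /tmp/myName-key-ed25519.pub ~/.ssh/authorized_keys
# Usage in a scratch directory for a dry run:
#   printf '%s\n' "$SAMPLE_PUBKEY" > /tmp/demo.pub
#   install_authorized_key /tmp/demo.pub /tmp/fake-server/.ssh/authorized_keys
```

The duplicate check matches on key type plus key material only, so re-running the function after changing the comment in your .pub file still reports "already present" rather than adding a second line. The final chmod 600 on the file mirrors the permission advice given below for the private key.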
Remember! Secure your private key properly by setting restricted file permissions:
chmod 600 ~/.ssh/id_ed25519