How to setup SSH keys and why?

September 16, 2005
This guide explains the concept of SSH keys and their use.

This is a continuation of the previous guide - SSH Secure Shell that explains the basics of SSH. Please read the guide if you haven't already, before continuing further.

What is an SSH key ?

SSH keys serve as a means of identifying yourself to an SSH server using public-key cryptography and challenge-response authentication.

An SSH key comprises of two separate keys -

  1. A public key - which you can share freely with any SSH server, and
  2. A private key - which should be known only to you, and kept secret.

Advantages of using SSH keys

The following are some of the advantages of using SSH keys over traditional password authentication.

  • Your password is never sent over the network.
  • Eliminates the risk posed by brute-force password attacks.
  • More convenience - You can connect to a server, or multiple servers, without having to remember or enter your password for each system.

How to generate an SSH key

To generate an SSH key pair in Linux, you use the ssh-keygen tool.

ssh-keygen generates, manages and converts authentication keys for ssh.

Syntax -

$ ssh-keygen -t <type>

-t option specifies the type of encryption to use while creating the key pair. The possible values are "rsa1" for protocol version 1, and "dsa", "ecdsa", or "rsa" for protocol version 2.

DSA - 1024 bit algorithm
RSA - 2048-4096 bit algorithm
ECDSA - stands for Elliptic Curve Digital Signature Algorithm that provides smaller key sizes and faster operations when compared to other algorithms.

For example, to create an SSH key that uses DSA, do the following -

$ ssh-keygen -t dsa

The program will ask you to (optionally) enter a password phrase. You can just press the ENTER key if you do not want to set the password phrase. However, if you decide otherwise, your private key will be encrypted using the string you entered as your password phrase.

Next the tool will generate two keys - id_dsa and which will be saved beneath your HOME directory at the location ~/.ssh.

id_dsa is the private key, and is the public key.

There are lots of other options for the ssh-keygen tool. For the full list of options, see its man page.

If you have set a password phrase, it must be entered every time you attempt to connect to an SSH server using public-key authentication.

SSH Agent

You can use an SSH Agent to remember your password phrase.

An SSH Agent is a program used to hold private keys used for public key authentication (RSA, DSA, ECDSA).

ssh-agent tool is the default SSH Agent in OpenSSH.

Using an SSH Agent to remember the password phrase is a 2 step process.

Step 1 : Start running SSH Agent in the background.

The idea is that ssh-agent is started in the beginning of an X-session or a login session, and all other windows or programs are started as clients to the ssh-agent program.

For now, lets start ssh-agent explicitly from the command line.

$ ssh-agent

Step 2 : Add your private key to its cache.

This is done using another tool called ssh-add.

$ ssh-add ~/.ssh/id_dsa
Enter passphrase for /home/ravi/.ssh/id_dsa: 
Identity added: /home/ravi/.ssh/id_dsa (/home/ravi/.ssh/id_dsa)

ssh-add prompts you to enter the passphrase for your private key. Once you enter the correct passphrase, it adds the key to the cache of the SSH Agent running in the background.

From now on, you won't have to enter the passphrase for your private SSH key when you decide to login to a remote computer.

An SSH Key Example

How to use SSH without a password

Each time you use ssh or any related tools such as scp, you are prompted for a password to the remote machine.

If you use SSH often enough, typing the password can be tedious. However, if you are using SSH keys, you can do away with entering or remembering the passwords.

Here is one way of doing it.

Step 1: Create a private-public SSH key pair

$ ssh-keygen -t dsa

and following is output of the command on my machine -

Generating public/private dsa key pair.
Enter file in which to save the key (/home/ravi/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/ravi/.ssh/id_dsa.
Your public key has been saved in /home/ravi/.ssh/
The key fingerprint is:
2c:fc:84:60:87:2b:98:ab:f1:c0:ee:9c:55:b6:b2:b7 ravi@ubuntu-desktop
The key's randomart image is:
+--[ DSA 1024]----+
|                 |
|     .           |
|    + .          |
| o . = o         |
|o . .++ S        |
|.. .o .+         |
|+. + .  .        |
|++o o.           |
|o=...E.          |

What it does

ssh-keygen will prompt you to enter a passphrase which should be left blank.

Next, it will generate two files named - id_dsa and

The files will be saved (by default) in the .ssh directory in your home folder.

$ ls ~/.ssh
id_dsa  known_hosts

Step 2: Copy the SSH public key to the remote machine

Copy the '' file to the .ssh/ directory in your remote machine.

Remote machine hostname -
Remote machine username - ravi

$ scp ~/.ssh/ [email protected]:~/.ssh/.

Step 3: Authorize the SSH server to use the public keys

SSH to your remote machine and copy the contents of the '' file to 'authorized_keys' file in the same folder.

If there is no such file in your remote machine, you will have to create it.

$ ssh [email protected]
[email protected] [~]$ cd .ssh
[email protected] [~/.ssh]$ cat >> authorized_keys

From here on, you won't need any passwords to login to the remote machine from your local machine.

References for further reading

SSH Keys @
OpenSSH key management @ IBM Developerworks - Part 1, Part 2, and Part 3.


  • Your article got me thinking... you could extend this to synch up home directories on various machines, or remote backups automatically (and securely) Great article.

  • BP{k}

    Very good and clear written article. Have added a link from my blog: /udev/random/source to yours

  • Hiro, look up rsync, its a took designed for syncing directorys across several machines - and can use ssh/sftp as the method for doing this.

    Agreed very useful article.

  • Mahmoud Lababidi


    save frequently visited SSH sites in SSH Shortcuts like so:

    In "~/.ssh/config" I added following lines
    Host shortcut
    User my_username
    HostName real_host_name
    And then I can simply log in via
    ssh shortcut

  • One minor issue. This command is really not quit what you want:

    $ scp ~/.ssh/ remote_mc:.ssh/authorized_keys

    because it will replace the authorized_keys on the remote machine with your new machines public key. Using that command, you can only have one machine at a time from which you could log in without a password. The authorized_keys file can have multiple keys in it. What probably should be done if the file exists, is the file should be appended to the end of the file. So maybe:

    $ scp ~/.ssh/
    $ ssh remote_mc "cat >> .ssh/authorized_keys; rm"

    That will allow you to have any number of authorized machines you can log in from.

  • The best way to do this:

    $ scp ~/.ssh/
    $ ssh remote_mc "cat >> .ssh/authorized_keys; rm"


    $ ssh-copy-id - i ~/.ssh/ remote_mc