SSH (part 4): Creation and configuration of OpenSSH keys

4 April 2023 9 minutes Author: Endpool

SSH login without a password (using key files)

SSH keys are a pair of encryption-protected keys (private and public) that are used for authorization when connecting to a server using the SSH protocol. We recommend using SSH keys instead of passwords to increase connection reliability and security. The ssh-keygen program is used to generate a key pair, it is included in the ssh package, and if you have SSH already configured, you do not need to install anything additionally. Standard SSH keys are stored in the ~/ directory. ssh. If you don’t have a ~/. ssh, generate it with the correct permissions using the ssh-keygen command. Accessing SSH using a public key (without a password) is very convenient and secure. The process of setting up public key authentication is very simple: The team creates a public key – private key pair. The public key is copied to the computer with the SSH server, that is, to the computer to which the connection will be made and on which the commands will be executed.

And then the connection is made in the usual way, but entering a password is not required. The public key that is copied to the remote server is not secret. The same key can be used on different servers. The main thing is to keep the private key secret. You can generate keys and copy them to a remote host with literally three commands. To speed up the login process and optimize the behavior of the SSH client, you can create and configure an SSH configuration file ~/.ssh/config. The ssh-keygen program has many functions and capabilities, let’s start by considering the key generation procedure, which is performed elementary. If you have time to log in to the remote system, go ahead.

After that type:

We are asked for a file name, there is no need to enter anything, the standard name will be used. A password is also requested. This password allows you to set additional protection – when connecting using keys, the password of the user will not be requested, but the password of the key itself will be requested. No need to set a password.

Example of login

As a result, two files will be created:

  • ~/.ssh/id_rsa

  • ~/.ssh/

The first file must be kept secret. The second file must be copied to the remote computer where the SSH server is running. Now on the remote machine we need to create a .ssh directory.

Run the view command:


Now we need to copy the contents of the file to the remote machine in the ~/.ssh/authorized_keys file. It’s very simple (you need to change the data to your own):


Now we connect using the SSH client, but we will no longer be asked for the password.

Types of keys

The ssh-keygen program can generate four types of keys:

  • dsa

  • ecdsa

  • ed25519

  • rsa

To select any of these types, use the -t option. In the previous example, we chose rsa – it is not necessary to explicitly specify the RSA type, since it is implied by default (that is, key generation can be started without the -t option).

Залежно від вибраного типу, назви створених файлів ключів можуть відрізнятися:

  • ~/.ssh/id_dsa

  • ~/.ssh/id_ecdsa

  • ~/.ssh/id_ed25519

  • ~/.ssh/id_rsa

These files must be kept private and only accessible to the owner.

The corresponding public keys will have the same name, but with an additional .pub extension:

  • ~/.ssh/

  • ~/.ssh/

  • ~/.ssh/

  • ~/.ssh/

These files are not secret, their contents should be copied to the file ~/.ssh/authorized_keys on the computer running the SSH server.

The ssh-keygen utility

We used ssh-keygen to generate the keys. In addition, it is designed to manage and convert authentication keys for ssh. Only some of the functions of this program are discussed below, the full list of options can be found in the team:

How to change the number of bits in ssh-keygen keys?

For this, the option is used: -b It determines the number of bits in the generated key. For RSA keys, the minimum size is 1024 bits and the default is 2048 bits. As a general rule, 2048 bits is considered sufficient. DSA keys must be 1024 bits long as specified in FIPS 186-2. For ECDSA keys, the -b flag specifies the length of the key, choosing one of three elliptic curve sizes: 256, 384, or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. Ed25519 keys have a fixed length and the -b flag will be ignored.

Adding comments to ssh-keygen keys

There are two options for working with comments:

1. -C comment – Enter a comment after this option.

2. -c – This option includes the process of commenting changes in the private and public key files. The program will ask for a file containing private keys, a password (if installed), and then prompt you to enter a new comment.

You can see the comment using the -l option. This option shows the fingerprint of the specified public key file. For RSA and DSA keys, ssh-keygen tries to find a matching public key file and prints it.

When combined with -v, an ASCII visual representation will be shown after the printout:

The key file can be specified with the -f option:

Changing passwords in ssh-keygen

There are several options for working with passwords:

  • -P passphrase – With this option, you can pass a password so that the program does not ask. When changing the password, this option transfers the old password.
  • -p – This option triggers a private key file passphrase change instead of generating a new key. The program will ask you where the private key file is located, then ask for the old password and ask you to enter the new passphrase twice.
  • -N new_password – With this option, you can transfer a new password so that the program does not ask for it. When generating keys, you can use this option to specify passwords so that the program does not ask for them interactively.

The key file must be specified with an option -f:

Showing the public key from the private one

The -y option will read an OpenSSH format file with a private key and print the OpenSSH public key to stdout.

Also, using the -f option, you need to specify the path to the private key from which the corresponding public key will be extracted:

For example, the private key is placed in the id_rsa file, then the command to extract the public key from it is as follows:

You may encounter an error:

It means that the private key is readable by anyone and the ssh-keygen program refuses to work with it for this reason. To fix this error, simply install the file with the private key of access right 600:

Management of private keys on the SSH client

The same key pair can be used to access multiple SSH servers. Therefore, each of them (on the client and on the servers) can have one key. However, if you have multiple keys or if you want to use a different, non-standard key file location, the following shows how to specify the location on the command line and in the SSH client configuration files. The SSH configuration file uses the IdentityFile directive to specify the path to the private keys.

Its default value is:

As you can see, you can use a tilde to indicate the user’s home folder. It is possible to have multiple IdentityFile directives in configuration files; all these IDs will be tested in turn. Numerous IdentityFile directives will add candidates to the queue for attempts (this behavior differs from other configuration directives). It is also possible to configure the use of specific identity files for specific hosts:

The -i option is used for the command line, followed by the path to the private key (identity file). The default values are the same as in the directive discussed above. The i option can be used multiple times.

Management of public keys on the SSH server

Public keys of all types are placed in one file, default values:

By default, the following files are checked:

  • ~/.ssh/authorized_keys

  • ~/.ssh/authorized_keys2

Each line of the file contains one key (empty lines and lines starting with ‘#’ are ignored as comments). Public keys consist of the following fields separated by spaces: options, key type, key in base64 encoding, comment. The options field is optional. The key type is “ecdsa-sha2-nistp256”, “ecdsa-sha2-nistp384”, “ecdsa-sha2-nistp521”, “ssh-ed25519”, “ssh-dss” or “ssh-rsa”. The comment field is not used for anything (but may be convenient for the user to identify the key).

How to convert a .ppk key into an OpenSSH key?

Convert keys from .ppk file to OpenSSH format on Linux

To convert the .ppk format to OpenSSH, you can use the puttygen utility, which is included in the Putty package. So we need to install PuTTY Linux: with your package manager, install PuTTY (or the minimal PuTTY-tools package):

Debian, Kali Linux, Linux Mint, Ubuntu and their derivatives:

Arch Linux, BlackArch and their derivatives:


Distributions based on RPM:

OS X: Install Homebrew, then run

Place your keys in some directory, for example your home folder. Now we convert the PPK keys into an SSH pair.

To get a private key:

To get a public key:

Move these keys to ~/.ssh and ensure that the private key has limited write access:

Conversion of keys from the .ppk file to the OpenSSH format in Windows

Open PuTTYgen, click the Load button and select the .ppk file with the keys. You’ll immediately see your SSH public key, which you can copy and paste into a file. Now go to “Conversions” → “Export OpenSSH key” in the menu and save the private key. Copy your private key to ~/.ssh/id_dsa (or id_rsa).

PuTTY interface
Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.