Generate an SSH public-private key pair

February 18, 2024

SSH key pairs provide a secure way to authenticate with remote servers without using passwords. The ED25519 key type is recommended for its superior security and performance compared to RSA keys.

Before generating SSH keys, ensure you have the OpenSSH client installed on your system. Most Linux distributions include this by default.

This setup was tested on Debian 12 (Bookworm), but it should work on other Debian-based systems, like Ubuntu.
The setup also works on Windows using the Git Bash terminal.

Single-line Command to Generate SSH Keys

ssh-keygen -t ed25519 -C "<your_hostname>"

This command generates an ED25519 key pair.

Step-by-Step Guide to Generate and Deploy SSH Keys

1. Generate the ED25519 key pair

ssh-keygen -t ed25519 -C "<your_hostname>"

When prompted:

Press Enter to accept the default file location (~/.ssh/id_ed25519)
Enter a secure passphrase (recommended)

2. Copy the public key to the remote server

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remote-host

Replace user@remote-host with your actual username and server address.

3. Verify the connection

ssh user@remote-host

To debug any issues, use the -v flag:

ssh -v user@remote-host

You can add multiple v flags for increased verbosity (e.g., -vvv).

Alternative Key Types

If you need to generate RSA keys instead:

ssh-keygen -t rsa -b 4096 -C "<your_hostname>"

The -b 4096 parameter specifies the key size in bits. A minimum of 2048 bits is recommended for RSA keys.

Security Recommendations

Always use a strong passphrase to protect your private key
Store your private key securely and never share it
Back up your SSH keys
Use different keys for different purposes or servers
Consider using ssh-agent to avoid typing your passphrase repeatedly

Common Issues and Solutions

1. First option

If ssh-copy-id fails, you can manually copy the public key:

cat ~/.ssh/id_ed25519.pub

Then, log in to the remote server and add the key to the authorized_keys file:

ssh user@remote-host
mkdir -p ~/.ssh
chmod 0700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 0600 ~/.ssh/authorized_keys
nano ~/.ssh/authorized_keys

and paste the public key into the file.

2. Second option

Or as a one-liner:

cat ~/.ssh/id_ed25519.pub | ssh user@remote-host "mkdir -p ~/.ssh && \
  chmod 0700 ~/.ssh && \
  touch ~/.ssh/authorized_keys && \
  chmod 0600 ~/.ssh/authorized_keys && \
  cat >> ~/.ssh/authorized_keys\
"

Resources

SSH Documentation: Official OpenSSH Documentation
- https://www.openssh.com/manual.html
GitHub: Generating a new SSH key and adding it to the ssh-agent
- https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent
LinuxSide: Copying SSH keys to a remote machine
- https://linuxside.com/page/copy-ssh-public-key-to-remote-server
Ed25519: high-speed high-security signatures
- https://ed25519.cr.yp.to/
GitLab: ED25519 keys are more secure and performant than RSA keys
- https://docs.gitlab.com/ee/user/ssh.html#ed25519-ssh-keys
GitLab: RSA key size should be at least 2048 bits
- https://docs.gitlab.com/ee/user/ssh.html#rsa-ssh-keys
ssh-keygen manual
- https://www.man7.org/linux/man-pages/man1/ssh-keygen.1.html
Recommendation for Key Management - Part 3 - by Elaine Barker and Quynh Dang
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf