SSH keys

by Roman Zolotarev

Run this command to generate your new SSH key pair.

ssh-keygen \
  -t ed25519 \
  -o \
  -a 100 \
  -f ~/.ssh/key \
  -C 'key'

Then enter a passphrase twice. As a result, your private key is written to ~/.ssh/key and your public key to ~/.ssh/key.pub.

ssh-keygen options

For better security, we use Ed25519 keys (-t ed25519). To increase resistance to brute-force passphrase guessing against the private key file, we use the new OpenSSH private key format (-o) and a hundred rounds of its key derivation function (-a 100). We specify the path of the new file with -f ~/.ssh/key and add a comment to the public key with -C 'key'.

When Ed25519 is not supported, you can use long RSA keys as a fallback.

ssh-keygen -t rsa -b 4096 -o -a 100 -f ~/.ssh/key -C 'key'
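As an added example (not from the original post), the following Python parses a key.pub line of the kind ssh-keygen writes, checks that the base64 blob is consistent with its header, reports the key size, and computes the SHA256 fingerprint the way ssh-keygen -l prints it. The sample lines are constructed inline: the 32 Ed25519 bytes are a placeholder, not a real key, and the RSA modulus is a tiny value chosen only to exercise the bit-length check.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string at offset; return (value, offset after it)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated string body")
    return blob[offset:offset + length], offset + length


def parse_public_key(line: str) -> dict:
    """Parse one line in the ~/.ssh/key.pub format: '<type> <base64 blob> [comment]'.

    Returns the type, the key size in bits, the SHA256 fingerprint as `ssh-keygen -l`
    prints it, and the comment; raises ValueError on any structural inconsistency.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)

    # The blob repeats the key type as its first string; header and blob must agree.
    inner_type, off = read_ssh_string(blob, 0)
    if inner_type != key_type.encode("ascii"):
        raise ValueError(f"type mismatch: header says {key_type}, blob says {inner_type!r}")

    if key_type == "ssh-ed25519":
        point, off = read_ssh_string(blob, off)   # 32-byte encoded curve point
        if len(point) != 32:
            raise ValueError("Ed25519 public key must be exactly 32 bytes")
        bits = 256
    elif key_type == "ssh-rsa":
        _e, off = read_ssh_string(blob, off)      # public exponent (mpint)
        n, off = read_ssh_string(blob, off)       # modulus (mpint, may carry a leading 0x00)
        bits = int.from_bytes(n, "big").bit_length()
    else:
        raise ValueError(f"unsupported key type: {key_type}")

    if off != len(blob):
        raise ValueError("trailing bytes after key material")

    # ssh-keygen -l: SHA-256 over the whole blob, base64 without '=' padding
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    return {"type": key_type, "bits": bits, "fingerprint": fingerprint, "comment": comment}


def build_pub_line(key_type: str, fields, comment: str) -> str:
    """Assemble a key.pub line from wire-format fields (used here only to construct sample input)."""
    blob = ssh_string(key_type.encode("ascii")) + b"".join(ssh_string(f) for f in fields)
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()


# Constructed sample: the 32 bytes are a placeholder, not a real Ed25519 public key.
SAMPLE_ED25519_LINE = build_pub_line("ssh-ed25519", [bytes(range(32))], "key")
# Constructed sample: e = 65537 and a 64-bit modulus (2**63, with the mpint's leading 0x00).
SAMPLE_RSA_LINE = build_pub_line("ssh-rsa", [b"\x01\x00\x01", b"\x00\x80" + bytes(7)], "key")

if __name__ == "__main__":
    for line in (SAMPLE_ED25519_LINE, SAMPLE_RSA_LINE):
        info = parse_public_key(line)
        print(f"{info['bits']} {info['fingerprint']} {info['comment']} ({info['type']})")
```

The bit count is what you would compare against the -b 4096 you asked for when falling back to RSA; the fingerprint is what you compare against the one the remote side or a teammate sends you, so that a substituted public key is noticed before it is authorized.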

Best practices

Use a strong passphrase

To protect your private key, use a strong passphrase. A few random common words should work.

Do not share private keys

Don’t copy or share your private key. Generate a new key pair for every user and every device. You can use the same key pair for multiple destinations, though. Add this function to your ~/.bashrc:

# Generate a fresh Ed25519 key pair named after the current Unix timestamp,
# e.g. ~/.ssh/1500000000 and ~/.ssh/1500000000.pub, with the same id as comment.
function generate_ssh_key() {
  local id
  id=$(date +%s)
  ssh-keygen -t ed25519 -o -a 100 -f ~/.ssh/"$id" -C "$id"
}

So next time you need a new key, run generate_ssh_key.

Use ~/.ssh/config

Add each of your frequently used hosts to ~/.ssh/config, e.g.:

Host store store.plentiful.me
  User roman
  Hostname store.plentiful.me
  IdentityFile /Users/romanzolotarev/.ssh/key

After adding this to your SSH configuration you can run ssh store instead of ssh -i ~/.ssh/key roman@store.plentiful.me. Neat.

It also helps you manage your keys: revoke your keys and generate new ones from time to time.
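As an added example (not from the original post), here is a small Python resolver for the Host-block subset of ~/.ssh/config. It shows the rule that makes the alias above work: blocks are walked in file order, a block applies when one of its patterns matches the alias, and the first value seen for each option wins, so a catch-all Host * block at the end supplies defaults without overriding the specific entries. The sample config is constructed here; the IdentitiesOnly line is our addition (it is a real ssh option that stops the client from offering every loaded key to every server) and the ~/.ssh/key path is an assumption in place of the absolute path used on the page.

```python
import fnmatch


def parse_ssh_config(text: str) -> list:
    """Parse ssh_config text into [(host_patterns, {option: value}), ...] in file order.

    Keywords are case-insensitive and may be written 'Key value' or 'Key=value'.
    Within one block ssh keeps the first occurrence of an option, so we do too.
    """
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:
            parts = parts[0].split("=", 1)
        if len(parts) != 2:
            raise ValueError(f"cannot parse config line: {raw!r}")
        key = parts[0].lower()
        value = parts[1].strip().lstrip("=").strip()
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
            continue
        if current is None:
            # options before the first Host line apply to every host
            current = (["*"], {})
            blocks.append(current)
        current[1].setdefault(key, value)
    return blocks


def _matches(alias: str, patterns: list) -> bool:
    """ssh-style Host matching: '*' and '?' wildcards; a '!pattern' match excludes the block."""
    if any(fnmatch.fnmatchcase(alias, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(alias, p) for p in patterns if not p.startswith("!"))


def resolve(blocks: list, alias: str) -> dict:
    """Resolve what `ssh <alias>` would use: walk blocks in order, first value per option wins."""
    result = {}
    for patterns, options in blocks:
        if _matches(alias, patterns):
            for key, value in options.items():
                result.setdefault(key, value)
    result.setdefault("hostname", alias)   # no Hostname override: connect to the alias itself
    return result


def to_ssh_command(resolved: dict) -> list:
    """Render the resolved options as the explicit ssh command line they replace."""
    cmd = ["ssh"]
    if "identityfile" in resolved:
        cmd += ["-i", resolved["identityfile"]]
    if "port" in resolved:
        cmd += ["-p", resolved["port"]]
    if "identitiesonly" in resolved:
        cmd += ["-o", f"IdentitiesOnly={resolved['identitiesonly']}"]
    target = resolved["hostname"]
    if "user" in resolved:
        target = f"{resolved['user']}@{target}"
    cmd.append(target)
    return cmd


# Constructed sample config: the page's 'store' entry plus a catch-all block of defaults.
SAMPLE_CONFIG = """
Host store store.plentiful.me
  User roman
  Hostname store.plentiful.me
  IdentityFile ~/.ssh/key

Host *
  User git
  IdentitiesOnly yes
"""

if __name__ == "__main__":
    blocks = parse_ssh_config(SAMPLE_CONFIG)
    for alias in ("store", "other.example"):
        print(alias, "->", " ".join(to_ssh_command(resolve(blocks, alias))))
```

This covers Host blocks only; real ssh additionally processes Match blocks, Include directives, and token expansion such as %h, and it also expands ~ in IdentityFile, so treat the resolver as a way to reason about precedence, not as a replacement for ssh -G.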

Illustration: SSH keys