SSH keys

Here is a quick guide to get you started using SSH keys. In this guide I will assume that you use OpenSSH.

Generating keys

The first step is to generate a private key and a public key. Generate a pair of DSA keys using OpenSSH's ssh-keygen as follows:

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa): [hit enter]
Enter passphrase (empty for no passphrase): [enter a good passphrase]
Enter same passphrase again: [enter the passphrase again]
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/
The key fingerprint is:
cc:cb:6e:b5:95:60:ed:13:8a:04:e8:b6:b2:37:94:0e user@machine

When ssh-keygen asks for a default location for the key, simply accept the default of /home/user/.ssh/id_dsa. ssh-keygen will store the private key at the above path, and the public key will be stored right next to it, in a file called

When prompted for a passphrase enter a good passphrase. A good passphrase consists of 10 or more hard-to-predict characters, and shouldn't be simple sentences, quotes or otherwise easily guessable. Moreover a good passphrase should contain a mix of upper and lowercase letters, numbers and non-alphanumeric characters.

DSA public key install

The next step is to configure remote systems running sshd to use our public DSA key for authentication. Typically, this is done by copying the public key to the remote system.

If you already have a ~/.ssh directory on the remote machine, simply copy your public key to the remote machine as follows:

$ chmod 600 ~/.ssh/
$ scp ~/.ssh/ user@remotemachine:.ssh/authorized_keys

Do the following instead if you haven't already got a ~/.ssh directory on the remote machine:

$ chmod 600 ~/.ssh/
$ scp ~/.ssh/ user@remotemachine:authorized_keys
$ ssh remotemachine

$ mkdir .ssh
$ chmod 700 .ssh
$ mv authorized_keys .ssh/
$ exit

Now, with DSA authentication configured, we should be prompted to enter our DSA private key passphrase (rather than our password) when we try to connect to remotemachine using ssh.

$ ssh remotemachine
Enter passphrase for key '/home/user/.ssh/id_dsa':

Avoid entering your passphrase every time

Entering the passphrase every time you want to do a remote copy or make a remote connection can be tiring. OpenSSH include ssh-agent, which is a long-running daemon designed for the sole purpose of caching your decrypted private keys.

There are many ways to set up ssh-agent, from using it on a per-shell basis, starting your window manager with it, etc. To use ssh-agent on a per-shell basis do the following:

$ eval `ssh-agent`

One way to get ssh-agent started with your window manager is to modify your ~/.xsession to look like this:

== ~/.xsession ==
exec [your window manager]
== ~/.xsession ==

If you use startx, you must modify your ~/.xinitrc instead.

Adding keys to ssh-agent's cache

Before we really can use ssh-agent, we first need to add add our private key(s) to ssh-agent's cache using the ssh-add command. Add your private DSA key (~/.ssh/id_dsa) to ssh-agent's cache as follows:

$ ssh-add ~/.ssh/id_dsa
Enter passphrase for /home/user/.ssh/id_dsa:

Now, we are able to connect to remotemachine using ssh without entering a password or passphrase.

$ ssh remotemachine


It is that simple.

Removing keys when you're not around

It's a good idea to either lock your machine, or remove your private key(s) from ssh-agent's cache, when you leave your machine. Removing your privates key(s) from ssh-agent's cache can be done as follows:

$ ssh-add -d