SSH keys: Linux, Mac OS X, Cygwin, and other UNIX variants

From CELS IT Wiki

Generate keys.

The "ssh-keygen" command is used to create keys. There are many options for it. We recommend that you run it this way:

ssh-keygen -t rsa -b 2048

This will create the keys and store them in your ~/.ssh directory. It will overwrite any existing keys as well. The default key type in MCS is RSA for SSH 2. To generate this key (id_rsa), simply type "ssh-keygen -t rsa -b 2048" and follow the prompts. Example:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/some/path/.ssh/id_rsa):

Just accept the default here unless you have a good reason not to. This will put your key in ~/.ssh/id_rsa and your public key in ~/.ssh/ The rest of these instructions assume that's what you've done.

Enter passphrase (empty for no passphrase): 

We require the use of a passphrase. There are a very limited number of circumstances where a key without a passphrase is acceptable. If you are in doubt, ask us.

Enter same passphrase again:

We require SSH2.

Some machines may put these files in a different spot. If this is the case, make a note of where it puts them and what it names them. The id_rsa (and, if they exist, id_dsa or identity) file is your private key. Keep it secret, keep it safe.
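The passphrase requirement and the "keep it secret" rule above can be checked on an existing key directory. The script below is an added example, not part of the original wiki page; its function names and status words are this example's own, and it assumes the OpenSSH ssh-keygen is on your PATH.

```sh
#!/bin/sh
# Added example (not from the wiki): report private keys that have no
# passphrase or that other users can read. All names here are illustrative.

# True if the file's first line is a PEM-style private key header.
is_private_key() {
    head -n 1 "$1" 2>/dev/null | grep -q -e '-----BEGIN .*PRIVATE KEY-----'
}

# True if any group/other permission bit is set on the file.
perms_too_open() {
    case "$(ls -ldL "$1" | cut -c1-10)" in
        ????------) return 1 ;;
        *) return 0 ;;
    esac
}

# True if ssh-keygen can derive the public key using an empty passphrase,
# i.e. the private key is stored unencrypted. -P "" prevents any prompt.
has_empty_passphrase() {
    ssh-keygen -y -P "" -f "$1" </dev/null >/dev/null 2>&1
}

# Print one status word for a file. Permissions are checked first because
# OpenSSH refuses to load your own key when other users can read it.
key_status() {
    if ! is_private_key "$1"; then echo not-a-key
    elif perms_too_open "$1"; then echo open-perms
    elif has_empty_passphrase "$1"; then echo no-passphrase
    else echo passphrase-set   # did not load with an empty passphrase
    fi
}

# Audit every regular file in a directory; return 1 if any key needs fixing.
audit_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        s=$(key_status "$f")
        if [ "$s" = not-a-key ]; then continue; fi
        [ "$s" = passphrase-set ] || rc=1
        printf '%-15s %s\n' "$s" "$f"
    done
    return "$rc"
}

# Usage: sh audit-keys.sh ~/.ssh
if [ "$#" -gt 0 ]; then audit_dir "$1"; fi
```

A key reported as open-perms can be fixed with chmod 600; one reported as no-passphrase can be given a passphrase with ssh-keygen -p -f followed by the key file.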

Add your key to MCS account profile

Login to and click the "Add New SSH Public Key" button for each key you want to add.

If you used the defaults, you can see your key from a command line which you can copy and paste into the accounts page:

cat ~/.ssh/

Using your ssh-key

  • if ssh-key files are in your ~/.ssh folder then type:
    • ssh
  • if ssh-key files are not in your ~/.ssh folder then type:
    • ssh -i path/to/private/ssh-key

(Optional): Agents

If you run an ssh-agent, it will remember the passphrase for your key while it's running.

If you log in to an MCS Linux workstation locally through X-Windows, an agent is launched automatically. If not, you can launch one by running:


To add your keys to the agent:


If your keys have a non-standard name or path, you'll need to specify the full path after the ssh-add command.

You will be asked for the passphrase for your .ssh/id_rsa (and .ssh/id_dsa, if applicable).

Now you can ssh to other machines that have your public key without ever being asked for a password.

Mac OS X Leopard (10.5) and newer have a built-in ssh-agent and key management through the Keychain.

Earlier Mac OS users can use GUI tools such as the following to manage keys and agents: