Protect the Accounts
If you haven't done it yet, now would be a good time to disable all unneeded accounts and make sure that all accounts still in use have strong passwords. Attackers are trying constantly to guess passwords. See the earlier section for details.
Create the Keys
The user needs to generate SSH public/private key pairs. Use the following command sequence. Provide a strong passphrase, since security rests on this being extremely difficult to guess. Unless you really want to greatly confuse and inconvenience yourself, use the same passphrase for all key pairs! Accept the default locations for key storage:
$ cd ~/.ssh
$ ssh-keygen -t rsa
$ ssh-keygen -t dsa
$ ssh-keygen -t ecdsa -b 521
$ ssh-keygen -t ed25519
$ sort -u authorized_keys *.pub -o authorized_keys
$ chmod 644 authorized_keys
The sort command will keep any other keys already in your
Permission mode matters on that file: the SSH daemon will refuse to pay attention to files with inappropriate permission settings.
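The permission rule above can be checked before the daemon silently ignores a key file. This is an added example, not part of the original page; the function names are hypothetical. It applies the sshd StrictModes test (owned by the user or root, no group or world write) to the home directory, ~/.ssh and authorized_keys, and goes one step further by applying the ssh client's test to private keys.

```shell
#!/bin/sh
# Added example (not from the original page): report the permission problems
# that make sshd ignore authorized_keys or make ssh reject a private key.

# Succeeds if $1 is writable by group or other (any bit of mode 022 set).
group_or_world_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Succeeds if group or other have any access to $1 (any bit of mode 077 set).
open_to_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Succeeds if $1 is owned by neither the current user nor root.
foreign_owner() {
    [ -n "$(find "$1" -prune ! -user "$(id -u)" ! -user 0 -print)" ]
}

# Audit an SSH directory (default ~/.ssh); returns 0 only if nothing is flagged.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    bad=0
    # sshd's StrictModes test: home directory, .ssh and authorized_keys must
    # belong to the user (or root) and must not be group- or world-writable.
    for p in "$dir/.." "$dir" "$dir/authorized_keys"; do
        [ -e "$p" ] || continue
        if foreign_owner "$p"; then echo "FAIL owner: $p"; bad=1; fi
        if group_or_world_writable "$p"; then
            echo "FAIL writable by group/other: $p"; bad=1
        fi
    done
    # The ssh client's own test: private keys must have no 077 bits set.
    for key in "$dir"/id_*; do
        case $key in *.pub) continue ;; esac
        [ -f "$key" ] || continue
        if open_to_others "$key"; then
            echo "FAIL private key accessible by group/other: $key"; bad=1
        fi
    done
    return "$bad"
}
```

Source the file and run audit_ssh_dir "$HOME/.ssh"; no output and a zero exit status mean nothing was flagged.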
Distribute the Keys
Once those keys are generated, the entire directory must be copied into place on all systems. If you are using NFS and automounting, this is already done!
If you are not, then the administrator might need to get
At every login, if keychain is installed, the user will be prompted for their password. If not, the user simply runs this command:
Type your SSH key passphrase (what you typed back when you generated the keys).
Now everything is automatic!
automatically authenticate with keys without any password-typing by you!
Test it like this:
$ ssh-add -l
2048 SHA256:iPhC3AyXUos7/1aaO4qeoEJcb0bp4SAv0fmpjih9tC8 /home/cromwell/.ssh/id_rsa (RSA)
1024 SHA256:EsubOsP2kSMOoQJSHQ6+MKdwtD2SV54RJY/mlFeaouc /home/cromwell/.ssh/id_dsa (DSA)
521 SHA256:TGjRDHyS+OLaYWDct7G7NZN1k+vSS2R9PJcOBkfCmKE /home/cromwell/.ssh/id_ecdsa (ECDSA)
256 SHA256:+o3rP/Mz5bpp+Vwj3XuOsO6zeT1gnwrcutKiRuHD3jM email@example.com (ED25519)