724-746-5500 | blackbox.com
Generated keys may be one of two types—RSA or DSA (and it is beyond the scope of this document to
recommend one over the other). RSA keys will go into the files id_rsa and id_rsa.pub. DSA keys will be
stored in the files id_dsa and id_dsa.pub.
For simplicity going forward, the term private key will be used to refer to either id_rsa or id_dsa,
and public key to refer to either id_rsa.pub or id_dsa.pub.
To generate the keys using OpenBSD's OpenSSH suite, we use the ssh-keygen program:
$ ssh-keygen -t [rsa|dsa]
Generating public/private [rsa|dsa] key pair.
Enter file in which to save the key (/home/user/.ssh/id_[rsa|dsa]):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_[rsa|dsa].
Your public key has been saved in /home/user/.ssh/id_[rsa|dsa].pub.
The key fingerprint is:
28:aa:29:38:ba:40:f4:11:5e:3f:d4:fa:e5:36:14:d6 user@server
$
It is advisable to create a new directory to store your generated keys. It is also possible to name the files
after the device they will be used for. For example:
$ mkdir keys
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/keys/control_room
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/keys/control_room
Your public key has been saved in /home/user/keys/control_room.pub.
The key fingerprint is:
28:aa:29:38:ba:40:f4:11:5e:3f:d4:fa:e5:36:14:d6 user@server
$
You should ensure there is no password (passphrase) associated with the keys. If there is a password,
then the console servers will have no way to supply it at runtime.
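The same procedure run non-interactively, as an added example that is not part of the original manual: it creates the keys directory, generates an RSA pair named after the device with an empty passphrase, and checks that a private key really has none. The function names are hypothetical; the ssh-keygen options used (-q, -t, -N, -C, -f, -y, -P, -l) are standard OpenSSH options.

```shell
#!/bin/sh
# Added example, not from the manual. Function names are hypothetical;
# the directory and device names are whatever the caller passes in.

# make_device_key DIR DEVICE
# Create DIR/DEVICE and DIR/DEVICE.pub as an RSA pair with an empty passphrase.
make_device_key() {
    dir=$1
    device=$2
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1    # the key is stored unencrypted: owner-only access
    if [ -e "$dir/$device" ]; then
        echo "refusing to overwrite $dir/$device" >&2
        return 1
    fi
    # -N '' sets an empty passphrase, -f names the output file, -q suppresses
    # the interactive prompts shown in the sessions above.
    ssh-keygen -q -t rsa -N '' -C "$device" -f "$dir/$device" || return 1
    chmod 600 "$dir/$device"
}

# has_no_passphrase KEYFILE
# Succeeds only if the private key can be loaded with an empty passphrase.
has_no_passphrase() {
    # -y re-derives the public key from the private key; -P '' supplies an
    # empty passphrase, so an encrypted key fails instead of prompting.
    ssh-keygen -y -P '' -f "$1" </dev/null >/dev/null 2>&1
}

# key_fingerprint KEYFILE
# Print the fingerprint of the public half, to compare against what
# ssh-keygen reported when the key was generated.
key_fingerprint() {
    ssh-keygen -l -f "$1.pub"
}
```

For example, make_device_key "$HOME/keys" control_room followed by has_no_passphrase "$HOME/keys/control_room" reproduces the control_room key from the session above and confirms it can be used unattended.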
[Figure: Client #1, Server and Client #2. Labels: Client #1 Keys (id_dsa, id_dsa.pub); Client #2 Keys (id_rsa.pub, id_rsa); Authorized keys.]