SSH Keys

[1] has a nice explanation of how SSH keys work. In brief:

The public key

This is stored in a .pub file, e.g. ~/.ssh/ if created using the DSA algorithm.

The key should be included in the ~/.ssh/authorized_keys file on remote machines to which you want to connect securely. This can be done simply with:

$ ssh-copy-id -i ~/.ssh/

Or, if your machine does not have ssh-copy-id:

$ cat ~/.ssh/ | ssh "mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys"

On the remote machine, ensure that the permissions of ~/.ssh are set to 700 and the permissions of ~/.ssh/authorized_keys to 644. 

The private key

This is stored in a second file, e.g. ~/.ssh/id_dsa. IT SHOULD NEVER BE SHARED WITH ANYONE.

It is generally recommended to use a passphrase when generating the keys. This will locally encrypt the private key; the passphrase must be supplied to decrypt it. Otherwise, anyone who can read the private key file on your system (a hacker, or at minimum, the root user) will be able to masquerade as you!
  • A passphrase can be added or changed for an existing key with the ssh-keygen -p command.

SSH agents

An SSH agent is a program that can run persistently on your local machine to keep track of your decrypted private keys so you don't have to enter the passphrase each time you connect to the remote machine. (This is presumably more secure than not encrypting the keys in the first place in case another user manages to access your private key file.)
  • On Mac OS X, when using a key with a passphrase you will be prompted with a dialog with an option to remember it in the Keychain. If you select this option it will also be loaded into ssh-agent from the Keychain whenever you run ssh for the first time in a login session.

See [2] for further explanation of passphrases and SSH agents.
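
The permission and passphrase points above can be checked with a short script. This is an added example, not part of the original page. The function names, the finding labels and the rule that a private key file carries no group or other permissions are assumptions of the example, which relies on `ssh-keygen -y -P ''` succeeding only for a key that is not encrypted.

```shell
#!/bin/sh
# Added example: audit an SSH directory (default ~/.ssh) against the settings
# described above. Prints one finding per line; the return status is the
# number of findings, so 0 means nothing was flagged.

# Group+other permission characters from `ls -ld`, e.g. "r--r--" for mode 644.
go_bits() { ls -ld "$1" | cut -c5-10; }

audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    # The directory should be 700: no access at all for group or other.
    [ "$(go_bits "$dir")" = "------" ] || report "DIR_TOO_OPEN $dir"

    # authorized_keys may be readable by others (644) but must not be writable
    # by group or other, or another account could append its own key.
    ak=$dir/authorized_keys
    if [ -f "$ak" ]; then
        case $(go_bits "$ak") in
            ?-??-?) ;;                      # no group/other write bit
            *) report "AUTHORIZED_KEYS_WRITABLE $ak" ;;
        esac
    fi

    # Private keys are recognised by their PEM header line.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        head -n 1 "$f" | grep -q -e '-----BEGIN .*PRIVATE KEY-----' || continue
        [ "$(go_bits "$f")" = "------" ] || report "KEY_READABLE_BY_OTHERS $f"
        # An empty passphrase only unlocks a key that is stored unencrypted.
        if command -v ssh-keygen >/dev/null 2>&1 &&
           ssh-keygen -y -P '' -f "$f" </dev/null >/dev/null 2>&1; then
            report "KEY_HAS_NO_PASSPHRASE $f"
        fi
    done
    return "$findings"
}
```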


Short hostname aliases for use with ssh and scp, as well as the default username for each remote host (which may be different from your local username), can be specified in ~/.ssh/config. For instance:

Host csc
        User aa1234