[1] has a nice explanation of how SSH keys work. In brief:
- SSH keys are a secure means of authenticating your identity when
connecting to a remote machine. They are an alternative to typing in the
password of your remote machine account.
- On your local machine, you use the ssh-keygen command to generate a pair of keys (e.g. RSA), typically in the ~/.ssh/ directory.
The public key
This is stored in a .pub file, e.g. ~/.ssh/id_dsa.pub if created using the DSA algorithm.
The key should be included in the ~/.ssh/authorized_keys file on remote machines to which you want to connect securely. This can be done simply with:
$ ssh-copy-id -i ~/.ssh/id_dsa.pub username@remote-server.org
Or, if your machine does not have ssh-copy-id:
$ cat ~/.ssh/id_dsa.pub | ssh username@remote-server.org "mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys"
On the remote machine, ensure that the permissions of ~/.ssh are set to 700 and those of ~/.ssh/authorized_keys to 644.
The private key
This is stored in a second file, e.g. ~/.ssh/id_dsa. IT SHOULD NEVER BE SHARED WITH ANYONE.
- Passphrases
- It is generally recommended to use a passphrase when
generating the keys. This will locally encrypt the private key; the
passphrase must be supplied to decrypt it. Otherwise, anyone who can
read the private key file on your system (a hacker, or at minimum, the
root user) will be able to masquerade as you!
- A passphrase can be added or changed for an existing key with the ssh-keygen -p command.
- SSH agents
- An SSH agent is a program that can run persistently on your local
machine to keep track of your decrypted private keys so you don't have
to enter the passphrase each time you connect to the remote machine.
(This is presumably more secure than not encrypting the keys in the
first place in case another user manages to access your private key
file.)
- On Mac OS X, when using a key with a passphrase you will be
prompted with a dialog offering to remember it in the Keychain. If
you select this option, the key will also be loaded into ssh-agent from the Keychain whenever you run ssh for the first time in a login session.
See [2] for further explanation of passphrases and SSH agents.
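As an added example (not part of the original text), the following Python script audits a ~/.ssh directory for the two points made above: the 700/644 permissions on the remote side, and whether each private key is actually protected by a passphrase. It detects an unencrypted key by reading the cipher name from the openssh-key-v1 container (or the Proc-Type header of a legacy PEM key); the demo_key helper builds a constructed header-only sample, not a real key.

```python
import base64
import os
import stat
import struct

MAGIC = b"openssh-key-v1\x00"  # header of the modern OpenSSH private key container

def private_key_is_encrypted(data):
    """True if a private key file is passphrase-protected. In the openssh-key-v1
    container the first field after the magic is the cipher name ('none' means
    unencrypted); legacy PEM keys carry a 'Proc-Type: 4,ENCRYPTED' header instead."""
    if b"BEGIN OPENSSH PRIVATE KEY" in data:
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))  # uint32 length prefix
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return cipher != b"none"
    return b"Proc-Type: 4,ENCRYPTED" in data

def audit_ssh_dir(ssh_dir):
    """Report deviations from the permissions the text prescribes, plus private
    keys that are readable by other users or stored without a passphrase."""
    findings = []
    mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if mode != 0o700:
        findings.append(f"{ssh_dir}: mode {mode:o}, expected 700")
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, "rb") as f:
            data = f.read()
        if name == "authorized_keys":
            if mode & 0o022:  # sshd's StrictModes refuses group/world-writable files
                findings.append(f"{path}: mode {mode:o} is group/world-writable, expected 644")
        elif b"PRIVATE KEY-----" in data:
            if mode & 0o077:  # ssh itself refuses a key readable by other users
                findings.append(f"{path}: mode {mode:o} readable by others, expected 600")
            if not private_key_is_encrypted(data):
                findings.append(f"{path}: private key has no passphrase")
    return findings

def demo_key(cipher=b"none"):
    """Constructed sample (not a real key): an openssh-key-v1 header with the given cipher."""
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher
    return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob) + b"\n-----END OPENSSH PRIVATE KEY-----\n"
```

Run audit_ssh_dir(os.path.expanduser("~/.ssh")) to check your own directory; an empty list means nothing was flagged.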
Aliases
Short hostname aliases for use with ssh and scp, as well as the default username for each remote host (which may differ from your local username), can be specified in ~/.ssh/config. For instance:
Host csc
HostName cs-class.uis.georgetown.edu
User aa1234