Research and Development
ssh-keygen -f ~/.ssh/server_rsa -t rsa -b 4096
ssh-copy-id -i ~/.ssh/server_rsa.pub user@server_ip
Edit the server's /etc/ssh/sshd_config file and set Port to 8022 and PasswordAuthentication to no.
Use the ssh-keygen tool to create new authentication key pairs for SSH. Such key pairs are used for automating logins, single sign-on, and for authenticating hosts.
The simplest way to generate a key pair is to run ssh-keygen without arguments. In this case, it will prompt for the file in which to store keys. Here's an example:
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:bDQtv6SEck5wSiRHVM3bqZbNEY++j73ITVPFBxoPF9s user@host
The key's randomart image is:
+---[RSA 3072]----+
| .o=..o o +. |
| + o.. * = |
| o . +o.=. o E|
| . + +.+= . ..|
| o + S*o. . |
| = o+o+. . |
| ... ..o |
| ..* . |
| +.=. |
+----[SHA256]-----+
SSH supports several public key algorithms for authentication keys. These include:
rsa - an old algorithm based on the difficulty of factoring large numbers. A key size of at least 2048 bits is recommended for RSA; 4096 bits is better. RSA is getting old and significant advances are being made in factoring. Choosing a different algorithm may be advisable. It is quite possible the RSA algorithm will become practically breakable in the foreseeable future. All SSH clients support this algorithm.
dsa - an old US government Digital Signature Algorithm. It is based on the difficulty of computing discrete logarithms. A key size of 1024 would normally be used with it. DSA in its original form is no longer recommended.
ecdsa - a new Digital Signature Algorithm standardized by the US government, using elliptic curves. This is probably a good algorithm for current applications. Only three key sizes are supported: 256, 384, and 521 bits. We would recommend always using it with 521 bits, since the keys are still small and probably more secure than the smaller keys (even though they should be safe as well). Most SSH clients now support this algorithm.
ed25519 - this is a new algorithm added in OpenSSH. Support for it in clients is not yet universal. Thus its use in general purpose applications may not yet be advisable.
The algorithm is selected using the -t option and the key size using the -b option. The following commands illustrate:
ssh-keygen -t rsa -b 4096
ssh-keygen -t dsa
ssh-keygen -t ecdsa -b 521
ssh-keygen -t ed25519
The file name can be specified on the command line using the -f <filename> option:
ssh-keygen -f ~/test-key-ecdsa -t ecdsa -b 521
To use public key authentication, the public key must be copied to a server and installed in an authorized_keys file. This can be conveniently done using the ssh-copy-id tool:
ssh-copy-id -i ~/test-key-ecdsa.pub user@host
Once the public key has been configured on the server, the server will allow any connecting user that has the private key to log in. During the login process, the client proves possession of the private key by digitally signing the key exchange.
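The sshd_config step at the top of these notes (Port 8022, PasswordAuthentication no) is easy to get half-right by hand: a commented-out default left in place, or a duplicate directive below the one sshd actually honours. The POSIX shell script below is an added example, not from the original notes; it applies both settings idempotently and verifies the effective value the way sshd resolves it (first uncommented match wins). File paths are assumptions.

```shell
#!/bin/sh
# Added example: apply the two sshd_config settings from the notes above
# and verify them. Usage: sh harden_sshd.sh /etc/ssh/sshd_config

# set_sshd_option FILE KEY VALUE
# Rewrites any existing "KEY ..." line (commented out or not) to "KEY VALUE";
# appends the directive if KEY is absent. Edits a temp copy, then moves it in.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key[[:space:]].*/$key $value/" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s %s\n' "$key" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# check_sshd_option FILE KEY VALUE
# Returns 0 if the effective setting equals VALUE. sshd takes the first
# uncommented occurrence of a keyword, so only the first match is inspected.
check_sshd_option() {
    file=$1; key=$2; value=$3
    got=$(awk -v k="$key" '$1 == k { print $2; exit }' "$file")
    [ "$got" = "$value" ]
}

# harden_sshd_config FILE
# Applies Port 8022 and PasswordAuthentication no, then confirms both took
# effect. Note: distributions that place "Include /etc/ssh/sshd_config.d/*.conf"
# at the top of the file resolve those drop-ins first; put the settings there
# in that case, since an earlier match overrides anything written here.
harden_sshd_config() {
    file=$1
    set_sshd_option "$file" Port 8022
    set_sshd_option "$file" PasswordAuthentication no
    check_sshd_option "$file" Port 8022 &&
        check_sshd_option "$file" PasswordAuthentication no
}

# Only act when a config path is given, so sourcing the file is side-effect free.
if [ -n "$1" ]; then
    harden_sshd_config "$1" && echo "sshd_config hardened: $1"
fi
```

Run `sshd -t` to syntax-check the result and keep the current session open while restarting sshd, since a typo or a firewall that does not yet allow 8022 would otherwise lock you out.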