
UNIX SSH Key Generation

by throwe — last modified Oct 27, 2016 11:58 AM
Contributors: John De Stefano
Follow the steps indicated below to generate and use an SSH keypair under Linux, Unix, MacOS, or Cygwin.

Generate A New Key Pair

  1. Open a terminal window on the desktop machine or laptop that you will be using to log in to the RCF/ACF.
  2. At the prompt, type:
    ssh-keygen -t rsa
    You will see output similar to the following:
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/<user>/.ssh/id_rsa):
    where <user> is replaced by your user name.
    This command will generate an RSA key of the default length (1024 bits).
  3. To accept the default file name and location ~/.ssh/id_rsa, press Return.
  4. At the Enter passphrase prompt, type in a passphrase, which will not be echoed as you type, and then press Return.
    This passphrase will be used to unlock your private key file (failing to enter a passphrase for your key will, of course, defeat all security related to the key pair).
  5. You will be prompted to verify the passphrase by entering it again. Retype your passphrase, and then press Return.
    The key pair will be generated, and you will see output similar to the following:
    Your identification has been saved in /home/<user>/.ssh/id_rsa.
    Your public key has been saved in /home/<user>/.ssh/id_rsa.pub.
    The key fingerprint is:
    82:c5:30:66:74:e3:e3:cf:5b:12:69:ca:e7:92:d0:e4 <user>@<machine.name>
    where the actual fingerprint for your key will be displayed (not the one shown in the example above), and where the terms in angle brackets (<>) are replaced by the values appropriate for your machine.
    Two files will be created:
    • The first file is the private key, with the default name (or the name you entered above).
    • The second file is the public key, with .pub appended to the file name.
  6. Copy the key fingerprint value from the output above.
  7. To upload the key, browse to:
    https://web.racf.bnl.gov/Facility/SshKeys/UploadSshKey.php
    In order to view the form, you will be prompted for your Kerberos user name and password.
  8. Click the Browse button, and in the dialog box, navigate to your .ssh directory (or the directory in which your public key file is stored).
    If your browser does not display hidden directories (ones that begin with a period), then you will have to type in or cut and paste the name of the public key file into the dialog box. Enter the full name of the public key file (as displayed in output earlier), including the path and the .pub file extension (if you copy and paste the name or path, take care to leave off the period at the end of the line with the public key file name).
  9. Copy and paste the fingerprint of your public key (as displayed in output earlier) into the second box in the form, or type it into the dialog box. The fingerprint consists of 16 two-digit hexadecimal numbers separated by colons (:).
  10. To upload your key file, click the Send File button.
  11. You can now log in to one of the gateway machines using SSH keys. You will be prompted for the passphrase for your private key during the login process. The passphrase will not leave your local machine.
  12. To obtain your Kerberos and AFS credentials, once you have logged into a gateway machine, enter the command:
    kinit -5 -4 -l 7d
    where the third argument is a lower case L, exactly as specified.

Use an Existing Key Pair

  1. To obtain the fingerprint of an existing public key in MD5 format, use the command:
    ssh-keygen -l -E md5 -f <public_key_file_name>
    where the first argument is a lower-case L, and <public_key_file_name> is the full path to your public key file.
    This command will return the MD5 format fingerprint hash of your public key, in output similar to the following:
    1024 MD5:72:ee:b7:ac:0d:df:6c:42:8c:a1:47:23:01:a9:26:42 you@yourhost.com (RSA)
    where your MD5 fingerprint is prefixed by the text `MD5:`.
    Note: If you are using a version of OpenSSH older than v6.8, the `-E` option is not supported, and MD5 is still your default fingerprint format. Omit the `-E md5` option specified above.
  2. Proceed to upload your key as specified above.
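The following is an added example, not part of this page: it reproduces offline what `ssh-keygen -l -E md5 -f <public_key_file_name>` computes (the MD5 of the base64-decoded key blob, rendered as 16 colon-separated hex bytes, plus the modulus bit length) and checks that a fingerprint you are about to paste into the upload form has that shape. The sample key it builds is a constructed dummy with a made-up modulus, not a real RSA key, and the `user@machine.name` comment is a placeholder.

```python
import base64
import hashlib
import re

FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")

def _ssh_string(data: bytes) -> bytes:
    # RFC 4251 string: uint32 big-endian length, then the bytes
    return len(data).to_bytes(4, "big") + data

def _ssh_mpint(value: int) -> bytes:
    # RFC 4251 mpint: big-endian, with a leading 0x00 byte when the high bit is set
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _read_string(buf: bytes, pos: int):
    # RFC 4251 string read; rejects blobs cut short by a bad copy-and-paste
    end = pos + 4 + int.from_bytes(buf[pos:pos + 4], "big")
    if len(buf) < pos + 4 or len(buf) < end:
        raise ValueError("truncated key blob")
    return buf[pos + 4:end], end

def parse_public_key(line: str) -> dict:
    """Parse one id_rsa.pub line into key type, modulus bits, comment and MD5 fingerprint."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    wire_type, pos = _read_string(blob, 0)
    if wire_type != b"ssh-rsa" or fields[0] != "ssh-rsa":
        raise ValueError("not a consistent ssh-rsa public key")
    _exponent, pos = _read_string(blob, pos)
    modulus, _ = _read_string(blob, pos)
    digest = hashlib.md5(blob).hexdigest()  # ssh-keygen -l -E md5 hashes the decoded blob
    return {"type": "ssh-rsa",
            "bits": int.from_bytes(modulus, "big").bit_length(),
            "comment": fields[2] if len(fields) == 3 else "",
            "md5": ":".join(digest[i:i + 2] for i in range(0, 32, 2))}

def is_upload_fingerprint(value: str) -> bool:
    """True if value is the 16 colon-separated hex bytes the upload form expects ('MD5:' prefix allowed)."""
    value = value.strip()
    if value.startswith("MD5:"):
        value = value[4:]
    return FINGERPRINT_RE.fullmatch(value.lower()) is not None

def make_sample_key(bits: int = 1024) -> str:
    """Constructed dummy ssh-rsa line (e=65537, modulus of exactly `bits` bits). NOT a real key."""
    modulus = (1 << (bits - 1)) | 0x10001
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " user@machine.name"
```

Run `parse_public_key` on the first line of your own id_rsa.pub and compare its `md5` value with the `MD5:` field ssh-keygen prints; on OpenSSH releases older than 6.8 the same colon-separated value is what `ssh-keygen -l` prints without `-E md5`.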