SSH Client 101

1. On the client host

1.1 Connect to a (remote) host

To connect to a SSH server use

If no identity file is specified, the client will try to look for one in

. That is for RSA keys. For other key types there are corresponding default locations:

. If no identity is found the user might be asked to provide a password.

To automate the selection of identities, the

file can be used to provide an idenity for each host:

1.2 Managing SSH Keys

1.2.1 ssh-keygen

There are a few methods to create keys, depending on OS. Some OpenSSL examples are available here: But you can also you ssh-keygen which comes bundled with the ssh client. To generate keys with ssh-keyge, use:

Both a private key (id_rsa) and the corresponding public key ( will be created.

Best practice is to generate one key pair on each host you use to connect and to add the public key to the hosts you want to connect to. You shouldn’t copy the private key on different hosts.

1.2.2 ssh-agent and ssh-add

ssh-agent is a program that holds private keys. It usually starts at the beginning of a user session and starts with no keys.

You can add keys to the ssh-agent using ssh-add

You can check the list of existing keys with

One additional feature of the agent is that it can forward keys when you ssh on to other hosts. This is useful in that you don’t have to copy your private keys anywhere else or you don’t have to generate new sets of keys on other hosts. Using the SSH connection the agent can provide key information to the agent running on the remote host.

To do this you either specify this at the moment of connection with

add it in the ssh client config file:

2. On the server host

Presuming the server allows Public Key Authentication, the user can add its own public keys in

. Once there, key based authentication can take place.

You can also use ssh-copy-id to securely copy the public key from one host to another.

Leave a Reply to PKI 101 - Cancel reply

Your email address will not be published. Required fields are marked *