/Users/yourname/.ssh/
. There will be two files:id_rsa
This is your private key, you must keep it secret and never allow anybodyelse to gain control of it. Treat this key like a password, keep it safe and makea backup copy. You can add it to keychain using ssh-add -K ~/.ssh/id_rsa
.id_rsa.pub
This is your public key, you can share it freely. This part of the keyis used during authentication to encode a message which can only be decoded with theprivate key. It cannot be used to derive the private key so there is no risk insharing it.id_rsa.pub
file. They'll be able to add it to your user account's list of authorizedkeys and that will enable you to log in without typing a password.ssh-keygen
using OpenSSL gives us access to optionsthat are not avaiable in the standard Mac OS X version of SSH but doesn't require us to buildthe SSH client from scratch.genpkey
command which is the new recommended way to generate keys. Assuming you have Homebrewinstalled (see: https://brew.sh) you can install an up-to-date version of OpenSSL with:~/.ssh
and that path must be restrictedso that only the user can access it. It also requires that any identify files beaccessible only by the user too. Permssions for ~/.ssh/config
can be more relaxedbut it is good practice to keep those private so as not to leak inforamtion aboutuser names or servers you connect to.ssh-keygen
:genpkey
is the new command for generating keys, it supercedes the oldgenrsa
method. Mac OS X's default OpenSSL does not have this command sobuilding your own version is required.-algorith rsa
uses the RSA algorithm for the key and is recommended formaximum compatibility. Other options include ECDSA
, which is lesscomputationally intensive on very low-end hardware (e.g. 50 MHz ARM) andDH
which has characteristics similar to RSA but is rarely used.-aes-256-cbc
is the cypher used to encrypt the bundle and causes the userto be prompted for a password. There are a number of available ciphers butAES-256-cbc is among the stronger options available and widely used too.-outform PEM
there are several output formats that you can use but PEM iswidely used by open source software and tends to be the best supported. Theformat is also nicely encoded so that you can debug with any text editor andhas the advantage of bundling the public and private key into a single filewhich makes them easier to move around. You can always output the public orprivate key from a PEM bundle that contains both.-pkey_opt …
can be specified multiple times and supplies options to thegeneration function. This can be specified multiple times to suplly severaloptionsrsa_keygen_bits:4096
sets the length of the keys produced. 1024 bits isgenerally considered the absolute minimum for secure communication todaythough there is some concern that they will be broken for well-fundedattackers in the near future so 2048 bits is recommended where possible.Longer keys provide greater security however there is diminishing returnsas key length increases. Also, increasing the key length also increasescomputational costs exponentially (by the cube of the change, so 2048 is8x more demanding than 1024-bit). You may want to use smaller keys forslower hardware or if you find yourself frequently reconnecting due to badconnections during a session for better performance.-out yourname.pem
defines the output file for your bundle. You should storea copy of this certificate in ~/.ssh
so that it can be used to authenticatessh sessions. The file must not be accessible to other users on the system soset the permissions accordingly. You should also store the file and thepassword somewhere safe (like in your password vault or on a USB drive in asafe deposit box).openssl rand -base64 48
.~/.ssh
folder and change itspermissions accordingly:chmod 0600 ~/.ssh/yourname.pem
would also work if you don't mindit being editable by your user.~/.ssh
as a secret.~/.ssh/config
to specify this bundle as the defaultidentify file by adding the line:ssh -i ~/.ssh/yourname.pem example.com -l someuser
. When you areprompted for a password, remember that you should enter the one used when creatingthe bundle, not the log-in password for your computer or the remote system you areconnecting to.ssh -i ~/.ssh/yourname.pem foo.example.com
will also add your key to Keychain.~/.ssh/config
and local .gitconfig
files ot manage those relationships.~/.ssh/config
and adding entries like the following for each account:.gitconfig
insidethe checked out repository:git config
andgit remote add foo [email protected]:somegithubuser/somerepo.git
. A fullrun through of those options is well outside the scope of this gist.