SSH keys: how do they work?

What is SSH?
What does SSH do?
How do I use OpenSSH?

What is SSH?

Several related things are named SSH:

Secure Shell is a networking protocol.
The ssh command is an OpenSSH utility for using Secure Shell.
SSH Communications Security is a company founded by the author of Secure Shell.

The Secure Shell protocol uses public-key encryption. Keys are generated in pairs:

A public key is a recipe for encrypting messages. Public keys can be published anywhere.
A private key is a hint for decrypting those messages. Private keys should never be shown to anyone.

Public-key encryption is often used to send a temporary shared secret which can only be read by a specific person. A faster scheme like AES/Rijndael can then be used to encrypt messages.

Diane wants to send an important message to Dale. Bob, who is evil, wants to trick Dale.
DIANE: Hello, Dale. It's me, Diane.

BOB: Hello, Dale. It's me, Diane.

Dale generates a random AES password. He uses Diane's public SSH key to encrypt it.

DALE: Hello, Dianes. Let's use AES. I will send you a password.

Dale sends the encrypted password to Bob and Diane. Diane uses her private SSH key to decrypt it. Bob cannot.

DIANE: (AES-encrypted) The owls are not what they seem.

DALE: *mistrusts owls*

BOB: Dammit.

For mathematical details, here's an RSA tutorial and a toy program.

What does SSH do?

Secure Shell is commonly used to control a computer from another computer's terminal.

astral projection textbook — Daniel P. Dern. 1993. The Internet Guide for New Users. McGraw-Hill, Inc., New York, NY, USA.

OpenSSH includes utilities for remote login and other SSH tasks:

hearts, stars, and stick figures — ssh tips from Julia Evans

How do I use OpenSSH?

OpenSSH is freely available at openssh.com. See if it has already been installed:

which ssh

SSH keys and settings are (usually) stored in an .ssh folder in each user's home folder.

name	type	chmod	contents
.ssh	folder	700	OpenSSH keys and settings
.ssh/authorized_keys	text file	600	public keys allowed to login as this user
.ssh/config	text file	600	settings for ssh-agent
.ssh/environment	text file	600	extra environment variables for OpenSSH commands
.ssh/id_rsa	text file	600	a private RSA key
.ssh/id_rsa.pub	text file	644	a public RSA key
.ssh/known_hosts	text file	644	IP addresses with known public keys
.ssh/rc	script	700	run these commands when user logs in

Each .ssh folder can store multiple keys with different names like:

github_rsa
github_rsa.pub
kompromat_dsa
kompromat_dsa.pub
paintedeagle_ecdsa
paintedeagle_ecdsa.pub

File naming conventions:

A public key has suffix .pub
A private key has the same name, but with no suffix.
RSA key names end with _rsa, ECDSA keys end with _ecdsa, etc.

Run ssh-keygen to generate keys interactively. It will ask a few questions:

Where to save the private key?
Require a password to use the private key?

Generate a keypair and save to testkey_rsa and testkey_rsa.pub in the current folder:

ssh-keygen -f testkey_rsa

Change the password of an existing key:

ssh-keygen -p -f testkey_rsa

Generate a 521-bit ECDSA keypair:

ssh-keygen -t ecdsa -b 521

Generate a 2048-bit RSA keypair for Amazon EC2:

ssh-keygen -t rsa -b 2048

Generate a 4096-bit RSA keypair (with a comment) for GitHub:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Show the instruction manual:

man ssh