
Can you give out best practices or instructions how to generate key pairs with ssh-keygen2?

asked Dec 20 '10 at 19:39



edited Sep 21 '11 at 17:38

User keys are used in public-key authentication to authenticate a user.

Generate a user key pair with the following command:

$ ssh-keygen2

Provide the passphrase twice. Please choose a passphrase that is difficult to guess - spaces are OK.

This will create a public key (.pub) and a private key (no extension) in the $HOME/.ssh2 directory.

The default file names are id_dsa_2048_a.pub and id_dsa_2048_a (both assuming you don't change the file names or key size). The default key size is 2048 for SSH Secure Shell 3.2 and above.

Host keys

Hostkeys are used to identify and authenticate server hosts when establishing connections using Secure Shell. Hostkeys must not be assigned a passphrase.

The hostkeys are created during installation. You only need to regenerate them if there was a problem during installation or you wish to change your hostkeys.

  • Login as root.
  • Kill the sshd2 daemon listening on port 22:

    # kill $(cat /var/run/sshd2_22.pid)

  • Generate the hostkey with the following command:

    # ssh-keygen2 -P /etc/ssh2/hostkey

  • Restart sshd2:

    # /usr/local/sbin/sshd2

    Note that as an administrator, if you have users other than yourself connecting to your sshd2 daemon, and you are changing the hostkey, you will probably want to notify your users of the change. If you do not do this, your users will receive a warning message "host identification has changed" when next connecting. This is because the hostkey they have saved on their disk for your server does not match the hostkey now being provided by your sshd2 daemon. Your users may not know how to respond to this error. You can run the following to generate a fingerprint for your new public hostkey which you can provide to your users via some un-alterable method (such as digitally signed email):

    $ ssh-keygen2 -F /etc/ssh2/hostkey.pub

    When the user connects and receives the error message about the hostkey having changed, they can compare the fingerprint of the new key with the fingerprint you have provided in your email and ensure that they are connecting to the correct sshd2 daemon. Inform your users to notify you if the fingerprints do not match, or if they receive a message that the hostkeys have changed and do not receive a corresponding message from you notifying them of the change.

    Always adhering to these procedures can help ensure that you do not become the victim of a man-in-the-middle attack, as your users will notify you if the hostkey fingerprints ever do not match up. You will also be aware if the user says the key has changed when you have not regenerated your hostkey pair.


    answered Dec 20 '10 at 19:41


    Dave Rivard

    edited Dec 21 '10 at 19:14


    SSH KB ♦
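The fingerprint that ssh-keygen2 -F prints, and that users are asked to compare against the copy mailed to them, is in Bubble Babble form. The following is an added example in Python, not code from the answer above or from the SSH product: it implements the Bubble Babble encoding, computes a fingerprint from a key blob, and performs the client-side comparison against the out-of-band copy. It assumes the fingerprint is Bubble Babble over the SHA-1 of the raw public-key blob (how OpenSSH's ssh-keygen -B computes it; confirm against your own ssh-keygen2 -F output), and the key blob below is constructed, not a real host key.

```python
import hashlib
import hmac

# Bubble Babble alphabet (Antti Huima's encoding, the form ssh-keygen2 -F prints).
VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def bubble_babble(data: bytes) -> str:
    """Bubble Babble encode bytes: b"" -> "xexax"; odd and even lengths handled."""
    out, seed = ["x"], 1
    full = len(data) // 2  # number of complete two-byte tuples
    for i in range(full + 1):
        if i < full or len(data) % 2:
            b1 = data[2 * i]
            out.append(VOWELS[(((b1 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b1 >> 2) & 15])
            out.append(VOWELS[((b1 & 3) + seed // 6) % 6])
            if i < full:
                b2 = data[2 * i + 1]
                out.append(CONSONANTS[(b2 >> 4) & 15])
                out.append("-")
                out.append(CONSONANTS[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36  # running checksum
        else:  # even length: the final tuple carries only the checksum
            out.append(VOWELS[seed % 6] + "x" + VOWELS[seed // 6])
    return "".join(out) + "x"


def hostkey_fingerprint(key_blob: bytes) -> str:
    """Fingerprint of a public-key blob. Assumption: Bubble Babble over the SHA-1 of
    the raw blob (what OpenSSH ssh-keygen -B does); confirm against ssh-keygen2 -F."""
    return bubble_babble(hashlib.sha1(key_blob).digest())


def fingerprint_matches(presented: str, out_of_band: str) -> bool:
    """Client-side check: does the fingerprint of the key the server just offered
    equal the one the administrator sent out of band (e.g. in signed email)?"""
    a, b = presented.strip().lower(), out_of_band.strip().lower()
    return hmac.compare_digest(a, b)


# Constructed stand-in for a host key blob (an "ssh-dss" header with 1-byte mpints);
# not a real key. A real blob is the decoded base64 body of hostkey.pub.
FAKE_HOSTKEY_BLOB = b"\x00\x00\x00\x07ssh-dss" + b"\x00\x00\x00\x01\x02" * 4
ADMIN_SENT = hostkey_fingerprint(FAKE_HOSTKEY_BLOB)          # what the admin mails out
OTHER_KEY = hostkey_fingerprint(FAKE_HOSTKEY_BLOB + b"\x01")  # a different key's fingerprint

if __name__ == "__main__":
    print(ADMIN_SENT, fingerprint_matches(ADMIN_SENT, OTHER_KEY))
```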
