Virtual Curiosities

How to Generate a SSH Key on Linux Mint

Share
In this tutorial, we'll learn how to generate a SSH key on Linux Mint, so that you can login in a server using SSH (Secure Shell) using the key instead of using a password.

To generate a SSH key in Linux Mint, follow the following steps:

1: open the start menu and open the application "Passwords and Keys." Its actual name is seahorse, which is GNOME's wallet manager.

2: Seahorse has a list-detail interface. Click on OpenSSH Keys on the list pane, the detail pane will show you your currently existing keys.

By default, there won't be any keys, so you'll see a button labelled "Add new items." After you add a key, this button disappears for some reason, and only a list is displayed. In this case, you need to click on the plus (+) button on the headerbar, which means "add," and then choose "Secure Shell Key."

A plus button on a headerbar being pressed, a dropdown menu under it with the items: Secure Shell Key (used to access other computers), GPG key (used to encrypt emails and files), Password keyring (used to store application and network passwords), Password (Safely store a password or secret), Private key (used to request a certificate), Import from file...
The dropdown menu shown when the plus (+) button is clicked on Seahorse.

A dialog box will appear titled "New secure shell key."

3: fill the fields of the dialog box as necessary.

A dialog box titled "New Secure Shell Key." On its headerbar two buttons: Generate and Cancel. The box reads: A Secure Shell (SSH) key lets you connect securely to other computers. Field "Description," value: "Virtual Curiosities' Key." "Your email address, or a reminder of what this key is for." Encryption Type: RSA. Key Strength (bits): 2048. If there is a computer you want to use this key with, you can set up that computer to recognize your new key.
The New Secure Shell Key dialog box in Seahorse.

The description field is merely a way to describe what the key will be used for, e.g. "key to login in my site's host."

You must choose an encryption type. This depends on what you'll use this key for, since the chosen type must be supported by the other party. NearlyFreeSpeech.net recommends ED25519, so since I use them as a host, that's the encryption type I choose.

4: you'll be prompted to choose a password for the SSH key, or you can leave it in blank to create the key without a password.

If you leave it in blank, you'll be able to login through SSH without having to type a password, which is very convenient, but also very unsafe. That's because anyone with access to your computer, who knows where to login to, will be able to SSH in into your accounts without having to type any password.

I'm not sure if this is a real risk or not, but it's something to keep in mind.

If you choose to use a password, you'll have to type the key's password before using it. This means when you SSH into NearlyFreeSpeech.net, for example, instead of having to type your NearlyFreeSpeech.net's account password, you'll have to type the SSH key's password. Note that this is different from typing your sudoer password, which you would type to sudo things.

The key password is never transmitted to the Internet. Basically, it's as if a SSH key without a password were a complete key, and one with a password was incomplete and the last piece needed to make it functional were the correct password. So the password completes the key, then the key is used to encrypt a message, and then the message is sent to the Internet. Neither the password nor the key are ever transmitted.

Since I'm not sure of how risky it is to not use a password, I recommend choosing a simple password just in case. Also it's a good idea to not use the same password as your sudoer password, because if you try to SSH into something without the key, you'll be asked to type your web host's account password, for example, and that's going to be sent through the Internet, so you could accidentally type your sudoer password in this case. I'm pretty sure that's not really unsafe unless you're running a SSH server in your computer, but it's something I'd rather avoid in principle.

If you forget your SSH key password, you can just create a new key to replace it.

Observation: pressing the cancel button creates the key without a password. This seems to be a bug, as I'd expect cancel to actually cancel the creation of the key.

Generating the Public Key

Following the above step above you'll have created a PRIVATE key. You'll need to generate a PUBLIC key from this private key. The public key is the key that you'll give others. The private key should never leave your computer.

For example, for me, since I use NearlyFreeSpeech.net, I would go to my profile page on the platform, click on "Add SSH Key," and there would be a single text field where I would need to paste the the public key, which is just text.

However, sometimes you need the public key as a file, which generally has the file extension .pub. We'll see how to do these two things.

Exporting a Public Key File

To export a .pub file:

1: right click an existing key to show its context menu and choose the option "Export...." A dialog box for your to save the file will appear.

A context menu shown under the OpenSSH key "Virtual Curiosities' Key" (Personal SSH Key). Its items read: Export..., Delete, Properties, and Configure Key for Secure Shell...
The context menu shown when you right click an OpenSSH key in Seahorse.

Observation: a .pub file is just a plain text file (i.e. a .txt file). You can open it in xed (the "Text Editor" in Linux Mint) if you want.

Copying the Public Key

To copy the public key in Seahorse:

1: right click an existing key to show its context menu and click on "Properties." This will open a properties dialog.

A context menu shown under the OpenSSH key "Virtual Curiosities' Key" (Personal SSH Key). Its items read: Export..., Delete, Properties, and Configure Key for Secure Shell...
The context menu shown when you right click an OpenSSH key in Seahorse.

2: in the dialog, there's a field called "Public Key," and on it there's a button with an icon for "copy" (it's a rectangle that seems duplicated).

3: click on the copy button to copy the public key. You can also click on the field to reveal the public key.

A dialog titled "SSH Key Properties" showing various fields: Name: "Virtual Curiosities' Key", Algorithm: RSA, Key Length: 2048, Location: /home/en/.ssh/id_rsa, a Fingerprint with several hexadecimal numbers, a public key that is a long text starting with ssh-rsa, following by random text characters, and ending in "Virtual Curiosities' Key," a switch "Remote Access (Allow accessing this computer remotely)", and three buttons: Export, Change Passphrase, and Delete SSH Key.
The SSH Key Properties dialog on Seahorse, with the Public Key field expanded.

Observation: the description you set when creating your private key is added automatically to the end of your public key. For example, if you chose "Virtual Curiosities' Key" as description, that's going to appear on the public key. If you don't want this for some reason, you can simply remove the description from the end of the public key. It will still work.

Observation: the dialog has an "Export" button. Pressing it exports the PRIVATE key. This is rather confusing since the "Export..." option in the context menu exports the PUBLIC key.

Sharing the Public Key

After doing these steps, you'll need to share this public key to your web host or whatever server you're trying to SSH into. How you do this depends on the platform, so you'll to consult their documentation to see how to give them the public key.

Safety Considerations

Removing Public Keys

If you ever remove or replace a private key, you should also remove the public key from the online service that is associated with it.

For example, let's say I forgot my key password so I'll generate a new private SSH key for NearlyFreeSpeech.net, and register with the platform a new public key. When I do this, I should also remove the old public key for the private key I lost the password for.

Every public key is a way to login as you, so if you have 10 SSH keys, that's like if you had 10 different extremely long passwords, and using any of them is enough to gain access to your account. Although the risk is insignificant, there is no reason to keep the public keys online if you don't or can't use them anymore yourself.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *