To generate a SSH key in Linux Mint, follow the following steps:
1: open the start menu and open the application "Passwords and Keys." Its actual name is seahorse
, which is GNOME's wallet manager.
2: Seahorse has a list-detail interface. Click on OpenSSH Keys on the list pane, the detail pane will show you your currently existing keys.
By default, there won't be any keys, so you'll see a button labelled "Add new items." After you add a key, this button disappears for some reason, and only a list is displayed. In this case, you need to click on the plus (+
) button on the headerbar, which means "add," and then choose "Secure Shell Key."
A dialog box will appear titled "New secure shell key."
3: fill the fields of the dialog box as necessary.
The description field is merely a way to describe what the key will be used for, e.g. "key to login in my site's host."
You must choose an encryption type. This depends on what you'll use this key for, since the chosen type must be supported by the other party. NearlyFreeSpeech.net recommends ED25519, so since I use them as a host, that's the encryption type I choose.
4: you'll be prompted to choose a password for the SSH key, or you can leave it in blank to create the key without a password.
If you leave it in blank, you'll be able to login through SSH without having to type a password, which is very convenient, but also very unsafe. That's because anyone with access to your computer, who knows where to login to, will be able to SSH in into your accounts without having to type any password.
I'm not sure if this is a real risk or not, but it's something to keep in mind.
If you choose to use a password, you'll have to type the key's password before using it. This means when you SSH into NearlyFreeSpeech.net, for example, instead of having to type your NearlyFreeSpeech.net's account password, you'll have to type the SSH key's password. Note that this is different from typing your sudoer password, which you would type to sudo
things.
The key password is never transmitted to the Internet. Basically, it's as if a SSH key without a password were a complete key, and one with a password was incomplete and the last piece needed to make it functional were the correct password. So the password completes the key, then the key is used to encrypt a message, and then the message is sent to the Internet. Neither the password nor the key are ever transmitted.
Since I'm not sure of how risky it is to not use a password, I recommend choosing a simple password just in case. Also it's a good idea to not use the same password as your sudoer password, because if you try to SSH into something without the key, you'll be asked to type your web host's account password, for example, and that's going to be sent through the Internet, so you could accidentally type your sudoer password in this case. I'm pretty sure that's not really unsafe unless you're running a SSH server in your computer, but it's something I'd rather avoid in principle.
If you forget your SSH key password, you can just create a new key to replace it.
Observation: pressing the cancel button creates the key without a password. This seems to be a bug, as I'd expect cancel to actually cancel the creation of the key.
Generating the Public Key
Following the above step above you'll have created a PRIVATE key. You'll need to generate a PUBLIC key from this private key. The public key is the key that you'll give others. The private key should never leave your computer.
For example, for me, since I use NearlyFreeSpeech.net, I would go to my profile page on the platform, click on "Add SSH Key," and there would be a single text field where I would need to paste the the public key, which is just text.
However, sometimes you need the public key as a file, which generally has the file extension .pub
. We'll see how to do these two things.
Exporting a Public Key File
To export a .pub
file:
1: right click an existing key to show its context menu and choose the option "Export...." A dialog box for your to save the file will appear.
Observation: a .pub
file is just a plain text file (i.e. a .txt
file). You can open it in xed
(the "Text Editor" in Linux Mint) if you want.
Copying the Public Key
To copy the public key in Seahorse:
1: right click an existing key to show its context menu and click on "Properties." This will open a properties dialog.
2: in the dialog, there's a field called "Public Key," and on it there's a button with an icon for "copy" (it's a rectangle that seems duplicated).
3: click on the copy button to copy the public key. You can also click on the field to reveal the public key.
Observation: the description you set when creating your private key is added automatically to the end of your public key. For example, if you chose "Virtual Curiosities' Key" as description, that's going to appear on the public key. If you don't want this for some reason, you can simply remove the description from the end of the public key. It will still work.
Observation: the dialog has an "Export" button. Pressing it exports the PRIVATE key. This is rather confusing since the "Export..." option in the context menu exports the PUBLIC key.
Sharing the Public Key
After doing these steps, you'll need to share this public key to your web host or whatever server you're trying to SSH into. How you do this depends on the platform, so you'll to consult their documentation to see how to give them the public key.
Safety Considerations
Removing Public Keys
If you ever remove or replace a private key, you should also remove the public key from the online service that is associated with it.
For example, let's say I forgot my key password so I'll generate a new private SSH key for NearlyFreeSpeech.net, and register with the platform a new public key. When I do this, I should also remove the old public key for the private key I lost the password for.
Every public key is a way to login as you, so if you have 10 SSH keys, that's like if you had 10 different extremely long passwords, and using any of them is enough to gain access to your account. Although the risk is insignificant, there is no reason to keep the public keys online if you don't or can't use them anymore yourself.
Leave a Reply