# ssh key generation, cannot seems to get it right

## DaggyStyle

Might be the lack of sleeping hours, but I cannot seem to get it right.

I have a server; I want to generate a key that I can pass to others and that will enable them to connect to the server without the need for a password.

what is the right way to do that?

----------

## John R. Graham

You've got it mostly backwards. You do need to generate a key on the server, but you've got to create a key on each of the clients that you want to be able to log in without a password. On each of them—server and client—the command is ssh-keygen. For instance:

```
ssh-keygen -t rsa -b 2048
```

From this command, you will get two files in the ~/.ssh directory: id_rsa and id_rsa.pub. The .pub file is copied to the server's ~/.ssh directory (under a unique name; don't overwrite the server's id_rsa.pub) and appended to the ~/.ssh/authorized_keys file. This is what allows the server to recognize a particular client without a password.

Any questions, just ask.

- John

----------

## DaggyStyle

crap, isn't there any other way to generate one public key on the server and distribute it to all clients?

----------

## krinn

That's the other way around from what you are asking.

You must generate a public key on the clients, then pass those public keys to the server to allow the clients to connect to your server.

So every client must have a public key that you can register with the server.

And it's pretty easy to pass them to the server:

on each client, generate a key and

```
# the redirection is quoted so the append runs on the server, not on the client
scp /home/username/.ssh/id_rsa.pub server:/tmp/newkey && ssh server 'cat /tmp/newkey >> ~/.ssh/authorized_keys'
```
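One way to carry out the setup John and krinn describe, as an added example that is not code from any of the posters: the client-side ssh-keygen call, and the server-side authorized_keys append done idempotently and with the file modes sshd insists on. The sample public key (filler base64, not a real key), the hostnames, the demo() function and the ed25519 key type are constructed assumptions; push_key_to_server is the quoted form of krinn's one-liner (the append has to run on the server, so the redirection is inside the quotes) and is defined but not invoked.

```shell
#!/bin/sh
# Added example (not from the thread): client-side key creation and the
# server-side authorized_keys update as reusable functions.
# Hostnames, user names and the sample key below are constructed placeholders.

# Constructed, not a real key: the base64 body is filler.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREALxxxxxxxxxxxxxxxxxxxxxxx client@example'

# make_client_key KEYFILE: create the key pair on the CLIENT (the ssh-keygen
# step from the answers). The private half never leaves this machine.
make_client_key() {
  keyfile=$1
  [ -f "$keyfile" ] && return 0          # keep an existing key
  ssh-keygen -t ed25519 -N '' -f "$keyfile" -C "$(whoami)@$(hostname)" >/dev/null
}

# install_pubkey PUBKEY_LINE AUTH_FILE: append one public key to an
# authorized_keys file, creating it with the modes sshd requires (sshd ignores
# an authorized_keys file or ~/.ssh directory writable by group or others).
# Idempotent: returns 1 without writing if the key is already present.
install_pubkey() {
  pubkey_line=$1
  auth_file=$2
  auth_dir=$(dirname "$auth_file")
  mkdir -p "$auth_dir" && chmod 700 "$auth_dir"
  touch "$auth_file" && chmod 600 "$auth_file"
  # match on key type + base64 only; the trailing comment may differ
  key_id=$(printf '%s\n' "$pubkey_line" | awk '{print $1 " " $2}')
  if grep -qF -- "$key_id" "$auth_file"; then
    return 1
  fi
  printf '%s\n' "$pubkey_line" >> "$auth_file"
}

# count_keys AUTH_FILE: number of key lines (blank and comment lines ignored)
count_keys() {
  grep -c -E '^(ssh-|ecdsa-|sk-)' "$1" 2>/dev/null || true
}

# file_mode PATH: permission string as ls prints it, e.g. -rw-------
file_mode() {
  ls -ld "$1" | cut -c1-10
}

# push_key_to_server PUBKEY_FILE USER@HOST: what krinn's one-liner and
# ssh-copy-id do. The public key travels on ssh's stdin and the whole append
# runs on the server, so the redirection is inside the quotes. (Not run here.)
push_key_to_server() {
  pubkey_file=$1
  target=$2
  ssh "$target" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < "$pubkey_file"
}

# Local demonstration against a temporary stand-in for the server's home directory.
demo() {
  home=$(mktemp -d)
  install_pubkey "$SAMPLE_PUBKEY" "$home/.ssh/authorized_keys" && echo "installed"
  install_pubkey "$SAMPLE_PUBKEY" "$home/.ssh/authorized_keys" || echo "already present, not duplicated"
  echo "keys: $(count_keys "$home/.ssh/authorized_keys")  mode: $(file_mode "$home/.ssh/authorized_keys")"
  rm -rf "$home"
}
demo
```

On a real client the sequence is `make_client_key ~/.ssh/id_ed25519` followed by `push_key_to_server ~/.ssh/id_ed25519.pub user@server`; nothing but the .pub file is ever copied.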

----------

## John R. Graham

*DaggyStyle wrote:*

> crap, isn't there any other way to generate one public key on the server and distribute it to all clients?

So, if one client is compromised, you want that compromise to affect (and require update of) all clients? It's the way it is for a reason.

- John

----------

## mv

There is ssh-copy-id (which essentially just automates what krinn has suggested).

----------

## DaggyStyle

*John R. Graham wrote:*

> *DaggyStyle wrote:*
> > crap, isn't there any other way to generate one public key on the server and distribute it to all clients?
>
> So, if one client is compromised, you want that compromise to affect (and require update of) all clients? It's the way it is for a reason.
>
> - John

there is only one client and the key is for handshake authentication

----------

## John R. Graham

I guess I don't understand the hassle if "all the clients" is just one machine. Use ssh-keygen on the client machine, copy the public key over to the server and add it to the ~/.ssh/authorized_keys file as I, krinn, and mv have all described.

The key that allows you to log in without a password is the private key. However, it never leaves the client machine. The client's cryptographically related public key needs to be placed on the server machine by someone authorized to do so (you, I presume). The public key allows the server to authenticate messages signed by the client's private key, thus proving the client is trustworthy.

"Compromise", in this case, means that someone who's not authorized to have it gets hold of the client's private key. If they do, then they can log into your server without a password. The server can't compromise the private key because it doesn't have it.

- John
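To see John's point in running code, an added example that is not from the thread: it uses OpenSSH's own `ssh-keygen -Y` signing (OpenSSH 8.0 and later), which works with the same kind of key pair. A "client" directory holds the private key and produces a signature; a "server" directory holds only the public key, verifies that signature, and rejects a tampered message. The directory layout, the namespace `demo` and the principal `client@example` are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Only the holder of the private key can
# produce a valid signature; the server, holding only the public key, can
# verify it but cannot forge one. Needs ssh-keygen with -Y (OpenSSH 8.0+).
# All paths, the namespace "demo" and the principal name are constructed.

# key_demo: returns 0 when the genuine signature verifies and a tampered
# message is rejected, 1 on any other outcome, 2 if ssh-keygen -Y is unavailable.
key_demo() {
  command -v ssh-keygen >/dev/null 2>&1 || return 2
  work=$(mktemp -d)
  mkdir -p "$work/client" "$work/server"

  # "client" side: the key pair; the private half stays in $work/client
  if ! ssh-keygen -q -t ed25519 -N '' -f "$work/client/id_ed25519" -C client@example >/dev/null 2>&1; then
    rm -rf "$work"; return 2
  fi

  # "server" side: only the public key, listed under the principal it belongs to
  # (allowed_signers format: "principal key-type base64")
  signers="$work/server/allowed_signers"
  printf 'client@example %s\n' "$(cut -d' ' -f1,2 "$work/client/id_ed25519.pub")" > "$signers"

  # client signs a message with its private key; -Y sign writes message.sig
  printf 'hello from the client\n' > "$work/message"
  if ! ssh-keygen -Y sign -f "$work/client/id_ed25519" -n demo "$work/message" >/dev/null 2>&1; then
    rm -rf "$work"; return 2
  fi

  # server verifies using nothing but the public key
  if ssh-keygen -Y verify -f "$signers" -I client@example -n demo \
       -s "$work/message.sig" < "$work/message" >/dev/null 2>&1; then
    genuine_ok=1
  else
    genuine_ok=0
  fi

  # the same signature over a changed message must be rejected
  printf 'hello from an impostor\n' > "$work/tampered"
  if ssh-keygen -Y verify -f "$signers" -I client@example -n demo \
       -s "$work/message.sig" < "$work/tampered" >/dev/null 2>&1; then
    tampered_ok=1
  else
    tampered_ok=0
  fi

  rm -rf "$work"
  [ "$genuine_ok" -eq 1 ] && [ "$tampered_ok" -eq 0 ]
}

case "$(key_demo; echo $?)" in
  0) echo "public key verified the client's signature; tampered message rejected" ;;
  2) echo "ssh-keygen -Y not available on this system" ;;
  *) echo "unexpected result" ;;
esac
```

The allowed_signers file is the signing-world counterpart of authorized_keys: a list of public keys the server trusts, and nothing that could be used to impersonate the client.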

----------

