SSH Keys
Generate public and private keys on Windows 11
To generate an SSH key on Windows 11, you can use a command-line tool called “ssh-keygen” that comes bundled with the OpenSSH client. Here are the arguments to generate an SSH key on Windows 11 in a PowerShell session.
Argument | Description |
---|---|
-t | Specifies the type of key to generate. The supported types are rsa, dsa, ecdsa, and ed25519. For example, to generate an RSA key, you can use -t rsa. |
-b | Specifies the number of bits in the key. The default is 2048, but you can specify a larger or smaller number depending on your needs. For example, to generate a 4096-bit key, you can use -b 4096. |
-C | Comment to include in the key. This can be helpful for identifying the key later on. For example, to include the comment “My personal key” in the key, you can use -C "My personal key". |
-f | Filename of the key file. By default, the key files are named id_rsa and id_rsa.pub, but you can specify a different filename if you prefer. For example, to name the key file “server00”, you can use -f server00. |
-N | Passphrase to use with the key. This adds an extra layer of security, since anyone who wants to use the key will need to know the passphrase. For example, to use the passphrase “mypassword”, you can use -N mypassword. A passphrase typed on the command line is saved in the shell history; leave -N out to be prompted for it instead. |
-q | Quiet mode, which suppresses all warnings and messages. This can be helpful if you’re running ssh-keygen in a script or automated process. |
-P | New passphrase for an existing key. This can be helpful if you want to change the passphrase for a key that you’ve already generated. |
This example sets the key type to rsa with a bit length of 4096 and saves the keys to the .ssh folder in the current user's home directory with a file name of server00, so we know which key pair is for which target system. The commands after the creation change directory into the .ssh folder and list the contents, showing the newly created server00 private key and the server00.pub public key.
PS ~> ssh-keygen -t rsa -b 4096 -f .ssh\server00 -C "Key pair for server00"
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in .ssh\server00.
Your public key has been saved in .ssh\server00.pub.
The key fingerprint is:
SHA256:Fa+DqrE9ZQnltbFpcYdEptIUL4QIwQ5m4kk Key pair for server00
The key's randomart image is:
+---[RSA 4096]----+
| E.B+*oo .=++. |
|+.*.* o o++*o . |
|.+o o o..=Bo. |
| . . .+=o |
| .Soo |
| .+ . |
| . .o |
| =. |
| o .. |
+----[SHA256]-----+
PS ~> cd .\.ssh\
PS ~\.ssh> ls
Directory: C:\Users\username\.ssh
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 02/04/2023 12.04 1675 id_rsa
-a--- 26/04/2023 11.15 3159 known_hosts
-a--- 26/04/2023 12.08 3389 server00
-a--- 26/04/2023 12.08 748 server00.pub
PS ~\.ssh>
Put the public key on a Linux server
Now that you have a public key on the Windows 11 workstation, it can be put onto target systems so you can use it to log on without a password. This example puts the public key onto a Linux server.
The Linux server may not have the authorized_keys file on the system yet. This file holds the public keys. So log on to the target Linux server and run the following commands to create the file.
mkdir -p ~/.ssh
cd ~/.ssh
touch authorized_keys
chmod 700 ~/.ssh/
chmod 600 ~/.ssh/authorized_keys
From the Windows 11 workstation you can run a single command to essentially paste the public key data into the authorized_keys file on the target server.
type $env:USERPROFILE\.ssh\server00.pub | ssh webadmin@192.168.1.10 "cat >> .ssh/authorized_keys"
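The append step above, written as a server-side function that can be run more than once without damaging authorized_keys. This is an added example, not code from the original page; it goes beyond the page's cat >> by validating the key line, skipping keys already installed and repairing a missing final newline. The function name add_authorized_key, its return codes and the sample key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Safer stand-in for
# `cat >> .ssh/authorized_keys`: validates the key line, sets permissions,
# and skips keys that are already installed.
# Usage: add_authorized_key "<public key line>" [home_dir]
# Returns: 0 = added, 1 = rejected, 2 = already present.
add_authorized_key() {
    key=$(printf '%s' "$1" | tr -d '\r')   # drop CRs from CRLF senders
    dir=${2:-$HOME}/.ssh
    file=$dir/authorized_keys
    nl='
'
    # One line only: an embedded newline would add a second, unreviewed entry.
    case $key in *"$nl"*) return 1 ;; esac
    # Accept only "<type> <base64> [comment]"; lines carrying options are refused.
    # ssh-dss is omitted because OpenSSH disables DSA keys by default.
    printf '%s\n' "$key" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$' \
        || return 1

    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$file" && chmod 600 "$file" || return 1

    # Compare on type + key material so a changed comment is not a new key.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { hit = 1 } END { exit !hit }' "$file"; then
        return 2
    fi
    # If the file lacks a final newline, add one so entries do not merge.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$key" >> "$file"
}

# Constructed sample input (not a real key), installed into a scratch directory.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDconstructedSAMPLEkeyMATERIAL0123456789 Key pair for server00'
demo_home=$(mktemp -d)
add_authorized_key "$SAMPLE_KEY" "$demo_home" && echo "installed"
add_authorized_key "$SAMPLE_KEY" "$demo_home" || echo "second run: exit $? (already present)"
rm -rf "$demo_home"
```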
Log on to the Linux server
To log on using the key pair, run the following command.
Keep in mind that as this example uses bespoke public and private key file names of server00, you need to specify that in the SSH command. If you were using the default id_rsa keys then you could just run ssh webadmin@192.168.1.10.
ssh -i .ssh/server00 webadmin@192.168.1.10