/ Security

SSH Key Generation and Security on macOS 10.12 and 10.13

This tutorial will show you how to generate and secure SSH keys on macOS Sierra(10.12) and High Sierra(10.13). SSH Keys allows you to log into your server without requiring a password. They increase convenience as well a security by being significantly more resistant to brute-force attacks.

SSH (Secure Shell) is a protocol most often used for remote management and for file transfer often denoted as sFTP(Secure File Transfer Protocol). When accessing remote server such as a Remote VPS it is recommended to use SSH with PKE(Public Key Exchange) which uses a key-pair where the public key is provided to the server and the private key in stored on your machine.

SSH Keys can be automatically added to servers during the installation process by adding your public keys to the Digital Ocean or Vultr control panel. It is important to remember that these are your public keys only(usually denoted with '.pub'), you should never expose private keys.

Key Types

There are several different key types that can be selected. Using -t argument upon generation such as ssh-keygen -t ed25519. The ED25519 key type using elliptic-curve signature which offers is more secure and more performant than DSA or ECDSA. Most modern SSH software (such as OpenSSH since version 6.5) supports the ED25519 key type, but you may still find some software is incompatible, thus the default key type is still RSA.

The default key type is 2048-bit RSA which offers good security and compatibility. For higher security, you can choose a larger key size using the -b argument on generation such as ssh-keygen -b 4096 to create a 4096-bit RSA key pair.

Key Generation

To generate an SSH key, you will need to open Terminal.app found in Applications > Utilities > Terminal.

To create a 4096-bit RSA key pair you will enter:
$ ssh-keygen -b 4096
You should then see,

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/username/.ssh/id_rsa): 

Pressing Enter/Return will save your new key pair to this default location, which is recommended. You will then have the option to create a passphrase, which will encrypt the key so that it cannot be used without authorization. Using a passphrase is recommended.

Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
SHA256:0irBXp+xKwT5e0ZFklbEVkzxu0Bzv9PmvstFD5w6zlQ username@Your-Mac.local
The key's randomart image is:
+---[RSA 4096]----+
|         =o++.   |
|        + + ..   |
|     . . +  o o  |
|   .o  .  .. + + |
|    ooo S.  . E o|
|   . oo+.+   + ++|
|    o..o+   + .o=|
|     .o o. + ..oo|
|       +.   o  ==|

At this point, your keypair has been created and stored in ~/.ssh/id_rsa if you chose to store in the default location. To make the key available to the system and store the passphrase in the system keychain we will need to complete several more steps. Note: This is only needed if you would rather not be prompted for the key passphrase each time it is used.

Add new keypair to SSH agent
Enter ssh-add -K ~/.ssh/id_rsa. You will then be prompted for the passphrase if you created one and should see the following:

Identity added: id_rsa (username@Your-Mac.local)

If you would like to use this SSH key for login on a server that has already been created you can use the ssh-copy-id tool to store the public key on the server you would like to access.

Add new key to remote server
Using ssh-copy-id:
ssh-copy-id -i ~/.ssh/id_rsa root@
Substitute your server IP.

It will request your login password since the remote server is not yet aware of your key. You should see the following:

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"

Number of key(s) added:        1

Now try logging into the machine, with: "ssh 'root@'"
and check to make sure that only the key(s) you wanted were added.

You can now attempt to login to the remote server with ssh root@ and you should be connected without requiring a password.