Generating SSH Keys on macOS Sierra (10.12) and High Sierra (10.13)

Updated on October 23, 2017

This tutorial will show you how to generate and secure SSH keys on macOS Sierra (10.12) and macOS High Sierra (10.13). SSH keys allow you to log into your server without a password. They increase convenience as well as security by being significantly more resistant to brute-force attacks.

SSH (Secure Shell) is a protocol most often used for remote management and for file transfer, the latter often denoted as sFTP (Secure File Transfer Protocol). When accessing a remote server such as a Vultr VPS, it is recommended to use SSH with PKE (Public Key Exchange), which uses a key pair where the public key is provided to the server and the private key is stored on your machine.

SSH keys can be automatically added to servers during the installation process by adding your public keys in the Vultr control panel. You can manage your SSH keys on this page. It is important to remember that these are your public keys only (usually denoted with .pub). You should never expose your private keys.

Key types

There are several different key types that can be selected. Use the -t argument upon generation, such as ssh-keygen -t ed25519. The ED25519 key type, which uses an elliptic-curve signature, is more secure and more performant than DSA or ECDSA. Most modern SSH software (such as OpenSSH since version 6.5) supports the ED25519 key type, but you may still find software that is incompatible, thus the default key type is still RSA.

The default key type is 2048-bit RSA which offers good security and compatibility. For higher security, you can choose a larger key size using the -b argument on generation, such as ssh-keygen -b 4096 to create a 4096-bit RSA key pair.

Key generation

To generate an SSH key, you will need to open Terminal.app found in "Applications > Utilities > Terminal".

To create a 4096-bit RSA key pair, enter:

ssh-keygen -b 4096

Then you will see:

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/username/.ssh/id_rsa): 

Pressing Enter/Return will save your new key pair to this default location, which is recommended. You will then have the option to create a passphrase, which will encrypt the key so that it cannot be used without authorization. Using a passphrase is also recommended.

Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.   
Your public key has been saved in id_rsa.pub.   
The key fingerprint is:
SHA256:0irBXp+xKwT5e0ZFklbEVkzxu0Bzv9PmvstFD5w6zlQ username@Your-Mac.local   
The key's randomart image is: 
+---[RSA 4096]----+
|         =o++.   |
|        + + ..   |
|     . . +  o o  |
|   .o  .  .. + + |
|    ooo S.  . E o|
|   . oo+.+   + ++|
|    o..o+   + .o=|
|     .o o. + ..oo|
|       +.   o  ==|
+----[SHA256]-----+

At this point, your key pair has been created: the private key is stored in ~/.ssh/id_rsa and the public key in ~/.ssh/id_rsa.pub. To make the key available to the system and store the passphrase in the system keychain, we will need to complete several additional steps. Note that this is only needed if you would rather not be prompted for the key passphrase each time it is used.

Add new keypair to SSH agent

Enter ssh-add -K ~/.ssh/id_rsa. You will then be prompted for the passphrase and you will see the following:

Identity added: id_rsa (username@Your-Mac.local)

If you would like to use this SSH key to log into a server that has already been created, you can use the ssh-copy-id tool to store the public key on the server you would like to access.

Add new key to remote server

Using ssh-copy-id:

# Substitute your server IP
ssh-copy-id -i ~/.ssh/id_rsa root@192.0.2.1

The console will request your login password since the remote server is not yet aware of your key. You will see the following:

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"

Number of key(s) added:        1

Now try logging into the machine, with: "ssh 'root@192.0.2.1'"
and check to make sure that only the key(s) you wanted were added.

You can now attempt to log into the remote server with ssh root@192.0.2.1 and you should be connected without a password prompt.
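
The shell functions below are an added example, not part of the original tutorial. They check that the files written by ssh-keygen are what you expect before a key is pasted into a control panel or handed to ssh-copy-id. The function names are hypothetical; ~/.ssh/id_rsa is the default path used above.

```shell
#!/bin/sh
# Added example, not from the tutorial: checks on the files ssh-keygen wrote.

# Print "private", "public" or "unknown" based on the first line of a key file.
key_kind() {
    first=$(head -n 1 "$1" 2>/dev/null) || first=
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----") echo private ;;
        ssh-rsa\ *|ssh-ed25519\ *|ssh-dss\ *|ecdsa-sha2-*\ *) echo public ;;
        *) echo unknown ;;
    esac
}

# Succeed only if group and others have no permission bits on the path.
owner_only() {
    perms=$(ls -ld "$1" 2>/dev/null) || return 1
    case $perms in
        ????------*) return 0 ;;   # e.g. -rw------- (mode 600)
        *) return 1 ;;
    esac
}

# Audit a key pair given the private key path; print findings, return their count.
audit_keypair() {
    priv=$1 pub=$1.pub findings=0
    if [ "$(key_kind "$priv")" != private ]; then
        echo "$priv: not a private key file"; findings=$((findings + 1))
    fi
    if ! owner_only "$priv"; then
        echo "$priv: accessible by group or others, run chmod 600"; findings=$((findings + 1))
    fi
    if [ "$(key_kind "$pub")" != public ]; then
        echo "$pub: not a public key file"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Print a key for pasting into a control panel; refuse anything but a public key.
print_public_key() {
    if [ "$(key_kind "$1")" != public ]; then
        echo "refusing: $1 is not a public key" >&2
        return 1
    fi
    cat "$1"
}

# When run as a script with a path argument, audit that key pair.
if [ $# -gt 0 ]; then audit_keypair "$1"; fi
```

Save it as a script and run it with ~/.ssh/id_rsa as the argument. A silent exit with status 0 means no findings.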