Newly-created SSH keys landed in the home folder rather than `.ssh` folder after creating with `ssh-keygen`

encryptionhigh sierrasshterminal

I used the ssh-keygen utility bundled with High Sierra to create keys, as directed by this page title How to Create SSH Keys with OpenSSH on Linux or macOS at DigitalOcean.com.

Oddly, the prompt to save the new file for keys indicated the .ssh/id_rsa folder. Yet, the new keys were found in my home folder.

Here is my session, replacing a couple things with blah_blah_blah.

I entered a file name of acme. The pair of files named acme & acme.pub were saved to my home folder of /Users/basilbourque, not .ssh.

MacBook-Pro:~ basilbourque$ which ssh-keygen
/usr/bin/ssh-keygen
MacBook-Pro:~ basilbourque$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/basilbourque/.ssh/id_rsa): acme
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in acme.
Your public key has been saved in acme.pub.
The key fingerprint is:
SHA256:blah_blah_blah basilbourque@MacBook-Pro.local
The key's randomart image is:
blah_blah_blah

➥ Any idea why the destination path indicated in the prompt was ignored?

One possible issue: There is no id_rsa folder nested in my .ssh folder, only a known_hosts file is found there.

I ask for two reasons:

Mere curiosity.
- Why would the ssh-keygen utility display a path in the prompt if it is going to ignore that path?
- Why would the ssh-keygen utility display a path to a non-existent folder?
Wondering if this will result in the ssh connection tool failing to find and utilize the keys for logging into a new ssh connection session.

Is there some place I should move these keys so that will be found by the ssh connection tool? (I am new to using ssh.)

Best Answer

You are prompted for a file name, not a folder name (Enter **file** in which to save the key). So if you just reply with a file name the keys will be stored (with that name) in the current directory. You can just move them to .ssh/ manually if necessary. You probably also need to tell ssh to use your keys instead of the default ones (or you rename your keys to the default name).

Related Solutions

Password dialog appears for password-less SSH private key

I had this same problem. However, when a generated a new password-less private key, using the following command:

ssh-keygen -b 1024 -t rsa -f id_rsa -P ""

I no longer saw the password prompt.

Additionally, ssh-add failed to add the old key, but added the new one as expected.

I generated the old key on Leopard in 2009, using what ever version of OpenSSL I had grabbed, built and installed back then (that Mac died, so I can't log in and check what I was running). Something about that key was incompatible with Lion's native SSL libraries.

I backed up my old key, so if anyone wants to suggest some checks, to identify the key's specific properties, let me what to check and I'll report back.

Another clue - I noticed that my old id_rsa.pub file had extended attributes. i.e. it's permissions flags looked like this r--------@ instead of r--------

xattr -l id_rsa.pub.old

returned:

com.macromates.caret: {
    column = 0;
    line = 1;
}

cruft left over from TextMate. I don't know if removing it would have fixed the issue without my having to replace the key. I think it's unlikely.

In case you (future reader) are seeing the same thing, you can remove the extended attribute as follows:

 xattr -d com.macromates.caret id_rsa.pub.old

You can stop TextMate from adding them by first exiting TextMate and then issuing this command:

defaults write com.macromates.textmate OakDocumentDisableFSMetaData 1

macOS Terminal Password – Fix Terminal Not Asking for Passphrase and Keychain Storage Issues

Your passphrase isn't being stored anywhere, but your decrypted private key is stored (in memory) by a process called ssh-agent (man page). This process, which OS X starts when it boots up, stores and manages private keys so they never have to be exposed to other processes that use SSH connections.

When you enter in your password, your computer decrypts your private key and ssh-agent gets a copy to hold on to until it is killed (e.g. on shutdown) or the key is manually removed using ssh-add (man page):

ssh-add -l lists all currently held keys
ssh-add -D forces ssh-agent to forget all currently held keys
ssh-add ~/.ssh/newkey_rsa adds the private key ~/.ssh/newkey_rsa to ssh-agent.
ssh-add -t 3600 ~/.ssh/newkey_rsa adds a new private key with an expiry time, so ssh-agent will only remember newkey_rsa for (say) 3600 seconds.

It may satisfy your concerns to know that your passphrase isn't stored anywhere. But if you really want your computer to prompt you for your passphrase every time, you could use ssh-add to make ssh-agent forget your key and then re-add it with a short expiry time.

Keep in mind that other solutions — like requiring a password to unlock your workstation when you're away from your desk — may also address your underlying security needs.

Best Answer

Related Solutions

Password dialog appears for password-less SSH private key

macOS Terminal Password – Fix Terminal Not Asking for Passphrase and Keychain Storage Issues

Related Question