Ssh – what does it mean by email address as label generating pubic/private rsa key pair

The SSH agent handles signing of authentication data for you. When authenticating to a server, you are required to sign some data using your private key, to prove that you are, well, you.

As a security measure, most people sensibly protect their private keys with a passphrase, so any authentication attempt would require you to enter this passphrase. This can be undesirable, so the ssh-agent caches the key for you and you only need to enter the password once, when the agent wants to decrypt it (and often not even that, as the ssh-agent can be integrated with pam, which many distros do).

The SSH agent never hands these keys to client programs, but merely presents a socket over which clients can send it data and over which it responds with signed data. A side benefit of this is that you can use your private key even with programs you don't fully trust.

Another benefit of the SSH agent is that it can be forwarded over SSH. So when you ssh to host A, while forwarding your agent, you can then ssh from A to another host B without needing your key present (not even in encrypted form) on host A.

Keyword there is host key. The first time you connect to a host, you are presented with a fingerprint of that host's public key. The server itself has a keypair just like users do.

The idea is that you can verify the fingerprint with what you know that server's fingerprint to be, to ensure you are not being MITMed.

Once you accept the host key, it gets saved in your known_hosts file, which your client uses to verify all subsequent connections.

If the host key changes unexpectedly, your client will notice and will display a nasty error message, suggesting that something may be awry and that you should check things out.