Generate SSH Keys Non-Interactively

Background

When working with SSH, sometimes you need to generate a key pair without being prompted for input. This is useful in automated scripts, CI/CD pipelines, or when provisioning new servers. The typical ssh-keygen command asks for a file name, passphrase, and confirmation, which is inconvenient in non-interactive environments.

This guide provides a simple, non-interactive method to generate SSH keys efficiently.

Choosing the Right Key Type

SSH keys come in different types. The most common options are:

  • RSA (Rivest-Shamir-Adleman) – The traditional choice, widely supported, but requires a larger key size (2048-bit minimum, 4096-bit recommended).
  • Ed25519 – A more modern, secure, and efficient algorithm that generates shorter yet stronger keys. Recommended unless you need RSA for compatibility.

Generate Key

This script creates an SSH key without any prompts, ensuring a smooth setup process.

#!/bin/bash

# Ensure the .ssh directory exists
mkdir -p ~/.ssh/

# Set desired key name
KEY_NAME="my_new_key"

# Check if the key already exists to prevent overwriting
if [[ -f ~/.ssh/$KEY_NAME ]]; then
    echo "SSH key already exists at ~/.ssh/$KEY_NAME"
    exit 1
fi

# Generate an SSH key non-interactively
# -t ed25519 (preferred for security and performance)
# -f ~/.ssh/$KEY_NAME (output file)
# -q (silent, no console output)
# -N "" (no passphrase, but you can set one inside the quotes)
ssh-keygen -t ed25519 -f ~/.ssh/"$KEY_NAME" -q -N "" -C "my-key@example.com"

# Set secure file permissions
chmod 600 ~/.ssh/"$KEY_NAME"

echo "SSH key successfully generated at ~/.ssh/$KEY_NAME"
echo "Public key: ~/.ssh/$KEY_NAME.pub"

Explanation of Parameters

  • -t ed25519: Generates a secure Ed25519 key (use -t rsa -b 4096 if RSA is required).
  • -f ~/.ssh/my_new_key: Specifies the output file for the key.
  • -q: Suppresses output to keep the script silent.
  • -N "": Sets an empty passphrase, so the private key is stored unencrypted (you can add a passphrase inside the quotes if needed).
  • -C "my-key@example.com": Adds a comment to help identify the key.
  • chmod 600 ~/.ssh/my_new_key: Ensures that only the owner can read or write the private key. The ssh client refuses to use a private key file that other users can access.
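
The overwrite check and permission step above, turned into a reusable function that also verifies the result. This is an added example, not part of the original script. The function names generate_key and verify_key, the directory argument, and the numeric return codes are assumptions made for illustration.

```bash
#!/bin/bash
# Added example; generate_key and verify_key are illustrative names.

# generate_key DIR NAME [COMMENT]: create DIR/NAME and DIR/NAME.pub without prompts.
generate_key() {
    local dir="$1" name="$2" comment="${3:-}"
    local key="$dir/$name"

    # Refuse to clobber either half of an existing pair.
    if [ -e "$key" ] || [ -e "$key.pub" ]; then
        echo "refusing to overwrite $key" >&2
        return 1
    fi

    # umask 077 in a subshell: the directory and key files are never group- or
    # world-readable, even briefly, and the caller's umask is left untouched.
    (
        umask 077
        mkdir -p "$dir" && chmod 700 "$dir" &&
            ssh-keygen -t ed25519 -f "$key" -q -N "" -C "$comment"
    ) || return 2

    verify_key "$key"
}

# verify_key KEY: check file mode, key type, and that KEY.pub belongs to KEY.
verify_key() {
    local key="$1" derived stored

    # Private key must be exactly 0600 (find -perm without a prefix is an exact match).
    [ -n "$(find "$key" -perm 600 2>/dev/null)" ] || { echo "bad mode on $key" >&2; return 3; }

    # ssh-keygen -l prints "<bits> <fingerprint> <comment> (<TYPE>)".
    case "$(ssh-keygen -l -f "$key.pub")" in
        *"(ED25519)") ;;
        *) echo "unexpected key type" >&2; return 4 ;;
    esac

    # Re-derive the public key from the private key and compare type + base64 blob.
    derived=$(ssh-keygen -y -f "$key" | awk '{print $1, $2}')
    stored=$(awk '{print $1, $2}' "$key.pub")
    [ "$derived" = "$stored" ] || { echo "public key does not match" >&2; return 5; }
}
```

In a provisioning script, call it as generate_key "$HOME/.ssh" my_new_key "my-key@example.com" and stop if the return code is non-zero.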

Alternative: Generating an RSA Key

If you require an RSA key for compatibility reasons, replace the ssh-keygen line in the script with:

ssh-keygen -b 4096 -t rsa -f ~/.ssh/my_new_key -q -N "" -C "my-key@example.com"

This generates a 4096-bit RSA key, which is stronger than the default 2048-bit version.