
Generate SSH Key Pairs

Overview

SSH key pairs are generated using the ssh-keygen command, which is available on Linux, macOS, and Windows 10/11.

RSA keys required

SCDF gateways only accept RSA keys. Do not generate ECDSA, Ed25519, or other key types — they will be rejected. Use a minimum key size of 4096 bits.


Generate a New Key Pair

The steps below apply to Linux, macOS, and Windows 10/11. On Windows, open PowerShell or Command Prompt — no third-party software is required.

1. Run ssh-keygen:

ssh-keygen -t rsa -b 4096

You will see output similar to:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/<user>/.ssh/id_rsa):

2. Accept the default location by pressing Enter, or enter a custom path.

3. Enter a passphrase when prompted. A passphrase protects your private key — omitting it means anyone with access to the file can use it.

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

4. Key generation completes with output like:

Your identification has been saved in /home/<user>/.ssh/id_rsa
Your public key has been saved in /home/<user>/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:PFCKP1tBWnyxxXX+GM4g+ldsJ9/upHPNzloiQLX467c <user>@<machine>
The key's randomart image is:
+---[RSA 4096]----+
|        . oo+    |
|       . o =.o   |
|      . o + +.   |
...
+----[SHA256]-----+

Two files are created:

  • Private key: ~/.ssh/id_rsa (keep this secret, never share it)
  • Public key: ~/.ssh/id_rsa.pub (this is what you upload to SCDF)

5. Upload your public key by browsing to:

https://useraccount.sdcc.bnl.gov/ssh-key

You will need to log in with your SCDF account information to upload your key. Click Browse, select your .pub file, paste the key fingerprint (starting with SHA256:) into the fingerprint field, then click Send File.


Use an Existing Key Pair

If you already have an RSA key pair, you can retrieve its fingerprint with:

ssh-keygen -l -f ~/.ssh/id_rsa.pub

Output will look like:

4096 SHA256:PFCKP1tBWnyxxXX+GM4g+IdsJ9/upHPNzloiQLX467c you@yourhost.com (RSA)

Confirm the key type shown is (RSA) and the size is at least 2048 (4096 recommended). Then proceed to upload the key using the link above.
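The same pre-upload check can be scripted by parsing the .pub file directly. This is an added example, not part of the SCDF documentation: it reads the OpenSSH public key line, confirms the type is RSA, measures the modulus size, and computes the SHA256 fingerprint in the form ssh-keygen -l prints. The function names are hypothetical, and the sample key is constructed for the example (correct wire layout, not a usable RSA key).

```python
import base64
import hashlib
import struct

MIN_BITS = 2048  # floor the page gives for existing keys (4096 recommended)


def _read_field(blob, offset):
    """Read one length-prefixed field (uint32 big-endian length, then data)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def inspect_public_key(line, min_bits=MIN_BITS):
    """Return (bits, fingerprint) for an RSA .pub line, or raise ValueError."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    if parts[0] != "ssh-rsa":
        raise ValueError("key type %s is not RSA" % parts[0])
    blob = base64.b64decode(parts[1], validate=True)
    inner_type, off = _read_field(blob, 0)
    if inner_type != b"ssh-rsa":
        raise ValueError("type inside the key blob is not ssh-rsa")
    _exponent, off = _read_field(blob, off)
    modulus, off = _read_field(blob, off)
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < min_bits:
        raise ValueError("RSA key is %d bits, below %d" % (bits, min_bits))
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return bits, "SHA256:" + digest.rstrip("=")


def make_sample_line(bits):
    """Constructed sample: correct wire layout, but NOT a usable RSA key."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " user@example"


if __name__ == "__main__":
    print(inspect_public_key(make_sample_line(4096)))
```

To check a real key, pass the contents of ~/.ssh/id_rsa.pub to inspect_public_key; the returned fingerprint should match the one ssh-keygen -l -f reports for the same file.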


Windows Notes

Windows 10 (version 1809 and later) and Windows 11 include OpenSSH as a built-in optional feature. If ssh-keygen is not found in PowerShell, install it via:

Settings → Apps → Optional Features → Add a feature → OpenSSH Client

Once installed, the commands above work identically in PowerShell or Command Prompt. Your keys are saved to C:\Users\<username>\.ssh\ by default.