Skip to main content

Generating a new SSH key and adding it to the ssh-agent

After you've checked for existing SSH keys, you can generate a new SSH key to use for authentication, then add it to the ssh-agent.

About SSH key passphrases

可以使用 SSH(安全外壳协议)访问和写入 GitHub.com 上的存储库中的数据。 通过 SSH 进行连接时,使用本地计算机上的私钥文件进行身份验证。 For more information, see "About SSH."

When you generate an SSH key, you can add a passphrase to further secure the key. Whenever you use the key, you must enter the passphrase. If your key has a passphrase and you don't want to enter the passphrase every time you use the key, you can add your key to the SSH agent. The SSH agent manages your SSH keys and remembers your passphrase.

If you don't already have an SSH key, you must generate a new SSH key to use for authentication. If you're unsure whether you already have an SSH key, you can check for existing keys. For more information, see "Checking for existing SSH keys."

If you want to use a hardware security key to authenticate to GitHub Enterprise Cloud, you must generate a new SSH key for your hardware security key. You must connect your hardware security key to your computer when you authenticate with the key pair. For more information, see the OpenSSH 8.2 release notes.

Generating a new SSH key

You can generate a new SSH key on your local machine. After you generate the key, you can add the key to your account on GitHub.com to enable authentication for Git operations over SSH.

注意:GitHub 通过在 2022 年 3 月 15 日删除旧的、不安全的密钥类型来提高安全性。

自该日期起,不再支持 DSA 密钥 (ssh-dss)。 无法在 GitHub.com 上向个人帐户添加新的 DSA 密钥。

2021 年 11 月 2 日之前带有 valid_after 的 RSA 密钥 (ssh-rsa) 可以继续使用任何签名算法。 在该日期之后生成的 RSA 密钥必须使用 SHA-2 签名算法。 一些较旧的客户端可能需要升级才能使用 SHA-2 签名。

  1. 打开终端终端Git Bash

  2. Paste the text below, substituting in your GitHub Enterprise Cloud email address.

    $ ssh-keygen -t ed25519 -C "your_email@example.com"

    Note: If you are using a legacy system that doesn't support the Ed25519 algorithm, use:

    $ ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

    This creates a new SSH key, using the provided email as a label.

    > Generating public/private algorithm key pair.
  3. When you're prompted to "Enter a file in which to save the key," press Enter. This accepts the default file location.

    > Enter a file in which to save the key (/Users/you/.ssh/id_algorithm): [Press enter]
    > Enter a file in which to save the key (/c/Users/you/.ssh/id_algorithm):[Press enter]
    > Enter a file in which to save the key (/home/you/.ssh/algorithm): [Press enter]
  4. At the prompt, type a secure passphrase. For more information, see "Working with SSH key passphrases."

    > Enter passphrase (empty for no passphrase): [Type a passphrase]
    > Enter same passphrase again: [Type passphrase again]

Adding your SSH key to the ssh-agent

Before adding a new SSH key to the ssh-agent to manage your keys, you should have checked for existing SSH keys and generated a new SSH key. When adding your SSH key to the agent, use the default macOS ssh-add command, and not an application installed by macports, homebrew, or some other external source.

  1. 在后台启动 ssh 代理。

    $ eval "$(ssh-agent -s)"
    > Agent pid 59566

    根据您的环境,您可能需要使用不同的命令。 例如,在启动 ssh-agent 之前,你可能需要通过运行 sudo -s -H 根访问,或者可能需要使用 exec ssh-agent bashexec ssh-agent zsh 运行 ssh-agent。

  2. If you're using macOS Sierra 10.12.2 or later, you will need to modify your ~/.ssh/config file to automatically load keys into the ssh-agent and store passphrases in your keychain.

    • First, check to see if your ~/.ssh/config file exists in the default location.

      $ open ~/.ssh/config
      > The file /Users/you/.ssh/config does not exist.
    • If the file doesn't exist, create the file.

      $ touch ~/.ssh/config
    • Open your ~/.ssh/config file, then modify the file to contain the following lines. If your SSH key file has a different name or path than the example code, modify the filename or path to match your current setup.

      Host *
        AddKeysToAgent yes
        UseKeychain yes
        IdentityFile ~/.ssh/id_ed25519
      

      Notes:

      • If you chose not to add a passphrase to your key, you should omit the UseKeychain line.

      • If you see a Bad configuration option: usekeychain error, add an additional line to the configuration's' Host * section.

        Host *
          IgnoreUnknown UseKeychain
        
  3. Add your SSH private key to the ssh-agent and store your passphrase in the keychain. 如果使用其他名称创建了密钥或要添加具有其他名称的现有密钥,请将命令中的 id_ed25519 替换为私钥文件的名称。

    $ ssh-add -K ~/.ssh/id_ed25519

    Note: The -K option is Apple's standard version of ssh-add, which stores the passphrase in your keychain for you when you add an SSH key to the ssh-agent. If you chose not to add a passphrase to your key, run the command without the -K option.

    If you don't have Apple's standard version installed, you may receive an error. For more information on resolving this error, see "Error: ssh-add: illegal option -- K."

    In MacOS Monterey (12.0), the -K and -A flags are deprecated and have been replaced by the --apple-use-keychain and --apple-load-keychain flags, respectively.

  4. Add the SSH key to your account on GitHub Enterprise Cloud. For more information, see "Adding a new SSH key to your GitHub account."

如果已安装 GitHub Desktop,可使用它克隆存储库,而无需处理 SSH 密钥。

  1. Ensure the ssh-agent is running. You can use the "Auto-launching the ssh-agent" instructions in "Working with SSH key passphrases", or start it manually:

    # start the ssh-agent in the background
    $ eval "$(ssh-agent -s)"
    > Agent pid 59566
  2. Add your SSH private key to the ssh-agent. 如果使用其他名称创建了密钥或要添加具有其他名称的现有密钥,请将命令中的 id_ed25519 替换为私钥文件的名称。

    $ ssh-add ~/.ssh/id_ed25519
  3. Add the SSH key to your account on GitHub Enterprise Cloud. For more information, see "Adding a new SSH key to your GitHub account."

  1. 在后台启动 ssh 代理。

    $ eval "$(ssh-agent -s)"
    > Agent pid 59566

    根据您的环境,您可能需要使用不同的命令。 例如,在启动 ssh-agent 之前,你可能需要通过运行 sudo -s -H 根访问,或者可能需要使用 exec ssh-agent bashexec ssh-agent zsh 运行 ssh-agent。

  2. Add your SSH private key to the ssh-agent. 如果使用其他名称创建了密钥或要添加具有其他名称的现有密钥,请将命令中的 id_ed25519 替换为私钥文件的名称。

    $ ssh-add ~/.ssh/id_ed25519
  3. Add the SSH key to your account on GitHub Enterprise Cloud. For more information, see "Adding a new SSH key to your GitHub account."

Generating a new SSH key for a hardware security key

If you are using macOS or Linux, you may need to update your SSH client or install a new SSH client prior to generating a new SSH key. For more information, see "Error: Unknown key type."

  1. Insert your hardware security key into your computer.

  2. 打开终端终端Git Bash

  3. Paste the text below, substituting in the email address for your account on GitHub Enterprise Cloud.

    $ ssh-keygen -t ed25519-sk -C "your_email@example.com"

    Note: If the command fails and you receive the error invalid format or feature not supported, you may be using a hardware security key that does not support the Ed25519 algorithm. Enter the following command instead.

    $ ssh-keygen -t ecdsa-sk -C "your_email@example.com"
  4. When you are prompted, touch the button on your hardware security key.

  5. When you are prompted to "Enter a file in which to save the key," press Enter to accept the default file location.

    > Enter a file in which to save the key (/Users/you/.ssh/id_ed25519_sk): [Press enter]
    > Enter a file in which to save the key (/c/Users/you/.ssh/id_ed25519_sk):[Press enter]
    > Enter a file in which to save the key (/home/you/.ssh/id_ed25519_sk): [Press enter]
  6. When you are prompted to type a passphrase, press Enter.

    > Enter passphrase (empty for no passphrase): [Type a passphrase]
    > Enter same passphrase again: [Type passphrase again]
  7. Add the SSH key to your account on GitHub. For more information, see "Adding a new SSH key to your GitHub account."