A new key for every project
I use ssh keys everywhere where I can. It’s been years since the last time I used username and password to log in to a remote machine. If I can help it I will use ssh keys for authentication.
I shouldn’t be an earth-shattering statement. It is just common sense.
One thing which could be a bit unusual is that I have a separate key for every project or occasion. Every time I need a ssh key I will generate a new one. It’s so easy to do that there’s no reason not to do it. Just one command and you will be much more safe. If your key will get compromised you only give access to that one thing.
Generate the key
The command I use, which I really should write an alias and not rely on my shell’s history, is:
$ ssh-keygen -t rsa -b 2048 -f ~/.ssh/keyname
keyname needs to be replaced with the actual name of the key you are generating.
ssh-keygen creates two files. One named
keyname and other called
keyname.pub. The first one is your private key, something you need to make sure its safe. You never share it with anyone. This is the part which gives you access to the remote systems. The file with
.pub is the public part of the key, it can and often needs to be shared with other parties. There’s absolutely no harm in that.
I’m not an expert on security. The reasons for choosing
2048 come from my reading of things on the internet.
ssh & scp All the applications I use every day, all the commands, have a
way to point them to the non-default k ssh key. Of course starting with ssh itself:
$ ssh -i ~/.ssh/keyname username@host
The same is for scp:
$ scp -i ~/.ssh/keyname file username@host:
It’s bit more involved in rsync:
$ rsync -e 'ssh -i /home/username/.ssh/keyname' \ -avz directory username@host:
The only thing here is that rsync requires full path to the key. Otherwise, you will get greeted with:
Warning: Identity file ~/.ssh/keyname not accessible: No such file or directory.
My favorite ssh replacement, mosh also supports it out of the box:
$ mosh --ssh='ssh -i ~/.ssh/keyname' username@host
(Mosh is awesome if your connection is less than stellar or if you need to move to another network without losing your connection. It will keep your session running. It’s especially great combination with tmux.)
To use such ssh key with git requires a bit more work. All you need is to add a new entry in your ssh config (
~/.ssh/config) file with the right host and then the path to your identity key. For GitHub it would look like this:
Host github.com IdentityFile /home/username/.ssh/keyname
With that bit of information in place whenever git will use ssh to connect to the server it will use the ssh key from the information provided in the config file.
Amazon Web Services
If you use of Amazon Web Services your life is made easier by giving you ability to generate a new ssh key each time you deploy new EC2 instance. I usually chose to do it once per project. Don’t let the
.pem extension fool you, it’s regular private key, the same thing which