SSH keys

A new key for every project

I use ssh keys everywhere I can. It’s been years since the last time I used a username and password to log in to a remote machine. If I can help it, I will use ssh keys for authentication.

This shouldn’t be an earth-shattering statement. It is just common sense.

One thing which could be a bit unusual is that I have a separate key for every project or occasion. Every time I need an ssh key I generate a new one. It’s so easy to do that there’s no reason not to. Just one command and you will be much safer: if a key gets compromised, it only gives access to that one thing.

Generate the key

The command I use, which I really should turn into an alias instead of relying on my shell’s history, is:

$ ssh-keygen -t rsa -b 2048 -f ~/.ssh/keyname

Obviously keyname needs to be replaced with the actual name of the key you are generating.

ssh-keygen creates two files, one named keyname and the other keyname.pub. The first is your private key, something you need to keep safe. You never share it with anyone; this is the part which gives you access to the remote systems. The file with the .pub extension is the public part of the key; it can and often needs to be shared with other parties. There’s absolutely no harm in that.

I’m not an expert on security. The reasons for choosing rsa and 2048 come from my reading of things on the internet.

ssh & scp

All the applications I use every day, all the commands, have a way to point them to a non-default ssh key. Of course, starting with ssh itself:

$ ssh -i ~/.ssh/keyname username@host

The same goes for scp:

$ scp -i ~/.ssh/keyname file username@host:

rsync

It’s a bit more involved with rsync:

$ rsync -e 'ssh -i /home/username/.ssh/keyname' \
    -avz directory username@host:

The only thing here is that rsync requires the full path to the key. Otherwise you will be greeted with:

Warning: Identity file ~/.ssh/keyname not accessible: No such file or directory.

mosh

My favorite ssh replacement, mosh, also supports it out of the box:

$ mosh --ssh='ssh -i ~/.ssh/keyname' username@host

(Mosh is awesome if your connection is less than stellar or if you need to move to another network without losing your connection. It will keep your session running. It’s an especially great combination with tmux.)

git

Using such an ssh key with git requires a bit more work. All you need is to add a new entry to your ssh config file (~/.ssh/config) with the right host and the path to your identity key. For GitHub it would look like this:

Host github.com
    IdentityFile /home/username/.ssh/keyname

With that bit of information in place, whenever git uses ssh to connect to the server it will use the key given in the config file.
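The two practical snags above, that rsync (and mosh) want the full path to the key, and that every host needs its own config entry once you have one key per project, lend themselves to a couple of small shell helpers. The following is an added example, not code from the original post: it assumes POSIX sh with the usual coreutils, never writes under ~/.ssh, and adds one thing the post does not mention, the real ssh_config option IdentitiesOnly, which matters precisely when you have many keys. It also includes the permission check ssh itself applies before it will use a private key.

```sh
#!/bin/sh
# Added example, not from the original post. Small POSIX sh helpers for the
# one-key-per-project habit: build the "ssh -i" string rsync and mosh need,
# emit the ~/.ssh/config block for a host, and check a private key's mode.
# Nothing here touches ~/.ssh; the demo works on constructed paths.

# Expand a leading "~" to $HOME. rsync -e and mosh --ssh receive their ssh
# command string without going through your shell, so "~" inside it is not
# expanded the way it is on the command line; always hand them a full path.
expand_tilde() {
    case "$1" in
        "~")   printf '%s\n' "$HOME" ;;
        "~/"*) printf '%s/%s\n' "$HOME" "${1#"~/"}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# The value to pass as rsync -e '...' or mosh --ssh='...'.
ssh_with_key() {
    printf 'ssh -i %s\n' "$(expand_tilde "$1")"
}

# A ~/.ssh/config block pinning one key to one host. IdentitiesOnly is a
# real ssh_config option that the original post does not mention: without it
# ssh also offers every key the agent holds, and with many per-project keys
# that can exceed the server's MaxAuthTries and fail with
# "Too many authentication failures" before the right key is ever tried.
ssh_config_entry() {
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$1" "$(expand_tilde "$2")"
}

# Succeed only if the file is readable by its owner alone. ssh refuses to use
# a private key that is group- or world-readable, so this is the check to run
# after copying a key between machines. Columns 5-10 of "ls -l" are the
# group and other permission bits; "------" means none of them is set.
private_key_is_protected() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demo: show what the helpers produce for a constructed key name and a
# temporary stand-in for a private key file.
main() {
    ssh_with_key '~/.ssh/keyname'
    ssh_config_entry github.com '~/.ssh/keyname'
    tmp=$(mktemp "${TMPDIR:-/tmp}/keyperm.XXXXXX") || return 1
    chmod 600 "$tmp"
    if private_key_is_protected "$tmp"; then
        echo "$tmp: mode 0600, ssh will accept it"
    fi
    chmod 644 "$tmp"
    if ! private_key_is_protected "$tmp"; then
        echo "$tmp: mode 0644, ssh would refuse it"
    fi
    rm -f "$tmp"
}

main "$@"
```

Append the output of ssh_config_entry to ~/.ssh/config for each project host, and use the output of ssh_with_key as the -e argument to rsync or the --ssh argument to mosh; after copying a key to another machine, run private_key_is_protected on it before blaming the server for a failed login.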

Amazon Web Services

If you use Amazon Web Services, your life is made easier by the ability to generate a new ssh key each time you deploy a new EC2 instance. I usually choose to do it once per project. Don’t let the .pem extension fool you; it’s a regular private key, the same thing ssh-keygen creates.