Managing SSH Keys


To access your servers securely, you use SSH keys. Passwords can be guessed; just look in your logs to see all the people trying. But, you know that. You’ve got one key to rule them all added to .ssh/authorized_keys on the servers you manage. You may have even disabled passwords altogether by setting:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

in /etc/ssh/sshd_config.

But, how many keys do you have? Personally, I have many. Often, I’m managing servers for clients in AWS and I’m using the ec2-user with a client-provided key pair. I could, of course, add my key to authorized_keys, but I prefer to keep personal changes to clients’ servers to a minimum.

And what to do with your collection of keys? Typically, you add keys to the ssh-agent with ssh-add, unlocking them and making them available to the ssh command. However, keep adding keys and pretty soon you’ll start seeing the dreaded Too many authentication failures for username. The SSH server only allows some number of login attempts per connection (six by default for OpenSSH). Trying a key counts as an attempt. If the key you need isn’t in the first six, buh-bye.

Fortunately, it’s easy to specify which server gets which key in your .ssh/config file, and only load them as needed.

Host some-aws-box.com
 User ec2-user
 IdentityFile ~/.ssh/aws_rsa

You can also take advantage of the fact that the Host line allows multiple hostnames and has limited wildcard support:

Host some-aws-box.com *.aws-domain.com
 User ec2-user
 IdentityFile ~/.ssh/aws_rsa

When a key is needed it is then loaded into ssh-agent, making it possible to still end up with too many keys. If this happens, you can remove specific ones with ssh-add -d or start over by removing all of them with ssh-add -D.

Technically, you can set IdentitiesOnly yes in your config file and only use keys specified by IdentityFile, bypassing ssh-agent altogether. I think that’s overkill.
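To see how the pieces above fit together (the per-connection attempt limit, Host lines with several patterns and wildcards, IdentityFile accumulating across blocks, and IdentitiesOnly), here is an added example that is not part of the original post. It resolves a host against an ssh_config-style text the way ssh does (first matching value wins, except IdentityFile, which collects from every matching block; "!" negates a pattern) and then estimates how many keys ssh may offer, so you can spot a crowded agent before the server drops you. The config text and the list of agent keys are constructed, keys are identified by file path rather than fingerprint, and the count ignores ssh's version-dependent ordering of offers, so treat it as a simplified model.

```python
"""Resolve ssh_config options for a host and estimate the number of keys ssh may
offer, to catch "Too many authentication failures" before it happens.
Added example, not from the original post; config and agent contents are constructed."""
import re
from typing import Any, Dict, List, Tuple

MAX_AUTH_TRIES_DEFAULT = 6  # OpenSSH sshd default for MaxAuthTries

Block = Tuple[List[str], Dict[str, List[str]]]


def parse_ssh_config(text: str) -> List[Block]:
    """Split an ssh_config into (host patterns, options) blocks in file order.
    Options before any Host line apply to every host (pattern '*')."""
    blocks: List[Block] = []
    patterns: List[str] = ["*"]
    options: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1] if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}  # a Host line takes several patterns
        else:
            options.setdefault(key, []).append(value)
    blocks.append((patterns, options))
    return blocks


def _pattern_matches(hostname: str, pattern: str) -> bool:
    """ssh-style wildcard: '*' matches any run of characters, '?' a single one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, hostname) is not None


def host_matches(hostname: str, patterns: List[str]) -> bool:
    """A Host line matches when some positive pattern matches and no '!' pattern does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if _pattern_matches(hostname, pat[1:]):
                return False
        elif _pattern_matches(hostname, pat):
            positive = True
    return positive


def resolve(config_text: str, hostname: str) -> Dict[str, Any]:
    """Apply ssh's rule: the first matching value of an option wins, except
    IdentityFile, where every matching block adds to the list of keys tried."""
    result: Dict[str, Any] = {}
    for patterns, options in parse_ssh_config(config_text):
        if not host_matches(hostname, patterns):
            continue
        for key, values in options.items():
            if key == "identityfile":
                result.setdefault(key, []).extend(values)
            else:
                result.setdefault(key, values[0])
    return result


def offered_key_count(resolved: Dict[str, Any], agent_keys: List[str]) -> int:
    """Estimate how many keys ssh may offer. With IdentitiesOnly yes only the
    IdentityFile keys are offered; otherwise every key in the agent is offered too.
    Simplification: keys are identified by path and offer ordering is ignored."""
    identity_files = set(resolved.get("identityfile", []))
    if resolved.get("identitiesonly", "no").lower() == "yes":
        return len(identity_files)
    return len(identity_files | set(agent_keys))


def within_auth_budget(resolved: Dict[str, Any], agent_keys: List[str],
                       max_auth_tries: int = MAX_AUTH_TRIES_DEFAULT) -> bool:
    """True when every candidate key can be tried before the server's limit
    is exhausted, so the key you actually need cannot be starved out."""
    return offered_key_count(resolved, agent_keys) <= max_auth_tries


SAMPLE_CONFIG = """\
# constructed sample ~/.ssh/config
Host some-aws-box.com *.aws-domain.com
  User ec2-user
  IdentityFile ~/.ssh/aws_rsa

Host *.internal !bastion.internal
  User ops
  IdentityFile ~/.ssh/ops_ed25519

Host *
  User me
  IdentityFile ~/.ssh/id_ed25519
"""

# constructed picture of a crowded agent (the keys `ssh-add -l` would list)
AGENT_KEYS = ["~/.ssh/id_ed25519", "~/.ssh/aws_rsa"] + [f"~/.ssh/client_{c}" for c in "abcde"]

if __name__ == "__main__":
    for host in ("web.aws-domain.com", "bastion.internal", "db.internal"):
        r = resolve(SAMPLE_CONFIG, host)
        verdict = "ok" if within_auth_budget(r, AGENT_KEYS) else "too many keys"
        print(host, r.get("user"), r.get("identityfile"), verdict)
```

With seven keys in the agent, web.aws-domain.com resolves to ec2-user with two IdentityFile entries but still faces seven candidate keys, one more than the default limit; adding IdentitiesOnly yes for that host cuts the candidates to the two configured files. bastion.internal is excluded from the *.internal block by the "!" pattern and falls through to Host *.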

I like this setup. You limit the key(s) you add with ssh-add to your general purpose one(s) and only use the lesser keys when and where needed.
