What is SSH Key Management?

The blog post is intended towards someone new to SSH key management. Do you have just one SSH key pair? Do you have multiple key pairs? What are some pros and cons of having single or multiple key pairs? The post answers such questions about SSH key usage in practice.

The Premise

So, someone walked up to you or in a video call asked for your SSH public key?

It’s a common practice to allow access to Linux servers over SSH using cryptographic keys. There are various situations that lead to various techniques of handling them.

Pr-requisites And Assumptions

The blog post assumes that you already know how to access SSH servers using a private key. Perhaps you have already been using SSH with the private keys provided by your company.

Step 1: Generate An SSH Key Pair

If you do not already have an SSH key pair, generate one using the ssh-keygen command. There are a few algorithms and key size choices. Currently, I am recommending the Ed25519, EdDSA signature scheme.

ssh-keygen -t ed25519 -C "youremail@example.com"

The command will prompt you to type the passphrase. It is possible to have an empty passphrase, but it is highly discouraged. Use a strong passphrase. Every time you want to use your SSH key to logon to a remote server, you will need the passphrase. Utilities such as key rings make it easy to utilize the private key by storing your passphrase on your computer in a secure manner. For convenience, you might want to use the key ring service offered by your operating system.

The above command generates a key pair. The key pair has two files:

• public key
• private key

Pay attention to the command output, especially to the file paths.

It is possible to add a passphrase to an existing private key without a passphrase. If for some reason, you have a private key without a passphrase, add a passphrase to it. See man ssh-keygen.

Step 2: Backup

Try not to lose the key pair. You can distribute the public key publicly. For example, you can put it up on your website or Github profile. Ensure you back-up your private key to a secure vault. Losing private key can sometimes lock you out of critical server access.

The next time someone asks for your SSH public key, hand them out your public key file. Or simply point them to the URL where you have published your public key.

Never ever share your private key or passphrase with anyone. As the name suggests, it is the private key. Keep it private and keep it to yourself.

Mixing Personal And Company Keys Is Bad

Why? If you have two keys and if one of them is compromised the other can still be used. In other words, using the same key for both personal and company access is bad. Of course not for every situation. Therefore, treat this is a rule of thumb. Some identity management features of some applications and platforms require you to have a unique key per account. Such platforms will force you to use a unique per account on their platform. One such example is Github.

If you work with more than one company or many unrelated projects within a company, you might want to use a unique key pair per company. Repeat the same steps mentioned above to create and safeguard the keys for all your projects. Keeping company and personal keys separate leads to peace of mind. Thank me later.

Too Many Keys Problem

If you use a keyring service such as GNOME keyring, you will encounter this problem. Let’s say you have ten keys and add them all to the keyring. When you attempt to access an SSH server, SSH client will try the keys one by one in the keyring. There’s a good chance the SSH server will block your connection. To mitigate the problem you may have to stop using keyrings.

Resources

Edwards-curve Digital Signature Algorithm article on Wikipedia.

• Linux
• Ssh
• System Administration
• Linux 101