SSH Key Management
By Sudheer S
What is SSH Key Management?
This blog post is intended for someone new to SSH key management. Do you have just one SSH key pair? Do you have multiple key pairs? What are the pros and cons of having a single key pair versus multiple key pairs? The post answers such questions about SSH key usage in practice.
The Premise
So, someone walked up to you, or asked you in a video call, for your SSH public key?
It is common practice to grant access to Linux servers over SSH using cryptographic keys. Different situations call for different ways of handling those keys.
Pre-requisites And Assumptions
The blog post assumes that you already know how to access SSH servers using a private key. Perhaps you have already been using SSH with the private keys provided by your company.
Step 1: Generate An SSH Key Pair
If you do not already have an SSH key pair, generate one using the ssh-keygen command. There are a few algorithms and key size choices. Currently, I am recommending Ed25519, the EdDSA signature scheme.
ssh-keygen -t ed25519 -C "youremail@example.com"
The command will prompt you to type a passphrase. It is possible to have an empty passphrase, but it is highly discouraged. Use a strong passphrase. Every time you want to use your SSH key to log on to a remote server, you will need the passphrase. Utilities such as key rings make it easy to use the private key by storing your passphrase on your computer in a secure manner. For convenience, you might want to use the key ring service offered by your operating system.
The above command generates a key pair. The key pair has two files:
- public key
- private key
Pay attention to the command output, especially to the file paths.
It is possible to add a passphrase to an existing private key that has none. If for some reason you have a private key without a passphrase, add a passphrase to it. See man ssh-keygen.
Step 2: Backup
Try not to lose the key pair. You can distribute the public key publicly. For example, you can put it up on your website or GitHub profile. Ensure you back up your private key to a secure vault. Losing your private key can sometimes lock you out of critical server access.
The next time someone asks for your SSH public key, hand them your public key file. Or simply point them to the URL where you have published your public key.
Never ever share your private key or passphrase with anyone. As the name suggests, it is the private key. Keep it private and keep it to yourself.
Mixing Personal And Company Keys Is Bad
Why? If you have two keys and one of them is compromised, the other can still be used. In other words, using the same key for both personal and company access is bad. Of course, this does not hold for every situation, so treat it as a rule of thumb. The identity management features of some applications and platforms require you to have a unique key per account; such platforms will force you to use a unique key per account on their platform. One such example is GitHub.
If you work with more than one company or many unrelated projects within a company, you might want to use a unique key pair per company. Repeat the same steps mentioned above to create and safeguard the keys for all your projects. Keeping company and personal keys separate leads to peace of mind. Thank me later.
Too Many Keys Problem
If you use a keyring service such as GNOME Keyring, you will encounter this problem. Let’s say you have ten keys and add them all to the keyring. When you attempt to access an SSH server, the SSH client will try the keys from the keyring one by one. There is a good chance the SSH server will block your connection. To mitigate the problem, you may have to stop using keyrings.
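As an added example, not code from the post, here is a small Python audit that estimates how many keys the OpenSSH client would offer a given host, from a client config and the number of keys held in the agent or keyring. It assumes the ssh_config rule that the first value obtained for an option wins, sshd's default MaxAuthTries of 6, and a constructed sample config whose key paths are placeholders.

```python
import fnmatch

MAX_AUTH_TRIES_DEFAULT = 6  # sshd default MaxAuthTries; more failed offers than this drops the session

# Constructed sample ~/.ssh/config (an assumption, not from the post); paths are placeholders.
SAMPLE_CONFIG = """\
Host github.com
    IdentityFile ~/.ssh/id_personal
    IdentitiesOnly yes
Host *.company.example
    IdentityFile ~/.ssh/id_company
"""

def parse_ssh_config(text):
    """Return (host_patterns, options) blocks in file order; keys lowercased, IdentityFile
    accumulates, other keys keep their first value. Match and negated patterns not handled."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.replace("=", " ", 1).split(None, 1)
        key = key.lower()
        if key == "host":  # a new Host block starts; flush the previous one
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        elif key == "identityfile":
            opts.setdefault("identityfile", []).append(value)
        else:
            opts.setdefault(key, value)
    blocks.append((patterns, opts))
    return blocks

def offered_keys(config_text, hostname, agent_keys):
    """Upper bound on keys ssh tries for hostname; first value obtained per option wins."""
    identity_files, identities_only = [], None
    for patterns, opts in parse_ssh_config(config_text):
        if not any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            continue
        identity_files += opts.get("identityfile", [])
        if identities_only is None and "identitiesonly" in opts:
            identities_only = opts["identitiesonly"].lower() == "yes"
    if identities_only:
        return len(identity_files)  # only the pinned files are offered
    # Otherwise every agent key is offered before the explicit files; default ~/.ssh/id_* ignored.
    return agent_keys + len(identity_files)

def audit(config_text, hostnames, agent_keys):  # hostname -> (keys offered, likely blocked)
    return {h: (n, n > MAX_AUTH_TRIES_DEFAULT)
            for h in hostnames for n in [offered_keys(config_text, h, agent_keys)]}
```

Hosts the audit flags are the ones where pinning one key with IdentityFile plus IdentitiesOnly yes avoids the failure without giving up the keyring.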
Resources
Edwards-curve Digital Signature Algorithm article on Wikipedia.