Securely managing a gaggle of SSH Keys
A while back, I shared some bash code on how to manage ssh keys.
Let's take it a step further and apply some security best practices.
Are you like most engineers, using the same private ssh key for every ssh login, across all servers and projects? Have you thought about what would happen if that one private key were compromised? Every server it is authorized on is open to whoever holds it. OUCH!
Let's not dwell on that too long because it's just too painful. Rather than thinking about security after the project is complete, start with a secure method of handling your ssh keys.
It really comes down to the motto "reduce the attack surface": a leaked key should unlock one project, not everything you have ever logged in to. So generate a different ssh key pair per project. With ssh-keygen (ssh-keygen -t ed25519 gives you a modern key) it's no problem; it's not like ssh keys are expensive (they are free btw :)
Instead of using your default id_rsa key (~/.ssh/id_rsa on a Mac, and everywhere else) for every server, you now specify the project key on the command line with the identity switch, as in:
ssh -i project_falcon_id_rsa nick@server1
You would do this for each project, and yes, that gets tedious.
Let's take it to the next level and use ssh host aliases! These are defined in the ~/.ssh/config file. An entry looks like the following:
# Server in project_falcon
Host server1
HostName 103.234.153.153
Port 22
User nick
IdentityFile /data/project_falcon_id_rsa
One line you will see in a lot of copy-pasted configs, and which this entry deliberately leaves out, is StrictHostKeyChecking no. Don't add it: it tells ssh to accept whatever host key the far end presents, which is exactly the check that stops someone on the network from impersonating server1 and collecting your session. Keep the default and let ssh verify the host key against ~/.ssh/known_hosts.
The added benefit is that this makes your life even easier! No need to include the user name or the key, because both are defined in the ssh config file:
ssh server1
Oh wow, isn't life SOOO much easier AND more secure now?!
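Putting the two steps together (a key pair per project, then an alias that pins that key to the host), here is a small shell script. It is an added example, not the script from the earlier post and not part of the original text; the project name, host, address and passphrase in its test run are made up, and it generates ed25519 keys where the text used RSA. SSH_DIR defaults to ~/.ssh, so set it to a scratch directory to try the functions without touching your real config.

```shell
#!/bin/sh
# Added example (not from the original post): one ed25519 key pair per
# project plus a ~/.ssh/config alias that pins that key to the host.
# Project names, hosts and addresses used with it are constructed.
# SSH_DIR defaults to ~/.ssh; point it at a scratch directory to experiment.
set -eu

SSH_DIR="${SSH_DIR:-${HOME:-.}/.ssh}"

# Create $SSH_DIR/<project>_ed25519 protected by passphrase $2; never overwrite.
gen_project_key() {
    key="$SSH_DIR/${1}_ed25519"
    if [ -z "${2:-}" ]; then
        echo "gen_project_key: a passphrase is required" >&2; return 1
    fi
    if [ -e "$key" ]; then
        echo "gen_project_key: refusing to overwrite $key" >&2; return 1
    fi
    mkdir -p "$SSH_DIR"; chmod 700 "$SSH_DIR"
    ssh-keygen -q -t ed25519 -f "$key" -C "$1" -N "$2"
    echo "$key"
}

# Append a Host block so that "ssh <alias>" uses exactly one key.
# IdentitiesOnly stops ssh from also offering every key the agent holds.
# StrictHostKeyChecking is left at its default so host keys are still verified.
add_host_alias() {
    alias_="$1"; host_="$2"; user_="$3"; key_="$4"; port_="${5:-22}"
    cfg="$SSH_DIR/config"
    mkdir -p "$SSH_DIR"; chmod 700 "$SSH_DIR"
    touch "$cfg"; chmod 600 "$cfg"
    if grep -qxF "Host $alias_" "$cfg"; then
        echo "add_host_alias: $alias_ already defined in $cfg" >&2; return 1
    fi
    cat >> "$cfg" <<EOF

# $alias_: $user_@$host_ via $key_
Host $alias_
    HostName $host_
    Port $port_
    User $user_
    IdentityFile $key_
    IdentitiesOnly yes
EOF
}

# Print the IdentityFile configured for an alias (empty if the alias is absent).
alias_key() {
    [ -f "$SSH_DIR/config" ] || return 0
    awk -v a="$1" '$1 == "Host" { cur = $2 } cur == a && $1 == "IdentityFile" { print $2 }' "$SSH_DIR/config"
}

# Usage: sh keys.sh <project> <alias> <hostname> <user> [port]
# Asks once for the new key's passphrase, then writes the key and the alias.
if [ $# -ge 4 ]; then
    printf 'Passphrase for the new %s key: ' "$1"
    stty -echo 2>/dev/null || true
    read -r pass
    stty echo 2>/dev/null || true
    echo
    key=$(gen_project_key "$1" "$pass")
    add_host_alias "$2" "$3" "$4" "$key" "${5:-22}"
    echo "Added alias $2; install $key.pub on $3, then: ssh $2"
fi
```

Saved as, say, keys.sh and run as `sh keys.sh project_falcon server1 103.234.153.153 nick`, it prompts for the passphrase once, writes the key pair and appends the Host block; `ssh -G server1` then prints the options ssh resolves for the alias, which is the quickest way to confirm the right IdentityFile is in effect. An existing key that has no passphrase can be given one in place with `ssh-keygen -p -f <key>`.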
But what if you had thousands of servers? Is this really something you'd like to do all day, or would you rather write an automation script (maybe with Chef) to handle it for you?
There is a very cool feature of ssh that handles this as well! THIS IS GETTING EXCITING!
Back to our ssh config file. Instead of explicitly adding an IdentityFile to each server, we can add the keys globally by listing them at the top of the ssh config file, outside any Host block:
IdentityFile /data/project_falcon_id_rsa
IdentityFile /data/project_pheonix_id_rsa
IdentityFile /data/project_scorpion_id_rsa
Now you can ssh nick@server1 and ssh will offer each of your private keys in order until the server accepts one. Is this efficient? For a handful of keys it's fast enough, but two things to know before you grow the list: every rejected key costs one authentication attempt on the server, and sshd's default MaxAuthTries is 6, so once more than about six keys are in play you'll start seeing "Too many authentication failures" before the right key even gets a turn. And every key in the list is offered to every server, so server1 gets to see the public keys of all your other projects, which is the opposite of keeping projects apart. For lots of servers, a Host block with a wildcard pattern (for example Host *.falcon.example) that carries only its own project's IdentityFile scales better than one global list.
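To see which keys a given host would actually be offered, and whether that stays under the server's attempt limit, here is an added example (not from the original post) that resolves IdentityFile entries from a config the way ssh does: global entries first, then every matching Host block, in file order. The two config files it reads are constructed inline for illustration; the resolver is an approximation (no Match blocks, no "!" negation in patterns), and `ssh -G <host>` is the authoritative answer on a real system. The limit of 6 is sshd's default MaxAuthTries.

```shell
#!/bin/sh
# Added example (not from the original post): resolve which IdentityFile
# entries ssh would offer to a host from an ssh config, and check the count
# against sshd's default MaxAuthTries of 6. Hosts, paths and both config
# files below are constructed for illustration. Approximates ssh's own
# matching (no Match blocks, no "!" negation); `ssh -G <host>` is authoritative.
set -euf   # -f: keep "Host *.example" patterns from globbing against the cwd

# Print IdentityFile values in effect for host $2 from config $1: the global
# section (before any Host/Match line) plus every Host block whose pattern
# matches, in file order, which is the order ssh offers them.
identities_for() {
    cfg="$1"; target="$2"
    active=1                        # the global section applies to every host
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                # split on blanks, dropping indentation
        if [ $# -eq 0 ]; then continue; fi
        case "$1" in
            \#*) ;;                 # comment
            Host)
                active=0; shift
                for pat in "$@"; do
                    case "$target" in $pat) active=1 ;; esac
                done ;;
            Match) active=0 ;;      # not modelled: treated as non-matching
            IdentityFile)
                if [ "$active" -eq 1 ]; then echo "$2"; fi ;;
        esac
    done < "$cfg"
}

# ssh offers keys one at a time and sshd counts each rejected key as a failed
# attempt, so the default MaxAuthTries caps how many keys can be tried before
# the server drops the connection with "Too many authentication failures".
MAX_AUTH_TRIES=6

# Succeed when host $2 stays within that budget under config $1, else warn.
check_key_budget() {
    n=$(identities_for "$1" "$2" | wc -l | tr -d ' ')
    if [ "$n" -gt "$MAX_AUTH_TRIES" ]; then
        echo "warning: $n keys would be offered to $2; the right one may never be tried" >&2
        return 1
    fi
    return 0
}

# Constructed sample 1: the "everything global" layout from the text.
global_cfg=$(mktemp)
cat > "$global_cfg" <<'EOF'
IdentityFile /data/project_falcon_id_rsa
IdentityFile /data/project_phoenix_id_rsa
IdentityFile /data/project_scorpion_id_rsa

Host server1
    HostName 103.234.153.153
    User nick
EOF

# Constructed sample 2: the same keys scoped per project with wildcard Host
# patterns, so only the matching block's key is offered.
scoped_cfg=$(mktemp)
cat > "$scoped_cfg" <<'EOF'
Host *.falcon.example server1
    User nick
    IdentityFile /data/project_falcon_id_rsa
    IdentitiesOnly yes

Host *.phoenix.example
    User nick
    IdentityFile /data/project_phoenix_id_rsa
    IdentitiesOnly yes
EOF

# Constructed sample 3: seven global keys, one more than sshd's default allows.
busy_cfg=$(mktemp)
i=1
while [ "$i" -le 7 ]; do
    echo "IdentityFile /data/project_${i}_id_rsa" >> "$busy_cfg"
    i=$((i + 1))
done
trap 'rm -f "$global_cfg" "$scoped_cfg" "$busy_cfg"' EXIT

echo "server1 with the global list:";       identities_for "$global_cfg" server1
echo "db1.falcon.example with scoped blocks:"; identities_for "$scoped_cfg" db1.falcon.example
check_key_budget "$busy_cfg" anyhost || true
```

The scoped layout is the one to automate for thousands of servers: your config management emits one Host block per project pattern, each server only ever sees its own project's key, and the attempt budget is never an issue.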
Just one more suggestion: if you are not using passphrases on your ssh keys, you really should. The passphrase encrypts the private key on disk, so someone who copies the file still can't use it without also knowing (or brute-forcing) the passphrase. It isn't two-factor authentication in the strict sense, but it is the difference between a stolen file and a stolen login. If you're on a Mac, ssh-agent can keep the passphrase in the OS keychain, so you type it once and the unlocked key is served from the agent for the rest of the session.
Hope this helped! Nick Skitch