More SSH

Michael L. Collard, Ph.D.

Department of Computer Science, The University of Akron

Public & Private Keys

  • public key
    • In file: id_ed25519.pub
    • Feel free to share, can even publicly post
  • private key
    • In file: id_ed25519
    • Do not share
  • Extract public key from private key
    • ssh-keygen -y -f ~/.ssh/id_ed25519

Using SSH Keys Instead of Passwords

  • Allow multiple developers to log in as the same user on the same system without having to share a single password
  • Revoke access to a developer just by removing their SSH key
  • Make it easier for a single developer to log in to many accounts without needing to manage many different passwords

SSH Keys and GitHub

  • https URL
    • git clone https://github.com/mlcollard/DemoGitHubSSHKeys.git
  • git URL
    • git clone git@github.com:mlcollard/DemoGitHubSSHKeys.git
  • Must add public key to GitHub
  • Testing:
    • ssh git@github.com

Problem

  • Local public and private key, very useful for GitHub, local->GitHub
  • On a remote system, e.g., knuth
  • Want to use Git URLs
  • Path: local->knuth->GitHub
  • Does not work
  • Possible solution:
    • Generate a new key on the remote system, and set that up with GitHub, e.g., knuth->GitHub
    • However, a private key is now on a remote system which you don’t have control over

Solution

  • The SSH config option:
    • ForwardAgent yes
  • Allows you to use your local keys through a remote system
  • local->knuth->GitHub
  • Note: Make sure ControlMaster is off, and local connections are not saved (temporarily)
  • Note: Before changing anything on a remote system involving SSH, create a separate session and stay logged in, in case something goes wrong

Passphrase

  • What if someone stole your private key?
  • Passphrase is the SSH password equivalent
  • Only applies to the private key
  • Can change on a private key without affecting public key
    • ssh-keygen -p -f ~/.ssh/id_ed25519

Problem

  • Have to provide passphrase when logging in
  • Solution: ssh-agent
  • Startup:
    • eval $(ssh-agent)
  • List keys:
    • ssh-add -L
  • Delete all keys:
    • ssh-add -D
  • Add key:
    • ssh-add ~/.ssh/id_ed25519
  • Note: For forwarding, local machine has private key so local machine validates passphrase

Local Key Management

  • Often ties in to local key management
  • E.g., Keychain on macOS
    • UseKeychain yes
    • AddKeysToAgent yes
  • Described on man page on macOS, but not in man page on knuth
  • Since other OSs have multiple key management tools, have to figure those out individually
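The Solution settings (ForwardAgent, ControlMaster off) and the Local Key Management settings (AddKeysToAgent, UseKeychain) gathered into one ~/.ssh/config, as an added example that is not taken from the slides; the HostName and User values for knuth are assumed placeholders.

```sshconfig
# Added example: a ~/.ssh/config that applies the settings from the slides.
# ssh_config uses the FIRST value obtained for each option, so the
# host-specific section must come before the catch-all "Host *" below.

# The hop whose Git URLs should use the local key: local->knuth->GitHub.
Host knuth
    HostName knuth.example.edu    # placeholder, not a real host name
    User yourname                 # placeholder
    # Forward the local agent only to this host, not to every host.
    ForwardAgent yes
    # Forwarding is negotiated when a session starts, so a reused
    # master connection would keep its old, un-forwarded state.
    ControlMaster no
    ControlPath none

# Defaults for every other host.
Host *
    # Forwarding stays off unless a host section above turns it on.
    ForwardAgent no
    # macOS: load keys into ssh-agent on first use and keep the
    # passphrase in Keychain. IgnoreUnknown (listed first) lets the
    # same file be copied to a system whose ssh lacks UseKeychain.
    IgnoreUnknown UseKeychain
    UseKeychain yes
    AddKeysToAgent yes
```

To check the forwarding path, run ssh-add -L on knuth and confirm it lists the local key, then run ssh git@github.com from knuth and confirm GitHub authenticates you with that key.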

Points to Remember

  • Key access is more flexible and safer than password access
  • Leave your private keys in as few places as possible
  • Use a passphrase
  • Set up keys for GitHub