Public & Private Keys
- public key
- In file: id_ed25519.pub
- Feel free to share; you can even publicly post
- private key
- In file: id_ed25519
- Do not share
- Extract public key from private key
ssh-keygen -y -f ~/.ssh/id_ed25519
Using SSH Keys Instead of Passwords
- Allow multiple developers to log in as the same user on the same system without having to share a single password
- Revoke access to a developer just by removing their SSH key
- Make it easier for a single developer to log in to many accounts without needing to manage many different passwords
SSH
- ssh - secure shell
- scp - secure copy
- sftp - secure ftp
SSH Usage
- login
ssh <username>@66.228.46.28
- run a command remotely
ssh <username>@66.228.46.28 <command>
man Pages
- Installed on Unix systems; read with the man command
- Best source as to what is available on that server
- Usage:
man ssh
man -k ssh
man ssh_config
- Uses more or less to view
- Arrow keys to move, q to quit
SSH Configuration
- .ssh directory
- .ssh/config file
- Essential keywords:
- Host
- HostName
- User
- Share session keywords:
- ControlMaster
- ControlPath
- ControlPersist
SSH Keys and GitHub
- http URL
git clone https://github.com/mlcollard/DemoGitHubSSHKeys.git
- git URL
git clone git@github.com:mlcollard/DemoGitHubSSHKeys.git
- Must add a public key to GitHub
- Testing:
ssh git@github.com
Problem
- A local public/private key pair works well for GitHub: local->GitHub
- On a remote system, e.g., the devops server
- Want to use Git URLs
- Path: local->devops->GitHub
- Does not work: the remote system has no private key that GitHub knows
- Possible solution:
- Generate a new key on the remote system and set that up with GitHub, e.g., devops->GitHub
- However, a private key is now on a remote system that you do not control
Solution
- The SSH config option:
ForwardAgent yes
- Allows you to use your local keys through a remote system
- local->devops->GitHub
- Note: Temporarily make sure ControlMaster is off and local connections are not saved, so the forwarded connection is not a reused shared session
- Note: Before changing anything on a remote system involving SSH, create a separate session and stay logged in, in case something goes wrong
Passphrase
- What if someone stole your private key?
- Passphrase is the SSH password equivalent
- Only applies to the private key
- Can change on a private key without affecting public key
ssh-keygen -p -f ~/.ssh/id_ed25519
Problem
- Have to provide a passphrase when logging in
- Solution: ssh-agent
- Startup:
eval $(ssh-agent)
- List keys:
ssh-add -L
- Delete all keys:
ssh-add -D
- Add key:
ssh-add ~/.ssh/id_ed25519
- Note: For forwarding, the local machine has a private key, so the local machine validates the passphrase
Local Key Management
- Often tie into local key management
- E.g., Keychain on macOS
UseKeychain yes
AddKeysToAgent yes
- Described in the man page on macOS, but not in the man page on the devops server
- Since other OSs have multiple key management tools, we have to figure those out individually
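An added example ~/.ssh/config that ties the pieces above together (the essential and shared-session keywords, ForwardAgent for the local->devops->GitHub path, and the macOS key-management keywords); it is not from the slides, and the aliases devops and devops-fwd, the <username> and the file paths are assumed placeholders. Comments in ssh_config must be on their own lines starting with #.

```sshconfig
# Added example ~/.ssh/config; aliases, username and paths are placeholders.

# Defaults for every host. IgnoreUnknown lets the same file work on a
# non-macOS system, where UseKeychain is not a recognized keyword.
Host *
    IgnoreUnknown UseKeychain
    UseKeychain yes
    AddKeysToAgent yes
    # Offer only the configured IdentityFile, not every key in the agent
    IdentitiesOnly yes

# Normal devops login: Host, HostName, User plus a shared session that
# later ssh/scp/sftp commands to the same host reuse for 10 minutes
Host devops
    HostName 66.228.46.28
    User <username>
    IdentityFile ~/.ssh/id_ed25519
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m

# Forwarding path local->devops->GitHub. ForwardAgent is scoped to this
# alias only, and connection sharing is off so the forwarded agent is
# never attached to a saved/reused master connection.
Host devops-fwd
    HostName 66.228.46.28
    User <username>
    IdentityFile ~/.ssh/id_ed25519
    ForwardAgent yes
    ControlMaster no
    ControlPath none

# GitHub over the git URL (git@github.com:...), using the local key
Host github.com
    User git
    IdentityFile ~/.ssh/id_ed25519
```

After `ssh devops-fwd`, running `ssh-add -L` on devops lists the forwarded local keys and `ssh git@github.com` from there should succeed; while that session is open, anyone with root on devops can use the forwarded agent socket, which is why ForwardAgent is limited to one alias rather than set under Host *.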
Points to Remember
- Key access is more flexible and safer than password access
- Leave your private keys in as few places as possible
- Use a passphrase
- Set up keys for GitHub