I like to use multiple ssh keys: if I ever need to revoke a key, I only have to replace that one key pair on my laptop and on the server I authenticate to with it.
Before doing any of the steps I highly recommend backing up all of the files in your .ssh directory. If you do not, you can (and eventually will) lock yourself out of accounts and systems! You have been warned!
My Github keys:
    github_key.pub
    github_key
My Digital Ocean keys (hosting site):
    digital_key.pub
    digital_key
You can name the keys when you generate them, which I highly recommend so you don't get them confused, since the default behavior of ssh-keygen is to name them all the same... not to mention that if you don't, it will overwrite any existing keys you already have. You did back up your .ssh directory, right? Warned twice.
This is the ssh-keygen prompt where you can put your own name in:
At the prompt enter a name that makes sense to you. If you do not put in a custom name you will overwrite any existing id_rsa key you have. Warned a third and final time. I use the pattern 'servername_crypto': the server part of the name tells me which server the key is for and the crypto part tells me which key algorithm I used. So something like github_rsa for a Github key using RSA.
This will work for most servers, but some, like Github, have a different procedure for adding ssh keys. For Github you can find the directions here.
For normal servers, once you have generated your keys, copy the public key (the one with the .pub extension) to the remote system/server. Do NOT copy the private key (the one with no extension).
$ cd ~/.ssh
$ scp server1_key.pub username@server1:
This will add your public key to the home directory of username on server1. Now ssh into the remote system.
Now we will append the public key to your authorized_keys file and remove the copy from your home directory (the mkdir is a no-op if ~/.ssh already exists).
$ mkdir -p ~/.ssh
$ cat ~/server1_key.pub >> ~/.ssh/authorized_keys
$ rm ~/server1_key.pub
Once you have completed the above for Github you can follow their testing instructions found here. We will test connecting to other servers in a minute.
Now that you have the keys added, you need to set up a config file on your laptop to match each key to its remote server.
In the .ssh directory of your laptop create a config file if one does NOT already exist. If one already exists, skip creating a new file and use the existing one.
$ cd ~/.ssh
$ touch config
$ chmod 600 config
This sets the permissions so that only your user can read and write the file. ssh refuses to use a config file that other users can write to.
Now we need to tell ssh how to use all the keys in our .ssh directory. The basic outline of the config file is:
Host server1
    HostName p1.server1.com
    IdentityFile ~/.ssh/server1_rsa
    User username
Let's break down what each of the four lines does.
- Host server1: this is the short name that you will type to ssh into the server. This name does not need to be in DNS.
- HostName p1.server1.com: this is the DNS-resolvable name of the server.
- IdentityFile: this is the path to the private key for this server. A relative path is resolved from the directory you run ssh in, not from .ssh, so give the full ~/.ssh/... path.
- User username: this is the username you want to use on the remote server. Most of the time this is your normal user id, but not always.
Here is a short version of my config file.
Host github.com
    HostName github.com
    IdentityFile ~/.ssh/git_rsa
    User sfavorite
Host digital
    HostName p1.scotfavorite.net
    IdentityFile ~/.ssh/digitalocean_rsa
    User root
Please note that in the configuration above the first line, 'Host github.com', is the resolvable name. It needs to be github.com because you will be using commands such as 'git remote add origin git@github.com:sfavorite/coolstuff', and ssh matches what comes after the @ against the Host entries in your config file. The second server configuration starts with 'Host digital'. I have set my /etc/hosts file so the word digital resolves to my droplet. If you don't want to change your hosts file, use Host p1.yourdomain.com instead.
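To see exactly how the matching described above works (and, for the revocation point at the top of the post, which servers a given key is tied to), here is an added example that is not part of the original post. It re-implements the Host lookup rules of ssh_config(5) over a constructed copy of the two stanzas above; the function names are my own, not part of ssh.

```python
"""Which key and user ssh would pick for a destination, read from ssh_config text.
Added example, not from the post; SAMPLE_CONFIG is constructed from its two stanzas.
Only Host blocks are handled (no Match blocks, negated patterns or Include)."""
import fnmatch
import re

SAMPLE_CONFIG = """
Host github.com
  HostName github.com
  IdentityFile ~/.ssh/git_rsa
  User sfavorite
Host digital
  HostName p1.scotfavorite.net
  IdentityFile ~/.ssh/digitalocean_rsa
  User root
"""

def parse_config(text):
    """Return [(host_patterns, {keyword: value}), ...] in file order."""
    stanzas = []
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) != 2:            # blank, comment-only or valueless line
            continue
        key, value = parts[0].lower(), parts[1]   # keywords are case-insensitive
        if key == "host":
            stanzas.append((value.split(), {}))
        elif stanzas:
            stanzas[-1][1][key] = value
    return stanzas

def resolve(config_text, destination):
    """Mimic ssh's lookup for '[user@]host': the alias typed on the command line is
    matched against each Host pattern and the first value seen for an option wins."""
    user, _, alias = destination.rpartition("@")
    opts = {"user": user or None}            # a user on the command line beats User
    for patterns, stanza in parse_config(config_text):
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in stanza.items():
                if opts.get(key) is None:
                    opts[key] = value
    opts.setdefault("hostname", alias)       # no HostName: ssh connects to the alias itself
    opts.setdefault("identityfile", None)    # None: ssh falls back to the default id_* files
    return opts

def hosts_using_key(config_text, keyfile):
    """For revocation: the Host aliases whose stanza names this private key, i.e. the
    servers whose authorized_keys must receive the replacement public key."""
    return [" ".join(p) for p, s in parse_config(config_text) if s.get("identityfile") == keyfile]
```

Note that resolve(SAMPLE_CONFIG, "p1.scotfavorite.net") finds no IdentityFile: the DNS name is only a HostName value, so typing it instead of the alias 'digital' bypasses the stanza entirely.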
Attempt an ssh login using the short name from your config (for example 'ssh digital'), without specifying a user, and hope for no password prompt.
Success! We can now login to our configured servers using ssh-keys.
Hope this helps you manage your ssh keys in a secure manner.