Managing SSH Keys
Ways to keep yourself sane when dealing with multiple keys.
Introduction
SSH (Secure Shell) keys are your gateway to secure and convenient server access. However, they can also be challenging to manage effectively. If you’re looking for a guide on managing SSH keys the right way, you’ve come to the right place.
I’ll walk you through generating SSH keys, storing them securely, and deploying them across your environment. What’s more, I’ll even get into some SSH key “life hacks,” including how to utilize the SSH Config file and nickname your keys for more effortless management.
Prerequisites
Before you start, make sure you have:
- Basic understanding of SSH and UNIX-like terminal commands
- Access to a server where you have permissions to modify SSH configurations
- A text editor of your choice installed
Step 1: Generating SSH Keys
Choosing the Right Type of Key
Before you generate a key, understand that you can choose between a few different key types (algorithms), such as:
- RSA
- DSA (not recommended for security reasons)
- ECDSA
- Ed25519 (recommended for better security and performance)
To generate a new SSH key with Ed25519, you can run ssh-keygen with the -t flag:
ssh-keygen -t ed25519 -C "your_email@example.com"
The -C flag is used to provide a comment or label for your key. This is particularly useful for identifying the key later. The above command will create a new key using the Ed25519 algorithm, and the email address will serve as our helpful label for the key.
Step 2: Storing SSH Keys Securely
Designating a Secure Directory
For a higher level of organization, consider placing all your SSH keys in a dedicated directory within your ~/.ssh directory. You can create one like this:
mkdir ~/.ssh/keys
Then, when generating SSH keys, you can specify this folder:
ssh-keygen -t ed25519 -C "your_email@example.com" -f ~/.ssh/keys/my_new_key
The -f flag is used to provide a filename for your key; in the above example we're also using it to specify the directory to save it to.
Lock Down Permissions
Protect your private key by setting tight file permissions:
chmod 600 ~/.ssh/keys/my_key
Step 3: Utilizing ssh-agent and ssh-add
ssh-agent is a program that holds your decrypted private keys in memory, so you don't have to re-enter their passphrases every time a key is needed.
Starting the SSH Agent
eval "$(ssh-agent -s)"
Adding Your SSH Key to the Agent
ssh-add ~/.ssh/keys/my_key
This stores your key in the agent, and you won’t need to input your passphrase every time you SSH into a server that uses this key.
Step 4: Using the SSH ‘config’ File to Manage Keys
The ~/.ssh/config file enables you to define settings for each server you connect to, making your life significantly easier.
Basic Syntax
Here is a simple example:
Host example
    HostName example.com
    User myuser
    Port 2222
    IdentityFile ~/.ssh/keys/my_key
For another example, let's say we have a blog hosted in the cloud with an IP of 180.20.33.40, and we want to nickname the connection 'CloudBlog'. We can put the following into our config file:
Host CloudBlog
    HostName 180.20.33.40
    User root
    Port 22
    IdentityFile ~/.ssh/keys/blog_key
Nicknaming Your Keys
You can also nickname your SSH keys for easier management by tying each key to a short Host alias:
# Inside ~/.ssh/config
Host my_server
    IdentityFile ~/.ssh/keys/my_nickname_key
This allows you to SSH into your server just by typing ssh my_server in your terminal, while the SSH client takes care of the rest.
Step 5: Applying Keys to Each Connection
The SSH Config file allows you to specify which key should be used for each connection:
# Inside ~/.ssh/config
Host server_one
    HostName server1.example.com
    IdentityFile ~/.ssh/keys/server_one_key
Host server_two
    HostName server2.example.com
    IdentityFile ~/.ssh/keys/server_two_key
Now you can use ssh server_one and ssh server_two, and the corresponding keys will be used automatically.
Step 6: Making ssh-agent and SSH Config Work Together
To bring your SSH key management to the next level, you can integrate ssh-agent and the SSH Config file. The SSH Config file allows you to define several options that work well with ssh-agent.
UseKeychain (macOS Specific)
On macOS, you can add the UseKeychain option to your SSH Config. This tells SSH to store the passphrase of your SSH key in macOS's keychain. Once the passphrase is in the keychain, you won't be prompted to enter it again, thereby streamlining the SSH experience. The keychain is a secure place to store sensitive information, making this option a win-win for both security and convenience.
AddKeysToAgent
With AddKeysToAgent, whenever you use an SSH key, its private key gets automatically added to ssh-agent. This eliminates the need to manually add keys to the agent and makes your SSH experience smoother. Combined with UseKeychain on macOS, the agent will re-load your keys after a system reboot, sparing you from having to re-enter your passphrase.
Here’s how to include these options in your SSH Config:
# Inside ~/.ssh/config
Host example
    # UseKeychain is macOS specific
    UseKeychain yes
    AddKeysToAgent yes
    IdentityFile ~/.ssh/keys/my_key
If you plan to use this config file on Linux machines, the UseKeychain option may cause an error.
If you plan on migrating your config at any point from macOS, put the IgnoreUnknown option above UseKeychain yes, and you should be able to use the config on a Linux machine without any issues.
Example:
Host example
    IgnoreUnknown UseKeychain
    # UseKeychain is macOS specific
    UseKeychain yes
    AddKeysToAgent yes
    IdentityFile ~/.ssh/keys/my_key
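The Host matching behind Steps 4 to 6 has one rule worth knowing: for each option the SSH client takes the first value it finds in the file, while IdentityFile entries from every matching stanza accumulate and are all offered to the server. The following Python script is an added example, not part of the original post; it parses a small constructed config (all names are made up) and resolves an alias the way the client does, so you can see why the order of stanzas matters.

```python
import fnmatch
import re
# Constructed sample modelled on this post's stanzas: note the wildcard stanza ABOVE the specific one.
SAMPLE_CONFIG = """\
# Inside ~/.ssh/config
Host CloudBlog
    HostName 180.20.33.40
    User root
    IdentityFile ~/.ssh/keys/blog_key
Host server_*
    IdentityFile ~/.ssh/keys/server_one_key
Host server_two
    HostName server2.example.com
    IdentityFile ~/.ssh/keys/server_two_key
Host *
    IgnoreUnknown UseKeychain
    UseKeychain yes
    AddKeysToAgent yes
    Port 22
"""
MULTI = {"identityfile"}  # options ssh accumulates across stanzas instead of taking the first
def parse_config(text):
    """Return [(patterns, {option: value}), ...] in file order; top-level options act as Host *."""
    stanzas = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # ssh only treats whole lines as comments
            continue
        key, value = (re.split(r"[ \t=]+", line, maxsplit=1) + [""])[:2]  # "Key value" or "Key=value"
        key = key.lower()
        if key == "host":
            stanzas.append((value.split(), {}))
        elif key in MULTI:
            stanzas[-1][1].setdefault(key, []).append(value)
        else:
            stanzas[-1][1].setdefault(key, value)  # within one stanza the first value wins
    return stanzas
def resolve(alias, stanzas):
    """Apply ssh_config's rule: for every option the FIRST matching stanza wins."""
    resolved = {}
    for patterns, options in stanzas:
        if not any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            continue  # simplification: negated "!pattern" entries are not handled
        for key, value in options.items():
            if key in MULTI:
                resolved.setdefault(key, []).extend(value)  # every matching IdentityFile is offered
            else:
                resolved.setdefault(key, value)
    resolved.setdefault("hostname", alias)  # no HostName anywhere: the alias itself is used
    return resolved
```

Because the "Host server_*" stanza sits above "Host server_two", the client offers server_one_key to server2 first; a stanza without HostName (like my_server above) makes ssh try to resolve the alias itself.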
Step 7: Rotating SSH Keys
Key rotation should be a part of your routine. Here’s how to do it:
- Generate a new SSH key as previously shown.
- Add the new key to the server.
- Remove the old key from the server.
- Delete or archive the old key from your machine.
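As an added example (not from the original post), here is a Python routine that carries out steps 2 and 3 of the rotation against an authorized_keys file in one idempotent pass: it identifies entries by key type and blob rather than by comment, so an old key survives nowhere even if it was listed with options, and it writes the result atomically with mode 0600. The key strings below are constructed placeholders, not real key material.

```python
import os
import tempfile

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def key_id(line):
    """Identify an entry by (key type, base64 blob), ignoring any options and comment."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_PREFIXES):
            return tok, tokens[i + 1]
    return None  # blank line, comment, or not a key

def rotate_keys(text, old_pub, new_pub):
    """Return authorized_keys content with the new key present exactly once and the old key gone."""
    old_id, new_id = key_id(old_pub), key_id(new_pub)
    if old_id is None or new_id is None:
        raise ValueError("old_pub and new_pub must be public key lines")
    kept, added = [], False
    for line in text.splitlines():
        kid = key_id(line)
        if kid == old_id:
            continue  # remove the old key, whatever options or comment it carried
        if kid == new_id:
            if added:
                continue  # collapse accidental duplicates of the new key
            added = True
        kept.append(line)
    if not added:
        kept.append(new_pub.strip())  # install the new key (once)
    return "\n".join(kept) + "\n"

def write_authorized_keys(path, content):
    """Replace the file atomically with mode 0600, so a crash never leaves it half-written."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".authorized_keys.")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)

# Constructed placeholder keys (not real key material) for the demo.
OLD_KEY = "ssh-ed25519 AAAAC3OLDKEYBLOB alice@laptop-2022"
NEW_KEY = "ssh-ed25519 AAAAC3NEWKEYBLOB alice@laptop-2024"
SERVER_FILE = 'from="10.0.0.0/8" ssh-ed25519 AAAAC3OLDKEYBLOB alice\nssh-rsa AAAAB3OTHER bob\n'
```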
Step 8: Auditing SSH Keys
Make sure to review the ~/.ssh/authorized_keys file on your servers periodically. Only the necessary public keys should be listed there.
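Reading authorized_keys by eye does not reveal key sizes. The Python script below is an added example, not from the original post: it decodes each public key blob (SSH wire format) and flags DSA keys, RSA keys shorter than 3072 bits, corrupt blobs and entries without an identifying comment, tying the review back to the key-type advice in Step 1. The sample file is constructed from synthetic key material so it runs offline.

```python
import base64
import struct
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256"}
def _s(b):  # SSH wire "string": 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b
def _mpint(n):  # SSH wire "mpint": big-endian bytes with room for a zero sign bit
    return _s(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def _entry(ktype, parts, comment="", options=""):  # build one authorized_keys line
    blob = base64.b64encode(_s(ktype) + b"".join(parts)).decode()
    return " ".join(t for t in (options, ktype.decode(), blob, comment) if t)
# Constructed sample file: the key material is synthetic, only the encoding is real.
SAMPLE = "\n".join([
    "# demo authorized_keys",
    _entry(b"ssh-ed25519", [_s(b"\x11" * 32)], "alice@laptop"),
    _entry(b"ssh-rsa", [_mpint(65537), _mpint(2**1023 + 1)], "legacy-ci"),  # 1024-bit modulus
    _entry(b"ssh-rsa", [_mpint(65537), _mpint(2**4095 + 3)], "", 'from="10.0.0.0/8",no-pty'),
    _entry(b"ssh-dss", [_mpint(2**1023 + 1)], "old-admin"),
])
def _read_string(blob, off):  # one wire string at offset -> (bytes, next offset)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n
def key_info(blob):  # -> (wire type, size in bits or None) from a decoded public key blob
    ktype, off = _read_string(blob, 0)
    if ktype == b"ssh-rsa":
        _e, off = _read_string(blob, off)  # public exponent comes first
        n, _ = _read_string(blob, off)  # then the modulus, whose length is the key size
        return ktype.decode(), int.from_bytes(n, "big").bit_length()
    return ktype.decode(), 256 if ktype == b"ssh-ed25519" else None

def audit_authorized_keys(text, min_rsa_bits=3072):
    """Flag DSA keys, short RSA keys, corrupt blobs and entries with no owner comment."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()  # simplification: option strings containing spaces are not handled
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens[:-1]) if t in KEY_TYPES), None)
        if idx is None:
            findings.append((lineno, "unparseable entry")); continue
        b64, comment = tokens[idx + 1], " ".join(tokens[idx + 2:])
        try:
            wire_type, bits = key_info(base64.b64decode(b64, validate=True))
        except (ValueError, struct.error):
            findings.append((lineno, "corrupt key blob")); continue
        if wire_type == "ssh-dss":
            findings.append((lineno, "DSA key, not recommended"))
        elif wire_type == "ssh-rsa" and bits < min_rsa_bits:
            findings.append((lineno, f"RSA key is only {bits} bits"))
        if not comment:
            findings.append((lineno, "no comment, owner unknown"))
    return findings
```

On a real server, run audit_authorized_keys over the contents of each user's ~/.ssh/authorized_keys and treat every finding as a key to rotate or remove.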
Third-Party Solutions
There are also several third-party solutions for managing SSH keys, such as:
These solutions provide additional features such as centralized management, key rotation, and auditing capabilities.
Conclusion
Congrats! You should now have a better idea of how to manage SSH keys effectively. You’ve also learned some tricks to simplify your life using SSH config files, including specifying which keys to use for each connection and how to nickname your keys for easy recall.
Utilizing these practices will not only fortify your infrastructure against attacks, they'll also streamline your workflow and keep you sane in the process :)
Cheers!