SSH Configuration: tips and ideas.
There are a bunch of scenarios when you don't want to use the same SSH key pair for all your applications. Here's a simple way to achieve that.
We use ssh-keygen to create the keys. If you already have the keys, skip this step.
mkdir -p ~/Documents/.secrets/crypto_keys/hostname.example.com
cd ~/Documents/.secrets/crypto_keys/hostname.example.com
ssh-keygen -t ed25519 -C "identifier-for-your-laptop"
- When asked to choose a filename, type id_ed25519
- Press return to accept the defaults
Note that two files are created: id_ed25519 and id_ed25519.pub. The former should be kept super secret while the latter is shared with machines which use it to recognize you.
The file to edit is ~/.ssh/config. If this file does not exist, create it and run chmod 600 ~/.ssh/config on it, else you may encounter a weird permissions error.
Add the following lines to it:
# Passwordless SSH into hostname.example.com
# Note that this can also be an IP address or something defined in /etc/hosts
Host hostname.example.com
HostName hostname.example.com
PreferredAuthentications publickey
IdentityFile ~/Documents/.secrets/crypto_keys/hostname.example.com/id_ed25519
If you'd like to access specific ports on the remote machine as if they were running on localhost, you could add the following lines instead (notice the extra LocalForward line; the Port line is also new, for a server listening on a non-default port):
# Passwordless SSH into hostname.example.com
# Note that this can also be an IP address or something defined in /etc/hosts
Host shorthostname
HostName hostname.example.com # You may also use an IP Address
PreferredAuthentications publickey
IdentityFile ~/Documents/.secrets/crypto_keys/hostname.example.com/id_ed25519
LocalForward localhost:18080 localhost:8080
Port 8022 # assuming the default port 22 is not being used
You can read more about SSH configuration by running man ssh_config.
- Host can be an abbreviated name instead of the full name: you may use my_example_host instead of hostname.example.com, for example.
- HostName is the actual address of the host you connect to. This could be an IP address like 192.168.1.5, a public domain name like somehost.example.com, or an /etc/hosts domain hack like officebox-ubuntu.
- PreferredAuthentications sets the order in which you attempt to use various authentication methods. Since we are using a public key to log into the server, the only entry needed here is publickey.
- IdentityFile points to the private key you just created.
This is an extra that I'm including because I couldn't find a better place to put it.
LocalForward forwards a port on the local machine to a port on the remote machine. In the example, I use local port 18080 to access remote port 8080.
I have found this field to be extremely useful when working with a remote dev workstation or a VirtualBox VM which I use for development (so that I don't pollute my primary host).
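As an added example (not part of the original post), here is a small Python resolver that applies a config like the stanzas above the way ssh does: the first block to set an option wins, while IdentityFile and LocalForward accumulate across every matching block. The sample config is constructed for the example, and the parser mirrors ssh_config's rules only as far as this page uses them (Host patterns with `!` negation, comments, and the options shown here).

```python
import fnmatch

# Constructed sample: the shorthostname stanza from the text plus a catch-all
# "Host *" block, so the output shows which block supplies each option.
SAMPLE_CONFIG = """\
Host shorthostname
    HostName hostname.example.com # You may also use an IP Address
    IdentityFile ~/Documents/.secrets/crypto_keys/hostname.example.com/id_ed25519
    LocalForward localhost:18080 localhost:8080
    Port 8022
Host *
    IdentityFile ~/.ssh/id_ed25519
    Port 22
"""

def parse_ssh_config(text):
    """Return (patterns, {option: [values]}) blocks in file order."""
    blocks = [(["*"], {})]          # options before any Host line apply to all
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # drop comments
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, []).append(value)
    return blocks

def host_matches(patterns, host):
    """A block applies if some pattern matches and no '!pattern' matches."""
    if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def resolve(text, host):
    """Effective options for the name given on the ssh command line."""
    effective = {}
    for patterns, options in parse_ssh_config(text):
        if not host_matches(patterns, host):
            continue
        for key, values in options.items():
            if key in ("identityfile", "localforward"):   # these accumulate
                effective.setdefault(key, []).extend(values)
            else:
                effective.setdefault(key, values[0])      # first block wins
    effective.setdefault("hostname", host)   # ssh's defaults if nothing matched
    effective.setdefault("port", "22")
    return effective
```

For your real file, ssh -G shorthostname prints the configuration ssh itself would use after evaluating the Host blocks, which is the quickest way to confirm a stanza took effect.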
Remember to copy the public key whose name ends in .pub. If you accidentally share the private key, stop using it immediately - delete it from the servers you access with that key and create a new set of keys.
- Run this command:
ssh-copy-id -i ~/Documents/.secrets/crypto_keys/hostname.example.com/id_ed25519.pub username@hostname.example.com
- Copy ~/Documents/.secrets/crypto_keys/hostname.example.com/id_ed25519.pub manually onto the machine behind hostname.example.com by whatever means, and run these commands from the directory in which you have the file id_ed25519.pub (assuming the file exists on that machine):
mkdir -p ~/.ssh   # -p so this also works when ~/.ssh already exists
chmod 700 ~/.ssh
cat id_ed25519.pub >> ~/.ssh/authorized_keys
rm id_ed25519.pub
Note that you can manually edit ~/.ssh/authorized_keys to remove public keys you wish to revoke.
- Use the UI provided by the service to upload or paste your public key