SSH

2020/04/26 by jean tran

SSH is the secure shell protocol. It allows you to attach your terminal window to a remote server and execute commands in it.

Generating new SSH key

ED25519 SSH keys

ED25519 (SSH introduced in 2014 OpenSSH 6.5)

ssh-keygen -t ed25519 -C "[email protected]"

It generate public/private ed25519 key pair in: ~/.ssh/id_ed25519)

RSA SSH keys

By default ssh-keygen command create an 1024-bit RSA key. (Minimum recommended key size of 2048).

ssh-keygen -o -t rsa -b 4096 -C "[email protected]"

It generate public/private RSA key pair in: ~/.ssh/id_rsa

Update SSH key Passphrase

Specify the SSH key you would like to change the passphrase.

ssh-keygen -p -f "~/.ssh/<path/to/ssh_key>"

SSH Gitlab

Public SSH Key

For OSX, buffer public key to clipboard by specify your specific key with .pub extension.

pbcopy < ~/.ssh/<your_generated_key>.pub

Testing your key

Quick test by running the following command:

ssh -T <your_gitlab_domain>

Verbose version:

ssh -Tvvv <your_gitlab_domain>

Specifying none default path

To change non-default file path for SSH Key pair you can run this following command:

eval $(ssh-agent -s)
ssh-add <path to private SSH key>

Configuration file

The case of multiple ssh key for different usage could be config in the file ~/.ssh/config.

The followin case illustrate an usage of 3 keys for 3 differents domain of Git:

# office domain
Host <user_office_git_domain>
  Hostname <domain>
  Preferredauthentications publickey
  IdentityFile ~/.ssh/office_id_rsa

# some client
Host <user_client_git_domain>
  Hostname <domain>
  Preferredauthentications publickey
  IdentityFile ~/.ssh/client_id_rsa

# personal
Host <user_personal_git_domain>
  Hostname <domain>
  Preferredauthentications publickey
  IdentityFile ~/.ssh/own_id_rsa

FI: It can be multiple domains using the same key ( id_rsa | id_ed25519 )

Useful link

Going further with Gitlab official documentation

SSH-AGENT

Now that you setup your ssh with a passphrase to add some level of security.

But you don't want the inconvenience to type your passphrase every single time you use your key.

When using git/ssh, you may have come across the following prompt:

Enter passphrase for key '/home/user/.ssh/id_rsa':

Pitfalls

Make sure your keys/agent are unload when you log off your machine.
Do not copy your private keys on somebody else computer which has root on.
Do not run ssh-agent on somebody else computer which has root on.

Trade-off (Security vs Convenience)

If you are tempted to add the following script on your dotfile profile. You have to be aware that every instance of your Terminal will start a ssh-agent process

if [ -z "$SSH_AUTH_SOCK" ] ; then
    eval `ssh-agent`
    ssh-add
fi

To remove current agent provide by SSH_AGENT_PID run:

eval `ssh-agent -k`

To list running ssh-agent process (OSX):

ps x | grep ssh-agent

Last tips for security would be to set a time to live using: -s bourne shell stdout, -t 86400 for 24 hours. It could be less according to your security policy definition.

eval `ssh-agent -s -t 86400`

PreviousApp Package Manager NextGPG

Last updated 5 years ago

hashtagGenerating new SSH key

hashtagED25519 SSH keys

hashtagRSA SSH keys

hashtagUpdate SSH key Passphrase

hashtagSSH Gitlab

hashtagPublic SSH Key

hashtagTesting your key

hashtagSpecifying none default path

hashtagConfiguration file

hashtagUseful link

hashtagSSH-AGENT

hashtagPitfalls

hashtagTrade-off (Security vs Convenience)