Paul Walker on 17 Nov 2011 09:52:48 -0800



Re: [PLUG] Setting up SSH public key on OSX


Finally revisited this and got it working. The problem is that I was generating the key on the remote side then copying it down. Once I flipped the script everything worked fine.

Follow-up question:

Is it necessary / important to use different keys for different hosts? (I guess if the host is compromised then the key is compromised.)

On an osx box, where do I configure additional keys?

Thanks for the help!

Paul Walker
toomodernmedia.com

On Sat, Oct 22, 2011 at 12:53 PM, sean finney <seanius@seanius.net> wrote:
Hiya,

On Thu, Oct 20, 2011 at 12:37:25PM -0400, Paul Walker wrote:
> I'm trying to set up a public key to connect to SSH using public key
> authentication to improve my Git workflow....
>
> The remote server is Ubuntu 10.0.4.
> I generate the keys with the command:
>
> ssh-keygen -t rsa -C "root@mydomain.com"
>
>
> press return three times, then am pasting the contents of id_rsa.pub into a
> newly created authorized_keys file in ~/.ssh/ on my local machine running
> OSX...

I'm going to say a thing or two because I haven't seen anyone else do it,
and i think it's prudent...

first, put a passphrase on your private key. if you want passwordless
ssh, learn how to set up ssh-agent (or some mac keyring equivalent).
without a password, anyone who gets access to your machine instantly
has full access to that key and thus the remote account.

second, given the comment you put with the key, i'm going to make the
assumption that you're pushing stuff as root, which is also another
big NO-NO.  Instead you should use either a personal account or better, a
dedicated "git" account with no other special privileges, to own the gits.

Then for bonus points, there's a lot of other neat things you can do with
your remote authorized_keys file, to *really* lock it down.  for example,
forcing a specific command, only allowing certain host/network blocks,
block port forwarding, pty allocation, etc.  This might go a bit into
advanced territory, but it's possible to even set up keypairs that can
*only* be used for git push/pull commands.

You might consider this overkill, I guess that's subjective, but it's
definitely good practice to understand how the tools can be used safely.
The difference in damage-control is pretty significant, anyway...

       sean
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
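The two practical points in the thread, a per-host key on the OS X client (ssh on OS X is OpenSSH, so it reads `~/.ssh/config`) and an `authorized_keys` entry on the git server that is restricted with `from=`, `command=`, `no-port-forwarding`, `no-pty` and friends, are shown below as an added example; this is not code from either poster. The hostnames, the network block, the key blob and the file paths are constructed placeholders, and the forced command uses `git-shell` with `$SSH_ORIGINAL_COMMAND`, a common way to limit a key to git push/pull.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a locked-down authorized_keys
# entry for a dedicated git account, audits an existing authorized_keys file
# for entries that lack those restrictions, and prints a per-host ~/.ssh/config
# stanza so the client uses a separate key for each server.

# Constructed sample public key line, shaped like id_rsa.pub output.
# The base64 blob is a placeholder, not real key material.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0placeholder== git@workstation'

# restrict_key ALLOWED_FROM PUBKEY_LINE
# Prints PUBKEY_LINE prefixed with sshd authorized_keys options:
#   from=              accept the key only from these hosts/networks
#   command=           force git-shell, which refuses non-git commands
#   no-*               disable port, agent and X11 forwarding and pty allocation
restrict_key() {
    allowed_from=$1
    pubkey=$2
    printf 'from="%s",command="git-shell -c \\"$SSH_ORIGINAL_COMMAND\\"",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$allowed_from" "$pubkey"
}

# key_is_locked_down LINE
# Succeeds only if the entry carries every restriction required here.
key_is_locked_down() {
    line=$1
    for opt in 'from=' 'command=' 'no-port-forwarding' 'no-agent-forwarding' 'no-pty'; do
        case $line in
            *"$opt"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# audit_authorized_keys FILE
# Prints the number of key lines that are NOT locked down; comments and
# blank lines are skipped. A non-zero count is what to look for on a
# server that is supposed to serve git only.
audit_authorized_keys() {
    unrestricted=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        key_is_locked_down "$line" || unrestricted=$((unrestricted + 1))
    done < "$1"
    echo "$unrestricted"
}

# ssh_config_stanza ALIAS HOSTNAME USER IDENTITYFILE
# Prints a ~/.ssh/config block that binds one key to one server.
# IdentitiesOnly stops the client from offering every other loaded key first.
ssh_config_stanza() {
    printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$1" "$2" "$3" "$4"
}

# Demo: a constructed authorized_keys with one raw key and one restricted
# key, written to a temp file and audited. Expected count: 1 (the raw line).
demo() {
    tmp=$(mktemp)
    {
        echo '# constructed sample authorized_keys'
        echo "$SAMPLE_PUBKEY"
        restrict_key '203.0.113.0/24' "$SAMPLE_PUBKEY"
    } > "$tmp"
    audit_authorized_keys "$tmp"   # prints 1
    rm -f "$tmp"
}

demo
ssh_config_stanza gitbox git.example.com git '~/.ssh/id_rsa_gitbox'
```

To use the client half on the OS X box, generate a second key with `ssh-keygen -f ~/.ssh/id_rsa_gitbox` (with a passphrase, then load it via `ssh-add` so the agent handles it) and append the printed stanza to `~/.ssh/config`; `ssh gitbox` then uses only that key. On the server, the restricted line goes into the `git` account's `~/.ssh/authorized_keys`, so a key taken from a compromised client can neither open a shell nor forward ports, and is only honoured from the listed network.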
