Eric at on 17 Nov 2011 11:19:04 -0800


Re: [PLUG] Setting up SSH public key on OSX


I tend to have a single key pair on my workstation and just place that public key on each remote server that I need to connect to.   Occasionally I have the need to move something from server to server so I'll generate a key pair and copy the public key over.  That's rare and I remove the key when I'm done.  Typically this is for BIG files - smaller stuff I just pull to my workstation and then push out to the other server.

I also tend to keep the same key pair on my laptop that I have on my workstation.
Probably not good...


On 11/17/2011 12:52 PM, Paul Walker wrote:
> Finally revisited this and got it working. The problem is that I was generating the key on the remote side then copying it down. Once I flipped the script everything worked fine.
> Follow-up question:
> Is it necessary / important to use different keys for different hosts? (I guess if the host is compromised then the key is compromised.)
> On an osx box, where do I configure additional keys?
> Thanks for the help!
> Paul Walker
> On Sat, Oct 22, 2011 at 12:53 PM, sean finney wrote:
>     Hiya,
>     On Thu, Oct 20, 2011 at 12:37:25PM -0400, Paul Walker wrote:
>     > I'm trying to set up a public key to connect to SSH using public key
>     > authentication to improve my Git workflow....
>     >
>     > The remote server is Ubuntu 10.0.4.
>     > I generate the keys with the command:
>     >
>     > ssh-keygen -t rsa -C " <>"
>     >
>     >
>     > press return three times, then am pasting the contents of into a
>     > newly created authorized_keys file in ~/.ssh/ on my local machine running
>     > OSX...
>     I'm going to say a thing or two because I haven't seen anyone else do it,
>     and i think it's prudent...
>     first, put a passphrase on your private key. if you want passwordless
>     ssh, learn how to set up ssh-agent (or some mac keyring equivalent).
>     without a password, anyone who gets access to your machine instantly
>     has full access to that key and thus the remote account.
>     second, given the comment you put with the key, i'm going to make the
>     assumption that you're pushing stuff as root, which is also another
>     big NO-NO.  Instead you should use either a personal account or better, a
>     dedicated "git" account with no other special privileges, to own the gits.
>     Then for bonus points, there's a lot of other neat things you can do with
>     your remote authorized_keys file, to *really* lock it down.  for example,
>     forcing a specific command, only allowing certain host/network blocks,
>     block port forwarding, pty allocation, etc.  This might go a bit into
>     advanced territory, but it's possible to even set up keypairs that can
>     *only* be used for git push/pull commands.
>     You might consider this overkill, I guess that's subjective, but it's
>     definitely good practice to understand how the tools can be used safely.
>     The difference in damage-control is pretty significant, anyway...
>            sean
>     ___________________________________________________________________________
>     Philadelphia Linux Users Group         --
>     Announcements -
>     General Discussion  --

-- 
#  Eric Lucas
#                "Oh, I have slipped the surly bond of earth
#                 And danced the skies on laughter-silvered wings...
#                                        -- John Gillespie Magee Jr
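
The authorized_keys restrictions sean finney lists in the quoted message (forced command, source-network limit, no port forwarding, no pty), as an added example that is not part of the original thread. The use of git-shell, the 192.0.2.0/24 network and the key string are assumptions constructed for illustration; the audit function is a heuristic check, not an OpenSSH tool.

```shell
#!/bin/sh
# Added example; the key below is constructed and not a real credential.

# Build an authorized_keys entry carrying the restrictions listed in the thread:
# forced command, source-network limit, no forwarding, no pty.
# Assumes git-shell is installed on the server (not stated in the thread).
restricted_entry() {  # $1 = public key line, $2 = from= pattern list
    printf 'command="git-shell -c \\"$SSH_ORIGINAL_COMMAND\\"",from="%s",' "$2"
    printf 'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1"
}

# Print "<line>: missing <option>" for every key entry lacking a restriction.
# Heuristic: the options are whatever precedes the key-type token.
audit_authorized_keys() {  # $1 = path to an authorized_keys file
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        opts=$(printf '%s\n' "$line" |
            sed -E 's/(^| )(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[^ ]+|sk-[^ ]+) .*$//')
        # "restrict" (newer OpenSSH) already turns off pty and forwarding.
        case ",$opts," in
            *,restrict,*) opts="$opts,no-pty,no-port-forwarding" ;;
        esac
        for want in command= no-pty no-port-forwarding; do
            case $opts in
                *"$want"*) ;;
                *) echo "$n: missing $want" ;;
            esac
        done
    done < "$1"
}

# Demo on a constructed file: one bare key, one fully restricted key.
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal git-push'
demo_file=$(mktemp)
{
    echo "$demo_key"
    restricted_entry "$demo_key" '192.0.2.0/24'
} > "$demo_file"
audit_authorized_keys "$demo_file"   # reports line 1 only
rm -f "$demo_file"
```

Run the audit against the dedicated account's `~/.ssh/authorized_keys` on the server; any line it reports still permits an interactive shell or forwarding for that key.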