sean finney on 18 Nov 2011 03:52:18 -0800



Re: [PLUG] Setting up SSH public key on OSX


On Thu, Nov 17, 2011 at 12:52:43PM -0500, Paul Walker wrote:
> Finally revisited this and got it working. The problem is that I was
> generating the key on the remote side then copying it down. Once I flipped
> the script everything worked fine.

Make sure you delete the copies of the private key on all remote hosts!

> Follow-up question:
> 
> Is it necessary / important to use different keys for different hosts? (I
> guess if the host is compromised then the key is compromised.)

Only the private key.  The private key is equivalent to your password in
a plaintext file, for all machines with the public key installed.  So you
have to guard that VERY carefully.  As I mentioned before, you really,
really, want to put a passphrase on the key, as it gives you an extra
level of protection on what is likely the master key to lots of stuff.

The public key is only a mathematical proof used to verify the private
key, so it's not entirely critical if it ends up in the wrong hands
(unless they manage to MITM you, which ssh would warn you about but you
might miss/ignore).

Personally, I don't think it's worthwhile to have a large number of keys,
and only generate new keys when it doesn't feel appropriate, i.e. I don't
use my personal ssh key on a client's server network.

You can manage having multiple keys two ways.  You can specify which key
is used on a host-by-host basis in your .ssh/config file like:

Host host1.yourdomain.com host1
	IdentityFile=~/.ssh/id_rsa_host1

But better would be to use ssh-agent to load the key in question into
your session.
> On an osx box, where do I configure additional keys?

There's some easily googlable info about tying in ssh keys into the
OSX keyring, but I'm not an OS X user so can't vouch for it myself.
But otherwise, there's a very small and simple utility called "keychain"[1],
where all you need to do is add a couple lines to your .bashrc file and
it will then take care of a session-wide ssh-agent process for you.


	sean


[1] http://www.gentoo.org/doc/en/keychain-guide.xml or apt-get install keychain
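Added example (not from sean's reply or the keychain project) of the per-host key approach from the message above, in POSIX sh: one function writes a Host stanza like the one quoted (adding IdentitiesOnly so only that key is offered), one reads the IdentityFile back for a host or alias, and one checks the private key is not group/world readable. It assumes only sh, awk and ls; the config and key paths used in the demo are constructed temp files, not real keys.

```shell
#!/bin/sh
# Hypothetical helpers for managing several ssh keys via ssh_config.
# Assumes POSIX sh, awk and ls; CONFIG is the file to edit (a temp file
# below, ~/.ssh/config in real use).

# Append a Host stanza binding HOST and ALIAS to KEYFILE. IdentitiesOnly
# keeps ssh (and ssh-agent) from offering every loaded key to this host,
# which matters as soon as more than one key exists.
ssh_config_add_host() {
    host=$1; alias=$2; keyfile=$3; config=$4
    printf '\nHost %s %s\n\tIdentityFile %s\n\tIdentitiesOnly yes\n' \
        "$host" "$alias" "$keyfile" >> "$config"
}

# Print the IdentityFile configured for NAME (host or alias), or "none".
# Accepts both "Key value" and "Key=value" spellings, as ssh does.
# Simplification: exact Host matching only, no wildcard patterns.
ssh_config_key_for() {
    name=$1; config=$2
    awk -v want="$name" '
        { sub(/#.*/, ""); gsub(/=/, " "); if (NF == 0) next }
        tolower($1) == "host" {
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == want) inblock = 1
            next
        }
        inblock && tolower($1) == "identityfile" { print $2; found = 1; exit }
        END { if (!found) print "none" }
    ' "$config"
}

# Succeed only if the private key is readable by its owner alone.
# ssh refuses keys with looser modes, and the thread's point stands:
# the private key is a plaintext password.
key_perms_ok() {
    keyfile=$1
    mode=$(ls -l "$keyfile" | cut -c5-10)   # group+other permission bits
    [ "$mode" = "------" ]
}

# Demo on constructed files (swap in ~/.ssh/config and a real key).
tmp=$(mktemp -d)
: > "$tmp/id_rsa_host1"; chmod 600 "$tmp/id_rsa_host1"
ssh_config_add_host host1.yourdomain.com host1 "$tmp/id_rsa_host1" "$tmp/config"
echo "host1 -> $(ssh_config_key_for host1 "$tmp/config")"
key_perms_ok "$tmp/id_rsa_host1" && echo "key permissions ok"
```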
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug