> eval `ssh-agent` (yes, these are backticks)
> ssh-add ~/.ssh/id_rsa
================================================================================
In quite a few situations its preferred to have ssh keys dedicated for a service or a specific role. Eg. a key to use for home / fun stuff and another one to use for Work things, and another one for Version Control access etc. Creating the keys is simple, just use
ssh-keygen -t rsa -f ~/.ssh/id_rsa.work -C "Key for Word stuff"
Use different file names for each key. Lets assume that there are 2 keys, ~/.ssh/id_rsa.work and ~/.ssh/id_rsa.misc . The simple way of making sure each of the keys works all the time is to now create config file for ssh:
touch ~/.ssh/config
chmod 600 ~/.ssh/config
echo "IdentityFile ~/.ssh/id_rsa.work" >> ~/.ssh/config
echo "IdentityFile ~/.ssh/id_rsa.misc" >> ~/.ssh/config
This would make sure that both the keys are always used whenever ssh makes a connection. However, ssh config lets you get down to a much finer level of control on keys and other per-connection setups. And I recommend, if you are able to, to use a key selection based on the Hostname. My ~/.ssh/config looks like this :
Host *.home.lan IdentityFile ~/.ssh/id_dsa.home User kbsingh Host *.vpn IdentityFile ~/.ssh/id_rsa.work User karanbir Port 44787 Host *.d0.karan.org IdentityFile ~/.ssh/id_rsa.d0 User admin Port 21871
Ofcourse, if I am connecting to a remote host that does not match any of these selections, ssh will default back to checking for and using the 'usual' key, ~/.ssh/id_dsa or ~/.ssh/id_rsa
===================================================================================
SSH has a per-user configuration file called ‘~/.ssh/config’ that it can use to select your private keys based on the remote user name and remote host by using wildcards. Let’s check out my ‘config’ file:
IdentityFile ~/.ssh/ids/%h/%r/id_rsa IdentityFile ~/.ssh/ids/%h/%r/id_dsa IdentityFile ~/.ssh/ids/%h/id_rsa IdentityFile ~/.ssh/ids/%h/id_dsa IdentityFile ~/.ssh/id_rsa IdentityFile ~/.ssh/id_dsa
The percent-h and percent-r take the host and the remote user from your SSH user and hostname arguments. Consider this example command:
$ ssh remote_user@remote_hostname.example.com
From the example command, the SSH client would use the wildcards to seek the correct key to use:
~/.ssh/ids/remote_hostname.example.com/remote_user/
This means that if you had two private keys that you used to access two different servers, you would arrange them as follows. The first one is arranged as follows:
$ ls -l ~/.ssh/ids/remote.example.com/remote_user/ total 16 -rw------- 1 kelvin staff 668 Mar 24 20:09 id_dsa -rw-r--r-- 1 kelvin staff 610 Mar 24 20:09 id_dsa.pub $ ssh [email protected] [remote_user@remote ~]$ |
Our second example uses a simple hostname. If a remote user is not required, you can just use the hostname:
$ ls -l ~/.ssh/ids/webby.example.org/ total 16 -rw------- 1 kelvin staff 668 Mar 24 20:09 id_rsa -rw-r--r-- 1 kelvin staff 610 Mar 24 20:09 id_rsa.pub $ ssh webby.example.org [webby ~]$ |
For sure, these are totally contrived examples, but you can watch the cascade yourself by adding the verbosity flag(s) to your SSH client session (this one is my client’s WebFaction account):