Granular SSH Management

Something I’ve always thought was important, but never found many great resources on was managing IdentityFiles with ssh. The Manpage explains most of it, but in usual Linux Documentation fashion it’s about as fun to read as a phone-book, thus this crappy blogpost. It’s not difficult, just annoyingly lackluster in terms of management documentation online. For the Longest time I had no idea that there was even a ~/.ssh/config file, let alone that you could specify separate Identities. In fact for an embarrassingly long time my config looked like this:

IdentityFile ~/.ssh/keys/id_rsa_GitHub
IdentityFile ~/.ssh/keys/id_rsa_GitLab
IdentityFile ~/.ssh/keys/id_roving
[...]

Which, if you don’t know, will attempt to connect with id_rsa_Github, then Gitlab, then roving… on and on until one worked or it ran out. This actually worked too, until I started using services that limited login attempts. Who knew.

The importance (to me) was pretty clear, using a dedicated ssh key for a service, or group of services, allows for better control over what has access to what, and if for “some reason” you manage to leak only one of them, other services aren’t compromised. Not that I’ve ever accidentally posted my private key when someone asks for a pubkey for allowing me server access. I’d never do something like that.

A basic configuration section in ~/.ssh/config might look something like this:

Host GitHub
   HostName github.com
   Port 12345
   User git #Defaults to your username on the current machine
   IdentityFile ~/.ssh/id_GitHub

Technically speaking the only separators between Sections is Host <something> The tabbing and spacing doesn’t matter. Personally I put the tabs for the sake of visual separation.

Using it

As an example of where this would be useful, I deploy and update the server using rsync, (which is pretty nifty on it’s own and I should do a post talking about it) and when I want to update all that’s needed to utilize the config, is use something:/var/www instead of hugo@pedanticmonkey.space, despite using a different user to log in/administrate the entire VPS the Hugo config works great, without the need for a password and using a separate key, if the hugo user’s private key were to be leaked accidentally I would still be secure on my other platforms, indeed my “admin” account would also remain secure (though obviously the VPS wouldn’t)

StripedMonkey
About StripedMonkey: Nobody special