Ask HN: How do you manage SSH keys?

10 points by l00sed ↗ HN
Seems like Github's move to SSH keys only is a good one. I suck at keeping my SSH keys organized and remembering what's what. How do you keep your SSH keys organized?

Do you make notes in the .ssh/config file? Do you use another tool to keep track of it? Is it a GUI tool or a TUI or CLI tool?

16 comments

[ 2.7 ms ] story [ 63.2 ms ] thread
I use SSH Config app on Mac (included with SetApp) for managing config.

I also use 'Secure Agent' which generates the private key in the hardware secure element with unlocking via biometric (with fallback to password). https://secure-agent.lapanthere.com/

Having trouble loading the secure agent link. But the SSH config provided with SetApp looks like it does a fair job of breaking everything down for you.
I actually use Ubuntu for my work laptop as a developer, and I use whatever default SSH executable comes with Ubuntu.

I know there's some standards to `id_rsa` and `known_hosts` or `authorized_hosts`; and I use ~/.ssh/config for establishing new keys, like `work_rsa` which I think is essentially the same structure as the set app SSH config.

> I also use 'Secure Agent' which generates the private key in the hardware secure element with unlocking via biometric (with fallback to password). https://secure-agent.lapanthere.com/

$6 for a command-line, ssh wrapper? Pass.

I just use a single ssh key everywhere. The private key never leaves my laptop. Once in a while, I might want to clone one of my repos on my raspberry pi, in which case I use ssh agent forwarding.
Is agent forwarding as simple as adding the -A flag? What additiomal info will agent-forwarding provide in the remote session? Dotfiles?
A couple of steps are needed before ssh -A. These can be automated in various ways depending on your preference.

1. make sure ssh-agent is running. Otherwise, here is one way to run it.

  exec ssh-agent bash
Make sure there is now an environment variable called SSH_AUTH_SOCK.

On my macOS system, it is always running, so I don't need to do this.

2. add your key(s) to the agent.

  ssh-add  # add all keys
  ssh-add -i ~/.ssh/id_ed25519  # add a specific key
  ssh-add -l  # list keys in agent
3. ssh -A host1

Additional information like dot files are not provided in the remote session.

Once you are logged on to host1, you can invoke ssh host2 without needing ~/.ssh/id_ed25519 on host1.

If instead you say ssh -A host2, then from host2 you may ssh back into host1. So if you have a group of trusted machines, they can all ssh each other while ~/.ssh/id_ed25519 remains on a single machine.

Just adding: don't make it a habit though.

If other people have root access to the box where you connect to, they can take over your agent and impersonate you.

ssh keys are tied to a user/machine tuple. When I create a new user account or (re)build a machine I always generate new keys and never copy private keys anywhere.

If the machine is owned by me it will have a git repo with per-hostname branches that holds an authorized_keys file. It also has a script that symlinks dotfiles and merges authorized keys with .ssh/id_rsa.pub and the local authorized keys file.

I'm using SSH more and more, and this is all stuff I want to be able to do. I'd love to pass a specific bashrc and vimrc.

I feel like it's hard to keep track of what's going on when I have 10 keypairs for git and remote servers.

Is it bad practice to use more than one SSH keypair? Do you have some kind of dashboard that can provide more verbosity about what each one's for or how it's configured with tags or something...

>Is it bad practice to use more than one SSH keypair?

Not that I'm aware of. You could actually argue that it's bad practice to not have different keypairs for eg signing commits, authenticating to github, and using shell accounts on different services. Most people like me are just too lazy to do that, but you could use a `host: *.domain` line in your ssh config to do it.

I guess RSA ends with user@host, but I don't have a nice view to see that all at once...
Are you gonna build something to solve this problem?

I’d be interested in collaborating if you are and would like a hand. I’ve had a domain name ready for this exact project for a couple years.

I keep everything with obvious names in ~/.ssh, and I moved .ssh to iCloud and symlinked it for seamless backup.
I use ssh key agent of keepassxc. This way only the public keys reside in the ~/.ssh and all the private keys can be made usable by unlocking my keepassxc db(and unusable on locking the same). Keepassxc stores the passphrases, additional notes if any for the keys.

With a properly configured gitconfig, .ssh/config I use different keys per domain(for different github accounts), different keys for different domains(ssh) and the like.

I run my own gitlab server and keep my keys in their own repo...understanding the ssh config file is a good investement of time.