Ask HN: How do you manage SSH keys?
Seems like Github's move to SSH keys only is a good one. I suck at keeping my SSH keys organized and remembering what's what. How do you keep your SSH keys organized?
Do you make notes in the .ssh/config file? Do you use another tool to keep track of it? Is it a GUI tool or a TUI or CLI tool?
16 comments
[ 2.7 ms ] story [ 63.2 ms ] threadI also use 'Secure Agent' which generates the private key in the hardware secure element with unlocking via biometric (with fallback to password). https://secure-agent.lapanthere.com/
I know there's some standards to `id_rsa` and `known_hosts` or `authorized_hosts`; and I use ~/.ssh/config for establishing new keys, like `work_rsa` which I think is essentially the same structure as the set app SSH config.
$6 for a command-line, ssh wrapper? Pass.
1. make sure ssh-agent is running. Otherwise, here is one way to run it.
Make sure there is now an environment variable called SSH_AUTH_SOCK.On my macOS system, it is always running, so I don't need to do this.
2. add your key(s) to the agent.
3. ssh -A host1Additional information like dot files are not provided in the remote session.
Once you are logged on to host1, you can invoke ssh host2 without needing ~/.ssh/id_ed25519 on host1.
If instead you say ssh -A host2, then from host2 you may ssh back into host1. So if you have a group of trusted machines, they can all ssh each other while ~/.ssh/id_ed25519 remains on a single machine.
If other people have root access to the box where you connect to, they can take over your agent and impersonate you.
If the machine is owned by me it will have a git repo with per-hostname branches that holds an authorized_keys file. It also has a script that symlinks dotfiles and merges authorized keys with .ssh/id_rsa.pub and the local authorized keys file.
I feel like it's hard to keep track of what's going on when I have 10 keypairs for git and remote servers.
Is it bad practice to use more than one SSH keypair? Do you have some kind of dashboard that can provide more verbosity about what each one's for or how it's configured with tags or something...
Not that I'm aware of. You could actually argue that it's bad practice to not have different keypairs for eg signing commits, authenticating to github, and using shell accounts on different services. Most people like me are just too lazy to do that, but you could use a `host: *.domain` line in your ssh config to do it.
I’d be interested in collaborating if you are and would like a hand. I’ve had a domain name ready for this exact project for a couple years.
With a properly configured gitconfig, .ssh/config I use different keys per domain(for different github accounts), different keys for different domains(ssh) and the like.