ssh key for lifetime
Hardware failures aren't uncommon. Your system will crash, according to Murphy's law (if something can go wrong, it will go wrong :P).
ssh is a protocol that lets you open a secure shell on a remote server. The popular (and default) way the protocol authenticates you is public-key authentication with the RSA algorithm. To generate a key pair, run this on your local machine:
ssh-keygen
It produces two files, id_rsa and id_rsa.pub (you can change the names, the path of the files, etc.).
id_rsa.pub is the public key; you can share its contents with any system where you want to authenticate yourself over ssh. Typical examples are servers you manage, GitHub, etc.
id_rsa is the private key. It is supposed to stay with you and never be shared, unless you're moving to a new laptop or workstation.
So, whenever you generate a new key pair, you end up having to add the new public key everywhere the old one was added. If your key is only on GitHub, Bitbucket and a couple of servers, that's okay. But imagine if your key is on 1000 servers, and you don't even know all the servers it's on (or going to be on), since it might be used by automation tools.
So, changing your public key whenever you buy a new laptop isn't really a solution.
Instead, save the file
~/.ssh/id_rsa
somewhere in the cloud (email it to yourself with an appropriate subject, add it to Google Drive or Dropbox sync, your master pen drive, etc.).
If you lose your public key but still have the private key, you can regenerate it with
ssh-keygen -f <private-key> -y
Preferably upload the files rather than copy-pasting their contents, since the spacing and line breaks have to be preserved exactly.
When you need to add them on a new system, download the files. Let's assume they're in the ~/Downloads/ssh folder.
mkdir -p ~/.ssh
cp ~/Downloads/ssh/id_rsa ~/.ssh/id_rsa
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
Now ssh into any machine as you used to. It should work out of the box.
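As an added example for the restore step (this is not code from the original post), here is a POSIX shell script that does the copy and chmod above, refuses to continue if the resulting modes are not what ssh requires, and re-derives the public key with the same ssh-keygen -y command to check it against a saved id_rsa.pub. The paths ~/Downloads/ssh and ~/.ssh follow the post; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): restore a backed-up private key
# into a fresh ~/.ssh with the permissions ssh expects, then confirm that the
# public key derived from it matches the saved id_rsa.pub, if you have one.
# Function names and the "run" guard at the bottom are assumptions of this
# example, not part of the post.

# install_key SRC_PRIVATE_KEY SSH_DIR
# Copies the private key into SSH_DIR as id_rsa, sets 700 on the directory
# and 600 on the key, and returns non-zero if the modes did not end up that
# way (ssh ignores a private key that is group- or world-readable).
install_key() {
    src="$1"
    dir="$2"
    mkdir -p "$dir"
    chmod 700 "$dir"
    cp "$src" "$dir/id_rsa"
    chmod 600 "$dir/id_rsa"
    # stat -c is GNU coreutils; on macOS use: stat -f '%Lp'
    [ "$(stat -c '%a' "$dir")" = "700" ] || return 1
    [ "$(stat -c '%a' "$dir/id_rsa")" = "600" ] || return 1
    return 0
}

# pubkey_matches PRIVATE_KEY SAVED_PUBLIC_KEY
# Re-derives the public key (the post's "ssh-keygen -f <private-key> -y")
# and compares only the key type and key material, because the trailing
# comment field may differ between copies of the same key.
# Returns 2 if ssh-keygen could not read the private key at all.
pubkey_matches() {
    derived="$(ssh-keygen -f "$1" -y 2>/dev/null)" || return 2
    derived="$(printf '%s\n' "$derived" | awk '{print $1, $2}')"
    saved="$(awk 'NF >= 2 { print $1, $2; exit }' "$2")"
    [ -n "$derived" ] && [ "$derived" = "$saved" ]
}

# Usage as in the post: the downloaded keys sit in ~/Downloads/ssh.
# Invoke as:  sh restore_key.sh run
if [ "${1:-}" = "run" ]; then
    install_key "$HOME/Downloads/ssh/id_rsa" "$HOME/.ssh" || {
        echo "permissions on ~/.ssh are wrong, not continuing" >&2
        exit 1
    }
    if [ -f "$HOME/Downloads/ssh/id_rsa.pub" ]; then
        if pubkey_matches "$HOME/.ssh/id_rsa" "$HOME/Downloads/ssh/id_rsa.pub"; then
            echo "restored private key matches the saved public key"
        else
            echo "WARNING: saved id_rsa.pub does not belong to this id_rsa" >&2
            exit 1
        fi
    fi
fi
```

If the private key is protected by a passphrase, ssh-keygen -y prompts for it before printing the public key; with the empty passphrase the post uses it prints immediately. Checking the derived public key against the backup copy is the quickest way to notice that you restored the wrong key file before you start getting "Permission denied (publickey)" from a thousand servers.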
Rotating an ssh private key
Let's assume a scenario where you think your private key may have been compromised. It's better to rotate the pem file and create a new one.
To do so, run
ssh-keygen
It asks for a file name. Do not overwrite id_rsa; give it a new name such as new_id_rsa:
Enter file in which to save the key (/Users/sample/.ssh/id_rsa): new_id_rsa
You may keep the passphrase empty.
It'll create two files: new_id_rsa and new_id_rsa.pub
ssh to your instances with the existing private key as you normally do, edit the file
~/.ssh/authorized_keys
and paste the contents of
new_id_rsa.pub
on a new line. Keep that terminal open, and log in to the machine from a second terminal with the new private key to validate it:
ssh -i ~/.ssh/new_id_rsa <username>@<ip_address>
Once validated, remove the older key from
~/.ssh/authorized_keys
Repeat this for all the places where that public key is used, and then delete the old pem key. :)
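The rotation steps above (add the new public key, validate, remove the old one), as an added example that is not from the original post: POSIX shell functions that edit an authorized_keys file idempotently and refuse to remove the last remaining key, so running the removal before the new key is in place cannot lock you out. Run them on each server inside the session you already have open with the old key. The function names are my own, and the key strings in the comments are constructed, not real keys.

```shell
#!/bin/sh
# Added example (not from the original post): the post's rotation procedure
# applied to an authorized_keys file, with each step made safe to re-run.
# Function names are assumptions of this example.

# key_material PUBKEY_FILE -> "type base64"
# Drops the trailing comment, which may differ between copies of one key
# (e.g. "ssh-rsa AAAA... old-laptop" vs "ssh-rsa AAAA... backup").
key_material() {
    awk 'NF >= 2 { print $1, $2; exit }' "$1"
}

# has_authorized_key AUTH_FILE PUBKEY_FILE -> 0 if the key is present
has_authorized_key() {
    grep -qF -- "$(key_material "$2")" "$1"
}

# add_authorized_key AUTH_FILE PUBKEY_FILE
# Appends the new public key on its own line unless it is already there.
add_authorized_key() {
    auth="$1"; pub="$2"
    mat="$(key_material "$pub")"
    touch "$auth"
    if ! grep -qF -- "$mat" "$auth"; then
        # start on a fresh line even if the file lacks a trailing newline;
        # two keys on one line would silently disable both
        [ -s "$auth" ] && [ "$(tail -c 1 "$auth")" != "" ] && printf '\n' >> "$auth"
        cat "$pub" >> "$auth"
    fi
    chmod 600 "$auth"
}

# remove_authorized_key AUTH_FILE PUBKEY_FILE
# Removes every line carrying the old key's material. Returns 1 without
# touching the file if that would leave no keys at all, i.e. if you have not
# validated and added the new key yet.
remove_authorized_key() {
    auth="$1"; pub="$2"
    mat="$(key_material "$pub")"
    remaining="$(grep -vF -- "$mat" "$auth" | grep -c . || true)"
    [ "$remaining" -gt 0 ] || return 1
    grep -vF -- "$mat" "$auth" > "$auth.tmp" && mv "$auth.tmp" "$auth"
    chmod 600 "$auth"
}

# Sequence on one server, mirroring the post (paths are the post's):
#   add_authorized_key ~/.ssh/authorized_keys ~/new_id_rsa.pub
#   ... validate from a second terminal with: ssh -i ~/.ssh/new_id_rsa ...
#   remove_authorized_key ~/.ssh/authorized_keys ~/old_id_rsa.pub
```

Matching on the key material rather than the whole line is what makes the removal reliable: the comment at the end of a public key line is free text and is often edited or dropped when a key is pasted into many servers, so a full-line match would miss some copies and leave the compromised key active.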
To avoid adding your username each time you log in, put something like this in ~/.ssh/config:
cat ~/.ssh/config
Host *
    User <username_here>
This lets you type ssh <ip_address> instead of ssh <username>@<ip_address>.
You can also specify different usernames for different sets of servers.
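As an added example of per-server usernames (not from the original post), here is a ~/.ssh/config that layers specific Host blocks over the catch-all above. The host names, IP range, user names and key file name are assumptions.

```sshconfig
# Added example (not from the original post). ssh takes the FIRST matching
# value for each option, so the specific blocks must come before "Host *".

# Servers in this range: log in as the deploy account with the rotated key
Host 10.0.1.*
    User deploy
    IdentityFile ~/.ssh/new_id_rsa

# GitHub authenticates every account as the "git" user
Host github.com
    User git

# Everything else: the account name you use on the rest of your machines
Host *
    User <username_here>
```

Because ssh stops at the first matching value per option, a "User" under "Host *" placed at the top of the file would override every block below it; keep the wildcard block last.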