ssh key for lifetime

Hardware failures aren't uncommon. Your system will crash.
According to Murphy's law (If something can go wrong, it'll go wrong :P )

What's ssh?

ssh is a protocol that lets you open a secure shell on a remote server. The popular/default way the protocol authenticates you is via the RSA algorithm. To generate a key pair, run ssh-keygen on your local machine. It produces two files, id_rsa and id_rsa.pub (you can change the names, the path of the files, etc.).

id_rsa.pub is the public key; you can share its contents with anyone you want to authenticate yourself to over ssh. Typical examples are servers you manage, github, etc.

id_rsa is the private key. It is supposed to stay with you and is never shared, unless you're moving it to a new laptop or workstation.

So, whenever you generate a new key pair, you have to add the new public key everywhere the old one was added. If your key is on github, bitbucket and a couple of servers, that's okay. But imagine your key is on 1000 servers, and you don't even know all the servers it's on or is going to be on, because it might have been used in automation tools.

So, changing your public key whenever you buy a new laptop isn't really a solution here.

Instead, save the file ~/.ssh/id_rsa somewhere in the cloud (email it to yourself with an appropriate subject, put it on Google Drive, Dropbox sync, your master pen drive, etc.).

If you lost your public key but still have the private key, you can regenerate it using ssh-keygen -f <private-key> -y

Preferably, don't copy-paste the contents; upload the files instead, since their spacing etc. is supposed to stay exactly the same.

When you need to add them on a new system, download the files. Let's assume they're in the ~/Downloads/ssh folder.

mkdir -p ~/.ssh
cp ~/Downloads/ssh/id_rsa ~/.ssh/id_rsa
cp ~/Downloads/ssh/id_rsa.pub ~/.ssh/id_rsa.pub   # optional; can be regenerated with ssh-keygen -y
chmod 700 ~/.ssh          # ssh refuses keys in a directory that others can read
chmod 600 ~/.ssh/id_rsa   # private key must be readable by you only

Now ssh into any machine as you used to. It should work out of the box.

Rotating an ssh private key

Let's assume a scenario where you think the private key is compromised. It's better to rotate the pem file and create a new one.

To do so, run ssh-keygen. It asks for a file name. Do not overwrite id_rsa; give it a new name such as new_id_rsa here:

Enter file in which to save the key (/Users/sample/.ssh/id_rsa): new_id_rsa

You may keep the passphrase empty.

It'll create two files: new_id_rsa and new_id_rsa.pub

ssh to the instances with the existing private key as you normally do, edit the file ~/.ssh/authorized_keys and paste the contents of new_id_rsa.pub on a new line. Keep that terminal open, then log in to the machine with the new private key, ssh -i ~/.ssh/new_id_rsa <username>@<ip_address>, to validate.

Once validated, remove the older key from ~/.ssh/authorized_keys.

Repeat this for all the places where that public key is used. Then delete the old pem key. :)
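The rotation procedure above (add the new key, validate, then remove the old one) as a script, added here as an example and not taken from the original post. The function and file names are my own; the key strings are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not code from the original post. Rotates one public key
# inside an authorized_keys file: install the new key, confirm it is present,
# then drop the old one. Keys are compared on the "<type> <base64>" fields
# only, so a different trailing comment (user@host) still matches the same key.
set -eu

key_material() {           # key_material <pubkey_file> -> "<type> <base64>"
    awk 'NF >= 2 { print $1, $2; exit }' "$1"
}

count_authorized_key() {   # count_authorized_key <pubkey_file> <authorized_keys>
    awk -v m="$(key_material "$1")" \
        '($1 " " $2) == m { n++ } END { print n + 0 }' "$2"
}

add_authorized_key() {     # add_authorized_key <pubkey_file> <authorized_keys>
    touch "$2"; chmod 600 "$2"
    if [ "$(count_authorized_key "$1" "$2")" -eq 0 ]; then
        cat "$1" >> "$2"   # append only when absent, so repeated runs are safe
    fi
}

remove_authorized_key() {  # remove_authorized_key <pubkey_file> <authorized_keys>
    tmp="$2.tmp.$$"
    awk -v m="$(key_material "$1")" '($1 " " $2) != m' "$2" > "$tmp"
    chmod 600 "$tmp"; mv "$tmp" "$2"
}

rotate_authorized_key() {  # rotate_authorized_key <old_pub> <new_pub> <authorized_keys>
    # Same order as the manual procedure: add first, check, only then remove.
    add_authorized_key "$2" "$3"
    if [ "$(count_authorized_key "$2" "$3")" -lt 1 ]; then
        echo "new key was not installed; old key left in place" >&2
        return 1
    fi
    remove_authorized_key "$1" "$3"
}

demo_rotation() {          # builds constructed sample keys in a temp dir
    d="$(mktemp -d)"
    # Constructed, non-functional key material for demonstration only.
    printf 'ssh-ed25519 AAAAOLDKEYCONSTRUCTED laptop-old\n' > "$d/old.pub"
    printf 'ssh-ed25519 AAAANEWKEYCONSTRUCTED laptop-new\n' > "$d/new.pub"
    printf 'ssh-ed25519 AAAAOLDKEYCONSTRUCTED from-automation\nssh-rsa AAAAOTHERKEYCONSTRUCTED colleague\n' > "$d/authorized_keys"
    rotate_authorized_key "$d/old.pub" "$d/new.pub" "$d/authorized_keys"
    cat "$d/authorized_keys"   # leaves the colleague's key and the new key only
}
```

Run demo_rotation to see the result on the constructed file; on a real host, point rotate_authorized_key at ~/.ssh/authorized_keys only after you have confirmed a login with the new key from a second terminal.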

Other tip:
To avoid typing your username each time you log in, use something like this:

cat ~/.ssh/config

Host *
    User <username_here>

This lets you type ssh <ip_address> instead of ssh <username>@<ip_address>.

Also, you can specify usernames for different sets of servers.

Srujan
