I highly recommend using SSH public key authentication together with a customized SSH client configuration to ease your everyday SSH workflows. I manage more than 10 servers on a daily basis, and typing a password for each one would be tedious. Using the same password on all of them is definitely not recommended and is a risky decision. This post will be updated as I incorporate new and relevant changes to my setup.
The first step in adopting SSH public key authentication is to create a key pair. My current version of ssh-keygen offers several key types:
```
-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
```
I use ed25519 as my primary key type and rsa as a secondary for older servers that do not support it. Generate the keys with the following commands (`-o` writes the private key in the newer OpenSSH format and `-a 100` sets the number of KDF rounds used when protecting it with a passphrase):
```
ssh-keygen -t ed25519 -o -a 100
ssh-keygen -t rsa -b 4096 -o -a 100
```
Below is the command line (CLI) output I use to generate my primary public key:
```
tankmek@pop-os:~/.ssh$ ssh-keygen -t ed25519 -o -a 100 -f cloud-ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in cloud-ed25519
Your public key has been saved in cloud-ed25519.pub
The key fingerprint is:
SHA256:TveNjDgKh0OS7NSS6goP9NSFpU7NhmS6/2S7v2qbF8A tankmek@pop-os
The key's randomart image is:
+--[ED25519 256]--+
| o .             |
| + B             |
| . =.=           |
| . += oE         |
| .Booo S .       |
|.+o+.. o + + o   |
|+ ..+..o+ o + .  |
|oo ++ooo         |
|o.. oB*o.        |
+----[SHA256]-----+
```
Move the public and private keys to your .ssh directory and copy the public key to the appropriate server(s).
```
ssh-copy-id -i ~/.ssh/cloud-ed25519.pub user@ssh.host.com
```
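What ssh-copy-id does on the remote side is worth understanding, because sshd (with the default `StrictModes yes`) silently ignores an `authorized_keys` file whose permissions are too loose, and a careless append can leave duplicate or malformed lines behind. The following is an added example, not code from the original post or from OpenSSH: it validates a public key line, rejects deprecated key types, appends the key only if it is not already present, and sets the permissions sshd expects. The key line is a constructed sample, not a real key; `valid_pubkey` and `install_pubkey` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): the server-side effect of
# ssh-copy-id, done by hand. Appends a public key to authorized_keys only if
# it is not already present and sets the permissions sshd's StrictModes
# expects (700 on ~/.ssh, 600 on authorized_keys).
# The key line below is a CONSTRUCTED sample, not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExam tankmek@pop-os'

# valid_pubkey LINE -> 0 if LINE looks like an OpenSSH public key of an accepted type
valid_pubkey() {
    set -- $1            # split on whitespace: type, base64 blob, optional comment
    [ $# -ge 2 ] || return 1
    case $1 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|\
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;   # e.g. ssh-dss: refuse deprecated types outright
    esac
    # the key blob must be plain base64
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# install_pubkey LINE HOMEDIR -> appends LINE to HOMEDIR/.ssh/authorized_keys
# Prints "added" or "already present"; returns 1 on an invalid key.
install_pubkey() {
    key=$1; home=$2
    valid_pubkey "$key" || return 1
    umask 077                                   # new files are owner-only
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    ak="$home/.ssh/authorized_keys"
    touch "$ak" && chmod 600 "$ak"
    # compare only type + blob so a changed comment does not create a duplicate
    set -- $key
    if grep -Fq "$1 $2" "$ak"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$ak"
        echo "added"
    fi
}

# usage: install_pubkey "$SAMPLE_PUBKEY" "$HOME"
```

Running `install_pubkey` twice with the same key prints `added` and then `already present`, leaving a single line in the file; a `ssh-dss` line is refused before anything is written.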
Now we need to edit our SSH client configuration file to use this key and save some typing:
```
Host *.fakelabs.io
    User smurf
    IdentityFile ~/.ssh/cloud-ed25519

Host bitcoin
    Hostname bitcoin.fakelabs.org
    User yagami
    Port 3312
    IdentityFile ~/.ssh/honey_ed25519

#-----------------
Host sw0
    Hostname 10.10.14.254
    User michael
    KexAlgorithms diffie-hellman-group-exchange-sha1
    Ciphers aes256-cbc
    MACs hmac-sha1
    PreferredAuthentications=password

Host github.com
    Hostname github.com
    User git
    IdentityFile ~/.ssh/github-ed25519

Host miner
    Hostname 10.10.16.87
    User miner
    Port 2220
    IdentityFile ~/.ssh/crytpo-ed25519

Host nas
    Hostname 10.10.16.12
    User storage
    IdentityFile ~/.ssh/cloud-ed25519
    PreferredAuthentications=password

Host *
    ServerAliveInterval 120
    ServerAliveCountMax 20
    PreferredAuthentications=publickey
    AddressFamily inet
    Protocol 2
    IdentitiesOnly=yes
    Compression yes
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
```
The ssh_config man page covers the configuration file in detail, but notice that I use several keys for different sites and have added convenience options such as the username and hostname. All of the configuration options above let me connect to a remote server with abbreviated ssh commands like the following:
```
ssh nas   # This connects me to my NAS
ssh sw0   # This connects me to a Cisco switch
```
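The one rule about this file that trips people up is that ssh keeps the first value it obtains for each option, so per-host blocks must come before the `Host *` defaults block or the defaults win. The script below is an added example, not part of the original post or of OpenSSH: it resolves a host alias against a small constructed config modelled on the one above, applying the same first-match-wins rule and `*`/`?` wildcards in `Host` patterns, so you can check what `ssh nas` will actually use. `Match` blocks, `Include` and negated patterns are out of scope; `ssh_resolve` and `ssh_setting` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): resolve the effective ssh_config
# settings for a host alias the way ssh(1) does. Within the file, the FIRST
# obtained value for each keyword wins, so "Host *" defaults must come last.
# Only "Host" blocks with '*' and '?' wildcards are handled. The configs below
# are CONSTRUCTED samples modelled on the post's file.
SAMPLE_CONFIG=$(cat <<'EOF'
Host *.fakelabs.io
    User smurf
    IdentityFile ~/.ssh/cloud-ed25519
Host nas
    Hostname 10.10.16.12
    User storage
    PreferredAuthentications=password
# defaults for everything, deliberately last
Host *
    ServerAliveInterval 120
    PreferredAuthentications=publickey
    IdentitiesOnly=yes
EOF
)

# The same settings with the defaults block first: the common mistake.
WRONG_ORDER_CONFIG=$(cat <<'EOF'
Host *
    PreferredAuthentications=publickey
Host nas
    Hostname 10.10.16.12
    PreferredAuthentications=password
EOF
)

# ssh_resolve ALIAS [CONFIG_TEXT] -> prints "Keyword value" lines, sorted
ssh_resolve() {
    cfg=${2:-$SAMPLE_CONFIG}
    printf '%s\n' "$cfg" | awk -v alias="$1" '
        # convert an ssh Host pattern into an anchored regex
        function pat2re(p,   re) {
            re = p
            gsub(/[.]/, "[.]", re)      # literal dots
            gsub(/\*/, ".*", re)        # * matches any run
            gsub(/\?/, ".", re)         # ? matches one character
            return "^" re "$"
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # ssh_config accepts both "Key value" and "Key=value"
            if (match(line, /^[A-Za-z]+[ \t]*=[ \t]*/)) {
                key = substr(line, 1, RSTART + RLENGTH - 1)
                sub(/[ \t]*=.*$/, "", key)
                val = substr(line, RSTART + RLENGTH)
            } else {
                key = line; sub(/[ \t].*$/, "", key)
                val = line; sub(/^[^ \t]+[ \t]+/, "", val)
            }
            lkey = tolower(key)               # keywords are case-insensitive
            if (lkey == "host") {
                active = 0
                n = split(val, pats, /[ \t]+/)
                for (i = 1; i <= n; i++)
                    if (alias ~ pat2re(pats[i])) active = 1
                next
            }
            # first obtained value wins, exactly like ssh(1)
            if (active && !(lkey in seen)) {
                seen[lkey] = 1
                print key, val
            }
        }' | sort
}

# ssh_setting ALIAS KEYWORD [CONFIG_TEXT] -> the single effective value (empty if unset)
ssh_setting() {
    ssh_resolve "$1" "${3:-}" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2 }'
}

# usage: ssh_resolve nas ; ssh_setting nas PreferredAuthentications
```

With the sample config, `ssh_setting nas PreferredAuthentications` prints `password` because the `Host nas` block is read first; with `WRONG_ORDER_CONFIG` the same query prints `publickey`, which is exactly the surprise you get when the defaults block is placed at the top of a real `~/.ssh/config`.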
If you set up an ssh-agent you will only have to type the passphrase once per session, but we will talk about that in another update.
Thanks for reading.