Better Secure Shell (SSH)

I highly recommend using SSH public key authentication together with a customized SSH client configuration to ease your everyday SSH workflows. I manage more than 10 servers on a daily basis, and typing a password for each one would be tedious. Using the same password for all of them is definitely not recommended and is a risky decision. This post will be updated as I incorporate new and relevant changes to my setup.

The first thing you need in order to use SSH public key authentication is a key pair. ssh-keygen in my current version of OpenSSH offers several key types:

-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa

I use ed25519 as my primary key type and rsa as a secondary for older servers. Generate the keys with the following commands:

ssh-keygen -t ed25519 -o -a 100
ssh-keygen -t rsa -b 4096 -o -a 100

Below is the command-line (CLI) session in which I generate my primary key pair:

tankmek@pop-os:~/.ssh$ ssh-keygen -t ed25519 -o -a 100 -f cloud-ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in cloud-ed25519
Your public key has been saved in
The key fingerprint is:
SHA256:TveNjDgKh0OS7NSS6goP9NSFpU7NhmS6/2S7v2qbF8A tankmek@pop-os
The key's randomart image is:
+--[ED25519 256]--+
|     o .         |
|    + B          |
|   . =.=         |
| . += oE         |
| .Booo  S .      |
|.+o+.. o + + o   |
|+ ..+..o+ o + .  |
|oo   ++ooo       |
|o..   oB*o.      |

Move the public and private keys into your ~/.ssh directory and copy the public key to the appropriate server(s) with ssh-copy-id:

ssh-copy-id -i ~/.ssh/

Now we need to edit our SSH client configuration file (~/.ssh/config) so that it uses this key and saves us some typing:

 # ssh keeps the first value it obtains for each option, so host-specific
 # blocks go first and the general defaults belong at the end of the file.
 Host bitcoin
   User yagami
   Port 3312
   IdentityFile ~/.ssh/honey_ed25519

 Host sw0
   User michael
   # Legacy algorithms, only for old network gear that offers nothing better
   KexAlgorithms diffie-hellman-group-exchange-sha1
   Ciphers aes256-cbc
   MACs hmac-sha1

   User git
   IdentityFile ~/.ssh/github-ed25519

 Host miner
   User miner
   Port 2220
   IdentityFile ~/.ssh/crytpo-ed25519

 Host nas
   User storage
   IdentityFile ~/.ssh/cloud-ed25519

 # Defaults, applied last for any option not already set by a block above
 Host *
   User smurf
   IdentityFile ~/.ssh/cloud-ed25519
   ServerAliveInterval 120
   ServerAliveCountMax 20
   AddressFamily inet
   Protocol 2
   Compression yes


The ssh_config man page covers the configuration file in detail, but notice that I use several keys for different sites and have added convenience options such as the username, port and a short host alias. All of the configuration options above let me connect to a remote server with abbreviated ssh commands like the following:

ssh nas  # This connects me to my NAS
ssh sw0  # This connects me to a Cisco switch
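The resolution rule that makes block ordering matter, as an added example that is not part of the original post: ssh reads the config top to bottom and keeps the first value it obtains for each option (IdentityFile is one of the few that accumulate), so a `Host *` block that sets User before the host-specific blocks silently overrides them. The Python below is a simplified stand-in for that rule run over constructed config fragments modelled on the post; `parse_blocks`, `resolve` and `shadowed_by_defaults` are names chosen here, not OpenSSH APIs.

```python
import fnmatch

# Constructed ssh_config fragments modelled on the post (not the author's file).
DEFAULTS = "Host *\n  User smurf\n  IdentityFile ~/.ssh/cloud-ed25519\n"
HOSTS = "Host nas\n  User storage\n  Port 2220\n"
BAD_CONFIG = DEFAULTS + HOSTS   # defaults block first: the pitfall
GOOD_CONFIG = HOSTS + DEFAULTS  # defaults block last, as ssh_config(5) advises
MULTI_VALUE = {"identityfile"}  # ssh(1) accumulates these instead of first-wins


def parse_blocks(text):
    # Return [(host patterns, [(key, value), ...])]. Simplification: Match
    # blocks, negated "!" patterns and Key=Value syntax are not handled.
    blocks, patterns, opts = [], ["*"], []
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    for line in filter(None, lines):  # skips comment-only and blank lines
        key, value = (line.split(None, 1) + [""])[:2]
        key = key.lower()
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), []
        else:
            opts.append((key, value))
    blocks.append((patterns, opts))
    return blocks


def resolve(text, host):
    # Mimic ssh(1): the first obtained value of each option wins.
    resolved = {}
    for patterns, opts in parse_blocks(text):
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in opts:
                if key in MULTI_VALUE:
                    resolved.setdefault(key, []).append(value)
                else:
                    resolved.setdefault(key, value)
    return resolved


def shadowed_by_defaults(text):
    # First-wins options that `Host *` sets before a host block sets them too;
    # those host-specific values can never take effect.
    defaults, shadowed = set(), set()
    for patterns, opts in parse_blocks(text):
        keys = {k for k, _ in opts if k not in MULTI_VALUE}
        if patterns == ["*"]:
            defaults |= keys
        else:
            shadowed |= keys & defaults
    return sorted(shadowed)
```

On a real config the authoritative check is `ssh -G nas`, which prints every option ssh would actually use for that alias.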

If you set up an ssh-agent you will only have to type the key passphrase once per session, but we will talk about that in another update.

Thanks for reading.
