SSH Keys
Key Location
The server's host keys live in /etc/ssh/. The .pub files are the public halves; the matching private keys have the same name without .pub and must stay readable by root only:
ssh_host_rsa_key.pub (for RSA keys)
ssh_host_ecdsa_key.pub (for ECDSA keys)
ssh_host_ed25519_key.pub (for Ed25519 keys)
User keys live in ~/.ssh/ (for example ~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub), and the public keys a server will accept for a user are listed in that user's ~/.ssh/authorized_keys.
What key or algorithm to use
When choosing an SSH key type for logging into a server, the recommended options are ED25519 and RSA. Here's a comparison of the different key types:
- ED25519
  - Security: Very strong security properties; resistant to common attacks. There are no parameters to get wrong, and signatures are deterministic, so there is no nonce-reuse failure mode.
  - Performance: Fast signing and verification, efficient in terms of CPU and memory usage.
  - Key Size: Fixed size of 256 bits (32 bytes), producing 64-byte signatures.
  - Recommendation: Generally considered the best option for new keys due to its balance of security and performance.
- RSA
  - Security: Depends on key size. 2048 bits is the minimum still considered acceptable, 3072 bits is the baseline for new keys (and the ssh-keygen default since OpenSSH 8.0), and 4096 bits is better for long-term security.
  - Performance: Slower than ED25519, especially for larger keys.
  - Key Size: 2048, 3072 or 4096 bits.
  - Recommendation: A good choice if compatibility with older systems is a concern, but ED25519 is preferred for new setups. Note that OpenSSH 8.8 disabled the legacy ssh-rsa (SHA-1) signature scheme by default; RSA keys themselves still work, using rsa-sha2-256/512 signatures, so a "no matching host key type found" error against a very old server is about the signature scheme, not the key.
- ECDSA
  - Security: Based on the NIST P-256/P-384/P-521 curves; sound, but it depends on a fresh random nonce for every signature, which Ed25519 does not.
  - Performance: Fast, comparable to ED25519.
  - Recommendation: Fine where it is already deployed (many distributions generate an ECDSA host key), but ED25519 is preferred for new keys.
- DSA (Digital Signature Algorithm)
  - Security: Limited to 1024-bit keys in the SSH protocol, which is far too small today. OpenSSH has disabled ssh-dss by default since 7.0 (2015) and newer releases have removed it entirely.
  - Performance: Irrelevant in practice, since the algorithm should no longer be used.
  - Recommendation: Not recommended; replace any remaining DSA keys with ED25519.
Check the SSH Key Fingerprint
Command:
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub
ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub
The output shows the key size, its SHA256 fingerprint, the key comment and the key type. For example:
2048 SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx root@raspberrypi (RSA)
The first field is the bit length (2048/3072/4096 for RSA, 256 for ED25519 and ECDSA nistp256). Run this on the server and compare the fingerprint with the one ssh shows on first connection ("The authenticity of host ... can't be established"); that out-of-band comparison is what protects against a man-in-the-middle on the first connect. The same command on ~/.ssh/authorized_keys prints one line per accepted key, which is a quick way to spot old or weak keys.
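The following is an added example, not part of the original notes: a small POSIX shell audit that grades ssh-keygen -l output lines against the key-type guidance above (ED25519 and ECDSA ok; RSA rejected below 2048 bits and flagged below 3072; DSA rejected). The thresholds, the function names and the sample lines (with placeholder fingerprints) are this example's own choices.

```sh
#!/bin/sh
# Added example (not from the original notes): grade the lines that
# `ssh-keygen -l -f <file>` prints against the key-type guidance above.
# Works on anything ssh-keygen -l accepts: a .pub file, a host key, or an
# authorized_keys file (one line per key).  The thresholds are this example's
# own policy: RSA below 2048 bits is rejected, 2048..3071 flagged for rotation,
# DSA always rejected (1024-bit only; disabled by default since OpenSSH 7.0).

# One ssh-keygen -l line:  <bits> <fingerprint> <comment> (<TYPE>)
# Prints:  <verdict> <TYPE> <bits> <fingerprint>   verdict = ok|weak|reject|unknown
grade_key() {
    bits=${1%% *}            # first field
    rest=${1#* }
    fp=${rest%% *}           # second field
    type=${1##*\(}           # text inside the final parentheses
    type=${type%\)}
    case $type in
        ED25519) verdict=ok ;;
        ECDSA)   verdict=ok ;;       # acceptable where deployed; new keys should be ED25519
        DSA)     verdict=reject ;;
        RSA)
            if   [ "$bits" -lt 2048 ]; then verdict=reject
            elif [ "$bits" -lt 3072 ]; then verdict=weak
            else verdict=ok; fi ;;
        *)       verdict=unknown ;;  # e.g. certificate types such as RSA-CERT
    esac
    printf '%s %s %s %s\n' "$verdict" "$type" "$bits" "$fp"
}

# Grade every line on stdin; exit status 1 if any key is rejected, else 0.
audit_keys() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        out=$(grade_key "$line")
        echo "$out"
        case $out in reject*) bad=1 ;; esac
    done
    return $bad
}

# Constructed sample of what ssh-keygen -l prints for four keys; the
# fingerprints are placeholders, not real ones.
sample_key_lines() {
    cat <<'EOF'
256 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA alice@laptop (ED25519)
2048 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB root@raspberrypi (RSA)
1024 SHA256:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC legacy-backup (DSA)
4096 SHA256:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD no comment (RSA)
EOF
}
```

Run it on real data with `ssh-keygen -lf ~/.ssh/authorized_keys | audit_keys` (or on each host key under /etc/ssh); `sample_key_lines | audit_keys` shows the expected verdicts, and the non-zero exit status makes it usable as a check in a provisioning or CI script.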
How to Use Multiple Keys
Use a separate key per service or trust level (work versus personal, code hosting versus servers), so that a key that leaks from one place does not grant access everywhere else.
Configure your SSH client to pick the right key per host in the ~/.ssh/config file. Here's an example:
# GitHub
Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_rsa_github
    # Offer only this key; otherwise ssh also tries every key the agent holds
    IdentitiesOnly yes

# Bitbucket
Host bitbucket.org
    HostName bitbucket.org
    User git
    IdentityFile ~/.ssh/id_rsa_bitbucket
    IdentitiesOnly yes

# Raspberry Pi
Host raspberrypi
    HostName <your_pi_ip>
    User pi
    IdentityFile ~/.ssh/id_rsa_raspberrypi
    IdentitiesOnly yes
If you don't have a ~/.ssh/config file, create it and add your configuration there. Check which key ssh will actually use for a host with ssh -G <host>, which prints the effective configuration.
Set proper permissions: ssh enforces this itself. The ~/.ssh directory should be mode 700, private keys mode 600 (ssh refuses a group- or world-readable private key with a "Permissions ... are too open" warning), and the config file must not be writable by anyone else or ssh aborts with "Bad owner or permissions":
chmod 600 ~/.ssh/config
Load the SSH keys into the SSH agent
Edit your shell configuration file (e.g. ~/.bashrc, ~/.bash_profile or ~/.zshrc) and add the following lines. This simple form starts a fresh agent in every new shell and leaves the old ones running, which is acceptable for a single login shell but wasteful with many terminals:
# Start SSH agent and add key
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/github_y >/dev/null 2>&1
Or this, which starts an agent only when none is running for your user:
# Start the SSH Agent automatically (bash/zsh syntax)
if ! pgrep -u "$USER" ssh-agent > /dev/null; then
    # No agent yet: start one and save its environment for later shells.
    # -t 1h makes added identities expire after an hour; the agent itself keeps running.
    ssh-agent -t 1h > "$XDG_RUNTIME_DIR/ssh-agent.env"
fi
if [[ ! -S "$SSH_AUTH_SOCK" ]]; then
    # -S: SSH_AUTH_SOCK must be a live Unix socket (-f would never match a socket)
    source "$XDG_RUNTIME_DIR/ssh-agent.env" >/dev/null
fi
Explanation:
if ! pgrep -u "$USER" ssh-agent > /dev/null; then
pgrep -u "$USER" ssh-agent looks for an ssh-agent process belonging to the current user ($USER). The leading ! negates the result, so the condition is true when no agent is running, and > /dev/null discards pgrep's output (the matching PIDs), which is not needed here. This only proves that some agent process exists; it says nothing about whether this shell can reach it, which is what the second test is for.

ssh-agent -t 1h > "$XDG_RUNTIME_DIR/ssh-agent.env"
ssh-agent -t 1h starts a new agent. The -t 1h option sets the default maximum lifetime of identities added to it: a key loaded with ssh-add is forgotten after one hour (ssh-add -t can override this per key), but the agent process itself keeps running; -t does not shut the agent down. On startup ssh-agent prints shell commands that set SSH_AUTH_SOCK and SSH_AGENT_PID. Redirecting them to ssh-agent.env in $XDG_RUNTIME_DIR (normally /run/user/<uid>, a per-user directory created at login with mode 700) saves them where only this user can read them, so later shells can source the file. If your login does not set XDG_RUNTIME_DIR (cron jobs, some containers), point this at another directory only you can read.

if [[ ! -S "$SSH_AUTH_SOCK" ]]; then
[[ ! -S "$SSH_AUTH_SOCK" ]] is true when SSH_AUTH_SOCK is empty or does not name an existing Unix socket. SSH_AUTH_SOCK is the socket over which ssh and ssh-add talk to the agent. Use -S here, not -f: -f tests for a regular file, and a socket is never a regular file, so with -f the condition would be true even when the agent is healthy and the file would be re-sourced in every shell.

source "$XDG_RUNTIME_DIR/ssh-agent.env" >/dev/null
If the shell cannot see a live agent socket, this sources the saved variables so the current session uses the agent that was started earlier (or just now). >/dev/null hides the "Agent pid NNN" line that the file echoes. A stale file (agent killed, socket gone) still sets the variables; ssh-add -l then fails with exit code 2 and "Could not open a connection to your authentication agent", and the cure is to delete the file and start over.
Summary:
- The script checks whether an ssh-agent is already running for the current user. If not, it starts one, with added identities expiring after one hour (the agent itself keeps running), and saves the agent's environment variables to a file in $XDG_RUNTIME_DIR.
- If SSH_AUTH_SOCK does not point at a live socket (the current shell is not yet connected to an agent), it sources the variables from that file so the shell can talk to the agent.
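The following is an added example, not part of the original notes: a POSIX shell version of the same idea that reuses one agent per login session and adds the checks a practitioner wants (a real socket test with -S, asking the agent via ssh-add -l instead of trusting pgrep, a fallback when XDG_RUNTIME_DIR is unset, and an owner-only environment file). It assumes OpenSSH's ssh-agent and ssh-add; the function and file names are this example's own choices.

```sh
#!/bin/sh
# Added example, not part of the original notes: one ssh-agent per login
# session, reused by every shell.  Assumes OpenSSH's ssh-agent/ssh-add; the
# function and file names are this example's own.  Source this from ~/.bashrc
# (or ~/.zshrc) and call ensure_ssh_agent.

# Where the agent's environment is persisted.  $XDG_RUNTIME_DIR is a per-user
# mode-700 directory when present; otherwise fall back to ~/.ssh (also 700).
agent_env_file() {
    if [ -n "${XDG_RUNTIME_DIR:-}" ] && [ -d "$XDG_RUNTIME_DIR" ]; then
        printf '%s/ssh-agent.env\n' "$XDG_RUNTIME_DIR"
    else
        printf '%s/.ssh/agent.env\n' "$HOME"
    fi
}

# True only if $1 names an existing Unix socket.  -f is the wrong test here:
# a socket is not a regular file, so -f is false for a perfectly good agent.
agent_socket_live() {
    [ -n "${1:-}" ] && [ -S "$1" ]
}

# Ask the agent rather than trusting a PID.  ssh-add -l exits 0 (keys loaded),
# 1 (agent answers, no keys) or 2 (cannot connect); 0 and 1 mean reachable.
# If ssh-add is not installed the exit code is 127, also "not reachable".
agent_reachable() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]
}

# Reuse the saved agent if its socket answers; otherwise start a fresh one.
# -t 1h bounds the lifetime of *added identities*; the agent keeps running.
ensure_ssh_agent() {
    envfile=$(agent_env_file)
    if [ -r "$envfile" ]; then
        . "$envfile" >/dev/null          # sets SSH_AUTH_SOCK / SSH_AGENT_PID
    fi
    if agent_socket_live "${SSH_AUTH_SOCK:-}" && agent_reachable; then
        return 0
    fi
    # Stale or absent: write the new environment with owner-only permissions.
    ( umask 077 && ssh-agent -s -t 1h > "$envfile" ) || return 1
    . "$envfile" >/dev/null
    agent_reachable
}
```

After `ensure_ssh_agent` succeeds, `ssh-add ~/.ssh/<key>` loads a key into the shared agent and every later shell that sources the same file talks to the same agent; if the agent was killed out from under the file, the -S and ssh-add checks fail and a new one is started instead of sourcing dead variables.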