
637 points h1x | 10 comments
1. kybernetyk ◴[] No.29208914[source]
So a little off-topic, but I’m still curious: how do you handle multiple machines and SSH keys? I mean, do you run ssh-keygen on a new machine and have a separate key pair for each computer, or do you have one key pair that you copy to every new machine?

I have seen both and using one key pair looks very convenient but also makes me feel a little uneasy.

I myself have a key pair for each of my machines.

How do you handle it?

replies(5): >>29208933 #>>29209007 #>>29209086 #>>29209300 #>>29209370 #
2. rkeene2 ◴[] No.29208933[source]
I use two keypairs, but with no ability to read the private key (smartcard).
replies(1): >>29209263 #
3. Hendrikto ◴[] No.29209007[source]
I have one key pair per machine and service. About 20 pairs on my laptop, 15 on my desktop.
4. adrian_b ◴[] No.29209086[source]
You can avoid specifying a lot of parameters at each SSH connection by defining aliases, e.g. of the form ssh-servername.

In each alias you put the appropriate "-i private_key_for_that_server", the server name and also "-l user_name" if you have a different user there and "-p port" if the server uses a non-standard port.

Thus, after the initial key setup, connecting to any server with different credentials is no more complex than when using a single key pair.

Except for an extra keygen step, the initial setup is not more complex than when using a single key pair, as you have to copy the public keys anyway, which is the more difficult part of the setup.

replies(1): >>29209663 #
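The per-server alias approach described above, written out as shell functions. This is an added example, not code from the thread; the host names, users, ports and key file names are invented, and the key directory defaults to `~/.ssh` (override with `SSH_ALIAS_KEYDIR`). Keeping the alias table in one function makes it easy to audit which key is presented to which server, and `IdentitiesOnly=yes` stops ssh and ssh-agent from offering every other loaded key to that server before the intended one.

```shell
#!/bin/sh
# Added example (not from the thread): per-server ssh aliases as shell
# functions, one key pair per server. Host names, users, ports and key
# file names below are made up for illustration.

SSH_ALIAS_KEYDIR="${SSH_ALIAS_KEYDIR:-$HOME/.ssh}"

# ssh_args NAME: print the ssh arguments for alias NAME.
# One place holds the whole table, so reviewing which key goes where
# is a matter of reading this function. Assumes the key directory
# path contains no whitespace (the string is word-split by the callers).
ssh_args() {
  case "$1" in
    build)
      printf '%s' "-o IdentitiesOnly=yes -i $SSH_ALIAS_KEYDIR/id_ed25519_build -l deploy -p 2222 build.example.com"
      ;;
    backup)
      printf '%s' "-o IdentitiesOnly=yes -i $SSH_ALIAS_KEYDIR/id_ed25519_backup backup.example.com"
      ;;
    *)
      printf 'unknown ssh alias: %s\n' "$1" >&2
      return 1
      ;;
  esac
}

# ssh_keygen_for NAME: create the dedicated key pair for alias NAME.
# The comment records which machine and purpose the key belongs to,
# which helps when pruning authorized_keys on the server later.
ssh_keygen_for() {
  ssh-keygen -t ed25519 -f "$SSH_ALIAS_KEYDIR/id_ed25519_$1" \
    -C "$(id -un)@$(hostname) for $1"
}

# ssh-NAME style wrappers: extra arguments are passed through to ssh,
# so "ssh_build uptime" runs uptime on the build server.
ssh_build() {
  # shellcheck disable=SC2046  # deliberate word splitting of the argument string
  ssh $(ssh_args build) "$@"
}
ssh_backup() {
  # shellcheck disable=SC2046
  ssh $(ssh_args backup) "$@"
}
```

Source this file from your shell startup (or define the functions as `alias ssh-build='...'` lines if you prefer aliases); after `ssh_keygen_for build` and copying the new public key to the server, `ssh_build` is as short to type as a single-key `ssh build.example.com`.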
5. visualphoenix ◴[] No.29209263[source]
This is what I do as well. Yubikey configured as a smartcard running gpg-agent with enable-ssh-support.
6. visualphoenix ◴[] No.29209300[source]
In the past I’ve used a certificate authority for ssh setup as one nice way to stop the proliferation of ssh keys. The other route is to use one hardware key fob with a gpg identity on it and use that as your global method of access.
7. ttyprintk ◴[] No.29209370[source]
With ssh-agent, up to five secret keys are tried (that’s a magic number on the server side). After five, I guess you must specifically maintain which secret key is used for each host or hostname pattern.

If you frequently move between workstations, maybe look into the new hardware key features (circa version 8.3). If you have multiple users that all connect to the same account, an SSH CA (circa version 7.4) would permit new access without needing to constantly modify server-side authorized_keys.

8. theli0nheart ◴[] No.29209663[source]
You might want to look into using .ssh/config instead, as it is built into SSH. In addition to letting you specify keys/usernames for arbitrary hosts, you can also use rules for wildcards, etc.
replies(1): >>29209739 #
9. rsfern ◴[] No.29209739{3}[source]
Shell completion over ssh is one of the really nice benefits of ssh config. I’m not sure if this is zsh specific, though.
replies(1): >>29209776 #
10. theli0nheart ◴[] No.29209776{4}[source]
It’s definitely not, I use bash and completion works great. I’d be surprised if there was a major shell that was not supported.
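The `.ssh/config` alternative suggested in comment 8, with the wildcard rule it mentions and the host list that the completion discussed in comments 9 and 10 draws on. This is an added example, not code from the thread; the host names, users, ports and key paths are invented. Specific `Host` blocks come first because ssh takes the first value it finds for each option, so the wildcard block at the end only supplies defaults for hosts that no earlier block matched.

```shell
#!/bin/sh
# Added example (not from the thread): a .ssh/config fragment that does
# the same job as per-server aliases, plus the host list that shell
# completion uses. Host names, users, ports and key paths are invented.

# Print the config fragment. Order matters: ssh uses the first value it
# obtains for each option, so specific hosts go before the wildcard.
ssh_config_example() {
  cat <<'EOF'
Host build
    HostName build.example.com
    User deploy
    Port 2222
    IdentityFile ~/.ssh/id_ed25519_build
    IdentitiesOnly yes

Host backup
    HostName backup.example.com
    IdentityFile ~/.ssh/id_ed25519_backup
    IdentitiesOnly yes

# Wildcard rule: every other host in the domain gets the lab key only,
# so no unrelated key is ever offered to those servers.
Host *.example.com
    IdentityFile ~/.ssh/id_ed25519_lab
    IdentitiesOnly yes
EOF
}

# Read a config on stdin and list concrete Host aliases, skipping
# wildcard and negated patterns; this is the word list "ssh <TAB>"
# completion needs.
ssh_config_hosts() {
  awk '$1 == "Host" { for (i = 2; i <= NF; i++) if ($i !~ /[*?!]/) print $i }'
}

# Install with:
#   ssh_config_example >> ~/.ssh/config && chmod 600 ~/.ssh/config
# Minimal completion in bash (bash builtin, not POSIX sh):
#   complete -W "$(ssh_config_hosts < ~/.ssh/config)" ssh
```

Distribution completion packages do the same extraction with more care (they also handle `Include` and known_hosts), which is why completion works in both bash and zsh once hosts are defined in the config. Keep the config file at mode 600, since it names which key is used for which server.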