Stepping up my ssh game

In the past, I used ssh almost solely for remote administration of a couple of boxes, which were well within my physical control (in the server room at work, the one at my desk at home, etc.). However, I’ve started using my laptop more and a number of services/tools that I want to use (Gitorious, Bazaar, Git, Launchpad, etc.) build on top of ssh. So I figured it was finally time to up my game on that front.

I always knew I should protect my private key with a passphrase, but to be honest, I’ve never done it–until recently. Just googling on ssh, you get pages of material that completely gloss over adding a passphrase to your identity key and why it’s important. Dave Dribin at least mentions it in his article on ssh-agent and Leopard’s integration with it. The basic premise is that someone has gained access through your account: through your web browser, using a terrible password, leaving your laptop unattended at the coffee shop, or perhaps it was stolen. If someone has your private ssh key, and it isn’t protected by a passphrase, then you’re in for a world of hurt, especially if you’ve been talking to a bunch of boxes. Better yet, they know exactly which hosts to compromise first. They’re listed in ~/.ssh/known_hosts.

However, adding a passphrase isn’t all glorious either. Most folks would like to simply ssh into a box, and start working. No password involved (at that’s one of the beauties of public key authentication). Adding a passphrase to your key means that ssh will want to ask for your passphrase every time you connect to a box. That is, unless you use ssh-agent.

ssh-agent has been around for quite some time, and helps to relieve that burden of entering your password every time. On the Mac, you had to launch it yourself or set it up to launch when you log in. I don’t use ssh that much, so it’s annoying to have it around constantly, and–as Dave Dribin points out–there are concerns there too. Dave also point out, that Leopard changes how ssh-agent is integrated. It now fires up only when you need it, and you can incorporate your identity into KeyChain, making it much more convenient to work with identities protected with a passphrase. He also has a follow-on article about how to use the KeyChain in a more secure manner. If you don’t happen to be using Mac OS X, there are other graphical agents for Linux that can do similar things (gnome-keyring comes to mind).

So, I’ve finally got my new keys installed and my old ones removed. It didn’t take very long–about 10 minutes once I was happy with how the integration with Leopard would work.

Oh, BTW, there’s a nice little article by Paul Keck on how to set up ssh keys. Getting the keys generated is easy, the man page tells you how to do that pretty well, but he has a nice little section on “single-purpose keys.” It wasn’t until recently that I realized you could put command="/path/to/command args..." in front of the key in ~/.ssh/authorized_keys to run a specific command upon sshing into the box. It’s pretty nifty, and that’s exactly how Bazaar, Git, and a host of other tools utilize the ssh transport.

Neat stuff! ssh has to be one of the best tools ever. It’s flexibility is unmatched. So make sure you keep it secure. :-)