
Multiple RSA key pairs using ssh-keygen & .ssh/config (Mac OS X tutorial)

I got tired of typing my password after ssh‘ing to remote servers. After some googling, I found the solution: the ssh-keygen and ssh-copy-id commands. ssh-keygen generates an RSA private/public key pair. Once you generate the keys, the private key stays on your computer and the public key goes onto the server. ssh-copy-id copies the RSA public key to the remote server; it also creates the necessary file on the server and sets the permissions needed to make this all work.

I followed a tutorial from Ramesh Natarajan (http://goo.gl/fX68N). I got stuck on trying to copy the public key to the remote server. I’m on a Mac and apparently the ssh-copy-id command is not built in. I found the Mac install (available via GitHub, MacPorts or Homebrew) and completed Ramesh’s tutorial. I was able to quickly connect to the remote server without typing in the password… How sweet is that?

All was good until I started to frequently connect to different servers. Ramesh’s tutorial covers a single RSA key pair. For security, it’s best to have a unique RSA key pair for each unique connection: if one private key is ever exposed you only have to revoke it on one server, and no server can tell from your public key which other servers you also hold access to. After some searching, this can be accomplished by giving ssh-keygen a different filename for each key and listing the keys in the config file located within the hidden .ssh directory.


I first began by creating another unique RSA key pair:

ssh-keygen -f ~/.ssh/id_rsa_userA -C "userA @ somedomain.com"
  • The -f flag specifies the filename of the key file. In the example, it is “id_rsa_userA”. The private key will be “id_rsa_userA” and the public key will be “id_rsa_userA.pub”. As you can see from the absolute path, the files will be located in the hidden .ssh folder within your home directory.
  • The -C flag sets a comment. The string that follows is appended to the end of the RSA public key. This helps when you copy the public key to the remote server: you’ll know which key was copied because of the comment you provided. The comment is plain text and not part of the key, so don’t put anything secret in it.
  • With no -t or -b flags ssh-keygen creates a 2048-bit RSA key; add -b 4096 if you want a longer one.

The following is what you will typically see after you execute the previous command.

Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): [enter something complex]
Enter same passphrase again: [confirm by entering it again]
Your identification has been saved in /Users/username/.ssh/id_rsa_userA.
Your public key has been saved in /Users/username/.ssh/id_rsa_userA.pub.
The key fingerprint is:
81:d4:12:cd:57:aa:42:47:12:de:4c:23:6a:34:62:78 userA @ somedomain.com
The key's random art image is:
+--[ RSA 2048]----+
|        ..+o.    |
|         .. .    |
|         *.*     |
|       +.o o     |
|     .. +        |
|      S.  ..     |
|        ..       |
|       o + . . . |
|        .  +o.oE+|
+-----------------+
  • While generating the RSA key pair, you are prompted for a passphrase. You should set one! The passphrase encrypts the private key on disk, so a copied key file is useless without it. Check out this GitHub article on that (http://goo.gl/rR1ebp)
  • The locations of the private key (“identification”) and the public key are given.
  • The fingerprint and random art image are also shown; both identify the key and can be used to check that the right key was installed.

Repeat the ssh-keygen command for the other connections. Be sure to keep the filename of the key file unique and the comment unique, as well as relevant to the connection.


Use ssh-copy-id to copy the public RSA key to the remote server (on a Mac, install it via GitHub, MacPorts or Homebrew).

ssh-copy-id -i ~/.ssh/id_rsa_userA.pub userA@somedomain.com
  • The -i flag specifies the public key to upload. Make sure you point it at the .pub file; the private key must never leave your computer.
  • The last argument (userA@somedomain.com) is the remote host connection info.
  • ssh-copy-id will create the authorized_keys file if it doesn’t exist and append the public key (the one specified after the -i flag, “~/.ssh/id_rsa_userA.pub”). It’ll also update the relevant file and folder permissions.
  • You will be required to type in the account password to access the remote server (note: this is not the “passphrase” you created at the beginning of the tutorial). If this is the first time you connect to the server, ssh will also ask you to confirm the server’s host key fingerprint.

Test the connection again by ssh command:

ssh userA@somedomain.com

Mac OS X will then ask you to enter the “passphrase” you should have created when you used the ssh-keygen command. It is important to check the “Remember password in my keychain” box. By doing this, you no longer have to type in the “passphrase” every time you log in to this specific server. Keep in mind that the passphrase is then stored in your login keychain, so anyone who can unlock your Mac can use the key. On later macOS releases this dialog no longer appears; instead add UseKeychain yes and AddKeysToAgent yes to the entry in ~/.ssh/config, or load the key into the keychain once with ssh-add.

(screenshot: the Keychain passphrase dialog)


This step is not necessary, but once connected to the remote server, you can examine the authorized_keys file:

cat ~/.ssh/authorized_keys
  • Within this file, you should be able to see a line starting with ssh-rsa, followed by the long base64-encoded key and then the comment included when the ssh-keygen command was executed. One line per key; if you ran ssh-copy-id twice you may see the same key twice, which is harmless but worth cleaning up.

You should log out and try another ssh connection to the same server. This time, the “passphrase” is saved by Keychain Access, so you shouldn’t have to type it again. If all is well, you should be instantly connected to the remote server.

Repeat the public key transfer for all the remaining server connections, uploading each server’s own .pub file.


Next is to store all the connection info into a config file contained within the .ssh folder. This will speed up connection to the remote servers by assigning shortcut names to each unique connection.

touch ~/.ssh/config
vim ~/.ssh/config
  • If the file doesn’t exist, the touch command creates it.
  • I’m using Vim to input the connection info. ssh refuses to read this file if other users can write to it (“Bad owner or permissions on ~/.ssh/config”), so keep it owned by you with mode 600, like your private keys.

For demonstration purposes, the following contains basic connection info for two different accounts. There is a lot that you can put into the config file, but I only limited it to basic connection info.

Host userA
  HostName somedomain.com
  User userA
  IdentityFile ~/.ssh/id_rsa_userA

Host userB
  HostName anotherdomain.com
  User userB
  IdentityFile ~/.ssh/id_rsa_userB
  • Host userA and Host userB are used for pattern matching and apply the declarations that follow them. The indentation of the following lines is conventional, not required; a block runs until the next Host line. userA and userB are the names I chose for their unique connections. This is also what you type when you remote connect to the server. It’s the shortcut name, so keep this name unique.
  • HostName somedomain.com and HostName anotherdomain.com state the domain of the remote servers.
  • User userA and User userB state the user account on the corresponding remote server.
  • IdentityFile ~/.ssh/id_rsa_userA and IdentityFile ~/.ssh/id_rsa_userB name the specific private RSA key to use for each host. Without an IdentityFile entry ssh would try its default keys (and every key in the agent) against every server.
  • More info about what can go inside the config file can be found here http://goo.gl/FEF1a5 or by checking out the manual pages in terminal (man ssh_config)
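As an added example (this is not code from the original post), here is a small Python script that generates per-host stanzas in the same layout for a list of connections and then lints the result for the mistakes that bite multi-key setups: a Host alias declared twice, one IdentityFile shared by several hosts, and a key given without IdentitiesOnly yes (without it ssh offers every key loaded in the agent to every server, which can trip the server’s MaxAuthTries limit and also tells that server which other keys you hold). The connection list is constructed, and the parser is deliberately minimal (it ignores Match blocks and wildcard precedence), so it is only meant for hand-written files in the form shown above.

```python
"""Generate per-host ~/.ssh/config stanzas and lint them (added example)."""
import re
from collections import Counter

# Constructed sample: (alias, user, hostname, private key) per connection.
CONNECTIONS = [
    ("userA", "userA", "somedomain.com", "~/.ssh/id_rsa_userA"),
    ("userB", "userB", "anotherdomain.com", "~/.ssh/id_rsa_userB"),
]


def stanza(alias, user, hostname, keyfile):
    """One Host block in the layout used above, plus IdentitiesOnly.

    IdentitiesOnly yes makes ssh offer only the listed IdentityFile instead of
    every key loaded in the agent, so a server never sees keys that belong to
    other connections and you don't exhaust MaxAuthTries before the right key.
    """
    return (
        f"Host {alias}\n"
        f"  HostName {hostname}\n"
        f"  User {user}\n"
        f"  IdentityFile {keyfile}\n"
        f"  IdentitiesOnly yes\n"
    )


def build_config(connections):
    """Join one stanza per connection into a config file body."""
    return "\n".join(stanza(*c) for c in connections)


def parse_config(text):
    """Minimal ssh_config reader: {alias: {keyword_lower: value}}.

    Keywords are case-insensitive and may be written 'Key value' or 'Key=value'.
    Indentation is ignored; a block runs until the next Host line. Match blocks
    and wildcard precedence are not modelled (enough for hand-written files).
    """
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            current = blocks.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return blocks


def lint_config(text):
    """Return a list of human-readable problems; empty means the file is clean."""
    problems = []
    # A Host alias declared twice: ssh applies every matching block and the
    # first value seen for each keyword wins, which is rarely what was meant.
    aliases = [
        line.split(None, 1)[1].strip()
        for line in text.splitlines()
        if line.strip().lower().startswith("host ")
    ]
    for alias, n in Counter(aliases).items():
        if n > 1:
            problems.append(f"Host {alias} declared {n} times")
    blocks = parse_config(text)
    # One private key reused across servers defeats the per-connection keys.
    keyfiles = Counter(b["identityfile"] for b in blocks.values() if "identityfile" in b)
    for keyfile, n in keyfiles.items():
        if n > 1:
            problems.append(f"IdentityFile {keyfile} shared by {n} hosts")
    for alias, b in blocks.items():
        if "identityfile" in b and b.get("identitiesonly", "no").lower() != "yes":
            problems.append(f"Host {alias}: IdentityFile set without IdentitiesOnly yes")
    return problems


if __name__ == "__main__":
    config = build_config(CONNECTIONS)
    print(config)
    print("lint:", lint_config(config) or "clean")
```

Run it as-is to print the generated stanzas, or call lint_config on the contents of your own ~/.ssh/config; an empty list means every host has its own key and IdentitiesOnly yes.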

That’s pretty much it. You can then quickly connect to the remote server, without inputting any password, by typing the command (ssh, sftp, scp, etc.) followed by the shortcut name as listed in the config file — the one after “Host”. Here are some connection examples:

  • sftp userA
  • ssh userA
  • sftp userB
  • ssh userB