I use SSH literally every single day, at work and at home, so for security and because I don't want to spend time typing long secure passwords I use SSH keys for authentication.

What's the problem?

Usually you'll generate a key pair with ssh-keygen, copy the public key to any server you want to log into and you're done. So what's the problem with that? Well if you ever want to renew that single key, increase its length for better security, find out which user and server that key is authorised for etc then you are going to have to change the public key on each of servers you can access.

It would be much better if we had a key pair per user per server, then we can renew, change or delete a key for a single login. We have complete control.

Key Pair Per User Per Server

You could generate a new key for each login but then when we run ssh we have to pass it the path to the key file for that login ssh -i /path/to/key which is inconvenient...

You can set up the SSH config file, located at ~/.ssh/config, with an entry for each of the servers we want to SSH into, like this:

HostName serveraddress
User username
IdentityFile /path/to/key

That's better, now we can specify a key per login but it still requires us to add a new entry to the config file every time we add a new login. Fortunately for us there are a number of variables that we can use in the config to make life easier.

%h	The hostname of the server we're trying to connect to
%r	The username of the server we're trying to connect to

Using these variables we can now write generic paths for keys for any login, for example:

Host *
IdentityFile ~/.ssh/rsa/%h/%r

Now if we do ssh foo@bar SSH will look for a key in ~/.ssh/rsa/bar/foo. Great we can generate a key for each of our logins drop them into the correct directory and ssh automatically knows where the key can be found.

The only manual task left is creating the keys themselves, moving them to the correct directory and setting permissions and ownership.. That sounds like that could easily be automated...

Multi SSH Key Manger

I wrote a little script that takes care of the generation, removal and just general management of a multi SSH key setup.

You can get a copy of it on my GitHub here or clone the repo with:

git clone git@github.com:moebrowne/multi-ssh-key-manager.git

Adding A New Key

Adding a new key can be as simple as:

./ssh-manager.sh create foo@bar.com

This will generate a new password-less RSA 4096 bit key pair to use when SSHing into the bar.com server as the foo user. The create method can be passed a number of flags, for example if we want to add a passphrase for the key just use the --passwd flag and you will be asked for a passphrase. Or use --comment "Descriptive key comment" to add a comment to the key.

Removing A Key

You can securely remove any keys with:

./ssh-manager.sh remove foo@bar.com

By default, the remove method will try and use the shred command when deleting key files but will fall back to rm if shred can't be found.

Listing Keys

To list all the currently stored keys run:

./ssh-manager.sh list

This will list out all keys currently stored. It will display the length, user, server etc for each key in a colour coded easy to read table.