Today I learned

Using separate SSH keys per host


It's a good idea to keep a separate key pair for every host. That way, if one private key is compromised, the attacker gets access to that one host rather than to everything you can log in to, and revoking and rotating a single key is far less disruptive than replacing the one key every server trusts. An easy way to manage this is to have SSH pick the key automatically from the user and host you're connecting to.

Configuring SSH

Edit the file ~/.ssh/config and add this Host * rule. Whenever SSH connects to a host, it will now look for a key at ~/.ssh/keys/<user>@<host> (%r expands to the remote user name, %h to the host name). Two caveats: once IdentityFile is set here, the default ~/.ssh/id_* keys are no longer tried for any host, so add another IdentityFile line if you still need one of them; and keys loaded into ssh-agent are still offered first, so add IdentitiesOnly yes under the same rule to stop SSH from presenting every agent key (and its public half) to every server you talk to.

Host *
  IdentityFile ~/.ssh/keys/%r@%h

Organize your keys

Put your SSH keys in ~/.ssh/keys/, named <user>@<host> (the public half gets the usual .pub suffix). The private key must be readable only by you (chmod 600), or SSH will refuse to use it. My key folder looks a little something like this.

├─── [email protected]
├─── [email protected]
├─── [email protected]
├─── [email protected]
├─── [email protected]
└─── [email protected]

You're done!

Try it out by connecting to a host that you have a key for. Add -v to the command to see which identity file SSH offered.

$ ssh git@github.com

  Hi rstacruz! You've successfully authenticated, but
  GitHub does not provide shell access.
  Connection to github.com closed.

Generating new keys

To create a new key, use ssh-keygen. When prompted for where to place the files, answer <HOME>/.ssh/keys/<user>@<host> (or pass it with -f). The interactive default is an RSA key, as shown below; -t ed25519 gives you a smaller, modern key. Do give it a passphrase: per-host keys limit the blast radius, but a passphrase-less key on disk is usable by anything that can read the file. Here's an example.

$ ssh-keygen

  Generating public/private rsa key pair.
  Enter file in which to save the key: /home/rsc/.ssh/keys/<user>@<host>
  Enter passphrase (empty for no passphrase):
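The three steps above (the Host * rule, the keys/ layout, and generating a key) fit in a small POSIX shell script. This is an added example, not code from the original post: it computes the path SSH will expand %r@%h to, writes the Host * rule once (with IdentitiesOnly yes), generates an ed25519 key per host, and audits the keys directory for loose permissions or a missing .pub half. KEYDIR and SSH_CONFIG are this script's own knobs, defaulting to the post's ~/.ssh/keys/ and ~/.ssh/config.

```shell
#!/bin/sh
# Added example, not code from the original post. Automates the
# ~/.ssh/keys/<user>@<host> layout. KEYDIR and SSH_CONFIG are this
# script's own knobs; they default to the paths used in the post.
KEYDIR="${KEYDIR:-$HOME/.ssh/keys}"
SSH_CONFIG="${SSH_CONFIG:-$HOME/.ssh/config}"

# key_path_for user@host -> the file "IdentityFile $KEYDIR/%r@%h" expands to.
# A bare host name uses the local user name, which is what ssh does when no
# user@ is given on the command line.
key_path_for() {
    case $1 in
        *@*) printf '%s/%s@%s\n' "$KEYDIR" "${1%%@*}" "${1#*@}" ;;
        *)   printf '%s/%s@%s\n' "$KEYDIR" "${USER:-$(id -un)}" "$1" ;;
    esac
}

# write_ssh_config -> appends the Host * rule exactly once. IdentitiesOnly
# stops ssh from also offering every key loaded in ssh-agent to every server.
write_ssh_config() {
    if grep -qF "IdentityFile $KEYDIR/%r@%h" "$SSH_CONFIG" 2>/dev/null; then
        return 0
    fi
    mkdir -p "$(dirname "$SSH_CONFIG")"
    printf '\nHost *\n  IdentityFile %s/%%r@%%h\n  IdentitiesOnly yes\n' \
        "$KEYDIR" >> "$SSH_CONFIG"
    chmod 600 "$SSH_CONFIG"
}

# new_host_key user@host -> generates an ed25519 key pair at the expected path,
# refusing to overwrite an existing key. ssh-keygen prompts for a passphrase.
new_host_key() {
    path=$(key_path_for "$1")
    if [ -e "$path" ]; then
        echo "refusing to overwrite $path" >&2
        return 1
    fi
    mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR"
    ssh-keygen -t ed25519 -C "$1" -f "$path"
}

# audit_keys -> reports private keys that group or other can access (ssh
# refuses to load those) or whose .pub half is missing. Returns 1 if any
# key is off, 0 if the directory is clean.
audit_keys() {
    status=0
    for key in "$KEYDIR"/*; do
        [ -f "$key" ] || continue
        case $key in *.pub) continue ;; esac
        [ -f "$key.pub" ] || { echo "missing public key: $key.pub"; status=1; }
        # columns 5-10 of ls -l are the group and other permission bits
        mode=$(ls -l "$key" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "loose permissions on $key (expected 0600)"; status=1
        fi
    done
    return $status
}
```

Typical use is write_ssh_config once, then new_host_key deploy@example.com for each host and audit_keys after copying keys between machines, since a careless cp or an unpacked backup is the usual way a private key ends up world-readable.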

You have just read Using separate SSH keys per host, written on February 13, 2019. This is Today I Learned, a collection of random tidbits I've learned through my day-to-day web development work. I'm Rico Sta. Cruz, @rstacruz on GitHub (and Twitter!).
