Configuring SSH (keys) and Git

This post is about configuring SSH so that you can e.g. login into remote computer with terminal only, use git without password (a bit of controversy here, because the ssh-keys are password in another form IMO). Actually, for remote terminal, it is possible to login with username as password unless it is restricted. However, I prefer fancier way of life using SSH keys.

1. SSH Key Generation

The first step is generating the so called private-public key pair for this asymmetric encryption. The public key is what you can share with the whole internet without endangering your secret, whereas private key should be kept secured just like your everyday passwords.

To generate a private-public key pair, one of the following command can be used:

$ ssh-keygen -t rsa -b 4096 -C tjango@thisLaptop
$ ssh-keygen -t ed25519 -C tjango@thatDesktop

• Not a security expert here, but AFAIK, RSA should have key length >= 3072-bit to be sufficiently secure in current age.
  • To avoid thinking about these, I therefore prefer ED25519 whenever it is supported.
• My personal preference is to add a comment with the -C option as I have multiple identities in a computer. Note that this comment does not have to be the email this used for the login specifically.
• As a lazy person, I just leave the Passphrase blank
• If the created key has an uncommon name, it (the private key) needs to add to ssh-agent manually as follow:

  $ ssh-add ~/.ssh/id_rsa_whatever_name
  

2. Remote Side

The next step is to get the public key (with extension .pub) to the remote computer somehow.

Remote Shell with SSH

This is what I presume to be the original intent of SSH. For this purpose, we have to get the content in our public key into ~/.ssh/authorized_keys of the remote computer by hook or by crook.

1. the simple way with ssh-copy-id utility

    $ ssh-copy-id [-i ~/.ssh/id_some_key.pub] yourLoginName@remoteName
   

2. manually, either
   • using SCP and so on as described in this wiki
   • or simply just SSH to remote, nano/vim the ~/.ssh/authorized_keys, and paste the content

Git (GitHub etc)

This is relatively straight forward. Usually you just need to go to Settings -> SSH (and GPG) Keys and add a new key there.

3. Test Connection etc

After all has been set up, I will usually perform a connectivity check to make sure everything is working properly.

$ ssh -vT yourLoginName@remoteName  # for remote SSH
$ ssh -vT git@github.com            # for git at GitHub. For other host, change accordingly

• For the first connection, you will be prompted with a dialogue about the host key fingerprint. Do check their websites to verify it.
• If it is not working, check the messages on the terminal to see which keys have been tried for the connection (verbose option is on with the -v switch).

4. Others

SSH-Agent

SSH-Agent is a tool to manage SSH-keys (mostly for keys with atypical filenames). Here are some commands that I have used:

$ ssh-agent -s  # start the agent
$ ssh-add -l    # show fingerprints of keys
$ ssh-add -L    # show public keys

Another way to show fingerprint is with ssh-keygen, which works with both public and private keys.

$ ssh-keygen -lvf ~/.ssh/id_key  # -v for randomart.

Manage Multiple Git Identities with SSH_Config

In the event where you have multiple identities (e.g. public and personal) on the same host (e.g. Github.com), it would be a better idea to have a way to manage them so that I would not accidentally use my public personality to push to my private repo. This is where ssh_config comes into play. In the file ~/.ssh/config, add the following lines:

# private tjango account
Host github-tjango
  HostName github.com
  User tjango
  IdentityFile ~/.ssh/id_ed25519_tjango
  IdentitiesOnly yes

# work account
Host github-work
  HostName github.com
  User workname
  IdentityFile ~/.ssh/id_ed25519_workname
  IdentitiesOnly yes

And remember for the remote url, it has to be changed to github-tjango and github-work respectively (either via git CLI, GUI or directly in .git/config file).

GPG

GPG stands for GnuPG, which is a way to sign digitally. This way, git can add a verified tag besides your commits, saying that you personally done that. I am a bit too lazy for this so maybe next time.

---

References

• Archlinux Wiki on SSH
• Man Page on SSH_Config
• GitLab Help
• Github Help
• jexchan’s Gist on Multiple SSH