Manage multiple SSH private keys with IdentityFile (여러개의 SSH key 관리)

여러 개의 SSH key를 관리해야 할 필요가 있다. 이 때는 아래를 참고하면 된다.

 

SSH has a per-user configuration file called ‘~/.ssh/config’ that it can use to select your private keys based on the remote user name and remote host by using wildcards. Let’s check out my ‘config’ file:

 IdentityFile ~/.ssh/ids/%h/%r/id_rsa  
 IdentityFile ~/.ssh/ids/%h/%r/id_dsa  
 IdentityFile ~/.ssh/ids/%h/id_rsa  
 IdentityFile ~/.ssh/ids/%h/id_dsa  
 IdentityFile ~/.ssh/id_rsa  
 IdentityFile ~/.ssh/id_dsa

 

The percent-h and percent-r take the host and the remote user from your SSH user and hostname arguments. Consider this example command:

 $ ssh remote_user@remote_hostname.example.com

 

From the example command, the SSH client would use the wildcards to seek the correct key to use:

~/.ssh/ids/remote_hostname.example.com/remote_user/

 

This means that if you had two private keys that you used to access two different servers, you would arrange them as follows. The first one is arranged as follows:

 $ ls -l ~/.ssh/ids/remote.example.com/remote_user/  
 total 16  
 -rw------- 1 kelvin staff 668 Mar 24 20:09 id_dsa  
 -rw-r--r-- 1 kelvin staff 610 Mar 24 20:09 id_dsa.pub  
 $ ssh remote_user@remote.example.com  
 [remote_user@remote ~]$

 

Our second example uses a simple hostname. If a remote user is not required, you can just use the hostname:

 $ ls -l ~/.ssh/ids/webby.example.org/  
 total 16  
 -rw------- 1 kelvin staff 668 Mar 24 20:09 id_rsa  
 -rw-r--r-- 1 kelvin staff 610 Mar 24 20:09 id_rsa.pub  
 $ ssh webby.example.org  
 [webby ~]$

 

For sure, these are totally contrived examples, but you can watch the cascade yourself by adding the verbosity flag(s) to your SSH client session (this one is my client’s WebFaction account):

Trinity:.ssh kelvin$ ssh -v user@user.webfactional.com  
 OpenSSH_5.2p1, OpenSSL 0.9.7l 28 Sep 2006  
 debug1: Reading configuration data /Users/kelvin/.ssh/config  
 debug1: Reading configuration data /etc/ssh_config  
 debug1: Connecting to user.webfactional.com [192.168.0.254] port 22.  
 debug1: Connection established.  
 debug1: identity file /Users/kelvin/.ssh/ids/user.webfactional.com/user/id_rsa type -1  
 debug1: identity file /Users/kelvin/.ssh/ids/user.webfactional.com/user/id_dsa type 2  
 debug1: identity file /Users/kelvin/.ssh/ids/user.webfactional.com/id_rsa type -1  
 debug1: identity file /Users/kelvin/.ssh/ids/user.webfactional.com/id_dsa type -1  
 debug1: identity file /Users/kelvin/.ssh/id_rsa type 1  
 debug1: identity file /Users/kelvin/.ssh/id_dsa type -1  
 debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3  
 debug1: match: OpenSSH_4.3 pat OpenSSH_4*  
 debug1: Enabling compatibility mode for protocol 2.0  
 debug1: Local version string SSH-2.0-OpenSSH_5.2  
 debug1: SSH2_MSG_KEXINIT sent  
 debug1: SSH2_MSG_KEXINIT received  
 debug1: kex: server->client aes128-ctr hmac-md5 none  
 debug1: kex: client->server aes128-ctr hmac-md5 none  
 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent  
 debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP  
 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent  
 debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY  
 debug1: Host 'user.webfactional.com' is known and matches the RSA host key.  
 debug1: Found key in /Users/kelvin/.ssh/known_hosts:41  
 debug1: ssh_rsa_verify: signature correct  
 debug1: SSH2_MSG_NEWKEYS sent  
 debug1: expecting SSH2_MSG_NEWKEYS  
 debug1: SSH2_MSG_NEWKEYS received  
 debug1: SSH2_MSG_SERVICE_REQUEST sent  
 debug1: SSH2_MSG_SERVICE_ACCEPT received  
 debug1: Authentications that can continue: publickey,password  
 debug1: Next authentication method: publickey  
 debug1: Trying private key: /Users/kelvin/.ssh/ids/user.webfactional.com/user/id_rsa  
 debug1: Offering public key: /Users/kelvin/.ssh/ids/user.webfactional.com/user/id_dsa  
 debug1: Server accepts key: pkalg ssh-dss blen 433  
 debug1: read PEM private key done: type DSA  
 debug1: Authentication succeeded (publickey).  
 debug1: channel 0: new [client-session]  
 debug1: Entering interactive session.  
 Last login: Thu Mar 31 22:31:08 2015 from 192.168.0.200  
 [user@web ~]$

 

Reference: http://www.kelvinwong.ca/2011/03/30/multiple-ssh-private-keys-identityfile/