SSH Certificate Authentication

  • Generate ssh certificate
    ssh-keygen -t rsa -b 4096 -C "[email protected]"
    
  • Install ssh-ident
    mkdir -p ~/bin; wget -O ~/bin/ssh goo.gl/MoJuKB; chmod 0755 ~/bin/ssh
    ln -s ~/bin/ssh ~/bin/scp
    ln -s ~/bin/ssh ~/bin/sftp
    echo 'export PATH=~/bin:$PATH' >> ~/.bashrc
    
  • Enable ssh forwarding
    alias ssh=~/bin/ssh -A
    
  • Config file with multiple identities
    1. Move you keyfile to ~/.ssh/identities//
    2. Create a ~/.ssh-ident file. DONOT add -A option for ssh because scp and sftp don’t support it.
       # Specifies which identity to use depending on the path I'm running ssh
       # from.
       # For example: ("mod-xslt", "personal") means that for any path that
       # contains the word "mod-xslt", the "personal" identity should be used.
       # This is optional - don't include any MATCH_PATH if you don't need it.
       MATCH_PATH = [
         # (directory pattern, identity)
         (r"mod-xslt", "personal"),
         (r"ssh-ident", "personal"),
         (r"opt/work", "work"),
         (r"opt/private", "secret"),
       ]
          
       # If any of the ssh arguments have 'cweb' in it, the 'personal' identity
       # has to be used. For example: "ssh myhost.cweb.com" will have cweb in
       # argv, and the "personal" identity will be used.
       # This is optional - don't include any MATCH_ARGV if you don't
       # need it.
       MATCH_ARGV = [
         (r"cweb", "personal"),
         (r"corp", "work"),
       ]
          
       # Note that if no match is found, the DEFAULT_IDENTITY is used. This is
       # generally your loginname, no need to change it.
       # This is optional - don't include any DEFAULT_IDENTITY if you don't
       # need it.
       # DEFAULT_IDENTITY = "foo"
          
       # This is optional - don't include any SSH_ADD_OPTIONS if you don't
       # need it.
       SSH_ADD_OPTIONS = {
         # Regardless, ask for confirmation before using any of the
         # work keys.
         "work": "-c",
         # Forget about secret keys after ten minutes. ssh-ident will
         # automatically ask you your passphrase again if they are needed.
         "secret": "-t 600",
       }
          
       # This is optional - dont' include any SSH_OPTIONS if you don't
       # need it.
       # Otherwise, provides options to be passed to 'ssh' for specific
       # identities.
       SSH_OPTIONS = {
         # Disable forwarding of the agent, but enable X forwarding,
         # when using the work profile.
         "work": "-Xa",
          
         # Always forward the agent when using the secret identity.
         "secret": "-A",
       }
          
       # Options to pass to ssh by default.
       # If you don't specify anything, UserRoaming=no is passed, due
       # to CVE-2016-0777. Leave it empty to disable this.
       SSH_DEFAULT_OPTIONS = "-oUseRoaming=no"
          
       # Which options to use by default if no match with SSH_ADD_OPTIONS
       # was found. Note that ssh-ident hard codes -t 7200 to prevent your
       # keys from remaining in memory for too long.
       SSH_ADD_DEFAULT_OPTIONS = "-t 7200"
          
       # Output verbosity
       # valid values are: LOG_ERROR, LOG_WARN, LOG_INFO, LOG_DEBUG
       VERBOSITY = LOG_INFO
      

Reference:
https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/
http://rabexc.org/posts/using-ssh-agent
https://github.com/ccontavalli/ssh-ident

Written on June 24, 2018