
SSH Key Management and Secure Access

SSH encrypts a remote shell or file copy. Keys replace repeated passwords: a private key stays on your machine; the server stores the public half. This lesson covers key generation, `authorized_keys`, agents, and pitfalls like forwarding.

Password vs public key

Rows map to threats and operations: keys scale automation; passwords scale human memorization only.

Brute force / spraying
  Password: vulnerable to guessing and to reuse across sites.
  SSH key pair: Ed25519/RSA key space; combine with PasswordAuthentication no on servers.
Automation / CI
  Password: tempts embedding secrets; MFA breaks non-interactive flows.
  SSH key pair: CI uses deploy keys or short-lived certs; Ansible uses ssh-agent or sshpass (avoid).
Rotation / revocation
  Password: change it everywhere it was reused.
  SSH key pair: rotate the key pair: add the new pubkey, verify login, then remove the old line from authorized_keys.
Audit
  Password: hard to prove which human used a shared account.
  SSH key pair: per-key comments in authorized_keys; per-host keys in config.

Trust model

Graph: sshd sits at the center. Your private key never leaves the laptop; it only signs a challenge. The server has only ever seen the public line copied into authorized_keys, so a compromised server cannot recover your private key from its disk (unless you forward the agent unwisely; see below).

Graph nodes: the laptop holds the private key material (~/.ssh/id_ed25519); the server's ~/.ssh/authorized_keys lists the allowed public keys, one line per key, optionally prefixed with from="10.0.0.*" or command="…" for a forced command; sshd on the server checks that file.

Everyday commands
Order matters: generate → install pubkey → fix perms → load into agent. Wrong chmod on ~/.ssh is the #1 reason pubkey auth “silently fails”.
bash
ssh-keygen -t ed25519 -C "you@example.com"                # on your laptop
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server          # installs the public half
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys      # on the server
eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519       # on your laptop
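The permission pitfall above and the per-key comment and from=/command= prefixes from the trust-model section are easy to check mechanically. The script below is an added example, not part of the lesson: it audits a given .ssh directory for wrong modes and parses each authorized_keys line, flagging keys with no comment. It assumes GNU coreutils `stat -c` and `sed -E`, and reports only; it changes nothing.

```shell
#!/bin/sh
# Added example, not part of the lesson: audit an .ssh directory for the two
# pitfalls above: wrong permissions (the "silent" pubkey-auth failure) and
# authorized_keys entries that carry no comment, which defeats the per-key
# audit row of the table. Assumes GNU coreutils `stat -c` and `sed -E`.
# Usage: audit_ssh_dir ~/.ssh   -> prints findings; exit 0 if clean, 1 if not

check_mode() {  # check_mode <path> <expected octal mode>
    local path=$1 want=$2 have
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    have=$(stat -c '%a' "$path")
    [ "$have" = "$want" ] && return 0
    echo "PERM $path is $have, want $want"
    return 1
}

audit_ssh_dir() {  # audit_ssh_dir <dir>
    local dir=$1 rc=0 n=0 line k rest keytype blob comment restrict
    check_mode "$dir" 700 || rc=1
    check_mode "$dir/authorized_keys" 600 || rc=1
    for k in "$dir"/id_*; do                        # private halves must be 600
        case $k in *.pub) continue ;; esac
        [ -e "$k" ] && { check_mode "$k" 600 || rc=1; }
    done
    [ -r "$dir/authorized_keys" ] || return "$rc"
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac      # blank or comment line
        # Line format: [options] keytype base64 [comment]. Strip leading
        # options such as from="10.0.0.*" or command="..." so the key type
        # becomes field 1, then split into fields.
        rest=$(printf '%s\n' "$line" | sed -E \
            's/^(.*[[:space:]])?(ssh-(ed25519|rsa)|ecdsa-sha2-nistp[0-9]+|sk-[A-Za-z0-9@.-]+)[[:space:]]+/\2 /')
        set -f; set -- $rest; set +f
        keytype=${1-}; blob=${2-}
        case $keytype in ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp*|sk-*) ;; *) blob= ;; esac
        if [ -z "$blob" ]; then echo "MALFORMED line $n"; rc=1; continue; fi
        shift 2; comment=$*
        restrict=
        case $line in *from=*) restrict=from ;; esac
        case $line in *command=*) restrict=${restrict:+$restrict,}command ;; esac
        echo "KEY line $n type=$keytype restrict=${restrict:-none} comment='$comment'"
        [ -n "$comment" ] || { echo "NOCOMMENT line $n"; rc=1; }
    done < "$dir/authorized_keys"
    return "$rc"
}
```

Run it against a copy of the server's .ssh directory during a rotation to confirm the old line is gone and every remaining key is attributable.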
Config file for many hosts
Aliases and keys
~/.ssh/config
Host prod
  HostName 10.0.1.50
  User deploy
  IdentityFile ~/.ssh/prod_ed25519
  ServerAliveInterval 60

Agent forwarding: use sparingly

ssh -A jumps through bastions but exposes your agent to every remote host on the path: a malicious root on a hop could use your keys to authenticate onward while the session lasts. Prefer ProxyJump in ~/.ssh/config instead.
ProxyJump on the command line: ssh -J bastion app.internal
Protect private keys with hardware tokens (FIDO2) for high-value access.
Warning: never commit private keys to Git; use secret managers or short-lived credentials in CI.