
Avoid Using Same SSH Private Key For All Your Servers


If you run several servers across your projects and use the same private key for all of them, you may be putting all of that data at risk. Here is how to use a separate SSH key per project to limit the damage of a compromised key.


The more projects you handle, the more servers you manage. But when you SSH into servers belonging to different projects, are you using the same private key for all of them?

And how secure do you feel about that? Let's imagine that one day your single, all-powerful private key is compromised somehow. Boom! Every server in every project is in danger.

Check out this post, and get improved security for all your projects, in just five minutes!


Step 1: Generate Different SSH Key Pairs For Different Projects

Using ssh-keygen, we can easily generate as many SSH key pairs as we need. Let's say we have already generated two key pairs, one per project: project1_id_rsa and project2_id_rsa.

Step 2: Use Different Private Keys Selectively but in an Easy Way!

Version 1.0: We manually specify the private key with -i every time we SSH to a server.

# ssh to server in project1
ssh -i project1_id_rsa user1@server1

# ssh to server in project2
ssh -i project2_id_rsa user2@server2

It works, but typing those extra characters thousands of times is not fun. And it's unnecessary.

Version 2.0: Create a Host alias for each server in ~/.ssh/config, then SSH using that alias.

# Server in project1
host server1
     StrictHostKeyChecking no
     Port 22
     User user1
     IdentityFile /data/project1_id_rsa

# Server in project2
host server2
     StrictHostKeyChecking no
     Port 22
     User user2
     IdentityFile /data/project2_id_rsa

Using SSH with an alias is quite easy and straightforward. Here's how to do it:

# ssh to server in project1
ssh server1

# ssh to server in project2
ssh server2

So are we good now? Hang on, my friend. Not yet.

Let's say you have tens of, or hundreds of, servers. You don't want to configure them one by one, right?

Version 3.0: Update ~/.ssh/config to load all SSH private keys.

# Load private key of project1
IdentityFile /data/project1_id_rsa

# Load private key of project2
IdentityFile /data/project2_id_rsa

Now you can use SSH like you normally would: "ssh user1@server1".

SSH will try to use all your private keys one by one. To confirm this, use SSH with the -vvv option.

# $ ssh -vvv user1@server1 date 2>&1 | grep "debug1: Offering RSA public key"
#   debug1: Offering RSA public key: /data/.ssh/project1_id_rsa
#   debug1: Offering RSA public key: /data/.ssh/project2_id_rsa

You could argue that trying each key in turn wastes some time. It does, but it's fast enough that you won't notice the difference.

SSH offers the keys in the order they are listed, so putting the most frequently used keys at the top speeds things up a little.
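As an added example (this is not the original post's code), the script below automates Steps 1 and 2 for a whole inventory: it generates one key pair per project with ssh-keygen and writes a Host entry per server that pins that project's key. It also carries the caveat a practitioner wants for Version 3.0: a global IdentityFile list offers every key to every server, which both shows each server which other keys you hold and, with enough keys, exhausts the server's MaxAuthTries limit (default 6) before the right key is tried, so each Host entry here sets IdentitiesOnly yes. The StrictHostKeyChecking no from the Version 2.0 config is deliberately not reproduced, so a changed host key is reported rather than silently accepted. Everything not in the post is my assumption: the key directory ($KEY_DIR), the separate config file ($SSH_CONFIG, so your existing ~/.ssh/config is not overwritten), ed25519 keys instead of RSA, and the constructed hostnames in main().

```shell
#!/bin/sh
# Added example, not code from the original post. Automates Steps 1 and 2:
# one key pair per project plus one Host entry per server pinning that key.
# Assumptions (mine, not the post's): keys live under $KEY_DIR, the config is
# written to $SSH_CONFIG, keys are ed25519, and main()'s inventory is sample data.
set -eu

KEY_DIR="${KEY_DIR:-$HOME/.ssh/projects}"
# A separate file so the user's own ~/.ssh/config is left untouched.
SSH_CONFIG="${SSH_CONFIG:-$HOME/.ssh/projects.config}"

# Step 1: create the key pair for one project if it does not exist yet and
# print its path. Second argument is the passphrase (Step 3); empty = none.
gen_project_key() {
    project="$1"; passphrase="${2:-}"
    keyfile="$KEY_DIR/${project}_id_ed25519"
    mkdir -p "$KEY_DIR"
    chmod 700 "$KEY_DIR"
    if [ ! -f "$keyfile" ]; then
        ssh-keygen -q -t ed25519 -f "$keyfile" -N "$passphrase" -C "$project"
    fi
    printf '%s\n' "$keyfile"
}

# Step 2: emit one Host block. IdentitiesOnly yes makes ssh offer only the
# listed key, never the other projects' keys or agent keys, so unrelated keys
# are not disclosed to this server and cannot burn through its MaxAuthTries.
# StrictHostKeyChecking stays at its default so a changed host key is refused.
host_block() {
    alias="$1"; hostname="$2"; user="$3"; keyfile="$4"
    printf 'Host %s\n' "$alias"
    printf '    HostName %s\n' "$hostname"
    printf '    User %s\n' "$user"
    printf '    IdentityFile %s\n' "$keyfile"
    printf '    IdentitiesOnly yes\n'
    printf '\n'
}

# Turn "alias hostname user keyfile" records on stdin into a full config;
# blank lines are skipped.
build_config() {
    while read -r alias hostname user keyfile; do
        [ -n "$alias" ] || continue
        host_block "$alias" "$hostname" "$user" "$keyfile"
    done
}

# Check: how many identity files would ssh offer to this alias? "ssh -G"
# prints the resolved options without connecting, one "identityfile" line each.
keys_offered_to() {
    ssh -G -F "$SSH_CONFIG" "$1" | grep -c '^identityfile '
}

main() {
    # Constructed inventory: alias, hostname, login user, project name.
    for rec in "server1 server1.example.com user1 project1" \
               "server2 server2.example.com user2 project2"; do
        set -- $rec
        keyfile=$(gen_project_key "$4")
        printf '%s %s %s %s\n' "$1" "$2" "$3" "$keyfile"
    done | build_config > "$SSH_CONFIG.new"
    chmod 600 "$SSH_CONFIG.new"
    mv "$SSH_CONFIG.new" "$SSH_CONFIG"
    for h in server1 server2; do
        printf '%s: %s identity file(s) offered\n' "$h" "$(keys_offered_to "$h")"
    done
}

# Run the full flow only when executed as ssh_per_project.sh; sourcing the
# file just defines the functions.
case "${0##*/}" in ssh_per_project.sh) main ;; esac
```

Save it as ssh_per_project.sh and run it; each alias should report exactly one identity file offered. Then either connect with "ssh -F ~/.ssh/projects.config server1" or put "Include ~/.ssh/projects.config" at the top of ~/.ssh/config (OpenSSH 7.3 or newer) and use "ssh server1" as in Version 2.0.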

Step 3: [Optional] Secure Your SSH Private Key With Passphrase

To go one step further, protect your SSH private keys with a passphrase. See this article on the topic: Manage SSH Key File With Passphrase.

So now, go have a try at using SSH with the tips shared in this post!

Please leave a comment if you have any questions or feedback.

And don't forget to share this post if you think it might be useful to your friends or colleagues.


ssh, security, server management

Published at DZone with permission of Denny Zhang, DZone MVB. See the original article here.
