Computer Security

Configure ssh for multiple servers

Secure Shell (SSH) is the backbone of a systems administrator's toolkit for connecting to remote systems.

These are my notes that I thought I would share with everyone on how I configure ssh.



When generating key pairs I sometimes make two different sets based on how they are used. For access to local machines on my network I do not require a passphrase. For machines I access remotely I usually do require a passphrase. To generate your keys, use the following command:

$ ssh-keygen -t dsa

You will be given the option to enter a passphrase. If you do not want a passphrase, just press Enter.

This will generate two files:

id_dsa # This is the private key; it stays in your .ssh folder.
I like to rename the files so I can remember which key file belongs to which host.
I usually use id_dsa-username-host.domain.com

id_dsa.pub # This is the public key that will be copied to the remote machine.
I use the same naming convention with the .pub extension.
I keep a copy in my local .ssh folder for later re-use, or in case I use the same keys on multiple machines.
It is added to the ~/.ssh/authorized_keys2 file on the remote machine.


It's not a good idea to use the same keys for multiple machines, so we need to configure ssh to deal with multiple keys. The authorized_keys2 file can hold multiple public keys.

If you look at the id_dsa.pub file that ssh-keygen created, it will look something like this (a single line):

ssh-dss AAAAB3NzaC1kc3MAAACBAJzCH/SwyhV8y9riXFFHM3Dex9QOfK/3GZjySjWVKTWks0UA2tC0uj0hA+BkPBrebCCN2UPFAb5L1+3yjTaowPIiUyz8kSRP9qqlXE3fDrpF2zes5deszikdnYwTaRF8jy4p4QWTI+YizQxFqColjIt3UN1mcFK2QbDbS0sgP0s5AAAAFQCEOK+txMivnRVsz3bvXUE/0b+eowAAAIEAlr9S/B5LXZo+urT5UIawOyhTyHvMlzAhkyECYgEczqq1WxnloheJbpuRSL7joYFlA/IIyu1GTUbPclOSh0K4H6bfVdEOe+KofZ1EL6m78s14hYznw9gHHMh0pDcx6Hvha1NV36D686E2gNC8DcsQQHyer0agAidudZF1II7bYuQAAACAebfLBKWUFknIBXmZ6hdqzlGOZh1+dXGOKf7FOdmuOaCc7QCzxjA5kFJ+k60Z0xAE5qaW8IxbggY/jb5kwV7QjLu8oWpLrXl7Hbm4pOYNmxUT14Y7kYQM5eXWmtDPRlxNLGMHpzcwyizBaSyV5QTlWJeJT9ocrgZuzOhXyxuv05k= username@host



To keep the keys in the authorized_keys file documented, a username@host comment is appended to the end of each key; you may freely change this comment if you like.

So if I have two different keys set up, say one with a passphrase and one without, I generate the two keys and put them in the authorized_keys file separated by a blank line. Your authorized_keys file would then look like this (each key on one line):

ssh-dss AAAAB3NzaC1kc3MAAACBAJzCH/SwyhV8y9riXFFHM3Dex9QOfK/3GZjySjWVKTWks0UA2tC0uj0hA+BkPBrebCCN2UPFAb5L1+3yjTaowPIiUyz8kSRP9qqlXE3fDrpF2zes5deszikdnYwTaRF8jy4p4QWTI+YizQxFqColjIt3UN1mcFK2QbDbS0sgP0s5AAAAFQCEOK+txMivnRVsz3bvXUE/0b+eowAAAIEAlr9S/B5LXZo+urT5UIawOyhTyHvMlzAhkyECYgEczqq1WxnloheJbpuRSL7joYFlA/IIyu1GTUbPclOSh0K4H6bfVdEOe+KofZ1EL6m78s14hYznw9gHHMh0pDcx6Hvha1NV36D686E2gNC8DcsQQHyer0agAidudZF1II7bYuQAAACAebfLBKWUFknIBXmZ6hdqzlGOZh1+dXGOKf7FOdmuOaCc7QCzxjA5kFJ+k60Z0xAE5qaW8IxbggY/jb5kwV7QjLu8oWpLrXl7Hbm4pOYNmxUT14Y7kYQM5eXWmtDPRlxNLGMHpzcwyizBaSyV5QTlWJeJT9ocrgZuzOhXyxuv05k= username@host

ssh-dss AAAAB3NzaC1kc3MAAACBAJChJwJxXdeXt0tVuKBs+yL30AuP7WBoIyYx7cwO0UO/iYkJViDe6idSXZPd+Vm9TvO11v3TYMjFsqDG25ekhDRnQ0t//PGsu7QySgsL5DmWKgIu53599sdweQvb+SZGWgw8ijX1lDM1YjE3GoTltTk1+voeILG3GQVs4IRUf3QzAAAAFQDilamkUeDqnIRUFl0ynyKrVjQ4JwAAAIAGalRvFcgNCWo8O0CZ2EU1hqNG6eAR9AaGgAVHvTjFqTYuT0qQVU636NUmZRjVxGiJO8WusOLXiFk1M5jYZApAkeDnj3MM3YYoVagt/iXJTYm3wQShDW+xOoUqajKvXPydOWSEvMQhswv335gHBbyx/PeQSi0EifhHm/ltHUPQHwAAAIA4z+C/hEVsh2giY4gFhAtydYtIS17pTvD9AISlShXYOIpqn9tt+7TTxDiVQMIhIn2S/Z2ZpAG0V1qN8QbCNlSSwtA/b+hSjqpsELF6+e7aIsgcZQCGFfZ7gMT6pD2iwto2nseSJRhfaLBBly3qJVZ9WrNnRSIY+R12L/Aauemp3g== remote-username@host

So now we need to deal with how to handle multiple key files on the local machine.
ssh can use a ~/.ssh/config file so you do not have to remember which key file goes with which host.

A typical config file will look like this:

Host ftp.mydomain.com
IdentityFile ~/.ssh/id_dsa-me-www.mydomain.com
User me
Host ftp.mydomain.com
IdentityFile ~/.ssh/id_dsa-ftpadmin-www.mydomain.com
User ftpadmin
Host www.mydomain.com
IdentityFile ~/.ssh/id_dsa-me-www.mydomain.com
User me
Host home.otherdomain.net
IdentityFile ~/.ssh/id_dsa-me23-home.other.net
Port 2222
User me23

So here we have 4 different logins. By simply specifying the username on the ssh command line, ssh will look at the config file, match the host.domainname and the User tag, and will know which IdentityFile needs to be used for the host. You can also specify the port number, and if you connect with different port numbers it will sort that out as well.
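An added example, not part of the original notes: a small Python resolver that applies OpenSSH's ssh_config rules (Host blocks are scanned in order, the first value obtained for keywords such as User, HostName and Port wins, and IdentityFile directives accumulate) to the two ftp blocks above and to a constructed variant that gives each login its own Host alias. Both config texts are embedded as constructed samples; with the duplicate `Host ftp.mydomain.com` blocks the client offers the "me" key first and the ftpadmin key second, whereas the alias form with IdentitiesOnly offers exactly the intended key.

```python
from fnmatch import fnmatchcase

# Constructed sample: the two ftp blocks from the notes above, as written.
CONFIG_FROM_NOTES = """\
Host ftp.mydomain.com
IdentityFile ~/.ssh/id_dsa-me-www.mydomain.com
User me
Host ftp.mydomain.com
IdentityFile ~/.ssh/id_dsa-ftpadmin-www.mydomain.com
User ftpadmin
"""
# Constructed alternative: one alias per login; IdentitiesOnly stops ssh offering unrelated keys.
CONFIG_WITH_ALIASES = """\
Host ftp-admin
HostName ftp.mydomain.com
User ftpadmin
IdentityFile ~/.ssh/id_dsa-ftpadmin-www.mydomain.com
IdentitiesOnly yes
Host ftp.mydomain.com www.mydomain.com
User me
IdentityFile ~/.ssh/id_dsa-me-www.mydomain.com
IdentitiesOnly yes
"""

def parse(text):
    """Split ssh_config text into (host_patterns, [(keyword, value)]) blocks."""
    blocks = [(["*"], [])]          # options before the first Host line apply everywhere
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        if keyword.lower() == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((keyword.lower(), value.strip()))
    return blocks

def resolve(text, host):
    """Settings ssh would use for `ssh host` (command-line overrides not modelled)."""
    settings = {"identityfile": []}
    for patterns, options in parse(text):
        if not any(fnmatchcase(host, p) for p in patterns):   # ssh patterns use * and ?
            continue
        for keyword, value in options:
            if keyword == "identityfile":      # cumulative: every match adds a key to try
                settings["identityfile"].append(value)
            else:                              # first obtained value wins
                settings.setdefault(keyword, value)
    settings.setdefault("hostname", host)
    return settings
```

On a real system, `ssh -G ftp-admin` prints the effective settings OpenSSH itself computed, which is the quickest way to check a config like this.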


Hope this helps some of you manage your ssh connections. I find it very useful.