Managing Multiple SSH RSA Keys


It’s not difficult to argue that using RSA key pairs rather than passwords is more secure when using SSH. Where it can get complicated is when you’re dealing with infrastructure on different networks, such as having one on your local LAN and another in the cloud. For security or political reasons, you may want to use different key pairs for each environment. Since key generation typical uses ~/.ssh/id_rsa as the private key and ~/.ssh/ as the public as defaults, how do you generate multiple keys? And once we’ve create multiple keys, how do we specify which to use for a particular connection?

In this tutorial I will show you how to generate multiple keys and how to use them for different connections.

Generating Keys

You can read Passwordless SSH Logons on CentOS 6 Using RSA Authentication for a more in depth tutorial. Although the tutorial is specific to CentOS, the instructions will work for any OpenSSH client.

Specify a Key to use with SSH

By default, the SSH command will use the default RSA key ~/.ssh/id_rsa. However, we can specify the key using the -i argument with the path of a specific private key. For example, if your private key is called ~/.ssh/aws_vpc1, we can use the following command to instruct SSH to use it.

ssh -i ~/.ssh/aws_vpc1 [email protected]

The drawback with using this method is you’ll need to remember which key to use, where it is, and for what server.

Using SSH Config to Manage Multiple Keys

A more elegant approach with having multiple keys is to create a config file for SSH. Within this file, we can specify which server or servers will use a particular key. Once you have populated the configuration file with servers and their keys, you can simple type SSH with the server name and not have to worry about specifying a key.

  1. Create a new file under ~/.ssh/ called config.
    touch ~/.ssh/config
  2. The file wasn’t be accessible by any other users. Change its file permissions to be read\writable by you, and have no permissions for anyone else.
    chmod 600 ~/.ssh/config
  3. Open the file into a text editor. In this example, I’ll use VI. If you do not have VI or just dislike using it, you can use alternative such as Nano. Any text editor will do.
    vi ~/.ssh/config
  4. In this example, I am going to add a server named WEBNODE01. The default logon account will be webops and its private key will be ~/.ssh/aws_vpc1_id_rsa.
    host WEBNODE01
    User webops
    IdentityFile ~/.ssh/aws_vpc1_id_rsa
    host Name or alias of the server.
    HostName DNS hostname or IP address of server.
    User User to log onto the server with.
    IdentityFile Filename and path to the private key.
  5. Save your changes and exit the text file.
  6. Using the Host value we specified in the config file, we can connect to our server without entering the user or specifying the key.
    ssh WEBNODE01