Understanding things inside ~/.ssh
We use SSH all the time, but not everyone really understands the files we put inside the ~/.ssh folder on our computer. It was a mystery to me when I first started using SSH, but things are pretty clear to me now, and I want to share this with all of you in case you don't know it yet.
known_hosts
This file is used to verify the identity of the host we are connecting to. The first time you connect to a host, you will probably see a message like this:
The authenticity of host 'example.com (10.0.0.0)' can't be established.
RSA key fingerprint is SHA256:VqgUG8v+gxrigR1csELYv6Un6l7HxMgPgMj9wyUr7G4.
Are you sure you want to continue connecting (yes/no)?
The moment you answer yes to continue connecting, the hostname along with the public key of the server is saved as a new line in this file. Why do we need this file? Imagine that for some reason our routing has been compromised by an attacker who is redirecting us to the wrong server (and if we are not careful, we may send sensitive information to that wrong server). When we SSH to the host again, our SSH client detects that the server public key has changed and refuses to continue, because this key is different from the one saved in known_hosts. This is a safe way to protect us from continuing to send sensitive information to the wrong server.
This, however, also creates a small problem for developers connecting to a server that has been changed recently, because their SSH connection will be refused. In that case, you should first confirm that the server has indeed been changed, then simply open the known_hosts file, remove the line containing the host you are trying to connect to, and connect again.
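As an added example (not code from the original post), the Python below reproduces the client-side known_hosts check in miniature: it computes the SHA256 fingerprint shown in the prompt above from a key blob, matches host entries, and reports whether a presented key matches, has changed, or is unknown. It goes a little beyond the post by also handling hashed entries of the form |1|salt|hash, which OpenSSH writes when HashKnownHosts is enabled. The key blobs and the known_hosts text are constructed for the demo and are not real keys.

```python
import base64
import hashlib
import hmac

def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style fingerprint: base64 (no padding) of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_hostname(host: str, salt: bytes) -> str:
    """Hashed known_hosts host field '|1|salt|hash': HMAC-SHA1 of the host name keyed with the salt."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(pattern_field: str, host: str) -> bool:
    """Match one known_hosts host field (comma-separated names, or a hashed entry) against host."""
    if pattern_field.startswith("|1|"):
        salt = base64.b64decode(pattern_field.split("|")[2])
        return hmac.compare_digest(hash_hostname(host, salt), pattern_field)
    return host in pattern_field.split(",")

def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'match', 'changed' (same host and key type, different key) or 'unknown'."""
    seen_host = False
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # comments and @cert-authority / @revoked markers are out of scope here
        fields = line.split()
        if len(fields) < 3 or not host_matches(fields[0], host):
            continue
        if fields[1] != key_type:
            continue
        seen_host = True
        if hmac.compare_digest(fields[2], key_b64):
            return "match"
    return "changed" if seen_host else "unknown"

# Constructed sample key blobs (arbitrary bytes, NOT real SSH keys) and a constructed known_hosts file.
GOOD_KEY = base64.b64encode(b"constructed-ed25519-blob-for-example-com").decode()
OTHER_KEY = base64.b64encode(b"constructed-ed25519-blob-for-an-impostor").decode()
SAMPLE_KNOWN_HOSTS = (
    "example.com,10.0.0.0 ssh-ed25519 " + GOOD_KEY + "\n"
    + hash_hostname("hidden.example.org", b"0123456789abcdef0123") + " ssh-ed25519 " + GOOD_KEY + "\n"
)
```

When a "changed" result is expected because a server was legitimately rebuilt, OpenSSH's `ssh-keygen -R hostname` removes the stale line from ~/.ssh/known_hosts for you, which is the same step as editing the file by hand.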
config
This file is created manually to specify the right host address and the right key to use when connecting to a certain host. For example, let's say I have a very long host address like this: abcdwefsdfasdfagaksdjkajfdgka.example.com. In addition, I have to specify a private key (using the -i option of SSH) to connect to this server. The command I use looks like this:
ssh -i ~/.ssh/privatekey.pem dev@abcdwefsdfasdfagaksdjkajfdgka.example.com
That is not comfortable to type every time. Instead, I can create a config file inside the ~/.ssh folder and put this content into it:
Host mydev
HostName abcdwefsdfasdfagaksdjkajfdgka.example.com
IdentityFile ~/.ssh/privatekey.pem
User dev
After adding this to the config file, I can SSH to this server easily:
ssh mydev
This method is also very useful if you need to clone multiple GitHub projects using different accounts (check out my old post about this topic: http://thelazylog.com/how-to-configure-ssh-for-multiple-github-accounts/).
authorized_keys
This file only exists on the machine that is acting as the server, and it is also created manually. You want to use this file if you hate typing the password every time you use SSH. By putting your client public key into this file on the server, you can connect to the server without typing the password. This is called key-based SSH login.
How does it work? The server uses the client public key in the authorized_keys file to lock a message in such a way that only your computer, which holds the corresponding private key, can unlock it. This is why, when you create an SSH key, it often asks you to set a passphrase for the private key: if your computer gets stolen, you still have time to disable the old public key. If you are interested in cryptography, you might want to read more about this on Wikipedia: https://en.wikipedia.org/wiki/Public-key_cryptography
I hope the information in this post is helpful to you. Happy coding!