SSH, multiple identities, but no passwords!
May 05, 2009

Secure Shell is a great tool for securely connecting between several machines. In the past weeks, I have been using it more and more, but I was getting tired of typing too much. I found a great article on setting up passwordless authentication using public/private keys and defining multiple SSH identities, but it still wasn’t enough.

I manage multiple Unix users on Dreamhost, a plethora of Linux virtual machines at work running Jenkins builders, and two additional machines at home. With ssh-keygen, you can generate multiple different public/private keypairs (aka identities). The section “Selecting Keys” of the above-mentioned article describes how you can select a specific identity for connecting to a specific host. The example below shows how to connect to one of my DreamHost user accounts in a passwordless manner:

$ ssh -i ~/.ssh/dh-user1 user1@boba.dreamhost.com

If you have a long list of accounts, it would definitely be easier to use a shortcut for every combination of user@host and link each one to a specific SSH identity. Well, this is possible with the use of an SSH config file. I found out about this file here and then read more about it in the man page.

When you have user1 and user2 as accounts on your remote machine, in my case boba.dreamhost.com, and a different SSH identity for each user (dh-user1[.pub] and dh-user2[.pub]), how do you link everything together so that you can just type one of the following:

$ ssh dh-user1
$ ssh dh-user2

Actually, this is quite easy. Here is the ~/.ssh/config file in my local account (the account I’m making SSH connections from):

Host dh-user1
    User user1
    HostName boba.dreamhost.com
    IdentityFile ~/.ssh/dh-user1

Host dh-user2
    User user2
    HostName boba.dreamhost.com
    IdentityFile ~/.ssh/dh-user2

Every section in this file starts with Host ConnectionName followed by a number of connection parameters that are fully described in the man page. In my case, I specify the real host name, the username on the remote machine, and the identity file I want to link to that account.

Done!
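
A check worth running over a config like the one above, added here as an example and not part of the original post: for each Host alias it reports whether the private key is accessible to group or others (ssh refuses such keys) and whether IdentitiesOnly is set, which makes ssh offer only the configured key even when an agent holds several identities. The function names, the placeholder key files and the IdentitiesOnly line in the first sample stanza are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit an ssh client config.
# Assumes "Keyword value" lines, one alias per Host line, no spaces in paths.
# Prints: <alias> <keyfile> key=<ok|too-open|missing|none> identitiesonly=<yes|no>
audit_ssh_config() {
    awk '
        function emit() { if (host != "") print host, key, only }
        NF == 0 || $1 ~ /^#/   { next }
        { kw = tolower($1) }
        kw == "host"           { emit(); host = $2; key = "-"; only = "no"; next }
        kw == "identityfile"   { key = $2 }
        kw == "identitiesonly" { only = tolower($2) }
        END { emit() }
    ' "$1" |
    while read -r host key only; do
        case $key in "~/"*) path=$HOME/${key#"~/"} ;; *) path=$key ;; esac
        if [ "$key" = "-" ]; then perm=none
        elif [ ! -f "$path" ]; then perm=missing
        # ssh refuses a private key that group or others can access
        elif [ "$(ls -ld "$path" | cut -c5-10)" = "------" ]; then perm=ok
        else perm=too-open
        fi
        printf '%s %s key=%s identitiesonly=%s\n' "$host" "$key" "$perm" "$only"
    done
}

# Constructed sample: the page's two stanzas; key files are empty placeholders.
make_sample() {
    dir=$(mktemp -d) && mkdir -p "$dir/.ssh" || return 1
    : > "$dir/.ssh/dh-user1"; chmod 600 "$dir/.ssh/dh-user1"
    : > "$dir/.ssh/dh-user2"; chmod 644 "$dir/.ssh/dh-user2"
    cat > "$dir/.ssh/config" <<'EOF'
Host dh-user1
    User user1
    HostName boba.dreamhost.com
    IdentityFile ~/.ssh/dh-user1
    IdentitiesOnly yes

Host dh-user2
    User user2
    HostName boba.dreamhost.com
    IdentityFile ~/.ssh/dh-user2
EOF
    echo "$dir"
}
sample=$(make_sample)
( HOME=$sample; audit_ssh_config "$sample/.ssh/config" )
rm -rf "$sample"
```

On the constructed sample, dh-user1 is reported as `key=ok identitiesonly=yes` and dh-user2 as `key=too-open identitiesonly=no`; the fix for the latter is `chmod 600` on the key and an `IdentitiesOnly yes` line in its stanza.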