Note: Any and all comments/improvements are welcomed.
A quick introduction
Using SSH public key authentication to connect to a remote system is a robust, more secure alternative to logging in with an account password or passphrase. SSH public key authentication relies on asymmetric cryptographic algorithms that generate a pair of separate keys (a key pair), one “private” and the other “public”. You keep the private key a secret and store it on the computer you use to connect to the remote system.
To copy your public key to the remote server, use the following command:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@servernameYou can now connect to the server using the following command and a password is not required.
ssh -i ~/.ssh/id_rsa user@servernameFor further details, including how to generate a public/private key pair if you do not already have one, please see the following article – How to Set Up SSH Keys on Debian 10.
Protecting your private key
As the private key can be used to access any server that has the public key, it needs to keep it secure. It doesn’t really seem a good idea for it to be lying around on the file system, so I decided to look for a better solution.
1Password SSH Agent
1Password 8 allows you to store your SSH Keys securely along with all your passwords and using the 1Password SSH agent, these SSH keys can be used to seamlessly with your SSH workflows.
The agent authenticates your SSH clients without the client ever being able to read your private key. In fact, your private key never even leaves the 1Password app.
When you attempt to connect to a remote server using SSH and 1Password is locked, you are prompted to unlock it using Touch ID.
Install 1Password8 beta for Mac
At the time of writing, this functionality is only available in the Beta version of 1Password8 (I assume you understand the risks of using beta software!)
https://1password.com/downloads/mac/#beta-downloads
Adding an Existing Private Key to 1Password
If you already have SSH key(s) that you use, you can easily add them to 1Password.
Open 1Password, click + New Item in the top right hand corner
Select SSH Key from the list.
Name the Key and Upload your Public key.
Click Save
Using 1Password to Generate an SSH Key
If you do not already have an SSH Key, 1Password can generate one for you really easily:
Open 1Password, click + New Item in the top right hand corner
Select SSH Key from the list.
Name the New Key, then click + Add Private Key / Generate a New Key
Select the Key Type and Bit Length
Click Save
Enable Touch ID
This process is only really effective if you enable Touch ID unlocking of your 1Password vault, otherwise you will need to enter your master password when you open an SSH session.
Open 1Password Preferences / Security and make sure that Touch ID is enabled.
Turn on the 1Password SSH Agent
Click the Developer section and turn on Use the SSH Agent
Configure SSH
The last step is to configure your SSH client to use the agent for authentication.
The path to agent.sock is lengthy, so first we will create a symbolic link to your home directory.
mkdir -p ~/.1password && ln -s ~/Library/Group\ Containers/2BUA8C4S2C.com.1password/t/agent.sock ~/.1password/agent.sockModify your ~/.ssh/config entries to use the SSH Agent instead of your IdentityFile
Host <HOSTNAME>
Hostname <IP.ADDRESS>
User root
IdentityAgent "~/.1password/agent.sock"Alternatively, if you wish to use the SSH Agent for ALL your SSH Sessions, add the following lines to the top of ~/.ssh/config
Host *
IdentityAgent "~/.1password/agent.sock"Using the 1Password SSH Agent
Now when you open a new SSH session, if 1Password is locked you will be promoted to unlock it using Touch ID.
Job done.
References:
- Set up SSH public key authentication to connect to a remote system – https://kb.iu.edu/d/aews
- How to Set Up SSH Keys on Debian 10 – How to Set Up SSH Keys on Debian 10.
- 1Password for SSH & Git – https://developer.1password.com/docs/ssh
