# Linux SSH usage cheatsheet

By default the SSH related files are located under the folder `~/.ssh`

## key

### generate new SSH key

```bash
ssh-keygen -t ed25519 -C "username@domain.com"
```

- `-t` selects the key type; `ed25519` is the current recommendation, `rsa` is still accepted where Ed25519 is not supported
- `-C` attaches a comment to the key; it is stored in clear text at the end of the `.pub` line, is visible to everyone you hand the public key to, and has no effect on the key material itself
  - what to put there varies between platforms
  - for `github.com` this is conventionally the email shown in the commit history of the git repository, for example `224466+yourusername@users.noreply.github.com`
- this command prompts for a few fields, such as
  - path to key file, e.g. `~/.ssh/id_ed25519`
    - note the default names (`id_ed25519`, `id_rsa`, ...) are the only ones the `ssh` client tries automatically; `github.com` itself does not care about the file name, but a key saved under another name must be loaded with `ssh-add` or referenced by `IdentityFile` in `~/.ssh/config`, otherwise the connection fails with `Permission denied (publickey)`
  - passphrase, to protect the private key at rest
- if succeeded, it writes the private key (`id_ed25519`, mode 0600) and the public key (`id_ed25519.pub`) and prints the key's fingerprint

## agent

`ssh-agent` is a process that holds decrypted private keys in memory and signs authentication challenges on behalf of `ssh` clients; the private key itself never leaves the agent, the client only talks to it over the unix socket named by `$SSH_AUTH_SOCK`

### start an agent

```bash
eval $(ssh-agent -s)
```

- starts the agent as a background process
- note the command `ssh-agent -s` outputs a few environment variables that the other commands (such as `ssh-add` and `ssh`) need in order to find the agent; `eval` here simply exports them into the current shell, which is handy
- on its own, `ssh-agent -s` outputs these variables

```bash
SSH_AUTH_SOCK=/tmp/ssh-xxxooo12345/agent.1234; export SSH_AUTH_SOCK;
SSH_AGENT_PID=1234; export SSH_AGENT_PID;
echo Agent pid 1234;
```

### add private key to the agent

```bash
ssh-add -t 864000 <PATH-TO-PRIVATE-KEYFILE>
```

- `<PATH-TO-PRIVATE-KEYFILE>` indicates the private key file, e.g. `~/.ssh/id_ed25519`
- lifetime of the key inside the agent can be specified using `-t` in seconds; after it expires the agent forgets the key and `ssh-add` has to be run again
- if the variables were not exported with `eval` above, the socket can be given just for this command: `SSH_AUTH_SOCK=/tmp/ssh-xxxooo12345/agent.1234 ssh-add -t 864000 <PATH-TO-PRIVATE-KEYFILE>` (the option must follow `ssh-add`, not precede it)
- if succeeded, the console message will output

```bash
Identity added: /home/youraccount/.ssh/id_ed25519 (/home/youraccount/.ssh/id_ed25519)
Lifetime set to 864000 seconds
```

### add public key to remote peer

the steps differ between platforms, for example `github.com` allows users to paste the public key entry inside `~/.ssh/id_ed25519.pub` into the account settings (per-repository deploy keys are a separate feature), read the [doc](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account) here

### remove private keys from agent

TODO

## public keys for known hosts

All in `~/.ssh/known_hosts`, one line per host: `hostname keytype base64-public-key`; the hostname field may be a comma-separated list, or a hashed form starting with `|1|` when `HashKnownHosts yes` is set in `~/.ssh/config`

### check remote public keys

Check current public keys presented by the remote peer

```bash
ssh-keyscan -t <CRYPTO-TYPE> <REMOTE-SITE-URL>
```

- `<REMOTE-SITE-URL>`, for example, `github.com`
- `<CRYPTO-TYPE>`, e.g. `rsa`, `ed25519`
- this command only prints the host keys to stdout in `known_hosts` format; it does **not** modify `~/.ssh/known_hosts` by itself, redirect its output into that file once the keys are verified
- the keys arrive over the network unauthenticated, so compare their fingerprints with the values the operator publishes out of band (for `github.com`, the fingerprints doc in the references) before trusting them; otherwise a man-in-the-middle could hand you their own key

### remove public key related to remote peer

```bash
ssh-keygen -f ~/.ssh/known_hosts -R "github.com"
```

- `-R` removes every entry for the hostname (hashed entries included) and keeps a backup as `~/.ssh/known_hosts.old`

## Test connectivity

```bash
ssh -T <REMOTE-SITE-URL>
```

- `<REMOTE-SITE-URL>`, for example, `git@github.com`
- `-T` disables pseudo-terminal allocation, which is what a git server such as `github.com` expects; on success it prints a greeting and exits
- if the console shows the following warnings, the key presented by the remote peer does not match the one stored in `~/.ssh/known_hosts`: either **the remote peer has changed its SSH public key** or the connection is being intercepted; verify the new fingerprint against the operator's published value, and only then remove the old entry and add the new key to your `~/.ssh/known_hosts`
  - `POSSIBLE DNS SPOOFING DETECTED`
  - `REMOTE HOST IDENTIFICATION HAS CHANGED`
  - `The RSA host key for <REMOTE-SITE-URL> has changed`

## Reference

- [Connecting to GitHub with SSH](https://docs.github.com/en/authentication/connecting-to-github-with-ssh)
- [GitHub's SSH key fingerprints](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints)
  - the public key entries in the doc can be copied directly into your `~/.ssh/known_hosts`
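## Appendix: worked examples

The following example is added to this cheatsheet; it is not code from the original page or from OpenSSH. It shows what the "agent" section above describes at the wire level: the client never sees the private key, it only sends requests over the unix socket in `SSH_AUTH_SOCK` (the variable exported by `eval $(ssh-agent -s)`) and receives replies. The message numbers follow the protocol `ssh-agent` speaks (draft-miller-ssh-agent). `list_keys` does what `ssh-add -l` does, `remove_key` and `remove_all_keys` do what `ssh-add -d` / `ssh-add -D` do, which also covers the "remove private keys from agent" section. Function names, the dict layout and the optional `sock_path` parameter are this example's own choices.

```python
"""Minimal ssh-agent client: list the keys an agent holds and remove one or all of them."""
import base64
import hashlib
import os
import socket
import struct

# Message numbers from draft-miller-ssh-agent
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_REMOVE_IDENTITY = 18
SSH_AGENTC_REMOVE_ALL_IDENTITIES = 19


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Read one SSH 'string' at offset `off`; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated agent message")
    return buf[off:off + n], off + n


def fingerprint(blob: bytes) -> str:
    """The value `ssh-add -l` prints: base64(SHA256(public key blob)) without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def build_request_identities() -> bytes:
    """Framed SSH_AGENTC_REQUEST_IDENTITIES (what `ssh-add -l` sends)."""
    return ssh_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def build_remove_identity(blob: bytes) -> bytes:
    """Framed SSH_AGENTC_REMOVE_IDENTITY: the agent identifies the key by its public blob."""
    return ssh_string(bytes([SSH_AGENTC_REMOVE_IDENTITY]) + ssh_string(blob))


def build_remove_all_identities() -> bytes:
    """Framed SSH_AGENTC_REMOVE_ALL_IDENTITIES (what `ssh-add -D` sends)."""
    return ssh_string(bytes([SSH_AGENTC_REMOVE_ALL_IDENTITIES]))


def parse_identities_answer(msg: bytes) -> list:
    """Parse an unframed SSH_AGENT_IDENTITIES_ANSWER into dicts: type, blob, fingerprint, comment."""
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %r" % (msg[:1],))
    (count,) = struct.unpack_from(">I", msg, 1)
    off = 5
    keys = []
    for _ in range(count):
        blob, off = read_string(msg, off)
        comment, off = read_string(msg, off)
        key_type, _ = read_string(blob, 0)  # a public key blob starts with its own type name
        keys.append({"type": key_type.decode(), "blob": blob,
                     "fingerprint": fingerprint(blob),
                     "comment": comment.decode(errors="replace")})
    return keys


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the socket")
        buf += chunk
    return buf


def agent_call(request: bytes, sock_path: str = None) -> bytes:
    """Send one framed request and return the agent's reply without its length prefix."""
    path = sock_path or os.environ["SSH_AUTH_SOCK"]  # set by `eval $(ssh-agent -s)`
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(request)
        (n,) = struct.unpack(">I", _recv_exact(s, 4))
        return _recv_exact(s, n)


def list_keys(sock_path: str = None) -> list:
    return parse_identities_answer(agent_call(build_request_identities(), sock_path))


def remove_key(blob: bytes, sock_path: str = None) -> bool:
    return agent_call(build_remove_identity(blob), sock_path)[:1] == bytes([SSH_AGENT_SUCCESS])


def remove_all_keys(sock_path: str = None) -> bool:
    return agent_call(build_remove_all_identities(), sock_path)[:1] == bytes([SSH_AGENT_SUCCESS])


if __name__ == "__main__":
    for k in list_keys():  # same information as `ssh-add -l`
        print(k["type"], k["fingerprint"], k["comment"])
```

Run it in a shell where `eval $(ssh-agent -s)` and `ssh-add` have already been executed; the fingerprints it prints are the same ones `ssh-add -l` shows, and passing a key's `blob` to `remove_key` drops that single key while `remove_all_keys` clears the agent. Note that anything that can reach the socket (another process of the same user, a forwarded agent on a remote host) can ask the agent to sign with these keys, which is why `-t` lifetimes and removing keys when done matter.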
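The next example is also added here and is not part of the original cheatsheet or of OpenSSH. It implements offline what the "public keys for known hosts" and "Test connectivity" sections describe: compare the keys `ssh-keyscan` prints with the entries in `~/.ssh/known_hosts` and report, per key type, whether a key is NEW (no entry yet), OK (matches) or CHANGED (the situation behind `REMOTE HOST IDENTIFICATION HAS CHANGED`), together with the `SHA256:` fingerprint to compare against the operator's published value. It handles comma-separated hostname lists and the hashed `|1|salt|hmac` form written by `HashKnownHosts yes`. The sample keys and known_hosts content are constructed for the demonstration (the blobs are filler bytes, not real keys); `check_host`, `fake_key` and the other names are this example's own.

```python
"""Offline check of host keys from `ssh-keyscan` against ~/.ssh/known_hosts."""
import base64
import hashlib
import hmac


def fingerprint(key_b64: str) -> str:
    """What `ssh-keygen -lf` prints for the key: base64(SHA256(blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_host(host: str, salt: bytes) -> str:
    """Hostname field as written with HashKnownHosts yes: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field: str, host: str) -> bool:
    """Does a known_hosts hostname field (plain list or hashed) cover `host`?

    For non-default ports pass `host` in the bracketed form ssh uses, e.g. "[host]:2222".
    """
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")  # e.g. "github.com,140.82.121.4"


def parse_lines(text: str):
    """Yield (hostfield, keytype, key) from known_hosts or ssh-keyscan output."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith("@"):  # @cert-authority / @revoked markers
            parts = parts[1:]
        if len(parts) >= 3:
            yield parts[0], parts[1], parts[2]


def check_host(host: str, scanned: str, known_hosts: str) -> dict:
    """Return {keytype: (status, fingerprint)} with status NEW, OK or CHANGED."""
    known = {}
    for hf, kt, key in parse_lines(known_hosts):
        if host_matches(hf, host):
            known.setdefault(kt, set()).add(key)
    result = {}
    for hf, kt, key in parse_lines(scanned):
        if not host_matches(hf, host):
            continue
        if kt not in known:
            status = "NEW"
        elif key in known[kt]:
            status = "OK"
        else:
            status = "CHANGED"  # this is what ssh warns about with REMOTE HOST IDENTIFICATION HAS CHANGED
        result[kt] = (status, fingerprint(key))
    return result


def fake_key(key_type: str, filler: int) -> str:
    """Constructed sample public key blob (NOT a real key): type string plus 32 filler bytes."""
    blob = (len(key_type).to_bytes(4, "big") + key_type.encode()
            + (32).to_bytes(4, "big") + bytes([filler]) * 32)
    return base64.b64encode(blob).decode()


# Constructed sample data: a known_hosts file with two plain entries and one hashed entry ...
KNOWN_HOSTS = "\n".join([
    "github.com ssh-ed25519 " + fake_key("ssh-ed25519", 1),
    "github.com ssh-rsa " + fake_key("ssh-rsa", 2),
    hash_host("example.org", bytes(range(20))) + " ssh-ed25519 " + fake_key("ssh-ed25519", 5),
])
# ... and a constructed ssh-keyscan result: ed25519 unchanged, rsa rotated, ecdsa never seen before
SCANNED = "\n".join([
    "# constructed comment line, skipped by the parser",
    "github.com ssh-ed25519 " + fake_key("ssh-ed25519", 1),
    "github.com ssh-rsa " + fake_key("ssh-rsa", 3),
    "github.com ecdsa-sha2-nistp256 " + fake_key("ecdsa-sha2-nistp256", 4),
])

if __name__ == "__main__":
    for kt, (status, fp) in check_host("github.com", SCANNED, KNOWN_HOSTS).items():
        print("%-8s %-22s %s" % (status, kt, fp))
```

To use it on real data, read `~/.ssh/known_hosts` into `known_hosts` and the output of `ssh-keyscan github.com` into `scanned`. A CHANGED result is not by itself proof of an attack, but it is exactly the case where the fingerprint must be checked against the published value before `ssh-keygen -R` and a fresh `ssh-keyscan` are used to replace the entry.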