Create multiple EdDSA SSH keys - ssh

I've read a bunch on how to do this using rsa. Now, how can I create multiple ssh keys using EdDSA, i.e. id_ed25519?
I can't add the same existing key to multiple GitHub accounts I own (key already in use).
While attempting to create a second key, I'm unable to write a custom name (like one does when using rsa) inside the script:
ssh-keygen -t ed25519_customname -C "myemail@gmail.com"
The docs don't cover that either.
How can I create multiple EdDSA SSH keys?

Related

Multiple SSH Keys for same user on same host

I want to access a host with a specific user, but I want this user to have multiple SSH keys.
Why? This is the user for deployment on the server and there are multiple developers who have to deploy. I'd like to use a different key for each developer.
(Yes, I could create multiple deployment users, but that's quite costly on this managed server)
Example:
bob@bobs-workstation$ ssh -i ~/.ssh/id_rsa.bob deploy@host.com
alice@alices-workstation$ ssh -i ~/.ssh/id_rsa.alice deploy@host.com
Is this even possible?
In similar questions it's always about different users or different hosts and multiple SSH keys, but in this case it's about the same user and the same host with multiple SSH keys.
Turns out I found no questions about that because it's the most trivial case there is:
Yes, it's possible for a single user to accept multiple public SSH keys.
The text of the key files all has to be copied into /home/deploy/.ssh/authorized_keys (deploy was the user in the above example).
This is what the content of authorized_keys could look like:
ssh-rsa *bobsunintelligiblepublickeyformultiplelines* bob_at_deploy@host.com
ssh-rsa *alicesunintelligiblepublickeyformultiplelines* alice_at_deploy@host.com
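As an added example (not part of the answer above), a small installer that appends several developers' public keys to one account's authorized_keys the way the answer describes, one key per line, while refusing malformed lines, skipping keys already present and setting the permissions sshd requires. The file names, account and key blobs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the answer above): install several developers' public
# keys into one account's authorized_keys, one key per line, without duplicates
# and with the permissions sshd requires. All key material below is constructed.

# add_authorized_key AUTH_FILE PUBKEY_FILE
# Returns 0 when appended, 2 when that key is already present, 1 when PUBKEY_FILE
# is not a single "type base64 [comment]" line. Lines carrying options such as
# from="..." are not handled here.
add_authorized_key() {
    auth=$1; pub=$2
    [ "$(wc -l < "$pub" | tr -d ' ')" -le 1 ] || return 1
    line=$(head -n 1 "$pub")
    ktype=$(printf '%s\n' "$line" | awk '{ print $1 }')
    blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' || return 1
    # With StrictModes (the default) sshd ignores authorized_keys unless ~/.ssh is
    # 700 and the file 600, both owned by the user.
    mkdir -p "$(dirname "$auth")" && chmod 700 "$(dirname "$auth")"
    touch "$auth" && chmod 600 "$auth"
    # Deduplicate on type+blob: the comment is informational, so the same key
    # submitted again with a new comment is still the same key.
    if awk -v t="$ktype" -v b="$blob" '$1 == t && $2 == b { f = 1 } END { exit !f }' "$auth"; then
        return 2
    fi
    printf '%s\n' "$line" >> "$auth"
}

# count_keys AUTH_FILE: key lines, ignoring blanks and comments.
count_keys() { grep -cEv '^[[:space:]]*(#|$)' "$1"; }

# Demo: bob and alice both get access to the deploy account; bob's key is sent
# twice. The blobs are constructed placeholders, not real keys.
demo() {
    d=$(mktemp -d); auth="$d/.ssh/authorized_keys"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBOBBOBBOBBOB bob_at_deploy@host.com\n' > "$d/bob.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQALICEALICE alice_at_deploy@host.com\n' > "$d/alice.pub"
    add_authorized_key "$auth" "$d/bob.pub"
    add_authorized_key "$auth" "$d/alice.pub"
    add_authorized_key "$auth" "$d/bob.pub" || echo "bob's key already installed (rc=$?)"
    count_keys "$auth"   # prints 2
}
demo
```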

How does ssh-keygen work?

I'm following the tutorial here and understand that I'm making a key that is held in a directory somewhere so that when I go to a website, it will automatically see my key and give me access without me having to sign in. Is that correct? What does the "-t" and "-C" mean? What does putting in my email do? Does that mean that when I go to a site, if I put in my email it will automatically have access to my ssh key?
ssh-keygen -t rsa -C "yourname@yourdomain.ext"
First of all, whenever in doubt, consider checking the man pages first.
In this case, the man page tells us that -t rsa sets the type of the key to RSA (or generates the key using the RSA algorithm). The man page also mentions that it's the default one, so if you don't put that in, it will still generate an RSA key.
As for the -C "yourname@yourdomain.ext", -C specifies a comment which will be put in the generated files and can help you identify the key later on (for whatever reason).
Keys don't work "automatically". Normally, you install your public key (NEVER share your private key - that's the purpose of it being private) on a remote machine, and then when you try logging on to it via SSH, there will be a series of challenge requests between the two that will result in you being allowed to log on to the instance without typing your password if your private key matches one of the installed remote public keys (there can be more than one if, for example, you install different public keys for every machine you log on from or have some sort of shared account).

Ansible: Change SSH key

I have an inventory of multiple servers. SSH access to these servers is secured using PEM key files. I would like to periodically change the PEM key used by my servers. So, I would like to use Ansible to do the following:
Generate a new PEM key file
For each server in my inventory, connect to the server using old PEM key file
Install new PEM key file
Test to ensure SSH with new key works and old key does not work
What is the best way to do this via Ansible?
You should split this in three playbooks.
The first to generate a new PEM key. This will run locally. See: https://docs.ansible.com/ansible/playbooks_delegation.html#local-playbooks
The second one will do the rollout. So it copies the key to all servers. You can use authorized_key or copy depending on what your preferred workflow is. But that's another question.
The third step then would be a testing playbook, maybe with an assert statement or just using ping to ensure the connection works.
When you have all these playbooks, combine them into a single one with include, or add these three plays to one playbook in the right order. See: https://docs.ansible.com/ansible/playbooks_intro.html

Automatically add Non-Default Private Keys SSH Authentication Agent

For convenience purposes I don't have a "default" private key, usually ~/.ssh/id_rsa, ~/.ssh/id_dsa or ~/.ssh/identity. I have multiple keys to manage multiple accounts, one for work and one for personal. I use SSH agent forwarding to get proper authentication. It all works just fine.
The problem I have is that after every logoff/reboot, the SSH agent does not automatically add my keys because, it seems, it only looks for the default named keys, as stated by GitHub at: Error: Permission denied (public key): Make sure you have a key that is being used.
Is there a way to define what keys the SSH agent should automatically add upon loading or will I have to manually add them each time? Possibly create a script that opens upon logon and adds them.

Using 2 public/private key pairs at the "same" time

So I have 2 public/private key pairs (id_rsa and id_rsa.pub - one of them is sitting in a "key_backup" folder I made currently), one for GitHub and one for passwordless SSH'ing into a cluster. I looked around Google and could only find guides on how to use two public keys at the same time... Does the same hold for private keys?
How can I maintain authentication w/ GitHub while also being able to maintain passwordless login with my cluster?
Thanks!
-kstruct
You can use multiple private keys at the same time by making sure that your ssh key agent knows about both keys: ssh-add id_rsa1 id_rsa2 on Mac OS or Linux, or add both to Pageant on Windows.
The other option would be to create separate Host entries in ~/.ssh/config that point each of your two keys at their intended uses.
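An added example (not from either answer) that covers both the first question on this page and this one: ssh-keygen's -f option gives each ed25519 key its own file name instead of the default id_ed25519, and a Host alias per key in the ssh config points each key at its intended account. The temporary directory, alias names, comments and the empty passphrase are constructed for the demo; for real use write to ~/.ssh/config and give each key a passphrase.

```shell
#!/bin/sh
# Added example (not from either answer): two named ed25519 keys for two GitHub
# accounts, each wired to its own Host alias in an ssh config. Directory, alias
# names and comments are constructed; for real use write to ~/.ssh/config and
# give each key a passphrase.

# make_key DIR NAME COMMENT PASSPHRASE
# -t picks the algorithm, -f names the file (so id_ed25519 is not overwritten),
# -C stores the comment in the .pub file, -N sets the passphrase.
make_key() {
    ssh-keygen -q -t ed25519 -f "$1/id_ed25519_$2" -C "$3" -N "$4"
}

# write_host_entry CONFIG ALIAS REALHOST USER KEYFILE
# IdentitiesOnly makes ssh offer just this key; otherwise the agent tries every
# loaded key and GitHub logs you in as whichever account matches first.
write_host_entry() {
    cat >> "$1" <<EOF
Host $2
    HostName $3
    User $4
    IdentityFile $5
    IdentitiesOnly yes

EOF
    chmod 600 "$1"
}

# show_identity CONFIG ALIAS: the key ssh would use, resolved without connecting.
show_identity() {
    ssh -G -F "$1" "$2" | awk '$1 == "identityfile" { print $2 }'
}

# Demo: a work and a personal account; afterwards clone with
# git clone git@github-work:org/repo.git
demo() {
    dir=$(mktemp -d)
    for acct in work personal; do
        make_key "$dir" "$acct" "$acct@example.invalid" ""
        write_host_entry "$dir/config" "github-$acct" github.com git "$dir/id_ed25519_$acct"
    done
    show_identity "$dir/config" github-personal
}

if command -v ssh-keygen >/dev/null 2>&1 && command -v ssh >/dev/null 2>&1; then
    demo
else
    echo "ssh-keygen/ssh not installed; demo skipped" >&2
fi
```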