April 18, 2021 08:49 pm GMT

How to Manage Multiple SSH Key Pairs

I recently overheard someone say that he uses the same SSH key for all of his accounts, which is a bad idea from a security perspective. Additionally, Bitbucket recommends users replace their SSH keys once a year for security. When I first started managing multiple SSH key/password combinations on my personal machine, I learned best practices from a variety of sources. I'm writing this information down in one place for the benefit of others.

My current OS of choice is macOS, but these instructions should work for any *nix system.

First

Open a terminal and generate a new SSH key:

ssh-keygen -t rsa -f key_name -b 4096

Here is what each flag means:

  • -t specifies the algorithm that makes the key.
  • -f specifies a custom name for the key, and an alternate location if it's in the form of a path.
  • key_name is the name of the key. Make this as specific as possible.
  • -b specifies how many bits long the key will be. One of the servers I SSH into requires a 4096-bit key, so I use that for all of my keys.

I always use a key name that is specific and makes sense to me. This makes key management easier in the long term.

You should use a passphrase when prompted.

Second

When you complete the first step, two files are created: key_name and key_name.pub. The first is your private key and the second is your public key.
Create a known_hosts file for each account you have because it makes diagnosing issues easier when you have multiple keys. Ideally the name of this file is similar enough to the key name that you aren't confused later.

touch known_hosts_keyname

Third

The config file sets options for each host. Create a comment using the # at the start of a line to label each host. I label each key for visual neatness and to avoid confusion as the list of keys gets longer over time. Create the config file if it doesn't already exist and then open it for editing.

[Image: example config file]

Here is the breakdown of what each line means:

  • The URL on the HostName line is the base URL where the repository resides. For example, if you have a personal account on GitHub with personal projects, the URL will be github.com.
  • Host is a pattern matcher that is used to differentiate between these sets of configurations. Keep it the same as the HostName so it matches hosts in connections correctly without additional specification.
  • User for git-based systems will be git. The value of User will be different if you connect to something else (e.g. ec2-user for connecting to an Amazon AWS EC2 instance).
  • IdentityFile asks for the location of the identity key we made. Type in the respective path here.
  • UserKnownHostsFile specifies an exact location to store all hosts you connect to when you're using that profile. Provide the respective paths here and choose a unique known hosts file name (see step 2 above) so that troubleshooting and key maintenance over time is easier.
  • IdentitiesOnly specifies that only the keys provided must be used to connect to a host, even if another service like the ssh-agent offers a key for use.
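
An added example (not from the original article) of the config entries these options describe: a hypothetical helper, add_ssh_host, that writes one labelled block per account together with that account's own known_hosts file. The key names (personal_github, work_bitbucket) and the scratch directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the article's own code. add_ssh_host is a hypothetical
# helper; key names and directories below are constructed placeholders.
# Usage: add_ssh_host <ssh_dir> <host> <user> <key_name>
add_ssh_host() {
    ssh_dir=$1; host=$2; user=$3; key=$4
    config="$ssh_dir/config"

    # Keep the directory and the config file private to the current user.
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir"

    # For most options ssh keeps the first value it finds, so a second
    # block for the same Host would be silently ignored. Refuse it instead.
    if [ -f "$config" ] && grep -qxF "Host $host" "$config"; then
        echo "config already has a block for $host" >&2
        return 1
    fi

    # Step 2 of the article: one known_hosts file per key.
    touch "$config" "$ssh_dir/known_hosts_$key" || return 1
    chmod 600 "$config"

    # Step 3: the labelled block. Host is kept identical to HostName.
    cat >> "$config" <<EOF
# $key
Host $host
    HostName $host
    User $user
    IdentityFile $ssh_dir/$key
    UserKnownHostsFile $ssh_dir/known_hosts_$key
    IdentitiesOnly yes

EOF
}

# Demo in a scratch directory (constructed values), not the real ~/.ssh.
demo_dir=$(mktemp -d)
add_ssh_host "$demo_dir" github.com git personal_github
add_ssh_host "$demo_dir" bitbucket.org git work_bitbucket
cat "$demo_dir/config"
```

Once equivalent entries are in ~/.ssh/config, `ssh -G github.com` prints the options ssh resolves for that host, which confirms that the intended IdentityFile and UserKnownHostsFile are selected.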

Fourth

Add the keys to the ssh agent if you used a passphrase. Skip to the next step if you didn't use a passphrase. Start the ssh agent in the terminal:

eval "$(ssh-agent -s)"

Add the private keys to the agent in the terminal:

ssh-add -K path_to_private_keyname

Note that the -K option works only on macOS, where it provides keychain access.

Fifth

Copy the public key to the clipboard:

cat key_name.pub | pbcopy

Finally, paste the public key into the appropriate account.

With multiple keys, I have the option of creating new keys as needed to keep each connection secure. If I have a single compromised key, then I only worry about changing that single key. My config file then makes it easy for me to use multiple keys.

References
Bitbucket documentation
GitHub documentation


Original Link: https://dev.to/josephmidura/how-to-manage-multiple-ssh-key-pairs-1ik
