Using SSHKeyChain for SSH key management
Richard Miller wrote me and asked for an article discussing the benefits of using the utility SSHKeyChain for SSH key management. The following information assumes that you are familiar with SSH and remote server management via a terminal or other SSH/SFTP/SCP-enabled applications.
Consider it this way:
With SSH alone, you come to the door, present your password to the security guard and, if authorized, are granted access.
With an SSH key, you don’t have to interact with the guard because you have your own key. You can use your key to open the door and get in.
For security, however, SSH keys are encrypted and require a password to decrypt them. So, following the same analogy, you now have a key, but the key has a combination lock on it that has to be unlocked before it can be used. This is for good reason, as keys in the wrong hands can be a big security risk.
If you are logging in and out of a server frequently, however, or using SCP to copy files repeatedly, entering your password to decrypt your key again and again becomes very tedious.
Enter SSHKeyChain. What this utility does is hold your key “open in a decrypted state” (once you have entered your decryption password) for a specific amount of time or until certain events occur. You can have it hold the key open in a decrypted state indefinitely, but this is dangerous unless you are absolutely confident about who has physical access to the terminal/workstation that you are running it on, as anyone that sits down will have access to the remote server. For example, one of SSHKeyChain’s features is the ability to store your decryption password in your Mac OS Keychain. I would strongly recommend against this, however, since I like the extra layer of security. I would also strongly recommend locking your workstation whenever you step away if you are using SSHKeyChain. I have my preferences set to remove the keys from SSHKeyChain whenever the system goes to sleep or is rebooted.
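The "hold the key for a specific amount of time" behaviour can be seen from a terminal with OpenSSH's own `ssh-agent` and `ssh-add -t`. This is an added example, not part of the original article and not SSHKeyChain's own interface; the function names are hypothetical, and the key is a throwaway constructed in a temporary directory with an empty passphrase so the demo runs without prompting.

```shell
#!/bin/sh
# Added example: time-limited key caching with ssh-agent / ssh-add -t.
# Nothing here touches your real keys or your running agent.

# Succeeds only if the agent behind $SSH_AUTH_SOCK holds at least one key.
# ssh-add -l exits 0 with keys loaded, 1 when the agent is empty.
agent_holds_key() {
    ssh-add -l >/dev/null 2>&1
}

# demo_timed_cache SECONDS
# Prints "<held right after adding> <held after the lifetime passed>".
# The body runs in a subshell so the agent variables do not leak out.
demo_timed_cache() (
    lifetime=$1
    workdir=$(mktemp -d) || exit 1

    # Constructed throwaway key. The empty passphrase is for the demo only;
    # a real key should be passphrase-protected, as the article describes.
    ssh-keygen -q -t ed25519 -N '' -f "$workdir/demo_key" || exit 1

    # Private agent on its own socket, separate from any agent already running.
    eval "$(ssh-agent -s -a "$workdir/agent.sock")" >/dev/null || exit 1

    # -t caps how long the agent keeps the decrypted key in memory.
    ssh-add -q -t "$lifetime" "$workdir/demo_key" 2>/dev/null

    before=no
    agent_holds_key && before=yes

    # Wait past the lifetime; the agent drops the key on its own.
    sleep $((lifetime + 2))

    after=no
    agent_holds_key && after=yes

    # Stop the private agent and remove the throwaway key material.
    ssh-agent -k >/dev/null 2>&1
    rm -rf "$workdir"

    echo "$before $after"
)

demo_timed_cache 1
```

For a key already loaded without a lifetime, `ssh-add -D` removes every key from the agent immediately, which is the manual equivalent of clearing keys before stepping away.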
About this entry
You’re currently reading “Using SSHKeyChain for SSH key management,” an entry on BYU Mac Users Group
- Author: Wade Preston Shearer
- Published: 05.07.07 / 12:19