Take care of your SSH identities

Did you know that when you authenticate via public key, your SSH client sends the server all your public keys, one by one, until the server accepts one?

Don't believe me? Try it out yourself: 

ssh whoami.filippo.io

Someone could use this to find out which public keys you have installed on your client. You don't want this, do you? So how can we avoid leaking our client's public keys? There is an easy fix: just add this at the end of your ~/.ssh/config file (ssh uses the first value it finds for each option, so host-specific entries must come before this catch-all block):

Host *
    PubkeyAuthentication no
    IdentitiesOnly yes

Also make sure you don't use just one key for all connections. I hope you don't use one password for all your logins - so why should you use one key for all your logins?

It is recommended to use one specific key for each host:

Host github.com
    PubkeyAuthentication yes
    IdentityFile ~/.ssh/github_id_ed25519
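
Why the Host * block has to go at the end, as an added example that is not part of the original post: a simplified resolver for the two layouts, following the ssh_config rule that the first value obtained for an option wins. The sample configs and the function names effective and offers_keys are constructed for illustration.

```python
import fnmatch

# Constructed sample configs (not from the original post). GOOD follows the
# post's layout: host-specific block first, the restrictive "Host *" block last.
GOOD = """\
Host github.com
    PubkeyAuthentication yes
    IdentityFile ~/.ssh/github_id_ed25519
Host *
    PubkeyAuthentication no
    IdentitiesOnly yes
"""
# BAD puts "Host *" first, so its "PubkeyAuthentication no" wins for every host.
BAD = """\
Host *
    PubkeyAuthentication no
    IdentitiesOnly yes
Host github.com
    PubkeyAuthentication yes
    IdentityFile ~/.ssh/github_id_ed25519
"""

def effective(config_text, host):
    """Resolve options for host: the first value obtained for a keyword wins,
    except IdentityFile, which accumulates. Simplified: only Host blocks with
    glob and !negated patterns; no Match, Include, quoting or key=value.
    Keywords are returned lowercased."""
    opts, active = {"identityfile": []}, True  # lines before any Host apply to all
    for raw in config_text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            pats = value.split()
            hit = any(not p.startswith("!") and fnmatch.fnmatchcase(host, p) for p in pats)
            neg = any(p.startswith("!") and fnmatch.fnmatchcase(host, p[1:]) for p in pats)
            active = hit and not neg
        elif active and key == "identityfile":
            opts[key].append(value)
        elif active:
            opts.setdefault(key, value)
    return opts

def offers_keys(opts):
    """True if public-key authentication stays enabled (the default is yes)."""
    return opts.get("pubkeyauthentication", "yes").lower() != "no"
```

On a real machine, `ssh -G github.com` prints the options OpenSSH itself resolves for that host, which is the authoritative check.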