Multiple Identities

Until now, we've assumed you have a single SSH identity that uniquely identifies you to an SSH server. You do have a default identity—our earlier ssh-add examples operated on it—but you may create as many other identities as you like.

Why use several identities? After all, with a single SSH identity, you can connect to remote machines with a single passphrase. That's very simple and convenient. In fact, most people can survive perfectly well with just one identity. Multiple identities have important uses, however:

Additional security

If you use different SSH keys for different remote accounts, and one of your keys is cracked, only some of your remote accounts are vulnerable.

Secure batch processes

Using an SSH key with an empty passphrase, you can create secure, automated processes between interacting computers, such as unattended backups. [11.1.2.2] However, you definitely don't want your regular logins to use an unencrypted private key, so you should create a second key for this purpose.

Different account settings

You can configure your remote account to respond differently based on which key is used for connecting. For example, you can make your Unix login session run different startup files depending on which key is used.

Triggering remote programs

Your remote account can be set up to run specific programs when an alternative key is used, via forced commands. [8.2.3]

In order to use multiple identities, you need to know how to switch between them. There are two ways: manually, and automatically with an agent.

ssh and scp let you switch your identity with the -i command-line option and the IdentityFile configuration keyword. For either of these techniques, you provide the name of your desired private-key file (OpenSSH) or identification file (Tectia). [7.4.2] Table 6-3 displays a summary of the syntax.

If you use an SSH agent, identity switching is handled automatically. Simply load all the desired identities into the agent using ssh-add. Thereafter, when you attempt a connection, your SSH client requests and receives a list of all your identities from the agent. The client then tries each identity in turn until one authenticates successfully, or they all fail. Even if you have 10 different identities for 10 different SSH servers, a single agent (containing these keys) provides appropriate key information to your SSH clients for seamless authentication with all 10 servers.

All of this happens transparently with no effort on your part. Well, almost no effort. If you have several identities loaded in the agent, and more than one can apply in a given situation, the agent might pick the wrong one. For example, suppose you have two OpenSSH identities stored in the files id-normal and id-backups. You use id-normal for terminal sessions, and id-backups for invoking a remote backup program on the same server machine (e.g., using a forced command [8.2.3]). Each day when you log in, you load both keys into an agent, using a clever script that locates and loads all key files in a given directory:

    #!/bin/csh
    cd ~/.ssh/my-keys      # An example directory
    foreach keyfile (*)
      ssh-add $keyfile
    end

What happens when you invoke an SSH client?

    $ ssh server.example.com

In this case, the remote backup program gets run, authenticating with the key in file id-backups. You see, the wildcard in your script returns a list of key files in alphabetical order, so id-backups is added before id-normal, as if you'd typed:

    $ ssh-add id-backups
    $ ssh-add id-normal

Therefore, your SSH clients always use the key id-backups when connecting to server.example.com because the agent provides it first in response to a client request. This might not be what you intended. In this case you could specify the right key on the command line using the -i option:

    $ ssh -i id-normal server.example.com

or use the IdentityFile configuration keyword in ~/.ssh/config. [7.4.2]
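The IdentityFile approach from the text, worked into a ~/.ssh/config fragment as an added example (not the book's own; the backup host alias is our assumption). The IdentitiesOnly keyword, which the text does not mention, tells OpenSSH to offer only the key named for that host rather than every key the agent holds, so the load order in the script above no longer decides the outcome:

```ssh_config
# Added example, not from the book. Assumes the key files from the text
# live in ~/.ssh/my-keys; the "backup" alias is our own choice.

# Interactive logins: plain "ssh server.example.com" uses id-normal.
Host server.example.com
    IdentityFile ~/.ssh/my-keys/id-normal
    # Offer only the key(s) listed above, even if the agent holds others.
    # The agent still does the signing when id-normal is loaded into it.
    IdentitiesOnly yes

# Unattended backups: "ssh backup" reaches the same server with the key
# that is tied to the forced command on the remote side.
Host backup
    HostName server.example.com
    IdentityFile ~/.ssh/my-keys/id-backups
    IdentitiesOnly yes
    BatchMode yes        # fail rather than prompt when run from cron
```

With this in place, `ssh server.example.com` authenticates with id-normal and `ssh backup` with id-backups, regardless of which key ssh-add loaded first.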

Multiple identities can be extremely useful. In particular, you can configure your remote accounts to respond differently to different identities. This is a three-step process:

We strongly encourage you to experiment with this technique. You can do some really powerful and interesting things with SSH this way. If you're just running simple terminal sessions with SSH, you are missing half the fun.