Security can be easily overlooked when building a product, especially when working with an outsourced engineering team. You want to trust them, so you give them access to your servers. But then you discover fraudulent activity, and, well, you start to panic.
In hindsight, you realize you never should have shared your Secure Shell (SSH) key, instead storing it in a vault with restricted user access. If, however, someone has a private SSH key to your Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instance and you’re worried about a malicious attack, you have two options to revoke their access:
- Create a new key-pair in the AWS console and boot up a new instance (assuming the attacker is removed from IAM users). This requires configuring the instance, which can be time-consuming — especially when you have several of them.
- Replace the public key in ~/.ssh/authorized_keys on your existing instance so the attacker can no longer unlock it with their private key.
- Run show crypto key mypubkey rsa to see if you do, in fact, have a key fully generated and registered under a non-default name. If there is, then you can tell the ssh process to use this key with ip ssh rsa keypair-name xxx.If the first command doesn't show anything useful then I'd say you can go ahead and generate a new key.
- Aug 18, 2017 Apparently a SSH key consists of two files, in this case idrsa and idrsa.pub. (the two githubrsa files are probably left from a previous GitHub Desktop installation some time ago). Delete the idrsa files. The Bash command for deleting files is rm -f, so I needed to do this.
Linux: Copy the output to the clipboard with this command: $ cat /.ssh/ From Bitbucket, enter a Label for your new key, for example, Public key #2. Paste the copied public key into the SSH Key field: Click Save. Bitbucket sends you an email to confirm the addition of the key.
Here’s a summary of how to replace the keys mentioned in option No. 2 above:
(For more, DigitalOcean has a great tutorial on setting up SSH keys.)
Ssh Key Generation
- On your local machine in the terminal, generate a new key pair:
ssh-keygen -t rsa
- When prompted to save the file, hit Enter for the default location or choose your own path.
- When prompted for a passphrase, you can leave the field empty. Although it does not hurt to have more security, if the key pair is used elsewhere for CI or automation, you will need to leave the passphrase empty — machines cannot guess passphrases.
- Copy the public key you just saved on your machine to your EC2 authorized keys file:
cat ~/.ssh/id_rsa.pub | ssh [email protected] 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys
where ~/.ssh/id_rsa.pub is the new key on your machine and [email protected] is the username and IP address of your EC2 instance. - At this point, your new public key should be on your EC2 instance in the authorized_keys file, and all you have to do is remove the old one. Make sure you can SSH into your EC2 instance with the new key first.
- Once you’re in, you can remove the old key using
vim ~/.ssh/authorized_keys
Just go to the line with the old key and remove it:dd
Note: If you tried editing the file and didn’t save it, or the connection was interrupted, an .authorized_keys.swp file will be created, and the next time you try to edit your authorized_keys, you will get a nasty message. Just delete the .swp file, and you should be good to edit. - Save the file.
Make sure to update the key if you’re using it elsewhere, like on a continuous integration (CI) server. Otherwise you’ll be scratching your head when none of your builds are working.
Generate A New Ssh Key And Delete Old Password
This version of GitHub Enterprise will be discontinued on This version of GitHub Enterprise was discontinued on 2019-10-16. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise.For help with the upgrade, contact GitHub Enterprise support.
After you've checked for existing SSH keys, you can generate a new SSH key to use for authentication, then add it to the ssh-agent.
If you don't already have an SSH key, you must generate a new SSH key. If you're unsure whether you already have an SSH key, check for existing keys.
If you don't want to reenter your passphrase every time you use your SSH key, you can add your key to the SSH agent, which manages your SSH keys and remembers your passphrase.
Generating a new SSH key
- Open TerminalTerminalGit Bashthe terminal.
- Paste the text below, substituting in your GitHub Enterprise email address.This creates a new ssh key, using the provided email as a label.
- When you're prompted to 'Enter a file in which to save the key,' press Enter. This accepts the default file location.
- At the prompt, type a secure passphrase. For more information, see 'Working with SSH key passphrases'.
Adding your SSH key to the ssh-agent
Before adding a new SSH key to the ssh-agent to manage your keys, you should have checked for existing SSH keys and generated a new SSH key. When adding your SSH key to the agent, use the default macOS
ssh-add
command, and not an application installed by macports, homebrew, or some other external source.- Start the ssh-agent in the background.
- If you're using macOS Sierra 10.12.2 or later, you will need to modify your
~/.ssh/config
file to automatically load keys into the ssh-agent and store passphrases in your keychain. - Add your SSH private key to the ssh-agent and store your passphrase in the keychain. If you created your key with a different name, or if you are adding an existing key that has a different name, replace id_rsa in the command with the name of your private key file.Note: The
-K
option is Apple's standard version ofssh-add
, which stores the passphrase in your keychain for you when you add an ssh key to the ssh-agent.If you don't have Apple's standard version installed, you may receive an error. For more information on resolving this error, see 'Error: ssh-add: illegal option -- K.' - Add the SSH key to your GitHub account.
If you have GitHub Desktop installed, you can use it to clone repositories and not deal with SSH keys. It also comes with the Git Bash tool, which is the preferred way of running
git
commands on Windows.- Ensure the ssh-agent is running:
- If you are using the Git Shell that's installed with GitHub Desktop, the ssh-agent should be running.
- If you are using another terminal prompt, such as Git for Windows, you can use the 'Auto-launching the ssh-agent' instructions in 'Working with SSH key passphrases', or start it manually:
- Add your SSH private key to the ssh-agent. If you created your key with a different name, or if you are adding an existing key that has a different name, replace id_rsa in the command with the name of your private key file.
- Add the SSH key to your GitHub account.
- Start the ssh-agent in the background.
- Add your SSH private key to the ssh-agent. If you created your key with a different name, or if you are adding an existing key that has a different name, replace id_rsa in the command with the name of your private key file.
- Add the SSH key to your GitHub account.
- Start the ssh-agent in the background.
- Add your SSH private key to the ssh-agent. If you created your key with a different name, or if you are adding an existing key that has a different name, replace id_rsa in the command with the name of your private key file.
- Add the SSH key to your GitHub account.
Further reading
- 'About SSH'
- 'Working with SSH key passphrases'