What I Learned at Work this Week: SSH Key File with Multiple Public Keys
Loyal readers know that I do a lot of work with reading and writing to an SFTP. Files in an SFTP are meant to be secure, so there will always be protocols in place to authenticate users before they can be read. Users commonly use a username and password combination for auth, but the most secure method is SSH. This week, I got an unusual SSH request. Before we talk about that, let’s review what SSH means.
The SSH (Secure Shell) protocol uses a pair of keys to create an encrypted connection between systems. The remote system will hold a private key, which matches up with a public key that can be shared with the system holding the sensitive information. The key are linked by an asymmetric cryptographic algorithm, which is responsible for the security. The keys can only match each other and, unlike passwords, they are impossible to guess.
I can’t explain too much more about how this works, but an understanding of the basic functionality of an SSH key should be enough for us here. Let’s move on to the client request : the client asked if we could allow an authorization to one location for multiple SSH keys.
The Auth Structure
In our system, we store client public keys in s3 and pull them when a certain client is attempting to auth into the SFTP. As part of the authentication process, the client provides a user name, which we use to determine the location of their particular SSH key. So one easy solution would be to create a second location to store the second public key and give the client that new location as a user name. The client wanted both keys to be associated with a single user, so that was out.
I did a lot of research looking for other options, but consistently found results suggesting putting the key in a separate location. I had previously gotten advice from a manager suggesting an alternate solution, so even though I couldn’t find anything about it online, I gave it a shot:
ssh-rsa [GENERATED-KEY-STRING] phpseclib-generated-key
ssh-rsa [SECOND-GENERATED-KEY-STRING] phpseclib-generated-key
That’s it. I literally put two public keys in one file and separated them with a new line. I tested auth with both private keys, and it worked. So if you’re having the same problem as I was, give this a try!
I read a lot of different articles online trying to find an answer to my question, but never did. Maybe it’s because my search terms weren’t right or maybe it’s because the answer would be obvious to anyone but me. This post doesn’t have much depth or insight, but I wanted to write it just in case it saves someone like me time in the future. Hopefully this trick to add an extra public key to your pub.key file helps!