
SSH Key Management

Overview

SSH keys are used for secure authentication with servers, Git repositories, and other services. At Lemone, we primarily use 1Password SSH Agent for secure key storage and management.


Modern Approach: 1Password SSH Agent

Note

Recommended: Use 1Password SSH Agent for secure, convenient SSH key management.

Benefits

  • Secure storage: Keys stored encrypted in 1Password vault
  • No local key files: Keys never written to disk
  • Cross-device sync: Access keys on all your devices
  • Automatic signing: Git commits automatically signed
  • Touch ID support: Biometric authentication for key usage

Setup

Step 1: Enable SSH Agent in 1Password

  1. Open 1Password
  2. Go to Preferences → Developer
  3. Enable "Use the SSH agent"
  4. Enable "Display key names when authorizing connections"

Step 2: Configure SSH to Use 1Password

Edit ~/.ssh/config:

Host *
    IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

On Linux:

Host *
    IdentityAgent ~/.1password/agent.sock

Step 3: Store SSH Keys in 1Password

  1. Generate a new SSH key or import an existing one
  2. Store it in 1Password with:
     • Title: "SSH Key - GitLab" (or the appropriate service)
     • Username: Your email or username
     • Private key: Paste or generate
     • Public key: Automatically generated

Step 4: Test Connection

# Test GitLab
ssh -T git@codepot.nl

# Test Exonet
ssh web01.exonet.lemone.network

# Test Kinsta
ssh -p PORT user@host.kinsta.cloud

Managing Multiple Keys

1Password SSH Agent automatically provides the correct key based on the host.

To see which keys are available:

ssh-add -L

Resources


Legacy Approach: Manual SSH Key Management

Warning

Deprecated: This manual approach is no longer recommended. Use 1Password SSH Agent instead.

Switching Between SSH Keys Manually

If you need to temporarily switch between different SSH keys:

Step 1: Navigate to SSH Directory

cd ~/.ssh

Step 2: Remove Currently Registered Keys

ssh-add -D

Step 3: Add Specific Key

# Add Exonet deploy key
ssh-add exonet_deploy_key

# Add GitLab key
ssh-add id_ed25519_gitlab

# Add personal key
ssh-add id_ed25519

Step 4: Verify Added Keys

ssh-add -l

Note: You'll need to repeat these steps when switching between different keys for different services.


Generating SSH Keys

Modern (Ed25519)

Recommended: Ed25519 keys are more secure and shorter than RSA.

ssh-keygen -t ed25519 -C "your_email@example.com"

Legacy (RSA)

Only use if Ed25519 is not supported:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Best Practices

  1. Use a passphrase: Always protect your private key with a strong passphrase
  2. Store in 1Password: Never leave unencrypted keys on disk
  3. One key per service: Create separate keys for different services (GitLab, Exonet, etc.)
  4. Descriptive names: Use clear names like id_ed25519_gitlab, exonet_deploy_key

Adding SSH Keys to Services

GitLab (codepot.nl)

  1. Generate or copy the public key:

     cat ~/.ssh/id_ed25519.pub

  2. Log in to codepot.nl

  3. Go to User Settings → SSH Keys
  4. Paste public key
  5. Add descriptive title (e.g., "MacBook Pro M2 - 2024")
  6. Click Add key

GitHub

  1. Copy public key
  2. Go to github.com/settings/keys
  3. Click New SSH key
  4. Paste public key and save

Exonet Server

# Copy public key to server
ssh-copy-id user@web01.exonet.lemone.network

# Or manually (sshd rejects authorized_keys when it or ~/.ssh is writable by others, so set the modes as well):
cat ~/.ssh/id_ed25519.pub | ssh user@web01.exonet.lemone.network "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Kinsta

  1. Log in to MyKinsta
  2. Go to Sites → Your Site → Info
  3. Find SFTP/SSH section
  4. Click Add public key
  5. Paste public key

SSH Config

Create ~/.ssh/config for easier SSH access:

# GitLab
Host codepot codepot.nl
    HostName codepot.nl
    User git
    IdentityFile ~/.ssh/id_ed25519_gitlab
    IdentitiesOnly yes

# Exonet
Host exonet web01 web01.exonet.lemone.network
    HostName web01.exonet.lemone.network
    User your-username
    IdentityFile ~/.ssh/id_ed25519_exonet
    IdentitiesOnly yes

# Kinsta
Host kinsta-site1
    HostName site.kinsta.cloud
    Port 12345
    User site-user
    IdentityFile ~/.ssh/id_ed25519_kinsta
    IdentitiesOnly yes

Usage:

# Instead of: ssh user@web01.exonet.lemone.network
ssh exonet

# Instead of: ssh -p 12345 user@site.kinsta.cloud
ssh kinsta-site1


Troubleshooting

Permission Denied (publickey)

Check key permissions:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub

Verify key is loaded:

ssh-add -l

Test connection with verbose output:

ssh -vT git@codepot.nl
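To make the permission check above repeatable, here is an added Python audit (example code, not from the original page) that flags every entry in an ~/.ssh directory whose mode is looser than the chmod values listed; demo() builds a constructed throwaway directory with a placeholder key instead of touching your real one, and demo(fix=True) shows the result after applying the chmod steps:

```python
import os
import stat
import tempfile

# Modes from the chmod commands above: 700 on ~/.ssh, 600 on private keys, 644 on public keys.
EXPECTED = {"dir": 0o700, "private": 0o600, "public": 0o644}

def is_private_key(path):
    """True when the file starts with a PEM/OpenSSH private-key header."""
    with open(path, "r", errors="ignore") as f:
        first = f.readline()
    return first.startswith("-----BEGIN") and "PRIVATE KEY" in first

def check_ssh_dir(ssh_dir):
    """Return (relative name, actual mode, allowed mode) for every entry whose
    permission bits exceed what the troubleshooting steps above allow."""
    findings = []
    def check(path, kind):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & ~EXPECTED[kind]:  # any bit set beyond the allowed mode (stricter is fine)
            findings.append((os.path.relpath(path, ssh_dir), oct(mode), oct(EXPECTED[kind])))
    check(ssh_dir, "dir")
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        if name.endswith(".pub"):
            check(path, "public")
        elif is_private_key(path):
            check(path, "private")
    return findings

def demo(fix=False):
    """Build a constructed ~/.ssh look-alike with the loose permissions a copied
    key often has, optionally repair them as the steps above do, then audit."""
    with tempfile.TemporaryDirectory() as root:
        priv = os.path.join(root, "id_ed25519")
        with open(priv, "w") as f:  # constructed placeholder, not real key material
            f.write("-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n")
        with open(priv + ".pub", "w") as f:
            f.write("ssh-ed25519 PLACEHOLDER constructed@example.com\n")
        os.chmod(root, 0o755)          # too open: group/other may list the directory
        os.chmod(priv, 0o644)          # too open: ssh refuses a key readable by others
        os.chmod(priv + ".pub", 0o644)
        if fix:
            os.chmod(root, EXPECTED["dir"])
            os.chmod(priv, EXPECTED["private"])
        return check_ssh_dir(root)
```

Run check_ssh_dir(os.path.expanduser("~/.ssh")) against your own directory; an empty list means the modes match the steps above.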

SSH Agent Not Running

Start SSH agent (if not using 1Password):

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

For persistent agent (add to ~/.zshrc or ~/.bashrc):

if [ -z "$SSH_AUTH_SOCK" ] ; then
    eval "$(ssh-agent -s)"
    ssh-add ~/.ssh/id_ed25519
fi

Wrong Key Being Used

Use specific key:

ssh -i ~/.ssh/specific_key user@host

Clear all keys and add specific one:

ssh-add -D
ssh-add ~/.ssh/specific_key


Security Best Practices

  1. Never share private keys: Only share public keys (.pub files)
  2. Use passphrases: Always protect private keys with strong passphrases
  3. Store in 1Password: Don't leave unencrypted keys on disk
  4. Rotate regularly: Update keys periodically (yearly recommended)
  5. Remove old keys: Delete unused keys from services
  6. Use separate keys: Don't reuse the same key across services
  7. Monitor usage: Check GitLab/GitHub for unexpected key usage
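As an added example (not part of the original page) tying together the authorized_keys step under Exonet Server and items 4 to 6 above, here is a Python audit that decodes each key blob in an authorized_keys file and flags ssh-dss entries, RSA keys shorter than the 4096 bits generated earlier, duplicate keys and entries without an identifying comment. SAMPLE and its key blobs are constructed placeholders, not real keys, and entries whose options contain spaces are not handled:

```python
import base64
import struct

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def _ssh_blob(*parts):  # SSH wire format: uint32 big-endian length + bytes per field
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)

def key_info(blob_b64):
    """Return (type, bits) from a base64 key blob; bits is set only for ssh-rsa."""
    blob, fields, off = base64.b64decode(blob_b64), [], 0
    while off < len(blob):  # walk the length-prefixed fields: type, then key parts
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    ktype = fields[0].decode()
    if ktype == "ssh-rsa":  # fields are type, e, n; n is an mpint (may carry a leading 0x00)
        return ktype, int.from_bytes(fields[2], "big").bit_length()
    return ktype, None

def audit(text, min_rsa_bits=4096):
    """Return (line number, reason) for entries that violate the practices above."""
    findings, seen = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        tokens = line.split()  # simplification: options containing spaces are not handled
        if not tokens or tokens[0].startswith("#"):
            continue
        i = next((i for i, t in enumerate(tokens) if t.startswith(KEY_PREFIXES)), None)
        if i is None or i + 1 >= len(tokens):
            findings.append((no, "unparseable entry"))
            continue
        ktype, blob, comment = tokens[i], tokens[i + 1], " ".join(tokens[i + 2:])
        bits = key_info(blob)[1]
        if ktype == "ssh-dss":
            findings.append((no, "ssh-dss is deprecated"))
        elif ktype == "ssh-rsa" and bits < min_rsa_bits:
            findings.append((no, f"ssh-rsa {bits} bits is below {min_rsa_bits}"))
        if blob in seen:
            findings.append((no, f"duplicate of line {seen[blob]}"))
        seen.setdefault(blob, no)
        if not comment:
            findings.append((no, "no comment identifying the device or service"))
    return findings

# Constructed sample entries (placeholder key material, not real keys).
ED = base64.b64encode(_ssh_blob(b"ssh-ed25519", b"\x01" * 32)).decode()
RSA2048 = base64.b64encode(_ssh_blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00\x80" + b"\x00" * 255)).decode()
DSS = base64.b64encode(_ssh_blob(b"ssh-dss", b"\x01")).decode()
SAMPLE = "\n".join(["# constructed sample authorized_keys",
                    "ssh-ed25519 " + ED + " macbook-2024", "ssh-rsa " + RSA2048 + " old-desktop",
                    "ssh-ed25519 " + ED, "ssh-dss " + DSS + " ancient-box"])
```

Feed it the contents of a server's ~/.ssh/authorized_keys (or the key list exported from GitLab/GitHub) to find the entries worth rotating or removing.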

See Also