I recently switched my main work machine from a Windows 7 laptop to a MacBook Pro running Mac OS 10.9. I spend a lot of time working on EC2 instances via SSH and needed to migrate my workflow. This post describes that process.
My Windows SSH setup consisted of:
Setting up this workflow was relatively straightforward thanks to Amazon's excellent documentation. The one extension I made to the process was to store the keys on Wuala without key-specific passwords. Wuala provided several advantages:
- AES-256 client-side encryption (see Wuala's security documentation)
- Cloud backup and syncing across machines
- File system integration
Wuala's encryption allowed me to forgo key-specific passwords. The cloud backup protects me from client-side failures. With the file system integration, I could simply save SSH connection parameters in PuTTY pointing to the key file in Wuala. The keys are a useless encrypted blob until I log into Wuala, then the SSH connections Just Work. Combined with pinning PuTTY configurations to the start menu, this makes for a very convenient setup.
There were two main disadvantages to this arrangement. First, Wuala's file system integration is not great. It generally has to be run with admin privileges to work at all, and even then it mysteriously fails occasionally. Second, it requires you to trust Wuala/LaCie with your unencrypted SSH keys (see related discussion on Hacker News). With those caveats, I was quite happy and productive with this setup.
Target OS X Workflow
SSH is generally easier on OS X than Windows 7 because OS X is substantially more Unix-like. This is one of the main reasons I decided to move to the Mac in the first place - I wanted my local environment to more closely resemble the remote Linux machines I work with. On OS X you can use foundational Free Software directly:
- OpenSSH for SSH sessions
- OpenSSL for key management and file transfer (via
- Local filesystem + per-key passwords for secure key storage
- OS X Keychain for key passwords
- Wuala for key backup
The biggest change here is the move from PuTTY to OpenSSH/OpenSSL. I wanted to keep using Wuala to securely store my keys, but unfortunately the Wuala client's file system integration is even more broken on OS X than it is on Windows. My solution is to instead rely on native capabilities: use a password for each SSH key and store those passwords in Keychain. This is actually more convenient than Wuala because I only have to log into OS X to access the key passwords, whereas before I had to log into both Windows and Wuala. A backup copy of the keys is still stored in Wuala, but it's not used day-to-day.
Download Original Keys
Log into the Wuala client and download the keys to the Desktop. From there, move each of them into the .ssh directory with the mv terminal command:
$ mv $HOME/Desktop/mykey.pem $HOME/.ssh
The Wuala client makes it difficult to download the keys directly to $HOME/.ssh because this directory is generally hidden from Finder. Note that we're working with .pem formatted keys, rather than PuTTY's .ppk format; if you only have .ppk you'll need to convert them. Also note the use of the $HOME environment variable as shorthand for
Secure the Key
mykey.pem is now outside of Wuala's protective encryption, so we need to secure it with a password. You can't actually add a password to an existing key, so we're going to make a password-protected copy of the key and securely delete the original. (HT fajran)
Make a New Password-protected Key
OpenSSL has a lot of utilities for working with key files, including one for this situation:
openssl rsa -in mykey.pem -des3 -out mykey_pwd.pem
OpenSSL will ask for a password and confirmation. Choose a strong password and remember it - it's not stored in Keychain yet.
Delete the Original Key
We don't want the unencrypted mykey.pem sitting around on the file system, so we have to delete it. While you could use the rm command to remove it from the command line, it's better to use Finder's Secure Empty Trash feature:
- Open $HOME/.ssh in the Finder using Go to Folder... (HT robg).
- Select mykey.pem and send it to the trash.
- Empty the trash using Secure Empty Trash...
Using Secure Empty Trash ensures that the key information is really, truly, deleted from your machine.
Set Permissions for the Key File
With the encrypted key available in $HOME/.ssh, you'd expect to simply start up an SSH connection, get prompted for the password and get to work:
ssh -i $HOME/.ssh/mykey_pwd.pem email@example.com
Unfortunately this produces a scary error:
WARNING: UNPROTECTED PRIVATE KEY FILE!
The solution is to change the permissions on mykey_pwd.pem so it is only accessible by your user. This is done with a simple chmod command:
$ chmod 0400 $HOME/.ssh/mykey_pwd.pem
The 0400 mode instructs chmod to "Allow read by owner" for the specified file.
Run the ssh command again, and Keychain will pop up asking for the password for the private key. Enter the password you chose earlier and select "Remember password in my keychain."
The connection should go through without any further fuss.
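The steps above, collected into a small POSIX shell script as an added example (this is not code from the original post). It assumes an RSA key in PEM form and that openssl and ls are on the path; the file names and the passphrase are placeholders. The post's openssl command uses -des3; the example passes -aes256 instead, which openssl rsa also accepts and which is the stronger choice today. The script also checks the permission bits the way ssh does before it complains about an unprotected key, and verifies that the passphrase-protected copy actually decrypts before the plaintext original is removed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh, openssl and ls.
# All file names and the passphrase used in secure_key are placeholders.
set -eu

# Return 0 when FILE is readable only by its owner (no group/other bits set),
# which is the condition ssh enforces before it will load a private key.
key_mode_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other columns of "-rw-r--r--"
    [ "$perms" = "------" ]
}

# Write a passphrase-protected copy of IN to OUT. The post uses -des3; -aes256
# is the stronger cipher and is accepted by the same openssl rsa command.
# The subshell keeps umask 077 local so the new file is owner-only from birth.
encrypt_key() {
    in=$1; out=$2; pass=$3
    ( umask 077; openssl rsa -in "$in" -aes256 -passout "pass:$pass" -out "$out" 2>/dev/null )
    chmod 0400 "$out"
}

# Return 0 if FILE decrypts with PASS, non-zero otherwise. Run this before
# deleting the unencrypted original so a typo in the passphrase cannot lock you out.
verify_key() {
    openssl rsa -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Full migration for one key: encrypt, verify, remove the plaintext, and confirm
# the result has the 0400-style permissions ssh expects. Prints the new path.
secure_key() {
    in=$1; pass=$2
    out="${in%.pem}_pwd.pem"
    encrypt_key "$in" "$out" "$pass"
    verify_key "$out" "$pass"
    rm -f "$in"        # plain rm does not scrub the disk blocks; see note below
    key_mode_ok "$out"
    echo "$out"
}

# Usage (placeholder names): secure_key "$HOME/.ssh/mykey.pem" 'correct horse battery staple'
```

Passing the passphrase as a pass: argument is convenient for scripting but exposes it to other users through the process list; for interactive use, drop -passout and let openssl prompt, as the post does. Plain rm, like moving a file to the trash, only unlinks the file and does not scrub the underlying blocks, and on an SSD the post's Secure Empty Trash cannot guarantee that either, which is one more reason never to leave the unencrypted key on disk longer than the few seconds this script needs.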