Sharing Host SSH Keys with Embedded Platforms
As embedded platforms grow in capability, it is increasingly common to develop natively on the board itself. SSH agent forwarding allows developers to use their SSH keys from different machines without copying the private keys to those machines. This technique is particularly useful with embedded platforms, which are typically shared by multiple developers.
The Challenge with SSH Key Management
Working with services like GitHub or GitLab requires an SSH key to be associated with the account for operations like pushing commits. While there are alternatives, they come with their own set of issues:
- Personal Access Tokens (PATs):
  - They are bearer secrets: anyone who obtains the token can use it, so they are less secure if not handled carefully.
  - They are easily lost or forgotten and then have to be regenerated, which adds overhead.
- Creating New Keys on Each Embedded Platform:
  - This is insecure, especially when the board is shared among multiple users: anyone else with access to the board, or to its storage, can copy the private key.
Understanding SSH Agents
SSH agents act as key managers that hold private SSH keys in memory, eliminating the need to enter a passphrase for every operation involving the SSH key.
How to Start an SSH Agent
To start an SSH agent on your host machine, open a terminal and execute:
eval "$(ssh-agent -s)"
To add your SSH private key to the agent, use:
ssh-add ~/.ssh/id_rsa
After this, the private key is held in the agent's memory and is available to every SSH operation started from that session, without the passphrase being asked again.
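The host-side setup above, with the limits a practitioner adds when the agent is going to be forwarded to a shared board, as an added example that is not part of the original post. It loads the key with ssh-add -t (the agent drops the key after a lifetime) and ssh-add -c (the agent asks for confirmation on the host before each use, which requires an askpass program such as ssh-askpass to be installed), and it enables forwarding only for the board's Host alias in ~/.ssh/config, which is the same as passing -A on the command line but cannot be forgotten. The alias board, the address 192.0.2.10, the user dev, the key path and the 8-hour lifetime are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): host-side agent setup with a
# key lifetime, per-use confirmation, and forwarding scoped to one host.
# Assumed placeholders: key path, lifetime, alias "board", 192.0.2.10, "dev".

KEY="${KEY:-$HOME/.ssh/id_rsa}"
LIFETIME="${LIFETIME:-8h}"

# Start an agent only if none is reachable through SSH_AUTH_SOCK.
# ssh-add -l exits 2 when it cannot contact the agent; 0 or 1 mean it is alive.
ensure_agent() {
    if [ -n "${SSH_AUTH_SOCK:-}" ]; then
        ssh-add -l >/dev/null 2>&1
        [ $? -ne 2 ] && return 0
    fi
    eval "$(ssh-agent -s)" >/dev/null
}

# -t: the agent forgets the key after LIFETIME, so a forgotten session on
#     the board cannot use it indefinitely.
# -c: the agent asks for confirmation (via ssh-askpass) before each use, so
#     a remote party on the board cannot sign with the key unnoticed.
add_key_limited() {
    ssh-add -t "$LIFETIME" -c "$KEY"
}

# Write a Host stanza enabling agent forwarding for one alias only.
# ssh uses the first value obtained for an option, so the specific stanza is
# put at the TOP of the file, ahead of any "Host *" block that may set
# "ForwardAgent no". Idempotent: a second run leaves the file unchanged.
# $1 = ssh config file, $2 = alias, $3 = real hostname/IP, $4 = remote user
scope_forwarding() {
    cfg="$1"; alias="$2"; host="$3"; user="$4"
    if [ -f "$cfg" ] && grep -q "^Host $alias\$" "$cfg"; then
        return 0
    fi
    tmp="$cfg.tmp.$$"
    {
        printf 'Host %s\n' "$alias"
        printf '    HostName %s\n' "$host"
        printf '    User %s\n' "$user"
        printf '    ForwardAgent yes\n\n'
        if [ -f "$cfg" ]; then cat "$cfg"; fi
    } > "$tmp" && mv "$tmp" "$cfg"
    chmod 600 "$cfg"
}

# Usage: sh host-setup.sh setup
# The guard keeps the file safe to source or run without arguments.
if [ "${1:-}" = "setup" ]; then
    ensure_agent
    add_key_limited
    scope_forwarding "$HOME/.ssh/config" board 192.0.2.10 dev
    ssh board   # equivalent to: ssh -A dev@192.0.2.10
fi
```

Why bound the exposure at all: while you are connected with forwarding enabled, anyone who can read the agent socket on the board (root in particular) can ask your host's agent to sign with your keys; the lifetime and the confirmation prompt limit what that access is worth, and scoping ForwardAgent to the board keeps other hosts from ever seeing the agent.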
Forwarding SSH Keys to Embedded Platforms
With SSH agent forwarding, the embedded platform can use your host's SSH keys without the private keys ever being copied to the platform: the SSH client on the board sends its signing requests back to the agent running on your host. This is particularly useful for operations that require SSH authentication, such as git operations with repositories on GitHub or GitLab.
Steps to Forward SSH Keys
Enable SSH Agent Forwarding on Your Host:
When initiating an SSH connection to the embedded platform, use the -A option with the ssh command:
ssh -A user@embedded_platform
This flag tells SSH to forward the agent connection into the remote session.
Verify Connection on the Embedded Platform:
Once logged into the embedded platform, you can verify that the SSH agent forwarding works by listing the available SSH keys with:
ssh-add -l
If successful, you should see the keys from your host machine listed.
Perform Operations Requiring SSH Keys:
With SSH agent forwarding enabled, you can perform git operations or connect to other servers using the forwarded SSH keys just as you would from your host machine.
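A check for the verification step above, as an added example that is not from the original post. ssh-add -l on its own prints one of several messages; this script tells the cases apart and returns a distinct code for each, so it can be used from other scripts on the board. The exit codes of ssh-add it relies on (0 keys listed, 1 agent reachable but empty, 2 agent cannot be contacted) are documented in the ssh-add man page; the github.com default in verify_git_host is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): run on the embedded board after
# logging in, to diagnose why forwarded keys are or are not available.
#
# Return codes of agent_status:
#   0  forwarding works and the host's keys are available
#   1  agent reachable but holds no keys (nothing was ssh-add'ed on the host)
#   2  SSH_AUTH_SOCK is unset: the login was made without -A / ForwardAgent
#   3  SSH_AUTH_SOCK names a path that is not a socket (stale value)
#   4  the socket exists but no agent answers on it
agent_status() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "no agent socket in the environment: reconnect with ssh -A"
        return 2
    fi
    if [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK is not a socket: stale value"
        return 3
    fi
    ssh-add -l >/dev/null 2>&1
    case $? in
        0) echo "forwarded agent reachable, keys available"; return 0 ;;
        1) echo "agent reachable but holds no keys: run ssh-add on the host"; return 1 ;;
        *) echo "socket present but the agent does not answer"; return 4 ;;
    esac
}

# Optional end-to-end check against a git host (assumed default: github.com).
# GitHub closes the session right after greeting you, so the exit status is
# non-zero even when authentication succeeded; read the first line instead.
verify_git_host() {
    ssh -o BatchMode=yes -T "git@${1:-github.com}" 2>&1 | head -n 1
}

# Usage: sh board-check.sh
if [ "${1:-}" = "check" ]; then
    agent_status && verify_git_host
fi
```

Code 2 is the one seen most often on a shared board: the user reconnected from a different terminal without -A. Code 3 appears when a shell was detached (for example under screen or tmux) and outlived the SSH session that created its socket.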
Takeaways
- NEVER add SSH keys to a shared device.
- Reserve Personal Access Tokens for automated scripts, and give them only the minimal scopes they need.
- Use SSH agent forwarding instead :)