Sharing Host SSH Keys with Embedded Platforms

From RidgeRun Developer Wiki
As embedded platforms grow in capability, it is not uncommon to develop natively on the board itself. SSH agent forwarding lets developers use their SSH keys on other machines without copying the private keys to those machines. This is particularly useful with embedded platforms, which are typically shared by several developers.

The Challenge with SSH Key Management

Working with services like GitHub or GitLab requires an SSH key to be associated with the account for operations like making commits. While there are alternatives, they come with their own set of issues:

  • Personal Access Tokens (PATs):
    • They can be less secure if not handled properly.
    • They are easy to forget and require regeneration, which adds to the overhead.
  • Creating New Keys on Each Embedded Platform:
    • This approach is insecure, especially when the embedded board is shared among multiple users, increasing the risk of key exposure.

Understanding SSH Agents

SSH agents act as key managers that hold private SSH keys in memory, eliminating the need to enter a passphrase for every operation involving the SSH key.

How to Start an SSH Agent

To start an SSH agent on your host machine, open a terminal and execute:

eval "$(ssh-agent -s)"

To add your SSH private key to the agent, use:

ssh-add ~/.ssh/id_rsa

TIP!

Start your ssh agent automatically with every session by adding the following to your shell init script (~/.bashrc, ~/.zshrc, etc.):

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa

Alternatively, run ssh-add without specifying a key; it then adds all of your default keys to the agent.

eval "$(ssh-agent -s)"
ssh-add

This setup keeps your SSH keys only in the agent's memory, where they are available for SSH operations without re-entering the passphrase.

Forwarding SSH Keys to Embedded Platforms

SSH agent forwarding can be used to securely use your host's SSH keys on an embedded platform without physically copying the keys to the platform. This is particularly useful for operations that require SSH access, such as git operations with repositories on GitHub or GitLab.

Note

DON'T WORRY!

Your host's private keys never leave your machine: the board only gets access to the forwarded agent socket for the duration of the current SSH session, and nothing is stored on it. The one caveat is that while the session is open, anyone who can access that socket on the board (root, for instance) can use your agent to sign with your keys, so close the session when you are done.

Steps to Forward SSH Keys

Enable SSH Agent Forwarding on Your Host:

When initiating an SSH connection to the embedded platform, use the -A option with the ssh command:

ssh -A user@embedded_platform

This flag tells SSH to forward the SSH agent connection.

TIP!

If you keep common hosts in an SSH configuration file such as ~/.ssh/config, add the option "ForwardAgent yes" to that host's entry to enable agent forwarding without modifying your ssh <host> command. For example:

Host nx
   HostName 192.168.0.21
   User nvidia
   ForwardAgent yes

And then just run as usual:

ssh nx

Verify Connection on the Embedded Platform:

Once logged into the embedded platform, you can verify that the SSH agent forwarding works by listing the available SSH keys with:

ssh-add -l

If successful, you should see the keys from your host machine listed.
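What ssh-add -l does over that forwarded socket, as an added Python example that is not from the RidgeRun wiki: it speaks the ssh-agent protocol directly to the socket named by SSH_AUTH_SOCK and lists the key type and comment of each identity the host agent holds. The sample answer bytes and the comment dev@host are constructed for this example.

```python
import os
import socket
import struct

# Message numbers from the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12

def _string(b):
    # Encode bytes as an SSH "string": uint32 big-endian length, then the bytes.
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    # Decode one SSH "string" from buf at offset off; return (bytes, new offset).
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_identities_answer(msg):
    # SSH_AGENT_IDENTITIES_ANSWER: type byte, uint32 count, then per key a public-key
    # blob string (which starts with the key-type string) and a comment string.
    if not msg or msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("agent did not return an identities answer: %r" % msg[:1])
    (nkeys,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(nkeys):
        blob, off = _read_string(msg, off)
        comment, off = _read_string(msg, off)
        key_type, _ = _read_string(blob, 0)
        keys.append((key_type.decode(), comment.decode(errors="replace")))
    return keys

def list_forwarded_identities(sock_path=None):
    # On the board, sshd points SSH_AUTH_SOCK at the forwarded socket for this
    # session; if it is unset, agent forwarding is not active.
    sock_path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not sock_path:
        raise RuntimeError("SSH_AUTH_SOCK is not set: agent forwarding is not active")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        # Every agent message is framed as an SSH "string" holding type + payload.
        s.sendall(_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
        f = s.makefile("rb")
        (length,) = struct.unpack(">I", f.read(4))
        return parse_identities_answer(f.read(length))

# Constructed sample answer (placeholder key bytes, not a real key): one ed25519 identity.
SAMPLE_ANSWER = (bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                 + _string(_string(b"ssh-ed25519") + _string(b"\x00" * 32))
                 + _string(b"dev@host"))
```

Calling list_forwarded_identities() inside the forwarded session returns the same identities ssh-add -l prints; calling it from a shell where SSH_AUTH_SOCK is unset raises instead, which is the quickest way to tell that forwarding is not active.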

Perform Operations Requiring SSH Keys:

With SSH agent forwarding enabled, you can perform git operations or connect to other servers using the forwarded SSH keys just as you would from your host machine.

Takeaways

  • NEVER add SSH keys to a shared device.
  • Leave Personal Access Tokens for automated scripts and use them with minimal scope permissions.
  • Use SSH agent forwarding instead :)