Posts Tagged ‘SSH’

Using multiple private keys with SSH

Friday, July 23rd, 2010

A couple of days ago I posted on how to set up a subversion server with ssh access. In that post, in the section about creating your private ssh key I said that if you already had an id_rsa or id_dsa file in your ~/.ssh directory not to go any further because the generation of a new private key file could over write it. This post explains how to cope with multiple private keys.

ssh uses ~/.ssh/identity as the default filename for the private key when using version 1 of the ssh protocol and it uses ~/.ssh/id_rsa and ~/.ssh/id_dsa as the default filenames for the RSA and DSA private keys when using version 2 of the ssh protocol. However there are several ways of changing this behaviour.

Command line

ssh allows you to provide a different identity/id file using the -i option on the ssh command line as follows:

$ ssh -i /path/to/id_rsa

Where id_rsa can be substituted with id_dsa or identity.

This is the simplest method. And when used in conjunction with a subversion client you can create a [tunnel] in the subversion configuration file like so:

ssh = ssh -i /path/to/identity_file

If you want to support different identity/id files create a new [tunnel] ‘alias’ for each identity file. You can also use the -p option if you want to specify a different port at the same time.

Config file – first method

Another method is to use the ssh config file. The global file is found in /etc/ssh/config however you can also provide config files on a per user basic in ~/.ssh. In the config file you can restrict declarations using the Host declaration. Per the man page:

   Restricts the following declarations (up to the next Host 
   keyword) to be only for those hosts that match one of the 
   patterns given after the keyword.  If more than one pattern 
   is provided, they should be separated by whitespace.  A 
   single `*' as a pattern can be used to provide global defaults 
   for all hosts.  The host is the hostname argument given on 
   the command line (i.e. the name is not converted to a 
   canonicalized host name before matching).

The declaration IdentityFile allows you to specify the private key file that ssh should use. By using Host and IdentityFile you can let ssh pick the identity/id file itself based upon the host name. The following example will pick ~/.ssh/id_dsa for any host other than and In those cases the specified private key files are used.

# General settings
IdentityFile ~/.ssh/id_rsa
IdentifyFile ~/.ssh/id_dsa
IdentityFile ~/.ssh/identity

IdentityFile ~/.ssh/my_specific_key_file

IdentityFile ~/.ssh/my_other_key_file

Note how the config file allows you to specify more than one file at once. When you do ssh will try each of the files in turn or as appropriate.

Config file – second method

The problem with the above method is that you have to keep adding new entries to the config file for new hosts. IdentityFile is actually very powerful and allows you to have wild cards in the path specification. The full man page definition says:

   Specifies a file from which the user's RSA or DSA 
   authentication identity is read.  The default is ~/.ssh/identity 
   for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa 
   for protocol version 2. Additionally, any identities 
   represented by the authentication agent will be used for 

   The file name may use the tilde syntax to refer to a user's 
   home directory or one of the following escape characters: 
   `%d' (local user's home directory), `%u' (local user name), 
    `%l' (local host name), `%h' (remote host name) or `%r' 
   (remote user name).

   It is possible to have multiple identity files specified in 
   configuration files; all these identities will be tried in 

So I have set up my config file as below. It basically tries ~/.ssh/idents/hostname/username/id_* first, then ~/.ssh/idents/hostname/id_*, then the defaults before giving up.

# SSH config file

IdentityFile ~/.ssh/idents/%h/%u/id_rsa
IdentityFile ~/.ssh/idents/%h/%u/id_dsa
IdentityFile ~/.ssh/idents/%h/id_rsa
IdentityFile ~/.ssh/idents/%h/id_dsa
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa

This allows me to support a new server/key file combination just by putting the key file in the appropriate place in the ~/.ssh without having to edit config files.

Setting up a subversion plus ssh server

Tuesday, July 20th, 2010

As someone who is a strong advocate of source control at work I’m actually quite bad at following what I preach. So this lunch time I decided to finally get around to setting up a Subversion server on my Linux server.


I am currently running Ubuntu 9.10 so installed subversion as follows:

$ sudo apt-get install subversion

If you don’t have ssh installed (why not?) install it similarly.

Users and groups

Once you have subversion and ssh installed you can set up the SVN server. Firstly you need to create a suitable users group, an admin user and a repository.

Create the group like so:

$ sudo groupadd -g 127 svnusers

The group id (127 above) needs to be unique so unless you know a free group id value check to see the last id used in the groups file as follows:

$ tail /etc/group

Then create an SVN admin user using useradd as below:

$ sudo useradd -c "SVN Admin" -u 2000 -g 127 -d /home/svnadmin -m -s /bin/bash svnadmin

Again the user id (2000 above) needs to be unique. This time look at /etc/passwd to find out the last id used. The group id (127 above) should be the same value as the group you created. The rest of the options tell useradd to create a home directory and to set the default shell to be bash.

Set the password for the SVN admin user like so:

$ sudo passwd svnadmin

Finally add any other users to the svnusers group by editing /etc/group and adding the additional users in a comma separated list on the end. For example:


Server setup

Now its time to create a repository. Firstly create the directory where all the repositories will be stored. I put mine in /var since my /var is on separate partition (to protect from disk full issues). However you can put them where you want. So create the directory and set the permissions as below:

$ mkdir -p /path/to/subversion/repositories
$ chown -R root.svnusers /path/to/subversion/repositories
$ chmod -R 770 /path/to/subversion/repositories

When using ssh, svnserve is used as the SVN server. svnserve requires the full path to repository to be provided by the client to access the repository. You may not want to expose your file system that much so you can write a small script to modify the behaviour. Use which to find out where svnserve is and rename it.

$ which svnserve
$ sudo mv /usr/bin/svnserve /usr/bin/svnserve.bin

Then using your favourite editor create the script below and save it under the old svnserve name.

exec /usr/bin/svnserve.bin -r /path/to/subversion/repositories "$@"

Finally set the execute permissions.

$ sudo chmod 755 /usr/bin/svnserve

Creating a project

Now its time to create a project. Change to the svnadmin user and enter the password.

$ su - svnadmin

Now create a project and turn off other access so that only members of the svnusers group and the admin user can access it.

$ svnadmin create /path/to/subversion/repositories/my_first_project
$ chmod -R o-rwx /path/to/subversion/repositories/my_first_project

Finally you need to configure the project’s access permissions by editing


In the [general] section uncomment or add:

anon-access = none
auth-access = write

Now save the file.


Now you should be able to access the svn repository from anywhere provided the user is in the svnusers group. Test as follows from a client.

$ svn list svn+ssh://

You will be asked for the ssh password for the machine running subversion. And that’s it. You should be able to use your project. You can add new projects using the svnadmin user.

Further tweaks

There a couple of additional things you may want to do. Firstly my subversion server is behind a firewall. The machine it is on is accessed using ssh on a different port to the default. Secondly keep being asked for the ssh password can become quite a pain. Using public key authentication does make things somewhat easier.

Using an alternative ssh port

Annoyingly SVN does not understand the ‘username@domain:port’ syntax. It doesn’t know what to do with the port. However you can use svn’s configuration files to create a custom ‘protocol’. This allows you to add support for an alternative port through the configuration file.

You client user should have a file


If not, create it. In it there should be a [tunnels] section. To that you can add a new ‘protocol’. I created sshhome as follows:

sshhome = ssh -q -p 1234

The -q option prevents the “Killed by signal 15” message that you see with some versions of subversion. You can then use sshhome instead of ssh as the protocol and it will use the specified port. E.g.

$ svn list svn+sshhome://

Public key authentication

Finally to save having to enter your password all the time you can create a public key and install it on the server. On the client change to the ~/.ssh directory. Now if there’s already a file in it called id_dsa or id_rsa STOP. I’m not sure how to support multiple keys yet and create a new key will over write these files. If all is well create a set of keys as below. Do not use an empty passphrase. It’s also good security not to use your password as the passphrase.

$ ssh-keygen -t dsa -C ""
Generating public/private dsa key pair.
Enter file in which to save the key (/Users/username/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/username/.ssh/id_dsa.
Your public key has been saved in /Users/username/.ssh/
The key fingerprint is:

Now you need to put the public key on to the server. Copy the file in to your home directory on the SVN server. You can use scp for that.

$ scp

Then log in to the SVN server and change to the ~/.ssh directory. In that directory add the public key to the file of authorized keys and set the permissions. Then delete the public key file. See below:

$ cat  >> ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ rm

And that should be it. Try listing your project directory again. This time for the first time it will ask you for your password but then it will only ask for the password infrequently.