Cyber Security

Secure SSH Keys in Web Interfaces

TL;DR

Web interfaces such as GitLab, GitHub and Bitbucket only ever need the *public* half of an SSH key pair; the private key stays on the machine that runs ssh. Paste only the contents of a .pub file into the service's key settings, use a dedicated deploy key when a single repository or an automated job needs access, forward your local ssh-agent instead of copying a private key to any remote host you work from, protect your personal key with a passphrase or a FIDO2 security key, and turn on MFA for the web login itself.

How to Secure Your SSH Keys

  1. Never Paste the Private Key: The SSH key settings of GitHub, GitLab or Bitbucket expect the contents of the public key file (for example ~/.ssh/id_ed25519.pub, a single line that starts with the key type such as ssh-ed25519). The biggest mistake is pasting the private key file instead, the block beginning with -----BEGIN OPENSSH PRIVATE KEY-----. If that happens, treat the key as compromised: delete it from the service and generate a new pair, because the private key has now been sent to a third party and may survive in request logs or browser history.
  2. Use SSH Agent Forwarding Instead of Copying Keys to Remote Hosts:
    • If you push or pull from a remote host (a development box, jump host or runner you log in to), do not copy your private key there. Agent forwarding lets that host authenticate to the git service with the key held by ssh-agent on your local machine; the private key never leaves it.
    • Enable forwarding for that one connection:
      ssh -A user@server
    • Caveat: while you are connected, root on that host (or anyone who can reach the forwarded agent socket) can use your key to authenticate as you, although they cannot extract it. Use -A only on hosts you trust, prefer a per-host entry in ~/.ssh/config to a global ForwardAgent yes, and where the remote host is only a stepping stone, a ProxyJump configuration avoids exposing the agent there at all. The web interface itself has no agent-forwarding setting; forwarding is purely between your machine and the remote host.
  3. Deploy Keys (For Specific Repositories):
    • A deploy key is an SSH public key attached to a *single* repository rather than to a user account. On GitHub and GitLab deploy keys are read-only by default and can be granted write access explicitly; keep them read-only unless the job must push. A leaked deploy key exposes only that repository, not everything your account can reach.
    • Generate a new key pair just for that repository, with its own file name so it does not overwrite your personal key:
      ssh-keygen -t ed25519 -f ~/.ssh/deploy_example -C "deploy key for example repository"

      (Set a strong passphrase on any key a person uses interactively. A key used by unattended automation cannot type a passphrase, so protect that private key with file permissions and the CI system's secret store instead.)

    • Add the *public* key (~/.ssh/deploy_example.pub) to the repository's deploy key settings in the web interface. Never add the private key!
  4. Consider Passkeys and Hardware-Backed SSH Keys:
    • Passkeys are WebAuthn credentials stored on your phone, laptop or security key. They replace the *password* for signing in to the web interface; they do not replace SSH keys, because git over SSH still authenticates with an SSH key pair.
    • Where the service supports it, use a passkey for the web login, and generate your SSH key as an ed25519-sk key on a FIDO2 security key so the private key cannot be copied off the device. GitHub and GitLab accept these sk- public keys; check the service's documentation for the OpenSSH client version it requires.
  5. Restrict Key Permissions:
    • On your local machine, keep the private key readable only by you and the ~/.ssh directory closed to other users (use the file name of your own key):
      chmod 700 ~/.ssh
      chmod 600 ~/.ssh/id_ed25519
    • OpenSSH refuses to use a private key that other users can read, and the same permissions stop other local accounts from copying it. Public keys (.pub files) may stay world-readable.
  6. Regularly Review Registered Keys:
    • Periodically review the SSH keys listed in your account settings on the web interface and the deploy keys on each repository, and delete any you no longer use or do not recognise. GitHub and GitLab show when each key was last used, which makes stale keys easy to spot. Do the same for ~/.ssh/authorized_keys on servers you administer.
  7. Enable Multi-Factor Authentication (MFA):
    • Always enable MFA on your web interface account. SSH keys protect git over SSH; MFA protects the web login, which is where keys are added and removed, so the two are complementary.
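As an added example (not code from the original post), the POSIX shell script below implements pre-flight checks for the two mistakes the steps above warn about: pasting the private half of a key pair into a web form, and leaving a private key readable by other local users. The function and variable names are the author's own, and the sample keys and directory layout are constructed for the demonstration; they are not real key material.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks to run before handing
# SSH key material to a web interface (GitHub, GitLab, Bitbucket):
#   is_public_key            - is this text a single OpenSSH *public* key line?
#   check_private_key_perms  - is the private key on disk closed to other users?

# is_public_key: reads one candidate key from stdin and returns 0 only for a
# single OpenSSH public-key line of a known type. Anything containing
# "PRIVATE KEY" (PEM or OpenSSH private key blocks) is rejected outright.
# The sk-* types are FIDO2 hardware-backed keys (generated with -t ed25519-sk).
is_public_key() {
    key=$(cat)
    case $key in
        *"PRIVATE KEY"*) return 1 ;;
    esac
    # Exactly one line: a private key block or a whole authorized_keys file is not one key.
    [ "$(printf '%s\n' "$key" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    # <type> <base64 blob> [optional comment]
    printf '%s\n' "$key" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+={0,2}( [^[:space:]].*)?$'
}

# check_private_key_perms <file>: returns 0 when the key file is mode 600 and
# its directory is mode 700, i.e. neither is readable by other local users.
check_private_key_perms() {
    keyfile=$1
    keydir=$(dirname "$keyfile")
    [ -f "$keyfile" ] || return 1
    [ -n "$(find "$keyfile" -prune -perm 600)" ] || return 1
    [ -n "$(find "$keydir" -prune -perm 700)" ] || return 1
}

# --- Demonstration on constructed sample input (not real keys) ---
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHk0bXBsZUtleU1hdGVyaWFsTm90UmVhbDAwMDAwMDAw deploy-key-example-repo'
SAMPLE_PRIV='-----BEGIN OPENSSH PRIVATE KEY-----
Y29uc3RydWN0ZWQtbm90LWEtcmVhbC1rZXk=
-----END OPENSSH PRIVATE KEY-----'

if printf '%s\n' "$SAMPLE_PUB" | is_public_key; then
    echo "public key: safe to paste into the web interface"
fi
if ! printf '%s\n' "$SAMPLE_PRIV" | is_public_key; then
    echo "private key: REFUSED, never paste this anywhere"
fi

# Permission check against a throwaway directory laid out like ~/.ssh.
tmp=$(mktemp -d)
mkdir -m 700 "$tmp/ssh"
: > "$tmp/ssh/id_ed25519"
chmod 644 "$tmp/ssh/id_ed25519"
check_private_key_perms "$tmp/ssh/id_ed25519" && echo "perms ok" || echo "perms too open: run chmod 600 on the key"
chmod 600 "$tmp/ssh/id_ed25519"
check_private_key_perms "$tmp/ssh/id_ed25519" && echo "perms ok after chmod 600"
rm -rf "$tmp"
```

Pipe the text you are about to paste through is_public_key (for example from the clipboard tool of your desktop) and it will refuse a private key or a multi-line blob; run check_private_key_perms on each private key in ~/.ssh as part of a login script or a dotfiles check.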

Important Reminders

  • Never share your private key with anyone.
  • Be cautious about clicking links or downloading files from untrusted sources, as they could contain malware that steals SSH keys.
  • Keep your operating system and SSH software up to date to patch security vulnerabilities.