SSH: Temporary Keys for Secure Access

TL;DR

Creating temporary SSH key pairs adds a layer of security by limiting the lifespan of credentials used to connect to remote servers. This reduces the risk if a key is compromised. Here’s how to do it.

Generating Temporary SSH Keys

1. Check for ssh-keygen: Most Linux and macOS systems have this tool pre-installed. Open your terminal and type:

   ssh-keygen -t rsa

   If it’s not found, you may need to install the OpenSSH client package (e.g., sudo apt install openssh-client on Debian/Ubuntu).

2. Generate a key with a short validity: Use the -f option to specify a filename and the -t rsa option for RSA keys. The important part is using the -v flag to set a validity period.

   ssh-keygen -t rsa -f ~/.ssh/temp_key -N "" -v +1h

   This creates a key named temp_key in your .ssh directory that will expire after one hour (+1h). The -N "" part sets an empty passphrase (for simplicity, but consider using a passphrase for increased security).

3. Set appropriate permissions: Ensure the key file has restricted access.

   chmod 600 ~/.ssh/temp_key

4. Connect to the server: Use the generated key when connecting with SSH.

   ssh -i ~/.ssh/temp_key user@server_address

   Replace user and server_address with your actual username and server address.

5. Verify connection: Once connected, confirm you’re using the temporary key (e.g., by checking authorized keys on the server).
6. Key Expiration & Automatic Removal (Optional): The key will automatically become unusable after its validity period expires. You can also manually remove it:

   rm ~/.ssh/temp_key

Benefits of Temporary Keys

• Reduced Attack Window: If a key is compromised, the attacker has limited time to use it.
• Improved Security Posture: Encourages good security practices by avoiding long-lived credentials.
• Automation Friendly: Easily scriptable for automated tasks requiring temporary access.

Important Considerations

• Passphrases: While the example uses an empty passphrase, always consider using a strong passphrase to protect your key even during its short lifespan.
• Key Management: Keep track of generated keys and their expiration times.
• Authorized Keys: Be careful when adding temporary keys to authorized_keys files on servers. Consider automated management tools for larger deployments.