Detour: SSH Permissions

SSH keys on fresh computers

My trusty Dell xps13 from about a decade back stopped charging the other day (maybe more on that later if I ever figure out the reason) so I’ve had to migrate to my Thinkpad x230. As interesting a technology as it is, I still find QubesOS unwieldy as a daily driver. I’d like to revisit it in the future, but for the moment I decided to overwrite it with Manjaro with the Sway window manager preinstalled. It’s beautiful and works intuitively out of the box.

With everything more or less set up, I needed to get my ssh keys onto this device in order to access my git repositories hosted on gitlab, so that I could, say, work on this blog from this new installation. Every time I’ve done this before I’ve had to look up what permissions to set on my private keys, what to add to my config file, etc. Never again (at least, I’ll look it up here instead).

Suppose the private and public key you use to access gitlab are called my_key and my_key.pub, respectively. By default they should be in ~/.ssh, though you can point ssh at any other directory. Having the keys in the ~/.ssh directory isn’t enough to log into gitlab, however. If you try with verbose output, you see that ssh only attempts the default key names:

ssh -Tvvv git@gitlab.com

---Output---
...
debug1: Will attempt key: /home/<user>/.ssh/id_rsa 
debug1: Will attempt key: /home/<user>/.ssh/id_ecdsa 
debug1: Will attempt key: /home/<user>/.ssh/id_ecdsa_sk 
debug1: Will attempt key: /home/<user>/.ssh/id_ed25519 
debug1: Will attempt key: /home/<user>/.ssh/id_ed25519_sk 
debug1: Will attempt key: /home/<user>/.ssh/id_xmss 
debug1: Will attempt key: /home/<user>/.ssh/id_dsa
...

You can explicitly tell ssh to use my_key to log into gitlab via ssh’s config file, which by default is ~/.ssh/config. Add these lines:

Host gitlab.com
	HostName gitlab.com
	IdentityFile ~/.ssh/my_key

The Host line is the pattern that the hostname you type (i.e. blahblah@gitlab.com) is matched against, HostName is the host ssh actually connects to (the same here), and IdentityFile points to the key ssh uses to log into anything matching that pattern. (Some resource on the web told me to write IdentityFile ~/.ssh/my_key.pub instead, but that’s nonsense: the official docs say that IdentityFile “Specifies a file from which the user’s identity key is read when using public key authentication”, where the identity key is “a private key that is used in SSH for granting access to servers.”)

Finally, the private key needs fairly restrictive permissions or ssh will refuse to use it (it warns that the private key file is unprotected and its permissions are too open). Set the private key to 600 permissions with chmod 600 ~/.ssh/my_key.
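As an added example (not code from the original post), here is a small POSIX shell script that checks whether a private key such as ~/.ssh/my_key, its public half, the config file and the ~/.ssh directory have permissions ssh will accept, and can apply the fixes; it assumes GNU or BSD stat is available and that the key sits in the same directory as the config file, as in the post.

```sh
#!/bin/sh
# Added example, not code from the original post: verify (and optionally
# fix) the permissions ssh expects on a private key, its public half, the
# config file and the ~/.ssh directory. Assumes GNU or BSD stat.

# Print the octal permission bits of a path (GNU stat, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed when mode $1 has none of the bits in octal mask $2 set.
bits_clear() {
    [ $(( 0$1 & 0$2 )) -eq 0 ]
}

# Report every permission problem around private key $1; return 0 if none.
check_ssh_key() {
    key="$1"; dir=$(dirname "$key"); status=0
    [ -f "$key" ] || { echo "missing private key: $key"; return 1; }
    # ssh refuses a private key readable or writable by group/other
    # ("Permissions ... are too open"), hence the post's chmod 600.
    if ! bits_clear "$(mode_of "$key")" 077; then
        echo "$key is group/world accessible (want 600)"; status=1
    fi
    # The public half may stay world-readable; it just has to be there.
    [ -r "$key.pub" ] || { echo "$key.pub missing or unreadable"; status=1; }
    # ssh also rejects a config file writable by group/other
    # ("Bad owner or permissions"), so check it when present.
    if [ -f "$dir/config" ] && ! bits_clear "$(mode_of "$dir/config")" 022; then
        echo "$dir/config is group/world writable (want 600)"; status=1
    fi
    # The directory itself is conventionally kept private (700).
    if ! bits_clear "$(mode_of "$dir")" 077; then
        echo "$dir is group/world accessible (want 700)"; status=1
    fi
    return "$status"
}

# Apply the post's chmod 600 to the key plus the conventional modes around it.
fix_ssh_perms() {
    key="$1"; dir=$(dirname "$key")
    chmod 700 "$dir" && chmod 600 "$key" || return 1
    [ -f "$key.pub" ] && chmod 644 "$key.pub"
    [ -f "$dir/config" ] && chmod 600 "$dir/config"
    return 0
}
```

Source the file and run check_ssh_key ~/.ssh/my_key to list problems, or fix_ssh_perms ~/.ssh/my_key to set the modes.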

After all that, ssh -T git@gitlab.com should respond happily.