Ir para conteúdo principal
Lucas Caton

Why I regenerated my SSH key and maybe you should too

Lucas Caton

Lucas Caton

@lucascaton
security
I think we all agree it's a good practice to regenerate your SSH key from time to time. Not sure about you, but the first thing that comes to my mind when I think about that is: it'd take forever to replace my key in all servers I need to access, all online services that use my key, etc.
Overcoming my laziness, I decided at least to list those place it turned out it was a small list:
  • Servers
  • Github
  • BitBucket
Although now it looks more reasonable, I was still lazy to do it. But then I noticed that Github recommends the use of HTTPS instead of SSH for Git repositories syncs:
1
What does one thing have to do with another? Well, by using HTTPS, you don't need to upload your SSH key to Github (check this out: mine isn't longer at Github).
BitBucket also supports it, which means I'd be able to regenerate my SSH key without having to upload it again to these services.

Servers

What's left? Servers! From now on, every time I realise it's time to regenerate my SSH key, all I need to update are the servers. I ended up making a list of servers that I'd need to update and found out in the end it wasn't a big list and it'd be way easier than I thought it would.
Let's face the truth: I had been using the same SSH key in the last 5 years or so and it'd be totally worth it to ensure my security as well as the security of the projects from the company I work for.

Becoming safer

There's more! This is the interesting part of this post: I've changed other things that made everything even safer:
  • My new SSH key uses 4096 bits - recommended by Github - instead of the default (2048 bits).
  • As I mentioned before, I've changed all my local repositories to use HTTPS instead of SSH (see how in the end of this post).
  • I'm now using a personal access token rather than my Github password (you can create it here), along with two-factor authentication, which I was already using.
  • Cool, but would I need to type this token every time? Nope. There's a nifty tool called ssh-agent that can save your token. If you're using macOS, it's even easier: Keychain can save and encrypt your token for you.
  • My SSH key now has a passphrase, also saved encrypted on macOS's Keychain, which means I don't need to type it every time either.

HTTPS is faster!

According to some tests I made here, HTTPS is faster than SSH:
bash
# SSH
$ time git clone [email protected]:rails/rails.git
# 24.28s user 9.56s system 49% cpu 1:08.20 total
bash
# HTTPS
$ time git clone https://github.com/rails/rails.git
# 13.52s user 6.41s system 39% cpu 50.730 total

In order to use HTTPS in my Git repos, do I need to re-clone every project?

Nope. Just open .git/config file and replace:
bash
url = [email protected]:username/repo.git
with:
bash
url = https://github.com/username/repo.git

Conclusion

Regenerating your SSH key every now and then isn't as painful as you might think. I'd recommend doing it every 3 years or even less if you're paranoic or you work on something critic.

Post atualizado em 02/10/2017, 10:00:00