How to use your Comodo e-mail key for work with SSH

I was recently reading about a great new @substack npm package for sending and receiving encrypted messages. The package automatically looks on GitHub for the public key of anyone registered there and uses that. Neat trick.

That got me thinking about how to verify whom you're sending a message to and how they can verify who you are. You can add a self-signed key to your GitHub account, but no one knows that it is actually you except you. I use a Comodo e-mail key for my work and personal e-mails and wondered if there was a way to use that, since Comodo is saying it's me.

Note: I know – they don't verify my identity beyond sending to my e-mail, but it's something at least, and a third party can check the key chain, so it's not totally without value.

One nice thing about this is that I now have a semi-permanent public key that I can post online and use for logging into the servers I manage. I think this is good. I may be convinced otherwise if I am making some security faux pas.

So without further ado, here are the instructions for using a Comodo key as your key for more than just e-mail.

Go to Comodo and get your free key.

Update: Step by step notes on that process and how it works.

Once you import this into your key store, export it to a P12 file (with a really secure password, please!) – and BACK IT UP 🙂

Now convert your shiny new e-mail cert to an SSH private key.

Note: I worked this out on OS X – I haven't tried all the steps on Linux or Windows yet.

Copy your myemail@someserver.com.p12 file to your ~/.ssh directory.

Now open a terminal and cd into your ~/.ssh directory.

Run this command:

openssl pkcs12 -in myemail\@someserver.com.p12 -nocerts -nodes | openssl rsa > id_rsa

This gives you a new private key file in RSA (PEM) format, which ssh can use.

Now you have to correct the permissions on that file, since ssh refuses to use a private key that other users can read. Run this command:

chmod 600 id_rsa

Next, run the following command to extract the public key – which you can put on your remote servers to log in securely:

ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

If you only have one identity, this is all you need to do.
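To see what the id_rsa.pub line produced above actually contains, here is an added example of my own (not code from the original post or from any of the tools it mentions): it builds the OpenSSH ssh-rsa public key line and the SHA256 fingerprint that ssh-keygen -lf prints from an RSA modulus n and exponent e, and parses a .pub line back so you can check that two key files belong to the same key. It uses only the Python standard library; the n and e values in the demo are constructed toy numbers, not a real key.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian, with a leading 0x00 when the top bit is set."""
    if value == 0:
        return ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def ssh_rsa_blob(n: int, e: int) -> bytes:
    """The binary key blob that is base64-encoded inside an id_rsa.pub line."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def openssh_public_line(n: int, e: int, comment: str) -> str:
    """Format the line ssh-keygen -y writes: key type, base64 blob, comment."""
    return "ssh-rsa " + base64.b64encode(ssh_rsa_blob(n, e)).decode() + " " + comment

def parse_openssh_public_line(line: str):
    """Decode a .pub line back to (e, n); rejects anything but ssh-rsa."""
    key_type, b64 = line.split()[:2]
    blob, fields, pos = base64.b64decode(b64), [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if key_type != "ssh-rsa" or fields[0] != b"ssh-rsa" or len(fields) != 3:
        raise ValueError("not an ssh-rsa public key line")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

def sha256_fingerprint(line: str) -> str:
    """The fingerprint ssh-keygen -lf prints: SHA256 of the blob, base64, no '='."""
    digest = hashlib.sha256(base64.b64decode(line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def same_key(line_a: str, line_b: str) -> bool:
    """True when two .pub lines carry the same RSA key, whatever the comment."""
    return parse_openssh_public_line(line_a) == parse_openssh_public_line(line_b)

if __name__ == "__main__":
    # Constructed toy values (n = 61 * 53); a real key has a 2048-bit or larger n.
    demo = openssh_public_line(3233, 17, "myemail@someserver.com")
    print(demo, sha256_fingerprint(demo))
```

With your own key, ssh-keygen -lf ~/.ssh/id_rsa.pub should print the same fingerprint that sha256_fingerprint gives for that file's line.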

Multiple Identities

If you have more than one identity – say a personal e-mail address and a work e-mail address – and you want to log in to both from your main computer, here are the directions:

First, back up what you have done so far.

Next, rename the files above to something that makes sense, e.g.:

mv id_rsa myemail_myserver_id_rsa
mv id_rsa.pub myemail_myserver_id_rsa.pub

Now follow the instructions above to create a new Comodo cert for your other e-mail, convert the new cert to an id_rsa and id_rsa.pub, and rename them like so:

mv id_rsa myotheremail_myserver_id_rsa
mv id_rsa.pub myotheremail_myserver_id_rsa.pub

Next, you have to tell ssh which identity to use when logging into your servers.

Modify your /etc/ssh/ssh_config (Linux) or /etc/ssh_config (OS X) to add the following lines (the per-user ~/.ssh/config works too and does not need root):

Host friendly-name-myemail
HostName long.and.cumbersome.server.name
IdentityFile ~/.ssh/myemail_myserver_id_rsa
User username-on-remote-machine

Host friendly-name-myotheremail
HostName long.and.cumbersome.other.server.name
IdentityFile ~/.ssh/myotheremail_myserver_id_rsa
User username-on-other-remote-machine

## This line should have the default identity file you want to send
Host *
SendEnv LANG LC_*
IdentityFile ~/.ssh/myemail_myserver_id_rsa

NOTE: you will only need the "User" line (#4) if you have multiple identities on the server you are trying to log in to with the same ssh key.

Now you can log in using the friendly name from the matching Host block, e.g.:

ssh friendly-name-myemail

Publishing your (PUBLIC) key

The last tip is about publishing your public key so that people can find it on the internet and send you encrypted messages. I am going to use GitHub as an example here because of @substack's (James Halliday) great npm package cipherhub for sending and receiving encrypted messages. The package automatically looks on GitHub for the public key of anyone registered there and uses that. Neat trick. I also noted that @tjholowaychuk has written a shell script version.

Find them both here

So basically, take your shiny new public key and add it to GitHub (or your blog, or some other public place so people can find it and send you secure messages). I think you need to

If you don't have a GitHub account, here are some other places to publish your key which you can then link to, e.g.:

The PGP Global Directory

Many thanks to these users' questions and answers for tips.

How to get the private key converted:

How to get the public key out of the private key:

How to setup multiple identities: