How to use your Comodo e-mail key for work with SSH

I was recently reading a great new @substack  npm package for sending and receiving encrypted messages. The package automatically looks on github for the public key for anyone registered there and uses that. Neat trick.

That got me thinking about how to verify who your sending a message to and how they can verify who you are.   Adding a self-signed key to your Github account but no-one knows that is actually you except you.  I use  Comodo e-mail key for my work and personal e-mails and wondered if there was way to use that since Comodo is saying its me.

Note: I know – they don’t verify my identity beyond sending to my e-mail but its something at least and a third party can check the key chain so its not totally without value.

One nice thing about this is that I now have a semi permanent public key that I can post online and use for logging into the servers I manage.  I think this is good.  I may be convinced otherwise if I am making some security faux-pa.

So without further ado, here are the instructions for using a Comodo key as your key for more than just e-mail.

Go to Comodo and get your free key.

Update: Step by step notes on that process and how it works.

Once you import this into your key store, export it to your P12 file (with a really secure password please! ) – and BACK IT UP 🙂

Now convert your shiny new email cert to a ssh private key.

Note: I worked this out on OSX – I haven’t tried all the steps on linux or windows yet.

Copy your myemail@someserver.com.p12 file to your ~.ssh directory.

Now open a terminal and cd into your ~.ssh directory

Run this command

openssl pkcs12 -in myemail\@someserver.com.p12 -nocerts -nodes | openssl rsa > id_rsa

This gives you a new private key file in rsa ssh format

Now you have to correct the access on that file.  Run this command

chmod 600 id_rsa

Next run the following command to extract the public key – which you can put on your remote servers to login securely

ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

If you only have one identity, this is all you need to do

Multiple Identities

If you have more than one identity – say a personal email address and a work email address and you want to login to both from your main computer – here are the directions:

First backup what you have done so far.

Next you are going to rename the above files to something that makes sense eg:

mv id_rsa myemail_myserver_id_rsa
mv id_rsa.pub myemail_myserver_id_rsa

Now follow the above instructions to create a new comodo cert for your other email, convert the new cert to an id_rsa and id_rsa.pub and rename them as so:

mv id_rsa myotheremail_myserver_id_rsa
mv id_rsa.pub myotheremail_myserver_id_rsa

Next you have to tell ssh which identity to use when logging into your servers.

Modify your /etc/ssh/ssh_config (linux) or /etc/ssh_config (osx) to add the following lines

Host friendly-name-myemail
HostName long.and.cumbersome.server.name
IdentityFile ~/.ssh/myemail_myserver_id_rsa
User username-on-remote-machine

Host friendly-name-myotheremail
HostName long.and.cumbersome.other.server.name
IdentityFile ~/.ssh/myotheremail_myserver_id_rsa
User username-on-other-remote-machine

## This line should have the default identity file you want to send
Host *
SendEnv LANG LC_*
IdentityFile ~/.ssh/myemail_id_rsa

NOTE: you will only need the “User” line (#4) if you have multiple identities on the server you are trying to login to with the same ssh key.

Now you can login using:

ssh friendly-name

Publishing your (PUBLIC) key

The last tip is about publishing your public key so that people can find it on the internet and send you encrypted messages. I am going to use Github as an example here because of the @substack  (James Halliday) great npm package cipherhub for sending and receiving encrypted messages. The package automatically looks on github for the public key for anyone registered there and uses that. Neat trick.  I also noted that @tjholowaychuk has written an shell script version.

Find them both here

So basically, take your shiny new public key and add it to github (or your blog, or some other public place so people can find it and send you secure messages ).   I think you need to

If you don’t have a Github account, here are some other places to publish your key which you can then link to eg.

The PGP Global Directory

Many thanks to these users questions and answer for tips.

How to get the private key converted:

How to get the public key out of the private key:

How to setup multiple identities:

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s