SSH Identity File Management
Best practices for managing multiple SSH identity files. Covers key generation, file permissions, IdentitiesOnly, and organizing keys by service.
Detailed Explanation
Managing SSH Identity Files
As the number of servers and services you connect to grows, managing SSH keys becomes increasingly important. A well-organized identity file strategy prevents authentication confusion and improves security.
Recommended Key Naming Convention
```
~/.ssh/
  id_ed25519_github       # GitHub personal
  id_ed25519_github.pub
  id_ed25519_work         # Work servers
  id_ed25519_work.pub
  id_ed25519_aws          # AWS instances
  id_ed25519_aws.pub
  config                  # SSH config file
```
Config with Multiple Identity Files
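```
Host github.com
    IdentityFile ~/.ssh/id_ed25519_github
    IdentitiesOnly yes

Host *.internal.company.com
    IdentityFile ~/.ssh/id_ed25519_work
    IdentitiesOnly yes

Host *.amazonaws.com
    IdentityFile ~/.ssh/id_ed25519_aws
    IdentitiesOnly yes

# Defaults for every host. IdentityFile entries accumulate across matching
# blocks, so this key is also a candidate for the hosts above.
Host *
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_ed25519
```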
Why IdentitiesOnly Matters
Without IdentitiesOnly yes, SSH offers every key loaded in your agent to the server, not only the one named by IdentityFile. This causes problems: servers may reject you after too many failed key attempts (usually 5), or you may accidentally authenticate with the wrong key. Always pair specific IdentityFile entries with IdentitiesOnly yes.
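One way to check a config for the pairing recommended above, as an added example that is not part of the original page: the shell function below lists Host or Match blocks that set IdentityFile without IdentitiesOnly yes. The function names and the sample config are constructed for illustration, and the check is per block, so it does not resolve values inherited from other matching blocks.

```shell
#!/bin/sh
# Added example: list Host/Match blocks that set IdentityFile without
# "IdentitiesOnly yes". Reads the file given as $1, or stdin if none.
lint_identities_only() {
    awk '
    function report() {
        if (block != "" && has_key && !only) print block
    }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        # Keywords are case-insensitive; "=" or blanks separate the value.
        n = match(line, /[ \t=]/)
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))
        val = substr(line, n)
        sub(/^[ \t=]+/, "", val)
        sub(/[ \t]+$/, "", val)
        if (key == "host" || key == "match") {
            report()
            block = line; has_key = 0; only = 0; seen = 0
        } else if (key == "identityfile") {
            has_key = 1
        } else if (key == "identitiesonly" && !seen) {
            # ssh keeps the first value it obtains for an option.
            seen = 1
            only = (tolower(val) == "yes")
        }
    }
    END { report() }
    ' "$@"
}

# Constructed sample config (hypothetical hosts mirroring the layout above).
sample_config() {
    cat <<'EOF'
Host github.com
    IdentityFile ~/.ssh/id_ed25519_github
    IdentitiesOnly yes
Host *.internal.company.com
    IdentityFile ~/.ssh/id_ed25519_work
Host *.amazonaws.com
    identityfile=~/.ssh/id_ed25519_aws
    IdentitiesOnly no
Host *
    AddKeysToAgent yes
EOF
}

sample_config | lint_identities_only
```

Run it against your own file with `lint_identities_only ~/.ssh/config`; `ssh -G <host>` prints the effective, merged settings for a single host.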
File Permissions
SSH is strict about file permissions. Incorrect permissions will cause silent failures:
| Path | Permission | Command |
|---|---|---|
| ~/.ssh/ | 700 | chmod 700 ~/.ssh |
| Private keys | 600 | chmod 600 ~/.ssh/id_* |
| Public keys | 644 | chmod 644 ~/.ssh/*.pub |
| config | 600 | chmod 600 ~/.ssh/config |
Key Rotation
Rotate SSH keys periodically (every 6-12 months) by generating new keys, updating your config and remote services, and then removing old keys.
Use Case
System administrators and developers managing access to multiple servers, cloud instances, and Git hosting services with separate SSH keys for each.