You can have as many public keys as you like. When using ssh, you can specify which one to use if it is a non-standard name (id_rsa, id_dsa) using ssh -i <path to key>
You can see which keys are authorized to login by looking at ~/.ssh/authorized_keys Each key is listed, one per line.
Open a terminal and run this command to create a new key. You can pick from two encryption methods: RSA or DSA.
ssh-keygen -t dsa
Follow the prompts. If you want to use a key with no passphrase (for example, for use with cron jobs) then leave the passphrase empty.
Once finished your private and public key will be in ~/.ssh/
Your private key will be named id_dsa or id_rsa. Be sure to keep this file secret, and back it up somewhere secure. The id_dsa.pub or id_rsa.pub is your public key. These can be freely given to anyone and copied anywhere to a box where you'd like to grant yourself SSH access.
If you have password-based authentication available on a server, there is a simple way to copy your public key over to allow key-based authentication.
ssh-copy-id -i ~/.ssh/id_dsa.pub user@server
This will automatically create the ~/.ssh directory on the new server, copy your public key to the authorized_keys file and set the correct permissions on the directory and the file.
Otherwise, make sure the permissions are set correctly. .ssh should be set to 0700, and authorized_keys set to 0600. Without these permissions, public key authentication will not work.
You can modify your configuration file for SSH to simplify connections.
Say, for example, you wanted to connect to a server on a non-standard port, without a DNS name. A terminal command might look like this:
ssh [email protected] -p 9822
You can put all these custom settings in ~/.ssh/config instead:
Host seekrit-server User dumont HostName 192.168.15.79 Port 9822
Then your command would be this:
ssh seekrit-server
This would also work with any SFTP clients as well.
You can jump through another box to SSH into a second one (and third, fourth, etc.):
ssh -J jumpbox.beandog.org dest.beandog.org
Setup rate-limiting in the firewall so users can only attempt a connection every certain number of times per minute. Here's an example from Ubuntu's wiki.
iptables -N rate-limit iptables -A rate-limit -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j RETURN iptables -A rate-limit -j DROP iptables -I INPUT 1 -p tcp --dport 22 -j rate-limit
Running ssh in a while loop exits early
ssh may be reading things from stdin, so pipe /dev/null to it directly:
ssh < /dev/null