To make an SSH connection to a Fuchsia device, some ffx commands (such as ffx target show and ffx log) require Fuchsia-specific SSH keys to be present on the host machine.
During development, one or more public SSH keys (listed in fuchsia_authorized_keys) are loaded to a Fuchsia device, typically when a new Fuchsia image is flashed to the device.
Once the device is loaded with these public SSH keys, the ffx commands (running from the host machine where a matching private SSH key is stored) can establish an SSH connection to the device.
By default, Fuchsia-specific SSH keys are stored in the $HOME/.ssh directory of the host machine, as shown below:
$HOME/.ssh/fuchsia_ed25519
$HOME/.ssh/fuchsia_ed25519.pub
$HOME/.ssh/fuchsia_authorized_keys
Note: These keys are not password protected. Don't use these keys for non-development devices.
These files contain the following:
- fuchsia_ed25519: A private SSH key. The content of this file must not be revealed or shared.
- fuchsia_ed25519.pub: A public SSH key that pairs with the private SSH key in fuchsia_ed25519.
- fuchsia_authorized_keys: A list of one or more authorized public SSH keys.
The fuchsia_authorized_keys file must include the public SSH key in fuchsia_ed25519.pub. During the flashing process, the fuchsia_authorized_keys file gets uploaded from the host machine to the Fuchsia device.
If you have multiple development machines, it's recommended that the Fuchsia SSH keys are synchronized across your development machines. This may require you to copy the existing Fuchsia SSH key files from one machine to another.
To generate Fuchsia-specific SSH keys on your host machine, do the following:
Note: These Fuchsia-specific SSH keys are only used to connect to Fuchsia devices during development. Generating these SSH keys won't alter your current SSH settings.
- Generate a new private and public SSH key pair:
    ssh-keygen -P "" -t ed25519 -f "${HOME}/.ssh/fuchsia_ed25519" -C "${USER}@$(hostname -f) Shared SSH Key for Fuchsia"
- Generate a fuchsia_authorized_keys file:
    ssh-keygen -y -f "${HOME}/.ssh/fuchsia_ed25519" > "${HOME}/.ssh/fuchsia_authorized_keys"
- Verify that Fuchsia-specific SSH keys are generated:
    ls ~/.ssh | grep fuchsia
  This command prints output similar to the following:
    $ ls ~/.ssh | grep fuchsia
    fuchsia_authorized_keys
    fuchsia_ed25519
    fuchsia_ed25519.pub
After creating new SSH keys, you need to flash your Fuchsia device again so that the device is loaded with the new fuchsia_authorized_keys file.
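
Before flashing, the conditions described above can be checked on the host: all three files exist, the passphrase-less private key is readable only by its owner, and fuchsia_authorized_keys lists the key in fuchsia_ed25519.pub. The following is an added example, not part of the Fuchsia tooling; the function name check_fuchsia_keys and its optional directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the Fuchsia project). Usage: check_fuchsia_keys [dir]
# dir defaults to $HOME/.ssh; the function name is hypothetical.
check_fuchsia_keys() {
    dir="${1:-$HOME/.ssh}"
    priv="$dir/fuchsia_ed25519"
    pub="$dir/fuchsia_ed25519.pub"
    auth="$dir/fuchsia_authorized_keys"
    rc=0

    # All three files must exist before anything else can be checked.
    for f in "$priv" "$pub" "$auth"; do
        [ -f "$f" ] || { echo "MISSING: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # The private key has no passphrase, so file permissions are its only
    # protection: characters 5-10 of the mode string (group/other) must be empty.
    if [ "$(ls -ldL "$priv" | cut -c5-10)" != "------" ]; then
        echo "INSECURE: $priv is accessible to group or others (chmod 600)"
        rc=1
    fi

    # Compare key type and base64 blob only; the trailing comment may differ.
    want="$(awk 'NF >= 2 { print $1 " " $2; exit }' "$pub")"
    if [ -z "$want" ]; then
        echo "INVALID: $pub contains no key"
        return 1
    fi

    # Scan every non-comment line for the same type+blob pair. Checking each
    # adjacent field pair also matches entries that carry leading options.
    if ! awk -v want="$want" '
        !/^#/ { for (i = 1; i < NF; i++) if (($i " " $(i + 1)) == want) found = 1 }
        END { exit !found }' "$auth"; then
        echo "MISMATCH: $auth does not list the key in $pub"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: Fuchsia SSH keys in $dir are consistent"
    return "$rc"
}
```

A MISMATCH result after copying keys between development machines means the device would be flashed with an authorized_keys file that does not match the local private key.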