How to Relocate the Default SSH Keys Directory from ~/.ssh to a Custom Path (e.g., ~/TopSecret/) for Enhanced Security


OpenSSH has no single switch that relocates ~/.ssh. What you can do is point every file the client normally looks for there (identities, known_hosts, control sockets) at another directory, either with command-line parameters or, for persistent changes, in the client configuration file. Keep in mind that the client itself still reads ~/.ssh/config by default; only -F replaces that file, so the directives below normally live in ~/.ssh/config even though the keys do not.

# Core parameter to modify default paths
Host *
    IdentityFile ~/TopSecret/id_rsa
    UserKnownHostsFile ~/TopSecret/known_hosts
    ControlPath ~/TopSecret/controlmaster_%r@%h:%p

For per-shell or temporary use, point ssh at a config file kept in the new directory with -F. OpenSSH does not read any environment variable that relocates its configuration directory; SSH_USER_DIR below is just a shell variable feeding the alias:

# Bash/zsh configuration
export SSH_USER_DIR="$HOME/TopSecret"
alias ssh="ssh -F $SSH_USER_DIR/config"

Two caveats: -F makes ssh ignore /etc/ssh/ssh_config entirely, and the alias only covers interactive ssh. scp, sftp, rsync and git still read ~/.ssh/config (git can be pointed at the file with GIT_SSH_COMMAND="ssh -F $SSH_USER_DIR/config").

# Verify the override works: -G prints the effective configuration without
# connecting; -v writes its debug output to stderr, so redirect before grepping
ssh -G user@example.com | grep -i identityfile
ssh -v user@example.com 2>&1 | grep -i 'identity file'
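The whole per-user setup as one runnable script, added here as an example and not code from the original page: it creates the relocated directory, writes the relocated config, leaves a one-line ~/.ssh/config stub that makes the stock client load it without -F (Include needs OpenSSH 7.3 or newer), and then resolves the effective identity with ssh -G. The directory name TopSecret and the key name id_ed25519 are assumptions, and the demo at the bottom runs in a temporary directory so nothing under the real home directory is touched.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes POSIX sh, OpenSSH >= 7.3
# (for Include) and illustrative names: key directory "TopSecret", key
# "id_ed25519". Nothing here opens a network connection.

# setup_relocated_ssh HOME_DIR NAME
# Creates HOME_DIR/NAME (0700) holding the client config, plus a one-line
# HOME_DIR/.ssh/config stub that Includes it, so plain `ssh` picks up the
# relocated settings without -F. The body is a subshell so the umask change
# does not leak into the calling shell.
setup_relocated_ssh() (
    home="$1"; keydir="$1/$2"
    umask 077                          # files 0600, directories 0700 from creation
    mkdir -p "$keydir" "$home/.ssh"
    chmod 700 "$keydir" "$home/.ssh"

    # Everything ssh would otherwise keep in ~/.ssh now lives in keydir.
    # ControlPath must sit in a directory only this user can write; keydir is.
    cat > "$keydir/config" <<EOF
Host *
    IdentityFile $keydir/id_ed25519
    IdentitiesOnly yes
    UserKnownHostsFile $keydir/known_hosts
    ControlPath $keydir/cm_%C
EOF

    # The stub is the only file left in ~/.ssh. Absolute path on purpose:
    # relative Include paths are resolved against ~/.ssh, not the cwd.
    printf 'Include %s/config\n' "$keydir" > "$home/.ssh/config"
)

# effective_identity CONFIG HOST
# Prints the IdentityFile the client would actually use for HOST, resolved from
# CONFIG with `ssh -G`, which dumps the effective configuration without
# connecting. Prints "ssh-unavailable" when ssh is missing or too old to parse
# the file, so a caller can tell "not checked" from "wrong path".
effective_identity() {
    out=$(ssh -G -F "$1" "$2" 2>/dev/null) || { echo ssh-unavailable; return 0; }
    printf '%s\n' "$out" | awk '$1 == "identityfile" { print $2; exit }'
}

# Demo in a throwaway directory (constructed input; the real $HOME is untouched).
demo=$(mktemp -d)
setup_relocated_ssh "$demo" TopSecret
echo "stub:     $(cat "$demo/.ssh/config")"
echo "identity: $(effective_identity "$demo/.ssh/config" example.com)"
rm -rf "$demo"
```

Because ssh reads the stub through the normal ~/.ssh/config path, scp, sftp, rsync and git all see the relocated settings too, which the -F alias cannot guarantee.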

For institutional defaults (a university-wide deployment, say), put the settings in /etc/ssh/ssh_config. Note that ssh reads the user's ~/.ssh/config first and the first value obtained for each option wins, so this sets a default rather than enforcing one, and a user who runs ssh -F bypasses the system file completely:

# Global SSH client configuration (%u expands to the local user name, %d to the local home directory)
Match all
    IdentityFile /custom/path/%u/ssh_keys/id_rsa
    StrictHostKeyChecking yes
    HashKnownHosts yes

StrictHostKeyChecking yes makes the first connection to an unknown host fail instead of prompting, so the known_hosts entries have to be distributed in advance.

Here's a migration script for moving existing keys. ssh still reads only ~/.ssh/config by default, so the script leaves a one-line stub there that pulls in the relocated config (Include needs OpenSSH 7.3 or newer); remove the stub and use ssh -F instead if ~/.ssh must disappear completely:

#!/bin/sh
set -eu
NEW_SSH_DIR="$HOME/TopSecret"

umask 077                                   # new files 0600, directories 0700
mkdir -p "$NEW_SSH_DIR"
chmod 700 "$NEW_SSH_DIR"

# Keep any existing client config; it would otherwise be overwritten below
if [ -f "$HOME/.ssh/config" ]; then mv "$HOME/.ssh/config" "$NEW_SSH_DIR/config.old"; fi
mv "$HOME/.ssh"/* "$NEW_SSH_DIR/"

cat > "$NEW_SSH_DIR/config" << EOF
Host *
    IdentityFile $NEW_SSH_DIR/id_rsa
    IdentitiesOnly yes
    UserKnownHostsFile $NEW_SSH_DIR/known_hosts
    ServerAliveInterval 60
EOF

# Stub that makes plain ssh (and scp, sftp, git) load the relocated config
printf 'Include %s/config\n' "$NEW_SSH_DIR" > "$HOME/.ssh/config"

# Private keys, config and known_hosts 0600; public keys may stay 0644
find "$NEW_SSH_DIR" -type f ! -name '*.pub' -exec chmod 600 {} +

# SELinux: restorecon only reapplies the default label, which for a non-standard
# directory is user_home_t, not ssh_home_t. The client can read that; sshd cannot,
# so an authorized_keys kept here first needs: semanage fcontext -a -t ssh_home_t "$NEW_SSH_DIR(/.*)?"
if command -v restorecon >/dev/null 2>&1; then restorecon -Rv "$NEW_SSH_DIR"; fi

When implementing custom SSH paths, watch for:

  • Permission errors (directory 700; private keys, config and known_hosts 600; public keys may be 644)
  • SELinux/AppArmor context mismatches: a non-standard directory does not carry the ssh_home_t label that ~/.ssh gets
  • ssh only reads ~/.ssh/config by default; a config kept elsewhere needs -F or an Include line in ~/.ssh/config
  • ssh-add with no arguments loads only the default key names under ~/.ssh, so relocated keys must be added by path
  • Server-side files are unaffected: authorized_keys stays wherever sshd's AuthorizedKeysFile points
  • CI/CD systems, scp/sftp, rsync and git expecting default paths
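An audit and repair routine for the permission pitfall in that list, added here as an example rather than code from the original page. ssh refuses a private key whose mode lets group or others read it and rejects a config file that others can write, so after a relocation this is the first thing to check. The rules encoded are: directory exactly 0700 and owned by the invoking user; private keys, config and known_hosts exactly 0600; *.pub files may be 0644 but never writable by others. The demo builds a deliberately broken directory under mktemp (constructed input), and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. POSIX sh, POSIX find predicates
# only (-perm MODE is an exact match, -perm -MODE means "all these bits set").
# Layout and file names are assumptions for illustration.

# audit_ssh_dir DIR
# Prints one offending path per line and returns 1 if anything violates the
# rules ssh enforces (or the stricter ones worth normalising to); returns 0
# and prints nothing when DIR is clean.
audit_ssh_dir() {
    dir="$1"; bad=0; me=$(id -u)

    # The directory itself: exactly 0700.
    if [ -z "$(find "$dir" -maxdepth 0 -type d -perm 700)" ]; then
        echo "directory not 0700: $dir"; bad=1
    fi
    # ssh also refuses key and config files not owned by the user (or root).
    o=$(find "$dir" ! -user "$me")
    if [ -n "$o" ]; then printf '%s\n' "$o" | sed "s/^/not owned by uid $me: /"; bad=1; fi
    # Private keys, config, known_hosts: exactly 0600.
    o=$(find "$dir" -type f ! -name '*.pub' ! -perm 600)
    if [ -n "$o" ]; then printf '%s\n' "$o" | sed 's/^/file not 0600: /'; bad=1; fi
    # Public keys may be world-readable but never group- or world-writable.
    o=$(find "$dir" -type f -name '*.pub' \( -perm -020 -o -perm -002 \))
    if [ -n "$o" ]; then printf '%s\n' "$o" | sed 's/^/public key writable by others: /'; bad=1; fi
    return $bad
}

# fix_ssh_dir DIR
# Applies the same rules, then re-audits so the exit status reports whether
# anything chmod cannot repair (wrong ownership) is still outstanding.
fix_ssh_dir() {
    dir="$1"
    chmod 700 "$dir"
    find "$dir" -type f ! -name '*.pub' -exec chmod 600 {} +
    find "$dir" -type f -name '*.pub' -exec chmod 644 {} +
    audit_ssh_dir "$dir"
}

# Demo on a constructed, deliberately misconfigured directory.
demo=$(mktemp -d)
mkdir "$demo/TopSecret"; chmod 755 "$demo/TopSecret"
touch "$demo/TopSecret/id_ed25519" "$demo/TopSecret/id_ed25519.pub" "$demo/TopSecret/config"
chmod 644 "$demo/TopSecret/id_ed25519"       # private key readable by everyone
chmod 666 "$demo/TopSecret/id_ed25519.pub"   # public key writable by everyone
chmod 600 "$demo/TopSecret/config"
echo "--- before"; audit_ssh_dir "$demo/TopSecret" || true
echo "--- after";  fix_ssh_dir "$demo/TopSecret" && echo "clean"
rm -rf "$demo"
```

Run audit_ssh_dir against the relocated directory after every migration and from a login hook; an exact-mode check catches the usual "chmod 644 *" mistake before ssh silently skips the key with "Permissions are too open".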

Verify functionality with:

ssh -T git@github.com
ssh -v user@your.server

Sysadmins sometimes mandate non-standard key locations after an incident such as a stolen SSH key. Be clear about what that buys: anything that can read ~/.ssh/config learns the new path, so the relocation is not a mitigation on its own and has to be combined with passphrases, key rotation and, where possible, hardware-backed keys. Here's how to reconfigure SSH to use ~/TopSecret/ instead of the default ~/.ssh.

Create/update ~/.ssh/config with these directives:

Host *
    IdentityFile ~/TopSecret/id_rsa
    UserKnownHostsFile ~/TopSecret/known_hosts
    ControlPath ~/TopSecret/controlmaster_%r@%h:%p

Note: This won't affect system-wide defaults but works for user sessions.

For global changes, modify /etc/ssh/ssh_config. For a single user's shell, the closest thing to a relocated config directory is an alias that passes -F; SSH_HOME here is only a shell variable, since OpenSSH consults no environment variable for its config location, and -F also makes ssh skip /etc/ssh/ssh_config:

export SSH_HOME=~/TopSecret
alias ssh="ssh -F $SSH_HOME/config"

For legacy tools hard-wired to ~/.ssh, replace the directory with a symlink once the keys have been moved. Never rm -rf ~/.ssh first: if the move has not happened yet, that deletes the keys.

[ -d ~/TopSecret ] || mv ~/.ssh ~/TopSecret    # move, never rm -rf
chmod 700 ~/TopSecret
[ -d ~/.ssh ] && [ ! -L ~/.ssh ] && mv ~/.ssh ~/.ssh.bak
[ -L ~/.ssh ] || ln -s ~/TopSecret ~/.ssh

This restores the default layout for every tool at once, which also means it gives up whatever the relocation was meant to achieve.

For extreme cases you can rebuild OpenSSH, but the per-user directory name is not a configure option: it is the compile-time constant _PATH_SSH_USER_DIR (".ssh") in pathnames.h and has to be patched in the source before building. --sysconfdir only moves the system-wide /etc/ssh configuration directory (--with-ssh-dir is not a valid option, and --with-privsep-path sets sshd's privilege-separation chroot, which has nothing to do with key locations). A locally built ssh installed over the distribution package also stops receiving the distribution's security updates.

# after changing _PATH_SSH_USER_DIR in pathnames.h
./configure --sysconfdir=/etc/TopSecret
make && sudo make install

Harden the relocated keys as well; a non-default path buys nothing against an attacker who can already read your config:

  • Keep private keys at mode 600 (public keys may be 644)
  • Generate keys with ssh-keygen -t ed25519 -a 100; -a raises the bcrypt KDF rounds protecting the passphrase (-o, the modern key format, has been the default since OpenSSH 7.8)
  • ssh-keygen -p -f ~/TopSecret/id_rsa only changes the passphrase on an existing key; rotating a key means generating a new pair, installing the new public key on every server (ssh-copy-id -i ~/TopSecret/id_ed25519.pub user@host) and removing the old one from authorized_keys

If connections fail, enable debug mode (options go before the host; -i adds the key to the identities tried, and IdentitiesOnly yes in the config stops ssh from also offering the default ~/.ssh names):

ssh -vvv -i ~/TopSecret/id_rsa user@host