SSH keys and security

I am currently improving my deployment process (I work at a web development agency, and manage and develop 10 or so different sites).

I use a desktop machine, a local (virtual) development server with SVN repo on, and have a separate dedicated live server.

To deploy, I currently SSH (using PuTTY with key and passphrase) into the local devserver, run a script which exports from SVN, gzips, SCP to live server, then unpacks, set permissions etc. I don’t currently use an SSH key on live server, so I have to enter the SSH pass for the live server whenever I deploy.

How would you use SSH keys in this setup? Should I use keys with passphrases to improve security? Without passphrases to improve ease of deployment? Or only use a passphrase for the dev or dedicated machine?

Should I limit SSH to only with key on the live server?

I should certainly start using Pageant locally, but is there anything like this for linux to linux ssh? Any guidance appreciated!

Looks like pageant and agent-forwarding is what I’ve been looking for. Nicely described here: http://www.unixwiz.net/techtips/ssh-agent-forwarding.html

Hi r2d2,
you could look into the following method:

Dev server: generate SSH keys with a strong passphrase and employ a ssh-agent of your choice
Live server: authorize Dev server’s keys and limit that key’s access to a strict set of commands

Then the deployment process could be the following:

1. Prepare content on Dev
2. Using the ssh-agent, establish a Rsync connection over a SSH channel, transferring and compressing the content at the same time
3. Adjust permissions if you need to (rsync also offers options on permissions handling)