This document walks you through some common workflows using Keycutter to manage SSH keys.
The output is omitted for readability.
FIDO SSH keys make this possible (you can't do it using YubiKey GPG-backed SSH).
Set KEYCUTTER_ORIGIN to specify which YubiKey the keys are for:
export KEYCUTTER_ORIGIN=yubikey1
Create an SSH key for GitHub user alex on dev1:
keycutter create github.com_alex
ssh -T github.com_alex
git clone git@github.com_alex:mbailey/keycutter.git
Create an SSH key for GitHub user alexwork:
keycutter create github.com_alexwork
ssh -T github.com_alexwork
git clone git@github.com_alexwork:mbailey/keycutter.git
FIDO SSH keys never leave the device, so you need to create new keys on each device. Keycutter's "SSH Keytag" pattern means you don't need to alter your SSH config at all when connecting with another YubiKey.
export KEYCUTTER_ORIGIN=yubikey2
Then repeat the steps above for both GitHub accounts.
Create an SSH key for your Sourcehut account:
keycutter create git.sr.ht_alex
ssh -T git.sr.ht_alex
git clone git@git.sr.ht_alex:~alex/myproject
For a work Sourcehut account:
keycutter create git.sr.ht_workuser
ssh -T git.sr.ht_workuser
git clone git@git.sr.ht_workuser:~workuser/workproject
Set the origin and create the key:
export KEYCUTTER_ORIGIN=yubikey1
keycutter create personal
Create an entry in the keycutter/hosts file for your homeserver, then push the public key:
keycutter push-keys homeserver
This will attempt key authentication first, then fall back to password if needed.
Finally, connect to the host:
ssh homeserver
keycutter agent add-host github homeserver
keycutter agent add-key github github.com_alex
ssh homeserver
ssh -T github.com_alex
When you need to set up SSH access to a new host:
# Create a key for the specific host
keycutter create remote.example.com_alex
# Push the key to the host (will prompt for password)
keycutter push-keys remote.example.com
# Now you can SSH to the host
ssh remote.example.com
# Create a new key
keycutter create prod-server_alex
# Push keys (will use existing SSH authentication)
keycutter push-keys prod-server
# Connect using the new key
ssh prod-server
Before pushing keys, you can see which keys would be offered to a host:
# See which keys would be authorized
keycutter authorized-keys remote.example.com
# Then push them
keycutter push-keys remote.example.com
The push-keys command intelligently handles authentication by:
- First attempting to use existing SSH key authentication
- Falling back to password authentication if needed
- Automatically handling keycutter's RemoteCommand configuration
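A check to run on the key list before pushing it, as an added example that is not part of Keycutter: it flags any key that is not FIDO-backed or that has the touch requirement disabled. It assumes `keycutter authorized-keys` prints standard authorized_keys lines; the function names and the sample keys are constructed for illustration.

```bash
# Added example, not part of Keycutter. Reads authorized_keys-format lines on
# stdin, prints one verdict per key, and returns 1 if any key is not a FIDO
# (sk-*) key or carries the no-touch-required option.
# Assumed usage: keycutter authorized-keys remote.example.com | audit_fido_keys
audit_fido_keys() {
  awk '
    BEGIN {
      # Key types OpenSSH uses for FIDO-backed keys
      fido["sk-ssh-ed25519@openssh.com"] = 1
      fido["sk-ecdsa-sha2-nistp256@openssh.com"] = 1
      # Key types whose private half lives in a file or agent
      n = split("ssh-ed25519 ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521", s, " ")
      for (i = 1; i <= n; i++) soft[s[i]] = 1
    }
    /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
    {
      # Options, if any, come before the key type, so find the type first
      idx = 0
      for (i = 1; i <= NF; i++)
        if (($i in fido) || ($i in soft)) { idx = i; break }
      if (idx == 0) { print "UNPARSED line " NR; bad++; next }
      type = $idx
      label = (idx + 2 <= NF) ? $(idx + 2) : "(no comment)"
      opts = ""
      for (j = 1; j < idx; j++) opts = opts " " $j
      if (!(type in fido))                 { print "NOT-FIDO " type " " label; bad++ }
      else if (opts ~ /no-touch-required/) { print "NO-TOUCH " type " " label; bad++ }
      else                                   print "OK " type " " label
    }
    END { exit (bad > 0) }
  '
}

# Constructed sample input (key blobs and comments are placeholders, not real keys)
sample_keys() {
  cat <<'EOF'
# keys for remote.example.com
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5CONSTRUCTED remote.example.com_alex@yubikey1
no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhCONSTRUCTED ci@yubikey2
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5CONSTRUCTED alex@laptop
EOF
}
```

Run `sample_keys | audit_fido_keys` to see the three verdicts; a non-zero exit status means at least one line needs attention before the push.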
Keycutter provides flexible update options to suit different workflows:
Update everything - git repository, requirements, SSH config, and touch detector:
keycutter update
This performs a complete update sequence and is the recommended approach for most users.
For development or specific maintenance tasks, you can update individual components:
# Pull latest changes from git (master branch only)
keycutter update git
# Update SSH config files from current installation
keycutter update config
# Check and update system requirements
keycutter update requirements
# Update YubiKey touch notification tool
keycutter update touch-detector
When developing or testing local changes:
# From your feature branch or worktree
keycutter update config # Updates config without git pull
# Or use environment variable
KEYCUTTER_ROOT=/path/to/worktree keycutter update config
This is particularly useful when:
- Testing configuration changes before committing
- Working on feature branches
- Developing in git worktrees
For more details on development workflows, see the Development Guide.