SSH Keys
By default, Lando forwards all the correctly formatted, owned, and permissioned ssh keys it finds in your ~/.ssh and lando.config.userConfRoot/keys directories, including PASSPHRASE PROTECTED keys, into each service. This means that you should be able to use your ssh keys as if you were running commands natively on your machine.
Additionally, Lando sets the default SSH user inside your services to your host username. You can also make use of the following ENVVARS, which are injected into every service:
LANDO_HOST_UID=501
LANDO_HOST_GID=20
LANDO_HOST_USER=me
Please note that lando.config.userConfRoot/keys is a location managed by Lando so it is recommended that you do not alter anything in this folder.
NOTE: Unless you've configured a custom lando bootstrap, lando.config.userConfRoot should resolve to $HOME/.lando. This means, by default, your keys should be available on your host at $HOME/.lando/keys.
| Host Location | Managed |
|---|---|
| ~/.ssh | no |
| lando.config.userConfRoot/keys | yes |
If you are unsure about what keys get loaded, you can use the following commands for key discovery:
# Check out service logs for key loading debug output
# Obviously replace appserver with the service you are interested in
lando logs -s appserver
# Check the .ssh config for a given service
# Obviously replace appserver with the service you are interested in
lando ssh -s appserver -c "cat /etc/ssh/ssh_config"
Customizing
Starting with Lando 3.0.0-rrc.5, users can customize the behavior of key loading. This provides the flexibility for users to handle some edge cases in the ways that make the most sense for them.
Generally, we expect that users put these customizations inside their userspace Lando Override File because they are likely going to be user specific.
Disable key loading
The below will completely disable user ssh key loading. Note that this will only disable loading keys from your host ~/.ssh directory. It will continue to load Lando managed keys.
keys: false
Loading specific keys
If you have a lot of keys, you may run into the problem expressed here and here. To make sure that Lando tries an actionable key before the Too many authentication failures error, you can enumerate the specific keys to use on a given project. Note that these keys must live in ~/.ssh.
keys:
  - id_rsa
  - some_other_key
Changing the max key limit
You can also modify your Lando global config to change the number of keys that triggers the warning.
maxKeyWarning: 25
Setting this to a sufficiently large integer effectively disables the warning.
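Before enumerating keys for a project or raising maxKeyWarning, it helps to see which files in a directory would plausibly be picked up. The script below is an added example, not part of Lando or its documentation; the function names and the selection rules (regular file, owned by you, no group/other permissions, private-key header on the first line) are assumptions and Lando's own checks may differ.

```shell
#!/bin/sh
# Added example, not Lando's loader. Assumption: a "forwardable" key is a
# regular file owned by the current user, with no group/other permission
# bits, whose first line is a PEM/OpenSSH private-key header.

# Print the basename of each candidate private key in directory $1.
candidate_keys() {
  find "$1" -maxdepth 1 -type f -user "$(id -u)" \
    ! -perm -040 ! -perm -020 ! -perm -010 \
    ! -perm -004 ! -perm -002 ! -perm -001 | sort |
  while IFS= read -r f; do
    if head -n 1 "$f" | grep -Eq '^-----BEGIN ([A-Z0-9]+ )?PRIVATE KEY-----'; then
      basename "$f"
    fi
  done
}

# Print how many candidate keys directory $1 holds.
key_count() {
  candidate_keys "$1" | grep -c . || true
}

# Report on directory $1 against limit $2 and print a keys: block that
# can be trimmed and pasted into a Lando override file.
key_report() {
  dir=$1
  limit=${2:-25}   # 25 mirrors the maxKeyWarning example value, not a known default
  n=$(key_count "$dir")
  echo "# $n candidate private key(s) in $dir"
  if [ "$n" -gt "$limit" ]; then
    echo "# more than $limit keys: enumerate the ones this project needs"
  fi
  echo "keys:"
  candidate_keys "$dir" | sed 's/^/  - /'
}

# Run only when a directory is given, e.g.: sh audit-keys.sh ~/.ssh 25
if [ "$#" -gt 0 ]; then
  key_report "$@"
fi
```

Trim the printed list to the keys the project actually needs before saving it, since every key listed is made available inside each service.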
Using a custom ssh config file
Lando doesn't automatically forward the contents of your local ssh config. You can inject a custom ssh config into the services that need it.
keys: false
services:
  appserver:
    overrides:
      volumes:
        - ./config:/var/www/.ssh/config
In the above .lando.local.yml example, we are disabling key loading for the project (keys: false) and using a custom ssh config for the service named appserver.
This assumes your custom file exists in the app root and is named config. Also note that you will want to mount at the user ssh config location and not the system level one. This file will, generally, live at $HOME/.ssh/config which resolves to /var/www/.ssh/config for many, but not all, Lando services.
If you are unsure how to get $HOME, you can discover it by watching either this or this video tutorial or by running the following command:
lando ssh -s SERVICE -c "env | grep HOME"