By default, Lando will forward all the correctly formatted, owned, and permissioned
ssh keys, including PASSPHRASE PROTECTED keys it finds in your
lando.config.userConfRoot/keys directories into each service. This means that you should be able to use your ssh keys like you were running commands natively on your machine.
Additionally, Lando will set the default SSH user inside your services to whatever is your host username. You can also make use of the ENVVARS which are injected into every service as follows:
LANDO_HOST_UID=501 LANDO_HOST_GID=20 LANDO_HOST_USER=me
Please note that
lando.config.userConfRoot/keys is a location managed by Lando so it is recommended that you do not alter anything in this folder.
NOTE: Unless you've configured a custom
lando.config.userConfRoot should resolve to
$HOME/.lando. This means, by default, your keys should be available on your host at
If you are unsure about what keys get loaded, you can use the commands for key discovery as follows:
# Check out service logs for key loading debug output # Obviously replace appserver with the service you are interested in lando logs -s appserver # Check the .ssh config for a given service # Obviously replace appserver with the service you are interested in lando ssh -s appserver -c "cat /etc/ssh/ssh_config"
Starting with Lando 3.0.0-rrc.5, users can customize the behavior of key loading. This provides the flexibility for users to handle some edge cases in the ways that make the most sense for them.
Generally, we expect that users put these customizations inside their userspace Lando Override File because they are likely going to be user specific.
Disable key loading
The below will completely disable user
ssh key loading. Note that this will only disable loading keys from your host
~/.ssh directory. It will continue to load Lando managed keys.
Loading specific keys
If you have a lot of keys, you may run into the problem expressed here and here. To make sure that Lando tries an actionable key before the
Too many authentication failures error, you can enumerate the specific keys to use on a given project. Note that these keys must live in
keys: - id_rsa - some_other_key
Changing the max key limit
You can also modify your Lando global config to change the amount of keys that triggers the warning.
Setting this to a sufficiently large integer effectively disables the warning.
Using a custom
ssh config file
If you want complete control over the
ssh config Lando is using on your project, you should set
keys: false and also inject a custom
ssh config into the services that need it.
keys: false services: appserver: overrides: volumes: - ./config:/var/www/.ssh/config
In the above
.lando.local.yml example, we are disabling key loading for the project and using a custom
ssh config for the service named
This assumes your custom file exists in the app root and is named
config. Also note that you will want to mount at the user
ssh config location and not the system level one. This file will, generally, live at
$HOME/.ssh/config which resolves to
/var/www/.ssh/config for many, but not all, Lando services.
lando -s SERVICE -c "env | grep HOME"