[PLUG] Re-doing ssh key phrase and key type

Louis Kowolowski louisk at cryptomonkeys.org
Wed Nov 2 15:08:35 UTC 2016


> On Oct 25, 2016, at 5:13 PM, Rich Shepard <rshepard at appl-ecosys.com> wrote:
> 
>   Having new installations of Slackware-14.2 on three hosts now (two more to
> go after I get these three fully functional), I want to change my ssh
> private and public keys using a new passphrase and type.
> 
>   Now, ~/.ssh/ contains authorized_keys, known_hosts, and id_dsa. My web
> search finds suggestions to use Ed25519, which 'man ssh-keygen' lists as an
> option. And, /etc/ssh/ contains the following files:
> 
> moduli                ssh_host_ecdsa_key.pub    ssh_host_rsa_key.pub
> ssh_config            ssh_host_ed25519_key      sshd_config
> ssh_config.works      ssh_host_ed25519_key.pub  sshd_config.works
> ssh_host_dsa_key      ssh_host_key              supervise/
> ssh_host_dsa_key.pub  ssh_host_key.pub
> ssh_host_ecdsa_key    ssh_host_rsa_key
> 
>   So, rather than changing the passphrase (the '-p' option to ssh-keygen)
> do I just generate a new one for all hosts, specifying Ed25519 as the
> encryption algorithm? And, remove all current files in ~/.ssh/?
> 
>   Advice needed so I get it all correct and cleaned up the first time.

This is bordering on a tome. Sorry.

This is mostly generic, although I believe it is limited to openssh (as opposed to ssh.com).
For any key you want to deploy, you should copy the public portion (traditionally ends with .pub) to the remote host and append it to the appropriate authorized_keys file. By default, this is in ~/.ssh. It should have permissions of 0600, owned by you. The .ssh dir should have permissions of 0700 and be owned by you. This is all true whether you are copying your first key or subsequent keys.

As a general statement, you can have as many keys as you wish. The private keys can be in places other than ~/.ssh. If you want to get fancy, you should read up on ssh_config (~/.ssh/config) because that's where you will hide all your configuration knobs, including things like which keys work with which hosts. If you wish to use the ssh agent (there are pros and cons, look up the security trade offs) be aware that while the agent can have more than 3 keys, ssh will not try more than 3 keys so to avoid frustration, you should define host and key pairs in your ssh config.

You should not be using a DSA key for ssh. They are too small in the openssh implementation and don't have enough entropy to be secure by modern standards. The best choice is ed25519 (note that it's only supported on openssh >=6.5. Ecdsa is supported openssh >=5.7). That said, there is nothing (yet) wrong with ecdsa, or rsa, as long as the rsa is at least 3072b. There is nothing wrong with having multiple keys that work with the same host. As long as you keep track of when you need to replace them, so you aren't left communicating over a vulnerable channel.

If you want to avoid being prompted to accept ssh host keys, take a look at the SSHFP (ssh fingerprint) DNS record.

You may wish to keep your DSA key in archive for a year or 2 in case you find a host that still uses it. If you're allowing password auth, this may be less of an issue.

Lastly, for anybody who wants to have fun locking down ssh cipher suites, the link below goes in to delightful detail on all the gory bits and what they're for.

https://stribika.github.io/2015/01/04/secure-secure-shell.html

Sent from my iPhone


More information about the PLUG mailing list