[PLUG] Re-doing ssh key phrase and key type

Louis Kowolowski louisk at cryptomonkeys.org
Wed Nov 2 15:23:10 UTC 2016


> On Oct 26, 2016, at 5:51 PM, Rich Shepard <rshepard at appl-ecosys.com> wrote:
> 
>> On Tue, 25 Oct 2016, Rich Shepard wrote:
>> 
>> Having new installations of Slackware-14.2 on three hosts now (two more to
>> go after I get these three fully functional), I want to change my ssh
>> private and public keys using a new passphrase and type.
> 
>   Keeping the same thread going, I've read the ssh, sshd, ssh_config,
> sshd_config, ssh-keygen, and ssh-agen man pages and searched the web for
> usage examples and still have a few unanswered questions.
> 
>   On the desktop I generated a new ed25519 key pair. Wanting to set up
> communications between this host and the ThinkPad I tried
> 
>    scp ~/.ssh/id_ed25519.pub typha:.ssh
> 
> (and a couple of different references to the remote host) but the connection
> was refused.
> 
>  I copied the public key to a USB thumb drive and manually installed it in
> typha: ~/.ssh.
> 
>   Then, logged into typha, I tried to scp ~/ from the desktop. Openssh told
> me it didn't recognize the remote machine and asked it I wanted to continue.
> I responded, "yes," and the public key was added to the ThinkPad's
> authorized_hosts file, but the connection was refused. Is the next step to
> specify verbotisty levels, e.g., 'ssh -vv <remote_host>'?
> 
Yes. If this doesn't show you the problem, you may have to start sshd with debugging. Of note, when you do this, sshd will terminate after the first connection. Be careful.


>   On a related issue, as authorized_hosts holds public keys from remote
> hosts, and I'm essentially starting from a clean slate with the portables
> and the desktop, can I remove that old file from the desktop's ~/.ssh/ and
> start over again when I use ssh/scp from a portable to the desktop?
> 
Are you mixing up authorized_keys and known_hosts?

Authorized_keys contains your ssh pub keys
Known_hosts is a list of previously connected-to hosts and their fingerprints 

The latter is only meaningful in the sense that you don't get prompted if you save the information into known hosts.


>   On another related OpenSSH issue: ssh-agent. I've not before used it but
> it looks useful. If I understand the man page, I run it on hosts that will
> remotely connect to the desktop (the portables) so when they boot they'll
> have the public key available to all shells and I'll not need to enter my
> pass phrase each time I want to establish a secure connection. Is this
> correct? Should I also run it on the desktop?
> 
Not exactly. Typically, when you login, you run ssh-add <key> (either manually or automagically) and it will prompt for passphrase of key and add it to your ssh agent. If you use the ssh agent, when you connect to a host via ssh (assuming you aren't passing options to disable the agent) it will look for keys in the agent and auth with them. You don't need to provide a password in this case because you've already done so when you added the key to the agent. You can forward the agent information to the remote host and continue this daisy-chain process. This will work for any keys in the agent. This allows you to use ssh keys but not copy the private key to a remote system.

I run it on my desktop and laptop, because I use both to connect to remote hosts. I don't run it on remote hosts that I don't physically login to. I also don't copy the ssh private key to any host I don't trust.

Sent from my iPhone





More information about the PLUG mailing list