Upping your SSH game

Here is how I create my SSH keys, and why I do it the way I do. For a much more in-depth and lengthy explanation, go to https://infosec.mozilla.org/guidelines/openssh.

Initial config

If you don't already have a .ssh directory in your home directory, then you need to run these commands:

mkdir ~/.ssh
chmod 700 ~/.ssh

This will create a new directory called .ssh, and set it so it is readable, writable and executable by the user owner (you), but no permissions are given to the group owner, or anyone else on the system. All of your SSH-related stuff will go in here: public keys, private keys, the known_hosts file, the authorized_keys file and the ssh config file.

Key Generation

Firstly, don't use DSA keys. They are old, and much less secure. There really isn't a valid reason to use them these days. So just don't.

I prefer ED25519 keys over RSA. While RSA is the most commonly used algorithm, you need to use a big key in order to make it secure (3072-4096 bits). ED25519 is a curve-based algorithm that is much faster and more compact. The only downside is that it is only supported by OpenSSH 6.5 and later, so it's not compatible with older clients and servers. TL;DR - Use ED25519 for newer (modern) OpenSSH versions, use RSA 3072 or RSA 4096 for older ones.

Here's how to generate the keys in both cases:

# ED25519 - OpenSSH 6.5+
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_$(whoami)_$(date +%Y-%m-%d) -C "SSH Key for AWS servers"

# RSA 4096 - OpenSSH <=6.4
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_$(whoami)_$(date +%Y-%m-%d) -C "SSH Key for AWS servers"

These commands will create two files each. In the case of the first command, it will create id_ed25519_jdoe_2020-12-30 and id_ed25519_jdoe_2020-12-30.pub. The public key is the one that you will put out on a server, or in GitHub, etc. The private key should stay right where it is and never be shared, moved, looked at or otherwise disturbed. No, you don't need to put it on a USB drive and copy it to all of your other computers. No, you don't need to upload it to Dropbox. The private key should be chmod 600, end of story. You can put your public key on a blimp if you want. You do you.
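The permission rules above (directory 700, private key 600) are easy to get wrong after copying files around, so here is an added example, not part of the original post, that audits an SSH directory against those rules and repairs it. It assumes a POSIX shell with find, head, grep and chmod; the policy for files the post does not mention (public keys 644, everything else 600) is my own conservative assumption.

```shell
#!/bin/sh
# Added example: audit and repair the permissions of an SSH directory.
# Assumed policy: directory 700, private keys 600, public keys 644,
# everything else (config, known_hosts, authorized_keys) 600.

# has_mode PATH MODE: succeed only if PATH has exactly the octal mode MODE.
# find -perm without a leading '-' is an exact match in POSIX find.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# expected_mode PATH: print the mode PATH should have under the policy above.
# A private key is recognised by its PEM/OpenSSH header, not by its file name.
expected_mode() {
    if [ -d "$1" ]; then
        echo 700
    elif head -n 1 "$1" 2>/dev/null | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
        echo 600                      # private key: owner only, never shared
    else
        case "$1" in
            *.pub) echo 644 ;;        # public keys are meant to be shared
            *)     echo 600 ;;        # config, known_hosts, authorized_keys
        esac
    fi
}

# audit_ssh_dir DIR: print "PATH expected=MODE" for every entry (the directory
# itself included) whose mode is wrong; exit status 1 if anything is wrong.
audit_ssh_dir() {
    bad=0
    for p in "$1" "$1"/*; do
        [ -e "$p" ] || continue       # empty directory: the glob did not expand
        want=$(expected_mode "$p")
        if ! has_mode "$p" "$want"; then
            echo "$p expected=$want"
            bad=1
        fi
    done
    return "$bad"
}

# fix_ssh_dir DIR: chmod the directory and every entry in it to its expected mode.
fix_ssh_dir() {
    for p in "$1" "$1"/*; do
        [ -e "$p" ] || continue
        chmod "$(expected_mode "$p")" "$p"
    done
}
```

Run `audit_ssh_dir ~/.ssh` to list what is wrong, then `fix_ssh_dir ~/.ssh` to apply the policy; a clean audit exits 0 and prints nothing.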
