OpenSSH/Config

From Ever changing code
Revision as of 16:18, 17 January 2022 by Pio2pio (talk | contribs) (→‎generate ssh key)

generate ssh key

ssh-keygen -t ecdsa -b 521                  # -> ~/.ssh/id_ecdsa and ~/.ssh/id_ecdsa.pub
ssh-keygen -t ecdsa -b 521 -f ./path/mykey  # ->    ./path/mykey and    ./path/mykey.pub
Choosing an Algorithm and Key Size

OpenSSH supports several public key algorithms for authentication keys. These include:

rsa
an old algorithm based on the difficulty of factoring large numbers. Use at least 2048 bits; 3072 or 4096 is better. Factoring keeps improving, and the SHA-1 based ssh-rsa signature scheme has been disabled by default since OpenSSH 8.8 (RSA keys still work through the rsa-sha2-256 and rsa-sha2-512 signature schemes, but very old clients or servers that only know ssh-rsa will fail). Choosing a different algorithm is advisable for new keys; RSA's remaining advantage is that every SSH implementation supports it.
dsa
the old US government Digital Signature Algorithm, based on the difficulty of computing discrete logarithms. In SSH it is fixed at 1024 bits with SHA-1 signatures, which is why OpenSSH has refused ssh-dss keys by default since 7.0 and removed the algorithm entirely in 10.0. Do not generate new DSA keys.
ecdsa
a newer Digital Signature Algorithm standardized by the US government, using elliptic curves. Only three key sizes are supported, 256, 384 and 521 bits (521 is not a typo: the curve is NIST P-521), and -b selects the curve rather than a free-form length. 521 is a reasonable default: the keys are still small and the larger curve gives more margin. One caveat: ECDSA needs a fresh, unpredictable nonce for every signature, so a host with a poor random number generator can leak the private key through the signatures it produces. Essentially all current clients support this algorithm.
ed25519
a newer algorithm, in OpenSSH since 6.5 (2014) and supported by all current clients and servers, so the old advice to avoid it for general-purpose use no longer applies; it is now the usual recommendation for new keys. Keys are a fixed 256 bits (-b is ignored), signing is deterministic so it does not have the ECDSA nonce problem, and it is fast. Only very old or unusual SSH implementations lack it.

authorized_keys

Options written in front of a key apply to that key only and must come before the key type. restrict (OpenSSH 7.2 and later) turns on every restriction at once: no port forwarding, no agent or X11 forwarding, no pty allocation and no execution of ~/.ssh/rc, and the sshd manual page documents it as also covering restrictions added in future releases, which is what makes it future proof. That stops a stolen or leaked key from being used for pivoting. command="..." makes sshd run the given program instead of whatever the client asked for; the client's request is not executed, but it is handed to that program in the SSH_ORIGINAL_COMMAND environment variable (unset when the client asked for a plain shell), so the forced program must treat it as untrusted input. The entry below is the honeypot case: any login with this key runs honeykey and nothing else. sshd also refuses the file if it or ~/.ssh is group- or world-writable (StrictModes), so keep it mode 600.

vi ~/.ssh/authorized_keys
command="/usr/local/bin/honeykey admin@honeypot",restrict ssh-rsa AAAAB3Nz******6iakD admin@honeypot
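A forced-command wrapper that makes the command="..." half of such an entry do real work, added here as an example; it is not code from the page and says nothing about what honeykey does. The install path /usr/local/bin/restricted-shell, the /srv/backup directory and the allow-list are assumptions for illustration; SSH_ORIGINAL_COMMAND and SSH_CONNECTION are the variables sshd actually sets.

```shell
#!/bin/sh
# Added example, not code from the page. Meant to be installed as the forced
# command of a restricted key, e.g. (path and key are placeholders):
#   command="/usr/local/bin/restricted-shell",restrict ssh-ed25519 AAAA... backup@host
# sshd runs this script instead of whatever the client asked for; the client's
# request arrives in SSH_ORIGINAL_COMMAND (unset for a plain shell request).

# decide CMD: print "allow" or "deny" for the command string the client sent.
# The allow-list is an assumed example policy: two exact read-only commands
# and the server side of a read-only rsync pull out of /srv/backup.
decide() {
    case "$1" in
        '')                  echo deny  ;;  # interactive shell requested
        *[';&|`$<>()']*)     echo deny  ;;  # never pass shell metacharacters through
        *'..'*)              echo deny  ;;  # no path traversal in rsync arguments
        uptime|'df -h')      echo allow ;;  # exact matches only
        'rsync --server --sender '*' . /srv/backup/'*)
                             echo allow ;;  # what "rsync ... host:/srv/backup/ ./" asks the server to run
        *)                   echo deny  ;;
    esac
}

# main CMD: log the decision, then run the request without a shell, or refuse.
main() {
    client="${SSH_CONNECTION%% *}"   # SSH_CONNECTION is "client_ip client_port server_ip server_port"
    if [ "$(decide "$1")" = allow ]; then
        logger -t restricted-shell -- "allow ${client}: $1"
        set -f                       # no globbing while word-splitting the request
        set -- $1
        exec "$@"                    # exec the program directly: no sh -c, no reinterpretation
    fi
    logger -t restricted-shell -- "deny ${client}: ${1:-<shell>}"
    printf 'restricted key: command not permitted\n' >&2
    exit 1
}

# sshd sets SSH_CONNECTION for every session; outside one (e.g. when testing
# decide by hand) only the functions are defined.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main "${SSH_ORIGINAL_COMMAND:-}"
fi
```

The point of exec "$@" after set -f is that the request never reaches a shell: even if the allow-list were loosened, nothing in SSH_ORIGINAL_COMMAND is expanded or chained. For a key that exists only to serve rsync, rsync's own rrsync script (shipped in its support directory) enforces a directory restriction properly and is the better choice than hand-written patterns like the one above.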

Resources