forked from tilde.black/docs
# Stronger SSH Keys

Have a look in your `~/.ssh` folder and browse through your keys. How many of
them use a modern algorithm or a long key length? RSA keys are far and away
the most popular, and if yours are 2048 bits or shorter you should plan to
replace them: 1024-bit RSA is broken outright, and 2048 bits is the floor
rather than a comfortable margin.

Let's review the common options:

- **DSA:** Limited to 1024-bit keys and disabled by default in OpenSSH since
  7.0. Treat it as broken and replace any `ssh-dss` key you still have.
- **RSA:** Keys of 3072 bits or more are still safe, but they get lengthy.
  1024-bit keys are officially unsafe. Like every other algorithm on this
  list, RSA has no protection from a large quantum computer, whatever the key
  length.
- **ECDSA:** The usual curves are the NIST P-256/P-384/P-521 curves, whose
  parameter choices are not fully trusted by the security community. Worse,
  every ECDSA signature needs a fresh, unpredictable random nonce, so the
  safety of the key depends on the random number generator of the machine
  that signs with it: a weak or repeated nonce leaks the private key.
- **Ed25519:** An EdDSA implementation over a [Twisted Edwards
  curve](https://en.wikipedia.org/wiki/Twisted_Edwards_curve) (Curve25519).
  The keys are strong, signing uses deterministic nonces so it does not depend
  on the quality of the machine's random number generator, and the public key
  is tiny: the base64 blob is only 68 characters long. They can be generated
  quickly en masse. Ed25519 is no more resistant to quantum attacks than RSA,
  though; none of the key types above is.

Ed25519 is the best recommendation in 2019.

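As an added example (not part of the original page), here is a small POSIX shell audit of the public keys in a `.ssh` folder, using the classification above. It parses the base64 blob itself rather than calling `ssh-keygen -l`, which also shows where the 68 characters of an Ed25519 public key come from: the blob is the 11-byte type string `ssh-ed25519` and the 32-byte key, each prefixed by a 4-byte length, 51 bytes in all. The sample keys are constructed byte by byte inside the script and are not real keys; the verdict thresholds (under 2048 bits broken, under 3072 replace) are this example's choice, and `base64 -d`, `od` and `head -c` are assumed to be the GNU or BSD tools.

```shell
#!/bin/sh
# Added example: classify OpenSSH public keys by type and, for RSA, by modulus size.
# Blob layout (RFC 4253 string/mpint): 4-byte big-endian length, then the bytes.
#   ssh-rsa:     string "ssh-rsa", mpint e, mpint n
#   ssh-ed25519: string "ssh-ed25519", string key (32 bytes)   -> 51 bytes -> 68 base64 chars

# rsa_bits BLOB -> prints the bit length of the modulus in a base64 ssh-rsa blob
rsa_bits() {
  printf '%s' "$1" | base64 -d | od -An -v -tu1 | awk '
    function be32(p) { return b[p] * 16777216 + b[p+1] * 65536 + b[p+2] * 256 + b[p+3] }
    { for (i = 1; i <= NF; i++) b[n++] = $i }          # collect the bytes as decimals
    END {
      p = 0
      p += 4 + be32(p)                                  # skip the key-type string
      p += 4 + be32(p)                                  # skip the public exponent e
      l = be32(p); p += 4                               # modulus n: l bytes from p
      while (l > 0 && b[p] == 0) { p++; l-- }           # mpint adds 0x00 when the top bit is set
      bits = l * 8
      if (l > 0) { top = b[p]; while (top < 128) { top *= 2; bits-- } }
      print bits
    }'
}

# classify_pubkey "TYPE BLOB [COMMENT]" -> ok | replace | broken | avoid | unknown
classify_pubkey() {
  set -- $1                        # split a .pub / authorized_keys line into its fields
  case $1 in
    ssh-ed25519)  echo ok ;;
    ssh-dss)      echo broken ;;   # 1024-bit only; disabled by default since OpenSSH 7.0
    ecdsa-sha2-*) echo avoid ;;    # NIST curves; per-signature nonce depends on the RNG
    ssh-rsa)
      bits=$(rsa_bits "$2")
      if   [ "$bits" -lt 2048 ]; then echo broken
      elif [ "$bits" -lt 3072 ]; then echo replace
      else echo ok; fi ;;
    *) echo unknown ;;
  esac
}

# audit_dir DIR -> one line per *.pub file: verdict and file name
audit_dir() {
  for f in "$1"/*.pub; do
    [ -f "$f" ] || continue
    printf '%-8s %s\n' "$(classify_pubkey "$(head -n 1 "$f")")" "$f"
  done
}

# Constructed sample blobs (not real keys) so the script runs without any key files.
sample_ed25519() {                 # 4+11 type string, 4+32 key bytes (0xAA filler)
  { printf '\000\000\000\013ssh-ed25519\000\000\000\040'
    head -c 32 /dev/zero | tr '\0' '\252'; } | base64 | tr -d '\n'
}
sample_rsa() {                     # $1 = modulus bytes (128 or 256); top byte 0x80, no padding
  { printf '\000\000\000\007ssh-rsa\000\000\000\003\001\000\001'
    if [ "$1" -eq 128 ]; then printf '\000\000\000\200'; else printf '\000\000\001\000'; fi
    printf '\200'; head -c $(($1 - 1)) /dev/zero | tr '\0' '\377'; } | base64 | tr -d '\n'
}

case ${1-} in
  "") ;;                           # no argument: only define the functions
  --demo)
    blob=$(sample_ed25519)
    printf 'ed25519 blob is %s characters\n' "${#blob}"
    classify_pubkey "ssh-ed25519 $blob demo"
    classify_pubkey "ssh-rsa $(sample_rsa 128) demo"
    classify_pubkey "ssh-rsa $(sample_rsa 256) demo" ;;
  *) audit_dir "$1" ;;
esac
```

Run it as `sh audit-keys.sh ~/.ssh` to get a verdict per `*.pub` file, or with `--demo` to see the constructed samples classified. Anything that prints `broken` or `replace` is a key to regenerate with the command in the next section; `unknown` covers types the script does not judge, such as FIDO `sk-` keys.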
## Generate an Ed25519 key

```shell
ssh-keygen -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C ''
```

Switches:

- **-a:** Number of [key derivation
  function](https://en.wikipedia.org/wiki/Key_derivation_function) rounds used
  to turn your passphrase into the key that encrypts the private key (bcrypt,
  in the OpenSSH private-key format Ed25519 keys always use). Higher numbers
  make passphrase verification slower, increasing the resistance to
  brute-force guessing should the private key be stolen. The default is 16.
- **-t:** Specifies the type of key to create, in our case Ed25519.
- **-f:** Specifies the filename of the generated key. If you want the `ssh`
  client to try it automatically, it must have one of the default names
  (`~/.ssh/id_ed25519` here) in the `.ssh` directory within your home
  directory; otherwise point at it with `-i` or an `IdentityFile` line in
  `~/.ssh/config`. There are other strategies for organizing per-machine keys
  not covered in this guide.
- **-C:** Sets the comment stored in the public key. If left unset it defaults
  to `user@hostname`, which leaks your local username and machine name to every
  server you put the key on.

When asked to enter a passphrase, do so. An SSH key without a passphrase is
usable by anyone who gets a copy of the file; with one, a thief still has to
crack the passphrase first, and the `-a` rounds above decide how slow that is.

If you want to know how to configure SSH to use a tilde.black-specific key,
see [Configuring SSH](ssh-config.md).

### Keys used in cron-jobs

Some keys are used by automated scripts and cannot sensibly have a
passphrase. In that case, extra security can be gained by restricting what the
key may do in its `authorized_keys` entry on the server: a `command="..."`
option forces one fixed command regardless of what the client asked for, down
to the command-line arguments, and the `restrict` option turns off port
forwarding, agent forwarding, X11 forwarding and PTY allocation for that key.
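As an added example (not part of the original page or of tilde.black's configuration), here is a forced-command wrapper for a passphrase-less cron key, together with the `authorized_keys` line that installs it. The path `/usr/local/bin/backup-only`, the address `203.0.113.7`, the program `/usr/local/bin/run-backup` and its `--target` argument are all assumptions made up for the example; the OpenSSH behaviour it relies on (`command=` replacing the client's request and exporting it as `SSH_ORIGINAL_COMMAND`, `restrict`, `from=`) is real.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a key that is used from cron without a passphrase.
#
# Server side, in ~/.ssh/authorized_keys (constructed line; substitute your own public key):
#   restrict,from="203.0.113.7",command="/usr/local/bin/backup-only --forced" ssh-ed25519 AAAA... backup-cron
#
# With command="...", sshd ignores whatever the client asked to run and runs this script,
# passing the client's request in $SSH_ORIGINAL_COMMAND. "restrict" also disables port,
# agent and X11 forwarding and PTY allocation; from= pins the source address.
#
# Client side, from the cron job (assumed key name and host):
#   ssh -i ~/.ssh/backup_cron_ed25519 backup@backup-host \
#       '/usr/local/bin/run-backup --target /srv/backup/web'

# allowed_command REQUEST -> 0 if REQUEST is exactly one of the permitted command lines.
# The whole line is matched, arguments included, so "run-backup --target /" is rejected.
allowed_command() {
  case $1 in
    "/usr/local/bin/run-backup --target /srv/backup/web") return 0 ;;
    "/usr/bin/uptime") return 0 ;;
  esac
  return 1
}

# forced_command_check -> 0 if the current SSH_ORIGINAL_COMMAND may run, 1 otherwise.
forced_command_check() {
  req=${SSH_ORIGINAL_COMMAND-}
  if [ -z "$req" ]; then                     # empty means the client asked for a shell
    echo "backup-only: interactive login not permitted" >&2
    return 1
  fi
  if ! allowed_command "$req"; then
    echo "backup-only: rejected: $req" >&2   # shows up in the server's auth log via sshd
    return 1
  fi
  return 0
}

# Entry point when sshd runs the script. Each permitted line maps to a fixed exec: the
# request is used only for matching and is never handed to a shell (no eval, no $req).
if [ "${1-}" = "--forced" ]; then
  forced_command_check || exit 1
  case $SSH_ORIGINAL_COMMAND in
    "/usr/local/bin/run-backup --target /srv/backup/web")
      exec /usr/local/bin/run-backup --target /srv/backup/web ;;
    "/usr/bin/uptime")
      exec /usr/bin/uptime ;;
  esac
  exit 1
fi
```

The policy lives in `allowed_command`, which only ever answers yes to a whole command line it already knows; adding a new job means adding its exact line there and a matching `exec` branch. Keep the wrapper owned by root and not writable by the automation account, otherwise the restriction can be edited away by anyone who obtains the key.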