Stories
Slash Boxes
Comments

SoylentNews is people

posted by cmn32480 on Monday September 26 2016, @03:54AM   Printer-friendly
from the if-only-i-remember-where-I-laid-them-down dept.

Arthur T Knackerbracket has found the following story:

Whether you're a software developer or a sysadmin, I bet you're using SSH keys. Pushing your commits to Github or managing your Unix systems, it's best practice to do this over SSH with public key authentication rather than passwords. However, as time flies, many of you are using older keys and not aware of the need to generate fresh ones to protect your privates much better. In this post I'll demonstrate how to transition to an Ed25519 key smoothly, why you would want this and show some tips and tricks on the way there.

If you've created your key more than about four years ago with the default options it's probably insecure (RSA < 2048 bits). Even worse, I've seen tweeps, colleagues and friends still using DSA keys (ssh-dss in OpenSSH format) recently. That's a key type similar to RSA, but limited to 1024 bits size and therefore recommended against for a long time. It's plainly insecure and refused for valid reasons in recent OpenSSH versions (see also the changelog for 7.0).

The sad thing about it is that I see posts on how to re-enable DSA key support rather than moving to a more secure type of key. Really, it's unwise to follow instructions to change the configuration for PubkeyAcceptedKeyTypes or HostKeyAlgorithms (host keys are for a later post). Instead, upgrade your keys!

Compare DSA with the technology of locks using keys like this one. You wouldn't want this type of key to unlock your front door, right?

List all your keys:

You're probably thinking... "I'm using my key for a long time, I don't want to change them everywhere now." Valid point, but you don't have to! It's good to know you can have multiple keys on your system and your SSH client will pick the right one for the right system automatically.

It's part of the SSH protocol that it can offer multiple keys and the server picks the one your client will have to prove it has possession of the private key by a challenge. See it in action adding some verbosity to the SSH connect command (-vvv). Also if you're using an SSH agent you can load multiple keys and it will discover them all. Easy as that.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by zocalo on Monday September 26 2016, @07:04AM

    by zocalo (302) on Monday September 26 2016, @07:04AM (#406560)
    Peasant! The *real* elite have doormen *and* butlers. :)
    --
    UNIX? They're not even circumcised! Savages!
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 2) by arslan on Monday September 26 2016, @07:48AM

    by arslan (3462) on Monday September 26 2016, @07:48AM (#406568)

    True. And you split your passphrase between them...

    • (Score: 0) by Anonymous Coward on Monday September 26 2016, @01:41PM

      by Anonymous Coward on Monday September 26 2016, @01:41PM (#406632)

      among them....

      • (Score: 0) by Anonymous Coward on Monday September 26 2016, @04:06PM

        by Anonymous Coward on Monday September 26 2016, @04:06PM (#406680)

        arslan wrote about splitting passphrases, not splitting hairs.