Stories
Slash Boxes
Comments

SoylentNews is people

Upgrade Your SSH Keys

posted by cmn32480 on Monday September 26 2016, @03:54AM   Printer-friendly
from the if-only-i-remember-where-I-laid-them-down dept.

Arthur T Knackerbracket has found the following story:

Whether you're a software developer or a sysadmin, I bet you're using SSH keys. Pushing your commits to Github or managing your Unix systems, it's best practice to do this over SSH with public key authentication rather than passwords. However, as time flies, many of you are using older keys and not aware of the need to generate fresh ones to protect your privates much better. In this post I'll demonstrate how to transition to an Ed25519 key smoothly, why you would want this and show some tips and tricks on the way there.

If you've created your key more than about four years ago with the default options it's probably insecure (RSA < 2048 bits). Even worse, I've seen tweeps, colleagues and friends still using DSA keys (ssh-dss in OpenSSH format) recently. That's a key type similar to RSA, but limited to 1024 bits size and therefore recommended against for a long time. It's plainly insecure and refused for valid reasons in recent OpenSSH versions (see also the changelog for 7.0).

The sad thing about it is that I see posts on how to re-enable DSA key support rather than moving to a more secure type of key. Really, it's unwise to follow instructions to change the configuration for PubkeyAcceptedKeyTypes or HostKeyAlgorithms (host keys are for a later post). Instead, upgrade your keys!

Compare DSA with the technology of locks using keys like this one. You wouldn't want this type of key to unlock your front door, right?

List all your keys:

You're probably thinking... "I'm using my key for a long time, I don't want to change them everywhere now." Valid point, but you don't have to! It's good to know you can have multiple keys on your system and your SSH client will pick the right one for the right system automatically.

It's part of the SSH protocol that it can offer multiple keys and the server picks the one your client will have to prove it has possession of the private key by a challenge. See it in action adding some verbosity to the SSH connect command (-vvv). Also if you're using an SSH agent you can load multiple keys and it will discover them all. Easy as that.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Upgrade Your SSH Keys | Log In/Create an Account | Top | 24 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by opinionated_science on Monday September 26 2016, @02:09PM

    by opinionated_science (4031) on Monday September 26 2016, @02:09PM (#406650)

    All good ssh tips. For extra paranoia My machines use tinc as the only entry port.

    Once you have a good vpn setup, all services can listen only on the inside ports, greatly reducing the attack surface.

    Is this also a common thing for you folks?

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 0) by Anonymous Coward on Monday September 26 2016, @03:13PM

    by Anonymous Coward on Monday September 26 2016, @03:13PM (#406669)

    Never heard if tinc.
    Thanks!