Friday 18 January 2020: Changing SSH key algorithms from RSA to ED25519 and ECDSA
- STEP 1 – Generating the key pair
  - Generate an ed25519 private key using ssh-keygen
  - Generate an ecdsa private key using ssh-keygen
- STEP 2 – Copying the public key to server
- STEP 3 – Test the connection
STEP 1 – Generating the key pair
On your home computer

Generate an ed25519 private key using ssh-keygen
If you’re using Linux or Mac OS X, open your terminal and run the following command under your username:
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/<user id>/.ssh/id_ed25519.
Your public key has been saved in /Users/<user id>/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:H6/ZSrfIs42k0QjA2RMUZlfldBHrneC3q+QZjjiO+bU <user id>@<host>.local
The key's randomart image is:
+--[ED25519 256]--+
| .*.....o +o |
| . = o o . . |
| + o ... |
| . . .....|
| . S . ..o.|
| . + o . .|
| o *.oo . |
| oBoO*.o .|
| o+=@Eo=.. |
+----[SHA256]-----+
Generate an ecdsa private key using ssh-keygen
ssh-keygen -t ecdsa -b 521 -f ~/.ssh/id_ecdsa
The minimum key size shall be 512 bits for ECDSA. ssh-keygen only accepts 256, 384 or 521 bits for ECDSA keys (the NIST P-256, P-384 and P-521 curves), so 521 is the size that meets this requirement.
Generating public/private ecdsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/<user id>/.ssh/id_ecdsa.
Your public key has been saved in /Users/<user id>/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:l2T9C9oTzkMo3KyHmyhjAnGNK+h42SEfglBrdfyhLBA <user id>@<host>.local
The key's randomart image is:
+---[ECDSA 521]---+
| E. . |
| o . o . . |
| . * o o .o . |
|o = o o..= o . |
|o+.. . S * + . |
|+..o + = * o . |
|.o * o o o * . |
| ...+o . + o |
| .oo o. o |
+----[SHA256]-----+
- You do not need to enter a passphrase, but it is highly recommended because it protects your private key if the key file is compromised: someone who obtains the file would still need your passphrase to unlock it. The exception is a key used by an automated process such as a cron job, where you should leave the passphrase out. From ssh.com: “Generally all keys used for interactive access should have a passphrase. Keys without a passphrase are useful for fully automated processes.”
- ED25519 keys should be favoured over ECDSA keys whenever both the SSH client and the server support them; the Ed25519 algorithm is considered state of the art. Elliptic curve algorithms in general are compact and efficient, and Ed25519 differs from the other well-known elliptic curve algorithm, ECDSA, in that its signatures are deterministic and do not depend on a random number generator at signing time, so a weak random source on the client cannot expose the private key.
STEP 2 – Copying the public key to server
Run the following command to copy the public key on your local computer to server.
cat ~/.ssh/id_ed25519.pub | ssh <username>@<server.domain-name.io> "mkdir -p ~/.ssh; chmod 700 ~/.ssh; cat >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys"
The command above creates the folder ~/.ssh on the server with 700 permissions. In that folder is your authorized_keys file, with 600 permissions, containing the public key just copied from your home computer.
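The server-side half of STEP 2 is worth doing carefully: `mkdir -p` alone inherits the umask rather than setting 700, and piping `cat >>` blindly appends duplicate lines and accepts any key type, including the RSA keys this post is moving away from. The following is an added example (not from the original post) of a small POSIX shell helper that installs a public key line with the permissions described above, skips keys already present, and only accepts the two key types generated in STEP 1. The key material in `demo` is constructed and not a real key; the function names and return codes are my own.

```sh
#!/bin/sh
# Added example, not from the original post: install a public key into
# authorized_keys as STEP 2 describes, enforcing 700 on the directory and
# 600 on the file, refusing duplicates, and accepting only the key types
# this post migrates to (ssh-ed25519 and ECDSA on the P-521 curve).

# install_authorized_key <pubkey-file> <ssh-dir>
# Returns 0 on success, 1 for an unsupported key type, 2 for a malformed line.
install_authorized_key() {
    pubkey_file=$1
    ssh_dir=$2
    auth_file="$ssh_dir/authorized_keys"

    # A public key line is "<type> <base64> [comment]"; use the first line only.
    key_line=$(head -n 1 "$pubkey_file")
    key_type=${key_line%% *}
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    [ -n "$key_type" ] && [ -n "$key_blob" ] || return 2

    # Only the algorithms generated in STEP 1; ssh-rsa and others are rejected.
    case "$key_type" in
        ssh-ed25519|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac

    # mkdir -p inherits the umask (often 755); set the modes explicitly.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Append only if this exact key blob is not already present (idempotent).
    if ! grep -qF "$key_blob" "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file"
    fi
    return 0
}

# count_authorized_keys <ssh-dir>: number of key lines in authorized_keys.
count_authorized_keys() {
    wc -l < "$1/authorized_keys" | tr -d ' '
}

# file_mode <path>: the symbolic permission field from ls, e.g. drwx------.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage with constructed (not real) keys in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBLOBNOTREAL user@host.local\n' > "$tmp/id_ed25519.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EEXAMPLENOTREAL user@host.local\n' > "$tmp/id_rsa.pub"
    rc=0; install_authorized_key "$tmp/id_ed25519.pub" "$tmp/dotssh" || rc=$?
    echo "ed25519 install: $rc"
    rc=0; install_authorized_key "$tmp/id_ed25519.pub" "$tmp/dotssh" || rc=$?
    echo "same key again:  $rc (no duplicate added)"
    rc=0; install_authorized_key "$tmp/id_rsa.pub" "$tmp/dotssh" || rc=$?
    echo "rsa install:     $rc (rejected)"
    echo "keys: $(count_authorized_keys "$tmp/dotssh")  dir: $(file_mode "$tmp/dotssh")  file: $(file_mode "$tmp/dotssh/authorized_keys")"
    rm -rf "$tmp"
}

demo
```

On a real server the function would be fed the key line piped over ssh exactly as in the command above, with `~/.ssh` as the second argument. Where `ssh-copy-id` is available it is the standard tool for this step and also sets the directory and file modes correctly, but it does not filter on key type.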
STEP 3 – Test the connection
ssh <user id>@<server name>
The login must now succeed without prompting for the account password (if you set a passphrase on the key in STEP 1, you will still be asked for that).