Ed25519
Like SSH and secure keys?
Generate Secure Key
ssh-keygen -o -a 100 -t ed25519 -C "MyFamousComment"
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)"
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname) at $(date +%Y-%m-%d)"
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname) at $(date '+%Y-%m-%d %H:%M')"
What's ed25519?
Distribute Key
ssh-copy-id user@remotehost
Connect to Remote
Connect to Remote without Agent Forwarding (use this unless you know what you're doing ...)
ssh -a remotehost
Connect with Agent Forwarding
or if you need Agent Forwarding
ssh -A remotehost
Confirm Agent Forwarding
to confirm if agent forwarding is working, you can check your environment:
boss ~$ env |grep SSH
SSH_TTY=/dev/ttyp0
SSH_AUTH_SOCK=/tmp/ssh-sx8jqoWoD7/agent.10207
SSH_CONNECTION=192.168.2 55484 192.168.1.1 22
SSH_CLIENT=192.168.108.2 55484 22
Check if Passphrase is set
ssh-keygen -y -f .ssh/id_ed25519
Change Passphrase
ssh-keygen -p -f .ssh/id_ed25519
Enter old passphrase:
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
Extract Public Key from Private Key
ssh-keygen -y -f ~/.ssh/id_ed25519
ssh-keygen -y -f ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.pub
Change Comment on Private Key
ssh-keygen -c -C "my new comment" -f ~/.ssh/id_ed25519
Old comment: whatever-was-here
Comment 'my new comment' applied
SSH Authentication with Password (without Key)
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no -l user switchxxx
Keychain
keychain is a manager for ssh-agent, typically run from ~/.bash_profile. It allows your shells and cron jobs to easily share a single ssh-agent process. By default, the ssh-agent started by keychain is long-running and will continue to run, even after you have logged out from the system.
doas pkg_add keychain
$ keychain
* keychain 2.8.5 ~ http://www.funtoo.org
* Starting ssh-agent...
Restrict Access via authorized_keys
You may want to give some users access to a certain machine but only allow specific commands. For example, you can allow a key to do nothing but fetch one file from a backup folder:
root@yourserver # cat /root/.ssh/authorized_keys
# Allow SCP for theirserver
command="scp -f /home/backup/fullbackup.tar.gz",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3Nzaxxxxxxxxxxxxxxxxxxxxx "pubkey from yourserver"
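As an added example, not from the original page: a small shell helper that builds a restricted authorized_keys entry of the form shown above from a .pub line, plus a defender-side audit that flags every key in an authorized_keys file that carries no options at all (and therefore grants a full shell). It adds no-pty on top of the page's options and replaces the .pub comment with a fixed label; the key blobs and hosts are constructed samples.

```shell
# Added example, not from the original page. Key blobs and hosts are constructed.

# make_restricted_entry "PUBKEY_LINE" /path/to/file
# Emits an authorized_keys line that only allows fetching that one file via scp.
# The .pub comment is dropped and replaced by a fixed label; no-pty is added on
# top of the page's options since a forced scp command never needs a terminal.
make_restricted_entry() {
    keytype=$(printf '%s\n' "$1" | awk '{print $1}')
    keyblob=$(printf '%s\n' "$1" | awk '{print $2}')
    printf 'command="scp -f %s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s %s restricted-backup-fetch\n' \
        "$2" "$keytype" "$keyblob"
}

# audit_authorized_keys < FILE
# Prints every key line that starts directly with a key type, i.e. has no
# options field (no command=, no-*, restrict, from=...). Returns 0 when every
# key is restricted, 1 otherwise. Blank lines and # comments are skipped.
audit_authorized_keys() {
    unrestricted=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) ;;
            ssh-*|ecdsa-*|sk-*)
                printf 'UNRESTRICTED: %s\n' "$line"
                unrestricted=$((unrestricted + 1)) ;;
        esac
    done
    [ "$unrestricted" -eq 0 ]
}

# Constructed sample input (not real keys): two restricted entries, one bare key.
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY1 backup@yourserver'
SAMPLE_AUTHORIZED_KEYS='# backup fetch only
command="scp -f /home/backup/fullbackup.tar.gz",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY1 backup@yourserver
restrict,from="192.0.2.10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY2 admin@jump
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY3 olduser@laptop'

make_restricted_entry "$SAMPLE_PUB" /home/backup/fullbackup.tar.gz
if printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | audit_authorized_keys; then
    echo "all keys carry restrictions"
else
    echo "review the keys above: they grant a full shell"
fi
```

Run the audit against a real file with `audit_authorized_keys < /root/.ssh/authorized_keys`; a zero exit means every key has at least one option set, which is what you want on a backup-only account.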