{"id":100,"date":"2015-07-14T21:14:10","date_gmt":"2015-07-14T19:14:10","guid":{"rendered":"http:\/\/www.underealm.com\/tech\/?p=100"},"modified":"2015-07-14T21:16:45","modified_gmt":"2015-07-14T19:16:45","slug":"ssh-keys-for-dummies","status":"publish","type":"post","link":"https:\/\/www.underealm.com\/tech\/2015\/07\/ssh-keys-for-dummies\/","title":{"rendered":"RSA\/DSA ssh(d) keys, a synthetic guide"},"content":{"rendered":"<p>There is a lot of useless and cryptic information in regard to any type of encryption, typical as per USA&#8217;s <abbr title=\"Fear, Uncertainty, Doubt\">FUD<\/abbr> standards. I&#8217;ll post here a synthesis of the steps necessary to wave plain text password logins goodbye.<\/p>\n<p>I&#8217;ll assume you already have the private\/public key couple by now, if not <a href=\"http:\/\/www.electrictoolbox.com\/PuTTY-rsa-dsa-keys\/\">you can use puttygen<\/a>. This topic is well covered, although they have a tendency to suggest a low level of encryption. <em>Isn&#8217;t it strange how for apparently &#8220;anybody&#8221; an 8 letter password, or a 2048 bit key, is enough for everyone?<\/em> For the record, I used a 4096 bit DSA key.<\/p>\n<p>I will also assume that you&#8217;re setting up a server on Linux, so <abbr title=\"Your mileage may vary\">ymmv<\/abbr>.<\/p>\n<p>Coming back to the topic at hand, you have a private key, that you use to login from your computer, and a public key that you will deploy to one or more PCs\/servers. The public key will probably look like this:<\/p>\n<pre class=\"nums:false highlight:0\">---- BEGIN SSH2 PUBLIC KEY ----\r\nComment: \"dsa-key-[DATE]\"\r\n[MULTI-LINE KEY]\r\n---- END SSH2 PUBLIC KEY ----<\/pre>\n<p>This won&#8217;t work in most cases, as SSHD expects a certain format. 
You will then have to convert that key into this:<\/p>\n<pre class=\"nums:false highlight:0\">ssh-dss [KEY BROUGHT TO A SINGLE LINE WITHOUT SPACES] [OPTIONAL COMMENTS]<\/pre>\n<p>The beginning of the line is <strong>ssh-dss<\/strong> for <strong>DSA keys<\/strong>, <strong>ssh-rsa<\/strong> for <strong>RSA keys<\/strong>. With this line of text in hand, you can open <code>~\/.ssh\/authorized_keys<\/code> on your servers, copy the key data into it, and save.<\/p>\n<p>The last thing to do is to reconfigure the sshd.<\/p>\n<pre class=\"toolbar:1 nums:false highlight:0\" title=\"\/etc\/ssh\/sshd_config\">\u2026\r\nServerKeyBits 1024\r\n\u2026\r\nAuthorizedKeysFile      %h\/.ssh\/authorized_keys\r\n\u2026\r\nPasswordAuthentication no\r\n\u2026<\/pre>\n<p>While checking the configuration I noticed that the ephemeral key size (<strong>ServerKeyBits<\/strong>) was defaulted to 1 kilobit. <strong>ONE FREAKING KILOBIT<\/strong>. To give you a comparison, in 2002 on IRC channels we used DH with 2048 bits of encryption. That&#8217;s 13 years ago. <em>For chat<\/em>. You might want to turn it up several notches.<\/p>\n<p>For the server to actually use the key you provided, you will need to uncomment <strong>AuthorizedKeysFile<\/strong>; keep in mind that the path may differ. It could be <strong>.ssh\/authorized_keys<\/strong> on <strong>CentOS<\/strong>, <strong>%h\/.ssh\/authorized_keys<\/strong> on <strong>Ubuntu<\/strong>, and so on.<\/p>\n<p><em>AFTER<\/em> you have made sure you can actually log in with your DSA\/RSA key, you will disable plain text authentication by uncommenting <strong>PasswordAuthentication<\/strong> and setting it to no.<\/p>\n<p>This is all the black magic involved in it, without the convoluted mess that always surrounds OpenSSL\/SSHD documentation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There is a lot of useless and cryptic information in regard to any type of encryption, typical as per USA&#8217;s FUD standards. 
I&#8217;ll post here a synthesis of the steps necessary to wave plain text password logins goodbye. I&#8217;ll assume you already have the private\/public key couple by now, if not you can use puttygen. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[30,31,27,28,26,29],"class_list":["post-100","post","type-post","status-publish","format-standard","hentry","category-sysad","tag-dh","tag-diffie-hellman","tag-dsa","tag-openssh","tag-rsa","tag-ssh"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/posts\/100"}],"collection":[{"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/comments?post=100"}],"version-history":[{"count":0,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/posts\/100\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/media?parent=100"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/categories?post=100"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.underealm.com\/tech\/wp-json\/wp\/v2\/tags?post=100"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}