DEV Community

loading...

Levelling-up your SSH Private Key from RSA to ED25519 + Symmetric Password Protection

Lukas Lukac
I train devs how to program full-stack blockchain apps on Ethereum with {Go, JS, Smart Contracts, IPFS}. StackOverflowing for 10+ years
・2 min read

Today I had to generate a separate Private and Public Key in order to access my new blockchain node so I took the opportunity to setup a fresh, unique key pair that are also protected by 2FA authentication, interactive password. Later I will take it a step further and protect it with a Yubikey.

Even though RSA was a standard for asymetric SSH keys for years, keys below 2048-bit length are not considered safe anymore due to evolution in hardware. It's time to upgrade to a stronger, elliptic curve algorithm, ED25519 which is faster, more secure and shorter in bytes.

Requirements

Having a basic understanding of SSH and ssh-keygen installed.

Step 1/3 - Generate a new ED25519 Priv Key

ssh-keygen -t ed25519 -C "lukas@gmailorwhatever.com"
Enter fullscreen mode Exit fullscreen mode

thank you Andrew, my dear colleague for the command recommendation!

You will be prompted to enter the key destination path,

Enter file in which to save the key: 
/Users/enchanterio/.ssh/id_ed25519_devto_tutorial
Enter fullscreen mode Exit fullscreen mode

Choose a passphrase (DO NOT LEAVE BLANK).

Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Enter fullscreen mode Exit fullscreen mode

Your private key has been saved in /Users/enchanterio/.ssh/id_ed25519_devto_tutorial.

Your public key has been saved in /Users/enchanterio/.ssh/id_ed25519_devto_tutorial.pub.

The key fingerprint is:
SHA256:qxCxjp6thlj59cjQKy+qTrPnlTNfCq/RKNP+bYCwyA8 lukas@gmailorwhatever.com

The key's randomart image is:

+--[ED25519 256]--+
|                 |
|                 |
|    .            |
|   . o           |
|. ..=.. S        |
| Eo+oo*. .       |
|.=++o& =o.       |
|+.+=O.@.=.       |
|o=B+.*==..       |
+----[SHA256]-----+
Enter fullscreen mode Exit fullscreen mode

Step 2/3 - Configuring SSH agent

Connect to a server, add the content of your new local Pub Key cat ~/.ssh/id_ed25519_devto_tutorial.pub to the server's .ssh/authorized_keys file and remove the old RSA Key:

authorized_keys
ignore that the key on the image is different from the above in this tutorial, I took the screenshot before I wrote the tutorial

Disconnect from the server. Now we will do an additional trick to associate the specific IP address with this new Private Key without affecting rest of the SSH connections based on the old RSA Key.

vim ~/.ssh/config
Enter fullscreen mode Exit fullscreen mode
Host blockchain-node
        HostName <YOUR_IP_ADDRESS>
        User root
        IdentityFile /Users/enchanterio/.ssh/id_ed25519_devto_tutorial
Enter fullscreen mode Exit fullscreen mode

Step 3/3 - Dialing the connection

Execute:

ssh blockchain-node
Enter fullscreen mode Exit fullscreen mode

You will be prompted to unlock your SSH key by password:

Enter passphrase for key '/Users/enchanterio/.ssh/id_ed25519_devto_tutorial':
<type pwd...>

Done! Connected. Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-43-generic x86_64)
Enter fullscreen mode Exit fullscreen mode

And the server you just connected to, authenticated you against your new password protected, ED25519 Elliptic Private Key. Gg.

Discussion (0)