Today I had to generate a separate Private and Public Key in order to access my new blockchain node so I took the opportunity to setup a fresh, unique key pair that are also protected by 2FA authentication, interactive password. Later I will take it a step further and protect it with a Yubikey.
Even though RSA was a standard for asymetric SSH keys for years, keys below 2048-bit length are not considered safe anymore due to evolution in hardware. It's time to upgrade to a stronger, elliptic curve algorithm, ED25519 which is faster, more secure and shorter in bytes.
Having a basic understanding of SSH and ssh-keygen installed.
ssh-keygen -t ed25519 -C "email@example.com"
thank you Andrew, my dear colleague for the command recommendation!
You will be prompted to enter the key destination path,
Enter file in which to save the key: /Users/enchanterio/.ssh/id_ed25519_devto_tutorial
Choose a passphrase (DO NOT LEAVE BLANK).
Enter passphrase (empty for no passphrase): Enter same passphrase again:
Your private key has been saved in /Users/enchanterio/.ssh/id_ed25519_devto_tutorial.
Your public key has been saved in /Users/enchanterio/.ssh/id_ed25519_devto_tutorial.pub.
The key fingerprint is:
The key's randomart image is:
+--[ED25519 256]--+ | | | | | . | | . o | |. ..=.. S | | Eo+oo*. . | |.=++o& =o. | |+.+=O.@.=. | |o=B+.*==.. | +----[SHA256]-----+
Connect to a server, add the content of your new local Pub Key
cat ~/.ssh/id_ed25519_devto_tutorial.pub to the server's
.ssh/authorized_keys file and remove the old RSA Key:
Disconnect from the server. Now we will do an additional trick to associate the specific IP address with this new Private Key without affecting rest of the SSH connections based on the old RSA Key.
Host blockchain-node HostName <YOUR_IP_ADDRESS> User root IdentityFile /Users/enchanterio/.ssh/id_ed25519_devto_tutorial
You will be prompted to unlock your SSH key by password:
Enter passphrase for key '/Users/enchanterio/.ssh/id_ed25519_devto_tutorial': <type pwd...> Done! Connected. Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-43-generic x86_64)
And the server you just connected to, authenticated you against your new password protected, ED25519 Elliptic Private Key. Gg.