SSH Keys: Difference between revisions

Line 10:

== Difference Between SSH and GPG Keys ==

'' '''SSH Keys''': Used primarily for secure authentication to servers and services. They provide access control and secure communication.

* '''SSH Keys''': Used primarily for secure authentication to servers and services. They provide access control and secure communication.

'' '''GPG Keys''': Used for encrypting, decrypting, and signing emails and files. GPG keys provide data integrity and authenticity.

* '''GPG Keys''': Used for encrypting, decrypting, and signing emails and files. GPG keys provide data integrity and authenticity.

'''Always remember NEVER share your PRIVATE keys'''

Line 18:

== Key Type Comparison ==

'''Recommendation''' - '''Best for security and performance''': '''ssh-ed25519''' ~~- '''Best for compatibility''': '''ssh-rsa''' — - '''ssh-ed25519''' (Recommended) -~~ '''Strengths''': Very strong security, small key size, fast performance. - '''Weaknesses''': Newer, less universally supported (but rapidly growing). - '''Use case''': Best for strong security and performance where supported.

'''Recommendation''' -

* '''Best for security and performance''': '''ssh-ed25519'''

** '''Strengths''': Very strong security, small key size, fast performance.

** '''Weaknesses''': Newer, less universally supported (but rapidly growing).

** '''Use case''': Best for strong security and performance where supported.

'' '''ssh-rsa''' (Most Compatible)

* '''ssh-rsa''' (Most Compatible)

~~'''~~ '''Strengths''': Widely supported, highly compatible.

** '''Strengths''': Widely supported, highly compatible.

~~'''~~ '''Weaknesses''': Requires larger keys for equivalent security, slower performance.

** '''Weaknesses''': Requires larger keys for equivalent security, slower performance.

~~''''~~ '''Use case''': Best for broad compatibility.

** '''Use case''': Best for broad compatibility.

'' '''ecdsa-sha2-nistp256''', '''ecdsa-sha2-nistp384''', '''ecdsa-sha2-nistp521'''

~~'''~~ '''Strengths''': Strong security with smaller key sizes, better performance.

* '''ecdsa-sha2-nistp256''', '''ecdsa-sha2-nistp384''', '''ecdsa-sha2-nistp521'''

~~'''~~ '''Weaknesses''': Potentially weaker NIST curves, less compatibility.

** '''Strengths''': Strong security with smaller key sizes, better performance.

*'' '''Use case''': Good for strong security and performance where compatibility is less critical.

** '''Weaknesses''': Potentially weaker NIST curves, less compatibility.

'' '''ssh-dss''' (Don’t Use)

** '''Use case''': Good for strong security and performance where compatibility is less critical.

~~'''~~ '''Strengths''': Early standard.

~~'''~~ '''Weaknesses''': Limited to 1024-bit keys, weaker security, often deprecated.

* '''ssh-dss''' (Don’t Use)

*'' '''Use case''': Not recommended.

** '''Strengths''': Early standard.

** '''Weaknesses''': Limited to 1024-bit keys, weaker security, often deprecated.

** '''Use case''': Not recommended.

Line 43:

Line 49:

'''Most Secure Keys'''

<syntaxhighlight lang="shell">ssh-keygen -t ssh-ed25519 -C "[email protected]"</syntaxhighlight>

~~'' Advanded ED25519 Command~~

ssh-keygen -t ssh-ed25519 -C "[email protected]"

</syntaxhighlight>

<syntaxhighlight lang="shell">ssh-keygen -t ed25519 -C "[email protected]" -f ~/.ssh/username_id_ed25519 -N "your_passphrase"</syntaxhighlight>

'''Advanced ED25519 Command'''

'''~~Compatilble~~ and Secure'''

ssh-keygen -t ed25519 -C "[email protected]" -f ~/.ssh/username_id_ed25519 -N "your_passphrase"

</syntaxhighlight>

'''Compatible and Secure'''

ssh-keygen -t rsa -b 4096 -C "[email protected]"

</syntaxhighlight>

~~<syntaxhighlight lang="shell">ssh-keygen -t rsa -b 4096 -C "[email protected]"</syntaxhighlight>~~

Follow the prompts to save the key, typically in <code>~/.ssh/id_rsa</code>.

Line 65:

Line 80:

To use your SSH key for connecting to a server, add your public key to the <code>~/.ssh/authorized_keys</code> file on the server:

<syntaxhighlight lang="sh">ssh-add ~/.ssh/username_id_ed25519 ~~[email protected]~~</syntaxhighlight>

~~After this you can login to the server (remote) without anythin <code>ssh [email protected]</code>, if you are prompted for your pin, it is the pin you created when generating your ssh keys~~

ssh-add ~/.ssh/username_id_ed25519

</syntaxhighlight>

You may also ~~ssh~~ directly to a server without adding your ~~ssh~~ key to the ~~server (remote)~~ <code>~/.ssh/authorized_keys</code> file

After this, you can log in to the server (remote) with <code>ssh [email protected]</code>. If you are prompted for your PIN, it is the PIN you created when generating your SSH keys.

You may also SSH directly to a server without adding your SSH key to the server’s <code>~/.ssh/authorized_keys</code> file:

ssh -i ~/.ssh/username_id_ed25519 username@hostname

</syntaxhighlight>

~~<syntaxhighlight lang="sh">ssh -i ~/.ssh/username_id_ed25519 username@hostname</syntaxhighlight>~~

=== Using with Git ===

Line 79:

Line 100:

To use your SSH key with private Git repositories, add the key to your SSH agent and configure the repository URL to use SSH:

<syntaxhighlight lang="sh">ssh-add ~/.ssh/username_id_ed25519

git remote set-url origin [email protected]:username/repo.git</syntaxhighlight>

ssh-add ~/.ssh/username_id_ed25519

git remote set-url origin [email protected]:username/repo.git

</syntaxhighlight>

==== Using to ~~sign~~ Git Commits ====

==== Using to Sign Git Commits ====

To sign Git commits with your SSH key, configure Git to use the key:

<syntaxhighlight lang="sh">git config --global user.signingkey <your-key-id>

git config --global commit.gpgSign true</syntaxhighlight>

git config --global user.signingkey <your-key-id>

git config --global commit.gpgSign true

</syntaxhighlight>

=== Using GPG Keys for SSH Authentication ===

Line 96:

Line 123:

If you don’t already have a GPG key pair, generate one:

<syntaxhighlight lang="sh">gpg --full-generate-key</syntaxhighlight>

gpg --full-generate-key

</syntaxhighlight>

Follow the prompts to create your key pair.

Line 104:

Line 134:

Edit or create the <code>~/.gnupg/gpg-agent.conf</code> file to include the following line:

<syntaxhighlight lang="sh">enable-ssh-support</syntaxhighlight>

enable-ssh-support

</syntaxhighlight>

==== Starting the GPG Agent ====

Line 110:

Line 143:

Start or reload the GPG agent:

<syntaxhighlight lang="sh">gpg-connect-agent updatestartuptty /bye</syntaxhighlight>

gpg-connect-agent updatestartuptty /bye

</syntaxhighlight>

==== Extracting the SSH Public Key from Your GPG Key ====

Line 116:

Line 152:

Use the following command to extract the SSH public key from your GPG key:

ssh-add -L

</syntaxhighlight>

If the key is not listed, you can add it manually:

<syntaxhighlight lang="sh">gpg --export-ssh-key <your-gpg-key-id></syntaxhighlight>

gpg --export-ssh-key <your-gpg-key-id>

</syntaxhighlight>

Replace <code><your-gpg-key-id></code> with your actual GPG key ID.

Line 132:

Line 174:

Ensure your SSH client is configured to use the GPG agent by adding the following to your <code>~/.bashrc</code> or <code>~/.zshrc</code>:

<syntaxhighlight lang="sh">export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)</syntaxhighlight>

export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)

</syntaxhighlight>

Reload your shell configuration:

<syntaxhighlight lang="sh">source ~/.bashrc ## or source ~/.zshrc</syntaxhighlight>

source ~/.bashrc ## or source ~/.zshrc

</syntaxhighlight>

By following these steps, you can use your GPG key for SSH authentication, leveraging the benefits of GPG key management.

== Securely Storing ~~your~~ Keys ==

== Securely Storing Your Keys ==

Line 146:

Line 194:

Use <code>ssh-agent</code> to manage your keys and avoid entering the passphrase multiple times:

<syntaxhighlight lang="sh">eval "$(ssh-agent -s)"

ssh-add ~/.ssh/username_id_ed25519</syntaxhighlight>

eval "$(ssh-agent -s)"

ssh-add ~/.ssh/username_id_ed25519

</syntaxhighlight>

=== KeyPassXC ===

Line 156:

Line 207:

== References ==

'' [https://www.openssh.com/ OpenSSH]

* [https://www.openssh.com/ OpenSSH]

'' [https://www.puttygen.com/ PuTTYgen]

* [https://www.puttygen.com/ PuTTYgen]

'' [https://support.apple.com/guide/keychain-access/welcome/mac Keychain Access]

* [https://support.apple.com/guide/keychain-access/welcome/mac Keychain Access]

'' [https://keepassxc.org/ KeyPassXC]

* [https://keepassxc.org/ KeyPassXC]

@@ Line 10: / Line 10: @@
 == Difference Between SSH and GPG Keys ==
-'' '''SSH Keys''': Used primarily for secure authentication to servers and services. They provide access control and secure communication.
+* '''SSH Keys''': Used primarily for secure authentication to servers and services. They provide access control and secure communication.
-'' '''GPG Keys''': Used for encrypting, decrypting, and signing emails and files. GPG keys provide data integrity and authenticity.
+* '''GPG Keys''': Used for encrypting, decrypting, and signing emails and files. GPG keys provide data integrity and authenticity.
 '''Always remember NEVER share your PRIVATE keys'''
@@ Line 18: / Line 18: @@
 == Key Type Comparison ==
-'''Recommendation''' - '''Best for security and performance''': '''ssh-ed25519''' - '''Best for compatibility''': '''ssh-rsa''' — - '''ssh-ed25519''' (Recommended) - '''Strengths''': Very strong security, small key size, fast performance. - '''Weaknesses''': Newer, less universally supported (but rapidly growing). - '''Use case''': Best for strong security and performance where supported.
+'''Recommendation''' -
+* '''Best for security and performance''': '''ssh-ed25519'''
+** '''Strengths''': Very strong security, small key size, fast performance.
+** '''Weaknesses''': Newer, less universally supported (but rapidly growing).
+** '''Use case''': Best for strong security and performance where supported.
-'' '''ssh-rsa''' (Most Compatible)
+* '''ssh-rsa''' (Most Compatible)
-''' '''Strengths''': Widely supported, highly compatible.
+** '''Strengths''': Widely supported, highly compatible.
-''' '''Weaknesses''': Requires larger keys for equivalent security, slower performance.
+** '''Weaknesses''': Requires larger keys for equivalent security, slower performance.
-'''' '''Use case''': Best for broad compatibility.
+** '''Use case''': Best for broad compatibility.
-'' '''ecdsa-sha2-nistp256''', '''ecdsa-sha2-nistp384''', '''ecdsa-sha2-nistp521'''
-''' '''Strengths''': Strong security with smaller key sizes, better performance.
+* '''ecdsa-sha2-nistp256''', '''ecdsa-sha2-nistp384''', '''ecdsa-sha2-nistp521'''
-''' '''Weaknesses''': Potentially weaker NIST curves, less compatibility.
+** '''Strengths''': Strong security with smaller key sizes, better performance.
-*'' '''Use case''': Good for strong security and performance where compatibility is less critical.
+** '''Weaknesses''': Potentially weaker NIST curves, less compatibility.
-'' '''ssh-dss''' (Don’t Use)
+** '''Use case''': Good for strong security and performance where compatibility is less critical.
-''' '''Strengths''': Early standard.
-''' '''Weaknesses''': Limited to 1024-bit keys, weaker security, often deprecated.
+* '''ssh-dss''' (Don’t Use)
-*'' '''Use case''': Not recommended.
+** '''Strengths''': Early standard.
+** '''Weaknesses''': Limited to 1024-bit keys, weaker security, often deprecated.
+** '''Use case''': Not recommended.
 <span id="creating-your-keys"></span>
@@ Line 43: / Line 49: @@
 '''Most Secure Keys'''
-<syntaxhighlight lang="shell">ssh-keygen -t ssh-ed25519 -C "[email protected]"</syntaxhighlight>
+<syntaxhighlight lang="shell">
-'' Advanded ED25519 Command
+ssh-keygen -t ssh-ed25519 -C "[email protected]"
+</syntaxhighlight>
-<syntaxhighlight lang="shell">ssh-keygen -t ed25519 -C "[email protected]" -f ~/.ssh/username_id_ed25519 -N "your_passphrase"</syntaxhighlight>
+'''Advanced ED25519 Command'''
-'''Compatilble and Secure'''
+<syntaxhighlight lang="shell">
+ssh-keygen -t ed25519 -C "[email protected]" -f ~/.ssh/username_id_ed25519 -N "your_passphrase"
+</syntaxhighlight>
+'''Compatible and Secure'''
+<syntaxhighlight lang="shell">
+ssh-keygen -t rsa -b 4096 -C "[email protected]"
+</syntaxhighlight>
-<syntaxhighlight lang="shell">ssh-keygen -t rsa -b 4096 -C "[email protected]"</syntaxhighlight>
 Follow the prompts to save the key, typically in <code>~/.ssh/id_rsa</code>.
@@ Line 65: / Line 80: @@
 To use your SSH key for connecting to a server, add your public key to the <code>~/.ssh/authorized_keys</code> file on the server:
-<syntaxhighlight lang="sh">ssh-add  ~/.ssh/username_id_ed25519 [email protected]</syntaxhighlight>
+<syntaxhighlight lang="sh">
-After this you can login to the server (remote) without anythin <code>ssh [email protected]</code>, if you are prompted for your pin, it is the pin you created when generating your ssh keys
+ssh-add ~/.ssh/username_id_ed25519
+</syntaxhighlight>
-You may also ssh directly to a server without adding your ssh key to the server (remote) <code>~/.ssh/authorized_keys</code> file
+After this, you can log in to the server (remote) with <code>ssh [email protected]</code>. If you are prompted for your PIN, it is the PIN you created when generating your SSH keys.
+You may also SSH directly to a server without adding your SSH key to the server’s <code>~/.ssh/authorized_keys</code> file:
+<syntaxhighlight lang="sh">
+ssh -i ~/.ssh/username_id_ed25519 username@hostname
+</syntaxhighlight>
-<syntaxhighlight lang="sh">ssh -i ~/.ssh/username_id_ed25519 username@hostname</syntaxhighlight>
 <span id="using-with-git"></span>
 === Using with Git ===
@@ Line 79: / Line 100: @@
 To use your SSH key with private Git repositories, add the key to your SSH agent and configure the repository URL to use SSH:
-<syntaxhighlight lang="sh">ssh-add ~/.ssh/username_id_ed25519
+<syntaxhighlight lang="sh">
-git remote set-url origin [email protected]:username/repo.git</syntaxhighlight>
+ssh-add ~/.ssh/username_id_ed25519
+git remote set-url origin [email protected]:username/repo.git
+</syntaxhighlight>
 <span id="using-to-sign-git-commits"></span>
-==== Using to sign Git Commits ====
+==== Using to Sign Git Commits ====
 To sign Git commits with your SSH key, configure Git to use the key:
-<syntaxhighlight lang="sh">git config --global user.signingkey <your-key-id>
+<syntaxhighlight lang="sh">
-git config --global commit.gpgSign true</syntaxhighlight>
+git config --global user.signingkey <your-key-id>
+git config --global commit.gpgSign true
+</syntaxhighlight>
 <span id="using-gpg-keys-for-ssh-authentication"></span>
 === Using GPG Keys for SSH Authentication ===
@@ Line 96: / Line 123: @@
 If you don’t already have a GPG key pair, generate one:
-<syntaxhighlight lang="sh">gpg --full-generate-key</syntaxhighlight>
+<syntaxhighlight lang="sh">
+gpg --full-generate-key
+</syntaxhighlight>
 Follow the prompts to create your key pair.
@@ Line 104: / Line 134: @@
 Edit or create the <code>~/.gnupg/gpg-agent.conf</code> file to include the following line:
-<syntaxhighlight lang="sh">enable-ssh-support</syntaxhighlight>
+<syntaxhighlight lang="sh">
+enable-ssh-support
+</syntaxhighlight>
 <span id="starting-the-gpg-agent"></span>
 ==== Starting the GPG Agent ====
@@ Line 110: / Line 143: @@
 Start or reload the GPG agent:
-<syntaxhighlight lang="sh">gpg-connect-agent updatestartuptty /bye</syntaxhighlight>
+<syntaxhighlight lang="sh">
+gpg-connect-agent updatestartuptty /bye
+</syntaxhighlight>
 <span id="extracting-the-ssh-public-key-from-your-gpg-key"></span>
 ==== Extracting the SSH Public Key from Your GPG Key ====
@@ Line 116: / Line 152: @@
 Use the following command to extract the SSH public key from your GPG key:
-<syntaxhighlight lang="sh">ssh-add -L</syntaxhighlight>
+<syntaxhighlight lang="sh">
+ssh-add -L
+</syntaxhighlight>
 If the key is not listed, you can add it manually:
-<syntaxhighlight lang="sh">gpg --export-ssh-key <your-gpg-key-id></syntaxhighlight>
+<syntaxhighlight lang="sh">
+gpg --export-ssh-key <your-gpg-key-id>
+</syntaxhighlight>
 Replace <code>&lt;your-gpg-key-id&gt;</code> with your actual GPG key ID.
@@ Line 132: / Line 174: @@
 Ensure your SSH client is configured to use the GPG agent by adding the following to your <code>~/.bashrc</code> or <code>~/.zshrc</code>:
-<syntaxhighlight lang="sh">export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)</syntaxhighlight>
+<syntaxhighlight lang="sh">
+export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
+</syntaxhighlight>
 Reload your shell configuration:
-<syntaxhighlight lang="sh">source ~/.bashrc  ## or source ~/.zshrc</syntaxhighlight>
+<syntaxhighlight lang="sh">
+source ~/.bashrc  ## or source ~/.zshrc
+</syntaxhighlight>
 By following these steps, you can use your GPG key for SSH authentication, leveraging the benefits of GPG key management.
 <span id="securely-storing-your-keys"></span>
-== Securely Storing your Keys ==
+== Securely Storing Your Keys ==
 <span id="ssh-agent"></span>
@@ Line 146: / Line 194: @@
 Use <code>ssh-agent</code> to manage your keys and avoid entering the passphrase multiple times:
-<syntaxhighlight lang="sh">eval "$(ssh-agent -s)"
+<syntaxhighlight lang="sh">
-ssh-add ~/.ssh/username_id_ed25519</syntaxhighlight>
+eval "$(ssh-agent -s)"
+ssh-add ~/.ssh/username_id_ed25519
+</syntaxhighlight>
 <span id="keypassxc"></span>
 === KeyPassXC ===
@@ Line 156: / Line 207: @@
 == References ==
-'' [https://www.openssh.com/ OpenSSH]
+* [https://www.openssh.com/ OpenSSH]
-'' [https://www.puttygen.com/ PuTTYgen]
+* [https://www.puttygen.com/ PuTTYgen]
-'' [https://support.apple.com/guide/keychain-access/welcome/mac Keychain Access]
+* [https://support.apple.com/guide/keychain-access/welcome/mac Keychain Access]
-'' [https://keepassxc.org/ KeyPassXC]
+* [https://keepassxc.org/ KeyPassXC]