SSH Keys: Difference between revisions

From Irregularpedia
Initial
 
formatting
Tag: wikieditor
Line 10: Line 10:
== Difference Between SSH and GPG Keys ==
== Difference Between SSH and GPG Keys ==


'' '''SSH Keys''': Used primarily for secure authentication to servers and services. They provide access control and secure communication.
* '''SSH Keys''': Used primarily for secure authentication to servers and services. They provide access control and secure communication.
'' '''GPG Keys''': Used for encrypting, decrypting, and signing emails and files. GPG keys provide data integrity and authenticity.
* '''GPG Keys''': Used for encrypting, decrypting, and signing emails and files. GPG keys provide data integrity and authenticity.


'''Always remember NEVER share your PRIVATE keys'''
'''Always remember NEVER share your PRIVATE keys'''
Line 18: Line 18:
== Key Type Comparison ==
== Key Type Comparison ==


'''Recommendation''' - '''Best for security and performance''': '''ssh-ed25519''' - '''Best for compatibility''': '''ssh-rsa''' — - '''ssh-ed25519''' (Recommended) - '''Strengths''': Very strong security, small key size, fast performance. - '''Weaknesses''': Newer, less universally supported (but rapidly growing). - '''Use case''': Best for strong security and performance where supported.
'''Recommendation''' -
* '''Best for security and performance''': '''ssh-ed25519'''
** '''Strengths''': Very strong security, small key size, fast performance.
** '''Weaknesses''': Newer, less universally supported (but rapidly growing).
** '''Use case''': Best for strong security and performance where supported.


'' '''ssh-rsa''' (Most Compatible)
* '''ssh-rsa''' (Most Compatible)
''' '''Strengths''': Widely supported, highly compatible.
** '''Strengths''': Widely supported, highly compatible.
''' '''Weaknesses''': Requires larger keys for equivalent security, slower performance.
** '''Weaknesses''': Requires larger keys for equivalent security, slower performance.
'''' '''Use case''': Best for broad compatibility.
** '''Use case''': Best for broad compatibility.
'' '''ecdsa-sha2-nistp256''', '''ecdsa-sha2-nistp384''', '''ecdsa-sha2-nistp521'''
 
''' '''Strengths''': Strong security with smaller key sizes, better performance.
* '''ecdsa-sha2-nistp256''', '''ecdsa-sha2-nistp384''', '''ecdsa-sha2-nistp521'''
''' '''Weaknesses''': Potentially weaker NIST curves, less compatibility.
** '''Strengths''': Strong security with smaller key sizes, better performance.
*'' '''Use case''': Good for strong security and performance where compatibility is less critical.
** '''Weaknesses''': Potentially weaker NIST curves, less compatibility.
'' '''ssh-dss''' (Don’t Use)
** '''Use case''': Good for strong security and performance where compatibility is less critical.
''' '''Strengths''': Early standard.
 
''' '''Weaknesses''': Limited to 1024-bit keys, weaker security, often deprecated.
* '''ssh-dss''' (Don’t Use)
*'' '''Use case''': Not recommended.
** '''Strengths''': Early standard.
** '''Weaknesses''': Limited to 1024-bit keys, weaker security, often deprecated.
** '''Use case''': Not recommended.


<span id="creating-your-keys"></span>
<span id="creating-your-keys"></span>
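Review bot: the rewritten Recommendation list at Line 18 drops the second recommendation the old text carried, '''Best for compatibility''': '''ssh-rsa'''. Either restore it as a sibling bullet of "Best for security and performance" or fold the label into the ssh-rsa entry below, so the reader still gets both recommendations rather than only the ed25519 one.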
Line 43: Line 49:
'''Most Secure Keys'''
'''Most Secure Keys'''


<syntaxhighlight lang="shell">ssh-keygen -t ssh-ed25519 -C "[email protected]"</syntaxhighlight>
<syntaxhighlight lang="shell">
'' Advanded ED25519 Command
ssh-keygen -t ssh-ed25519 -C "[email protected]"
</syntaxhighlight>


<syntaxhighlight lang="shell">ssh-keygen -t ed25519 -C "[email protected]" -f ~/.ssh/username_id_ed25519 -N "your_passphrase"</syntaxhighlight>
'''Advanced ED25519 Command'''
'''Compatilble and Secure'''
 
<syntaxhighlight lang="shell">
ssh-keygen -t ed25519 -C "[email protected]" -f ~/.ssh/username_id_ed25519 -N "your_passphrase"
</syntaxhighlight>
 
'''Compatible and Secure'''
 
<syntaxhighlight lang="shell">
ssh-keygen -t rsa -b 4096 -C "[email protected]"
</syntaxhighlight>


<syntaxhighlight lang="shell">ssh-keygen -t rsa -b 4096 -C "[email protected]"</syntaxhighlight>
Follow the prompts to save the key, typically in <code>~/.ssh/id_rsa</code>.
Follow the prompts to save the key, typically in <code>~/.ssh/id_rsa</code>.
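Review bot: `ssh-keygen -t ssh-ed25519` under "Most Secure Keys" is not a valid key type and fails with "unknown key type"; `-t` takes `ed25519`, as the "Advanced ED25519 Command" already shows, so the first line should be `ssh-keygen -t ed25519 -C "[email protected]"`. Two smaller points in the same hunk: passing `-N "your_passphrase"` on the command line records the passphrase in shell history, so the text should say to omit `-N` and answer the prompt unless the command is being scripted; and the new heading has a typo, "Compatilble" should be "Compatible".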


Line 65: Line 80:
To use your SSH key for connecting to a server, add your public key to the <code>~/.ssh/authorized_keys</code> file on the server:
To use your SSH key for connecting to a server, add your public key to the <code>~/.ssh/authorized_keys</code> file on the server:


<syntaxhighlight lang="sh">ssh-add ~/.ssh/username_id_ed25519 [email protected]</syntaxhighlight>
<syntaxhighlight lang="sh">
After this you can login to the server (remote) without anythin <code>ssh [email protected]</code>, if you are prompted for your pin, it is the pin you created when generating your ssh keys
ssh-add ~/.ssh/username_id_ed25519
</syntaxhighlight>


You may also ssh directly to a server without adding your ssh key to the server (remote) <code>~/.ssh/authorized_keys</code> file
After this, you can log in to the server (remote) with <code>ssh [email protected]</code>. If you are prompted for your PIN, it is the PIN you created when generating your SSH keys.
 
You may also SSH directly to a server without adding your SSH key to the server’s <code>~/.ssh/authorized_keys</code> file:
 
<syntaxhighlight lang="sh">
ssh -i ~/.ssh/username_id_ed25519 username@hostname
</syntaxhighlight>


<syntaxhighlight lang="sh">ssh -i ~/.ssh/username_id_ed25519 username@hostname</syntaxhighlight>
<span id="using-with-git"></span>
<span id="using-with-git"></span>
=== Using with Git ===
=== Using with Git ===
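Review bot: the command does not do what the sentence says. `ssh-add ~/.ssh/username_id_ed25519` loads the private key into the local agent; it never touches the server's `~/.ssh/authorized_keys`. The matching command is `ssh-copy-id -i ~/.ssh/username_id_ed25519.pub username@hostname` (or appending the `.pub` contents to `authorized_keys` by hand). Also, `ssh-keygen` sets a passphrase, not a PIN, so "If you are prompted for your PIN" should say passphrase; a PIN only applies to hardware-backed keys.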
Line 79: Line 100:
To use your SSH key with private Git repositories, add the key to your SSH agent and configure the repository URL to use SSH:
To use your SSH key with private Git repositories, add the key to your SSH agent and configure the repository URL to use SSH:


<syntaxhighlight lang="sh">ssh-add ~/.ssh/username_id_ed25519
<syntaxhighlight lang="sh">
git remote set-url origin [email protected]:username/repo.git</syntaxhighlight>
ssh-add ~/.ssh/username_id_ed25519
git remote set-url origin [email protected]:username/repo.git
</syntaxhighlight>
 
<span id="using-to-sign-git-commits"></span>
<span id="using-to-sign-git-commits"></span>
==== Using to sign Git Commits ====
==== Using to Sign Git Commits ====


To sign Git commits with your SSH key, configure Git to use the key:
To sign Git commits with your SSH key, configure Git to use the key:


<syntaxhighlight lang="sh">git config --global user.signingkey <your-key-id>
<syntaxhighlight lang="sh">
git config --global commit.gpgSign true</syntaxhighlight>
git config --global user.signingkey <your-key-id>
git config --global commit.gpgSign true
</syntaxhighlight>
 
<span id="using-gpg-keys-for-ssh-authentication"></span>
<span id="using-gpg-keys-for-ssh-authentication"></span>
=== Using GPG Keys for SSH Authentication ===
=== Using GPG Keys for SSH Authentication ===
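Review bot: the "Using to Sign Git Commits" block does not enable SSH signing. Without `gpg.format` set, Git treats `user.signingkey` as a GPG key id and invokes gpg, so the two lines as written do nothing useful with an SSH key. Add `git config --global gpg.format ssh` (Git 2.34 or later) and point `user.signingkey` at the public key file, e.g. `~/.ssh/username_id_ed25519.pub`, instead of the `<your-key-id>` placeholder; for local verification `gpg.ssh.allowedSignersFile` also has to list the key.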
Line 96: Line 123:
If you don’t already have a GPG key pair, generate one:
If you don’t already have a GPG key pair, generate one:


<syntaxhighlight lang="sh">gpg --full-generate-key</syntaxhighlight>
<syntaxhighlight lang="sh">
gpg --full-generate-key
</syntaxhighlight>
 
Follow the prompts to create your key pair.
Follow the prompts to create your key pair.
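Review bot: `gpg --full-generate-key` on its own produces signing and encryption keys only; gpg-agent offers just keys with the Authenticate capability over SSH, and `gpg --export-ssh-key` exports exactly that subkey. The section should tell the reader to add an authentication subkey (`gpg --expert --edit-key <your-gpg-key-id>`, then `addkey` with the Authenticate capability) before the later extraction step, otherwise `ssh-add -L` lists nothing.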


Line 104: Line 134:
Edit or create the <code>~/.gnupg/gpg-agent.conf</code> file to include the following line:
Edit or create the <code>~/.gnupg/gpg-agent.conf</code> file to include the following line:


<syntaxhighlight lang="sh">enable-ssh-support</syntaxhighlight>
<syntaxhighlight lang="sh">
enable-ssh-support
</syntaxhighlight>
 
<span id="starting-the-gpg-agent"></span>
<span id="starting-the-gpg-agent"></span>
==== Starting the GPG Agent ====
==== Starting the GPG Agent ====
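Review bot: `enable-ssh-support` is read when gpg-agent starts, so an agent that is already running keeps running without the SSH socket. Add a restart step after editing the file, `gpgconf --kill gpg-agent` followed by `gpgconf --launch gpg-agent`; the `updatestartuptty` call in the next hunk only tells the agent which terminal to use for pinentry and does not reload the configuration.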
Line 110: Line 143:
Start or reload the GPG agent:
Start or reload the GPG agent:


<syntaxhighlight lang="sh">gpg-connect-agent updatestartuptty /bye</syntaxhighlight>
<syntaxhighlight lang="sh">
gpg-connect-agent updatestartuptty /bye
</syntaxhighlight>
 
<span id="extracting-the-ssh-public-key-from-your-gpg-key"></span>
<span id="extracting-the-ssh-public-key-from-your-gpg-key"></span>
==== Extracting the SSH Public Key from Your GPG Key ====
==== Extracting the SSH Public Key from Your GPG Key ====
Line 116: Line 152:
Use the following command to extract the SSH public key from your GPG key:
Use the following command to extract the SSH public key from your GPG key:


<syntaxhighlight lang="sh">ssh-add -L</syntaxhighlight>
<syntaxhighlight lang="sh">
ssh-add -L
</syntaxhighlight>
 
If the key is not listed, you can add it manually:
If the key is not listed, you can add it manually:


<syntaxhighlight lang="sh">gpg --export-ssh-key <your-gpg-key-id></syntaxhighlight>
<syntaxhighlight lang="sh">
gpg --export-ssh-key <your-gpg-key-id>
</syntaxhighlight>
 
Replace <code>&lt;your-gpg-key-id&gt;</code> with your actual GPG key ID.
Replace <code>&lt;your-gpg-key-id&gt;</code> with your actual GPG key ID.
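Review bot: "you can add it manually" at Line 116 is misleading: `gpg --export-ssh-key` only prints the public key in OpenSSH format and adds nothing to the agent. If `ssh-add -L` does not list the key, the fix is to put the authentication subkey's keygrip (from `gpg -K --with-keygrip`) into `~/.gnupg/sshcontrol`; the export command then belongs with the next step, copying the public key into `authorized_keys`.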


Line 132: Line 174:
Ensure your SSH client is configured to use the GPG agent by adding the following to your <code>~/.bashrc</code> or <code>~/.zshrc</code>:
Ensure your SSH client is configured to use the GPG agent by adding the following to your <code>~/.bashrc</code> or <code>~/.zshrc</code>:


<syntaxhighlight lang="sh">export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)</syntaxhighlight>
<syntaxhighlight lang="sh">
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
</syntaxhighlight>
 
Reload your shell configuration:
Reload your shell configuration:


<syntaxhighlight lang="sh">source ~/.bashrc  ## or source ~/.zshrc</syntaxhighlight>
<syntaxhighlight lang="sh">
source ~/.bashrc  ## or source ~/.zshrc
</syntaxhighlight>
 
By following these steps, you can use your GPG key for SSH authentication, leveraging the benefits of GPG key management.
By following these steps, you can use your GPG key for SSH authentication, leveraging the benefits of GPG key management.


<span id="securely-storing-your-keys"></span>
<span id="securely-storing-your-keys"></span>
== Securely Storing your Keys ==
== Securely Storing Your Keys ==


<span id="ssh-agent"></span>
<span id="ssh-agent"></span>
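Review bot: the unconditional `export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)` in `~/.bashrc` also runs inside inbound SSH sessions, where it overrides a forwarded agent socket and silently routes authentication to the local gpg-agent. Guard it (skip when `SSH_CONNECTION` is set and `SSH_AUTH_SOCK` already exists) and follow it with `gpgconf --launch gpg-agent` so the socket is present before the first `ssh` call.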
Line 146: Line 194:
Use <code>ssh-agent</code> to manage your keys and avoid entering the passphrase multiple times:
Use <code>ssh-agent</code> to manage your keys and avoid entering the passphrase multiple times:


<syntaxhighlight lang="sh">eval "$(ssh-agent -s)"
<syntaxhighlight lang="sh">
ssh-add ~/.ssh/username_id_ed25519</syntaxhighlight>
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/username_id_ed25519
</syntaxhighlight>
 
<span id="keypassxc"></span>
<span id="keypassxc"></span>
=== KeyPassXC ===
=== KeyPassXC ===
Line 156: Line 207:
== References ==
== References ==


'' [https://www.openssh.com/ OpenSSH]
* [https://www.openssh.com/ OpenSSH]
'' [https://www.puttygen.com/ PuTTYgen]
* [https://www.puttygen.com/ PuTTYgen]
'' [https://support.apple.com/guide/keychain-access/welcome/mac Keychain Access]
* [https://support.apple.com/guide/keychain-access/welcome/mac Keychain Access]
'' [https://keepassxc.org/ KeyPassXC]
* [https://keepassxc.org/ KeyPassXC]
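Review bot: the product is spelled KeePassXC (the linked site is keepassxc.org); the "KeyPassXC" link text here and the `=== KeyPassXC ===` heading at Line 156 should be corrected.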

Revision as of 00:26, 10 September 2024

SSH Keys

What They Are

SSH keys are a pair of cryptographic keys used for secure access to systems over a network. They consist of a public key, which is shared, and a private key, which is kept secret. SSH keys provide a more secure and convenient way to authenticate than traditional passwords.

Difference Between SSH and GPG Keys

  • SSH Keys: Used primarily for secure authentication to servers and services. They provide access control and secure communication.
  • GPG Keys: Used for encrypting, decrypting, and signing emails and files. GPG keys provide data integrity and authenticity.

Always remember NEVER share your PRIVATE keys

Key Type Comparison

Recommendation -

  • Best for security and performance: ssh-ed25519
    • Strengths: Very strong security, small key size, fast performance.
    • Weaknesses: Newer, less universally supported (but rapidly growing).
    • Use case: Best for strong security and performance where supported.
  • ssh-rsa (Most Compatible)
    • Strengths: Widely supported, highly compatible.
    • Weaknesses: Requires larger keys for equivalent security, slower performance.
    • Use case: Best for broad compatibility.
  • ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521
    • Strengths: Strong security with smaller key sizes, better performance.
    • Weaknesses: Potentially weaker NIST curves, less compatibility.
    • Use case: Good for strong security and performance where compatibility is less critical.
  • ssh-dss (Don’t Use)
    • Strengths: Early standard.
    • Weaknesses: Limited to 1024-bit keys, weaker security, often deprecated.
    • Use case: Not recommended.
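The comparison above can be applied as a check on a real file. The following is an added example, not code from the Irregularpedia page: a POSIX shell audit that reads an authorized_keys or .pub file, finds the key type on each line (tolerating the optional options field that authorized_keys entries may start with), and reports the verdict from the table. The function names and the sample lines are this example's own; the key blobs are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the key types in an
# authorized_keys (or .pub) file against the comparison table above.
# Pure POSIX sh + awk; the key lines in demo_audit are constructed placeholders.

# Map a key type to a verdict from the comparison table.
verdict_for_type() {
    case "$1" in
        ssh-ed25519) echo "OK" ;;
        ssh-rsa) echo "CHECK-SIZE" ;;   # acceptable only with a large key (the page uses 4096 bits)
        ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) echo "CAUTION" ;;
        ssh-dss) echo "REJECT" ;;
        *) echo "UNKNOWN" ;;
    esac
}

# Print the key type found on one public-key line, or "unknown".
# authorized_keys lines may begin with an options field such as
# no-pty,command="...", so scan the fields for the first recognised type
# instead of assuming it is field one.
key_type_of_line() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp(256|384|521))$/) {
                    print $i
                    exit
                }
            print "unknown"
        }'
}

# Print "<verdict> <type> <comment>" for every key line in file $1.
# Blank lines and comments are skipped; the last field is the key comment
# (or the key blob itself when the line carries no comment).
audit_authorized_keys() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        ktype=$(key_type_of_line "$line")
        verdict=$(verdict_for_type "$ktype")
        comment=$(printf '%s\n' "$line" | awk '{ print $NF }')
        printf '%s %s %s\n' "$verdict" "$ktype" "$comment"
    done < "$1"
}

# Number of REJECT verdicts in file $1, i.e. the ssh-dss keys to remove.
reject_count() {
    audit_authorized_keys "$1" | awk '$1 == "REJECT" { n++ } END { print n + 0 }'
}

# Run the audit on a constructed sample when executed directly.
demo_audit() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
# constructed sample authorized_keys (placeholder key material)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDPLACEHOLDER alice@laptop
no-pty,command="/usr/local/bin/backup" ssh-dss AAAAB3NzaC1kc3MAAACBCONSTRUCTED backup@legacy
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCONSTRUCTEDPLACEHOLDER ci@runner
EOF
    audit_authorized_keys "$sample"
    printf 'keys to remove: %s\n' "$(reject_count "$sample")"
    rm -f "$sample"
}

demo_audit
```

Run it against `~/.ssh/authorized_keys` on a server with `audit_authorized_keys ~/.ssh/authorized_keys`; anything reported as REJECT is an ssh-dss key that current OpenSSH releases refuse anyway, and CHECK-SIZE entries are the RSA keys whose length still needs confirming with `ssh-keygen -lf`.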

Creating Your Keys

Terminal

To generate an SSH key using the terminal, use the following command:

Most Secure Keys

<syntaxhighlight lang="shell"> ssh-keygen -t ed25519 -C "[email protected]" </syntaxhighlight>

Advanced ED25519 Command

<syntaxhighlight lang="shell">
# -N sets the passphrase non-interactively; it then also ends up in your shell history, so prefer the prompt unless scripting
ssh-keygen -t ed25519 -C "[email protected]" -f ~/.ssh/username_id_ed25519 -N "your_passphrase"
</syntaxhighlight>

Compatible and Secure

<syntaxhighlight lang="shell"> ssh-keygen -t rsa -b 4096 -C "[email protected]" </syntaxhighlight>

Follow the prompts to save the key, typically in ~/.ssh/id_rsa.

GUI

Tools like PuTTYgen for Windows or Keychain Access for macOS can be used to generate SSH keys using a graphical interface.

Using Your Keys

Using to SSH

To use your SSH key for connecting to a server, add your public key to the ~/.ssh/authorized_keys file on the server:

<syntaxhighlight lang="sh">
ssh-copy-id -i ~/.ssh/username_id_ed25519.pub username@hostname
ssh-add ~/.ssh/username_id_ed25519
</syntaxhighlight>

After this, you can log in to the server (remote) with ssh [email protected]. If you are prompted for a passphrase, it is the one you set when generating your SSH key.

You may also SSH directly to a server without adding your SSH key to the server’s ~/.ssh/authorized_keys file:

<syntaxhighlight lang="sh"> ssh -i ~/.ssh/username_id_ed25519 username@hostname </syntaxhighlight>

Using with Git

Private Repos

To use your SSH key with private Git repositories, add the key to your SSH agent and configure the repository URL to use SSH:

<syntaxhighlight lang="sh">
ssh-add ~/.ssh/username_id_ed25519
git remote set-url origin [email protected]:username/repo.git
</syntaxhighlight>

Using to Sign Git Commits

To sign Git commits with your SSH key, configure Git to use the key:

<syntaxhighlight lang="sh">
# gpg.format ssh (Git 2.34+) makes user.signingkey a path to the public key instead of a GPG key id
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/username_id_ed25519.pub
git config --global commit.gpgSign true
</syntaxhighlight>

Using GPG Keys for SSH Authentication

Generating a GPG Key Pair

If you don’t already have a GPG key pair, generate one:

<syntaxhighlight lang="sh"> gpg --full-generate-key </syntaxhighlight>

Follow the prompts to create your key pair.

Enabling SSH Support in GPG

Edit or create the ~/.gnupg/gpg-agent.conf file to include the following line:

<syntaxhighlight lang="sh"> enable-ssh-support </syntaxhighlight>

Starting the GPG Agent

Start or reload the GPG agent:

<syntaxhighlight lang="sh"> gpg-connect-agent updatestartuptty /bye </syntaxhighlight>

Extracting the SSH Public Key from Your GPG Key

Use the following command to extract the SSH public key from your GPG key:

<syntaxhighlight lang="sh"> ssh-add -L </syntaxhighlight>

If the key is not listed, you can export its SSH public key form manually:

<syntaxhighlight lang="sh"> gpg --export-ssh-key <your-gpg-key-id> </syntaxhighlight>

Replace <your-gpg-key-id> with your actual GPG key ID.

Adding the Public Key to Your authorized_keys on the Remote Server

Copy the extracted public key and add it to the ~/.ssh/authorized_keys file on the remote server.

Configuring Your Shell to Use the GPG Agent for SSH

Ensure your SSH client is configured to use the GPG agent by adding the following to your ~/.bashrc or ~/.zshrc:

<syntaxhighlight lang="sh"> export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket) </syntaxhighlight>

Reload your shell configuration:

<syntaxhighlight lang="sh"> source ~/.bashrc ## or source ~/.zshrc </syntaxhighlight>

By following these steps, you can use your GPG key for SSH authentication, leveraging the benefits of GPG key management.
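The bare export above works on a workstation but also runs inside inbound SSH sessions, where it replaces a forwarded agent socket. The following is an added example, not code from the Irregularpedia page: a guarded version of that export for ~/.bashrc or ~/.zshrc. The function name and its optional socket-path argument are this example's own; the argument exists so the logic can be exercised on a machine without gpgconf.

```shell
#!/bin/sh
# Added example, not part of the original page: a guarded form of the
# SSH_AUTH_SOCK export for ~/.bashrc or ~/.zshrc.

# use_gpg_agent_for_ssh [socket-path]
# Returns 0 when SSH_AUTH_SOCK now points at gpg-agent's SSH socket,
# 1 when it was deliberately left unchanged.
use_gpg_agent_for_ssh() {
    # Inside an inbound SSH session a forwarded agent may already be in
    # SSH_AUTH_SOCK; overriding it would silently switch to the local agent.
    if [ -n "${SSH_CONNECTION:-}" ] && [ -n "${SSH_AUTH_SOCK:-}" ]; then
        return 1
    fi
    sock=${1:-}
    if [ -z "$sock" ]; then
        # Ask gpgconf for the socket path; tolerate gpgconf being absent.
        sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null) || sock=""
    fi
    # Only export when the socket really exists, so ssh never points at a
    # dead path and instead falls back to its own agent or plain key files.
    [ -n "$sock" ] && [ -S "$sock" ] || return 1
    SSH_AUTH_SOCK=$sock
    export SSH_AUTH_SOCK
    # Start the agent if needed so the first ssh call does not fail.
    gpgconf --launch gpg-agent 2>/dev/null || true
    return 0
}

# In ~/.bashrc or ~/.zshrc, replace the bare export with this call:
use_gpg_agent_for_ssh || :
```

The `|| :` keeps a failed switch from aborting shell start-up under `set -e`; when the function declines, the shell simply keeps whatever agent it already had.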

Securely Storing Your Keys

SSH Agent

Use ssh-agent to manage your keys and avoid entering the passphrase multiple times:

<syntaxhighlight lang="sh">
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/username_id_ed25519
</syntaxhighlight>
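Putting `eval "$(ssh-agent -s)"` in a shell start-up file starts a fresh agent for every terminal, so keys have to be re-added in each one and stale agents pile up. The following is an added example, not code from the Irregularpedia page: it saves the agent's environment once, reuses it while the agent is alive, and reads the saved file with a fixed pattern instead of `eval`, so a tampered file cannot execute commands. The env file path, function names and the sample agent output in the test are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: reuse one ssh-agent across
# shells instead of starting a new one with every `eval "$(ssh-agent -s)"`.

AGENT_ENV_FILE="${AGENT_ENV_FILE:-$HOME/.ssh/agent.env}"   # assumed location

# Load SSH_AUTH_SOCK and SSH_AGENT_PID from a saved `ssh-agent -s` output file.
# Only the two expected assignments are extracted with sed, never eval'd.
load_agent_env() {
    [ -r "$1" ] || return 1
    sock=$(sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1")
    pid=$(sed -n 's/^SSH_AGENT_PID=\([0-9]*\);.*/\1/p' "$1")
    [ -n "$sock" ] && [ -n "$pid" ] || return 1
    SSH_AUTH_SOCK=$sock
    SSH_AGENT_PID=$pid
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# True when the recorded agent is still running and its socket exists.
agent_alive() {
    [ -n "${SSH_AGENT_PID:-}" ] && [ -S "${SSH_AUTH_SOCK:-}" ] \
        && kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# Start a new agent only when no usable one is recorded; the env file is
# created with mode 0600 so other users cannot read the socket path.
ensure_agent() {
    if load_agent_env "$AGENT_ENV_FILE" && agent_alive; then
        return 0
    fi
    umask 077
    ssh-agent -s > "$AGENT_ENV_FILE" || return 1
    load_agent_env "$AGENT_ENV_FILE"
}

# In ~/.bashrc:  ensure_agent || echo "could not start ssh-agent" >&2
# then `ssh-add ~/.ssh/username_id_ed25519` once per agent lifetime.
```

Keys added with `ssh-add -t 8h` (a lifetime) expire from the agent on their own, which limits how long a stolen agent socket stays useful.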

KeePassXC

KeePassXC is a cross-platform password manager that can securely store your SSH keys.

References