Ubuntu Wiki - SSH/OpenSSH/Keys

Lars Noodén lars.nooden at gmail.com
Mon Feb 22 15:11:11 UTC 2016


I see the Wiki is still locked down.  Earlier in the month Pasi
mentioned here on the list that edits should be sent as diffs.  Could
you please edit the page SSH/OpenSSH/Keys

https://help.ubuntu.com/community/SSH/OpenSSH/Keys

from the diff below?   It is time to mention Ed25519 keys and begin to
forget DSA.

Thanks.

Regards,
Lars

1c1
< ## page was renamed from SSH/Keys
---
> # page was renamed from SSH/Keys
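
Review bot: The change from `##` to `#` on line 1 is unrelated to the Ed25519 update and looks accidental. In the wiki's MoinMoin markup a line starting with `##` is a comment, while a single `#` starts a processing instruction, so the rename marker would stop being a comment. Suggest dropping this hunk.
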
16c16
< <ssh-rsa or ssh-dss> <really long string of nonsense> <username>@<host>
---
> <ssh-ed25519 or ssh-rsa> <really long string of nonsense>
<username>@<host>
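
Review bot: The replacement for line 16 was wrapped in transit, so the trailing username/host placeholder sits on its own line without the `>` marker and the hunk will not apply as sent; the longer hunks below are wrapped the same way. Suggest resending the diff as an attachment or with line wrapping disabled. The sample also drops ssh-dss while the paragraph at line 23 still lists DSA as a usable type, so the two should be made consistent.
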
23c23
< SSH can use either "RSA" (Rivest-Shamir-Adleman) or "DSA" ("Digital
Signature Algorithm") keys.  Both of these were considered
state-of-the-art algorithms when SSH was invented, but DSA has come to
be seen as less secure in recent years.  RSA is the only recommended
choice for new keys, so this guide uses "RSA key" and "SSH key"
interchangeably.
---
> SSH can use either "Ed25519", "RSA" (Rivest-Shamir-Adleman), or "DSA"
("Digital Signature Algorithm") keys.  Both RSA and DSA were considered
state-of-the-art algorithms when SSH was invented, but DSA has come to
be seen as less secure in recent years.  Ed25519 or RSA is the
recommended choice for new keys, Ed25519 being preferable.
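
Review bot: The new paragraph at line 23 still presents DSA as one of the key types SSH "can use" and only implies that it should be avoided. Since the stated aim is to move away from DSA, suggest saying outright that DSA should not be chosen for new keys. "either" no longer fits a list of three, and the text gives no reason for preferring Ed25519 over RSA, which readers will want.
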
27c27
< Using key based logins with ssh is generally considered more secure
than using plain password logins.  This section of the guide will
explain the process of generating a set of public/private RSA keys, and
using them for logging into your Ubuntu computer(s) via OpenSSH.
---
> Using key based logins with ssh is generally considered more secure
than using plain password logins.  This section of the guide will
explain the process of generating a set of public/private SSH keys, and
using them for logging into your Ubuntu computer(s) via OpenSSH.
29c29
< = Generating RSA Keys =
---
> = Generating SSH Keys =
31c31
< The first step involves creating a set of RSA keys for use in
authentication.
---
> The first step involves creating a set of SSH keys for use in
authentication.
56c56
< Congratulations!  You now have a set of keys.  Now it's time to make
your systems allow you to login with them
---
> Congratulations!  You now have a set of keys.  Check the manual page
for ssh-keygen for other options, such as increasing the key size,
embedding a comment, or specifying a filename for the keys.  Now it's
time to make your systems allow you to login with them
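
Review bot: No hunk touches the key generation steps between lines 31 and 56, so a reader who follows the new recommendation is never shown how to select the Ed25519 key type; the added pointer to the ssh-keygen manual page is the only hint. Suggest adding a hunk that shows the key type being chosen in the generation step. Minor: "login" is used as a verb here (should be "log in") and the final sentence still has no full stop.
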
60c60
< You need to change all your locks if your RSA key is stolen.
Otherwise the thief could impersonate you wherever you authenticate with
that key.
---
> You need to change all your locks if your SSH key is stolen.
Otherwise the thief could impersonate you wherever you authenticate with
that key.
62c62
< An SSH key passphrase is a secondary form of security that gives you a
little time when your keys are stolen.  If your RSA key has a
[[StrongPasswords|strong passphrase]], it might take your attacker a few
hours to guess by brute force.  That extra time should be enough to log
in to any computers you have an account on, delete your old key from the
`.ssh/authorized_keys` file, and add a new key.
---
> An SSH key passphrase is a secondary form of security that gives you a
little time when your keys are stolen.  If your SSH key has a
[[StrongPasswords|strong passphrase]], it might take your attacker a few
hours to guess by brute force.  That extra time should be enough to log
in to any computers you have an account on, delete your old key from the
`.ssh/authorized_keys` file, and add a new key.
66c66
< The decision to protect your key with a passphrase involves
convenience x security.  Note that if you protect your key with a
passphrase, then when you type the passphrase to unlock it, your local
computer will generally leave the key unlocked for a time.  So if you
use the key multiple times without logging out of your local account in
the meantime, you will probably only have to type the passphrase once.
---
> The decision to protect your key with a passphrase involves
convenience x security.  Note that if you protect your key with a
passphrase, then when you type the passphrase to unlock it, your local
computer will generally leave the key unlocked for a time.  So if you
use the key multiple times without logging out of your local account in
the meantime, you will probably only have to type the passphrase once,
especially if your account is using an SSH agent.
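
Review bot: The added clause "especially if your account is using an SSH agent" reads as an afterthought, although the agent is the mechanism behind "your local computer will generally leave the key unlocked for a time". Suggest naming the agent in that earlier sentence and stating that the unlocked key stays usable from the session until the agent drops it or the user logs out. "convenience x security" could also be spelled out as a trade-off between convenience and security.
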
72c72
< Note: The default is a 2048 bit key. You can increase this to 4096
bits with the -b flag (Increasing the bits makes it harder to crack the
key by brute force methods).
---
> Note: The default for RSA is a 2048 bit key. You can increase this to
4096 bits with the -b flag (Increasing the bits makes it harder to crack
the key by brute force methods).
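
Review bot: The note at line 72 is now scoped to RSA but says nothing about `-b` for the Ed25519 keys that line 23 recommends. Ed25519 keys have a fixed length, so suggest adding a sentence that the flag does not apply to them, otherwise readers will try to "increase" an Ed25519 key as well.
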
84c84
< The key you need to transfer to the host is the public one. If you can
log in to a computer over SSH using a password, you can transfer your
RSA key by doing the following from your own computer:
---
> The key you need to transfer to the host is the public one. If you can
log in to a computer over SSH using a password, you can transfer your
SSH key by doing the following from your own computer:


