My scrapbook about almost anything I stumble upon in my tech world. If you find anything useful don't forget to give thumbs-up :)


Monday, September 18, 2023

Securing the SSH Keys

SSH (Secure SHell) keys are access credentials for any task that runs over a secure tunnel, whether that is managing networks, operating systems or configurations, or performing secure file transfer. Day to day, a typical user uses SSH keys to access a source management system (Git, Bitbucket, etc.) or for password-less login to a remote server. Keeping these keys secure is as critical as protecting your username and password and, sadly, we as users don't do a good job in that area.

    Technically, SSH keys are cryptographic keys that create a secure session between the local and remote systems; they grant access and control who can do what. Let's see how to make our SSH keys more secure than usual (as nothing is 100% secure).

Use ECDSA or ED25519 algorithm rather than RSA algorithm to generate key:

    This doesn't mean that RSA keys are not secure, but they can be broken comparatively more easily with current computer processing power than ECDSA/ED25519 keys.

Use Bigger bit size Keys:

    The higher the key bit size, the more time it takes to break, so always choose a bigger bit size when generating keys: 4096 if using the RSA or ED25519 algorithm and 512 if using the ECDSA algorithm.

Always Use Passphrase:

    One of the biggest mistakes is not having a strong passphrase for our keys. Being lazy, we usually do not set any passphrase for our SSH keys, which means that anyone who gets access to our keys can access whatever systems we access with them. So set a passphrase; if not a strong one then a simple one, which is still better than having none.

User permission of SSH Keys: 

   Securing the file permissions of SSH keys is also important: your SSH keys should not be accessible to other users on the system/server/machine. Your ".ssh" directory and private key should be accessible only to you (the user), not to the user group or others.

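Based on the above points, let's generate the SSH key (provide the passphrase when prompted):

# Generate a 521-bit ECDSA key pair; enter a passphrase when prompted
ssh-keygen -b 521 -t ecdsa -C "" -f ~/.ssh/id_ecdsa_test
# Only the owner may access the .ssh directory
chmod 700 ~/.ssh
# Only the owner may read or write the private key
chmod 600 ~/.ssh/id_ecdsa_test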
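
To check existing keys against the passphrase and permission points above, here is an added example (not part of the original post) that audits an SSH directory. The function names are hypothetical; it relies only on ls, cut, head, grep and ssh-keygen.

```shell
#!/bin/sh
# Added example (not from the original post): audit an SSH directory.
# Function names are hypothetical helpers for this example.

# Succeeds when group and others have no permission bits on PATH
# (characters 5-10 of the "ls -l" mode string are all "-").
is_private() {
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Succeeds only when the private key loads with an EMPTY passphrase,
# i.e. it is stored unencrypted on disk.
loads_without_passphrase() {
  ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1
}

# Prints one line per finding; the return status is the number of findings.
audit_ssh_dir() {
  dir=$1
  findings=0
  if ! is_private "$dir"; then
    echo "FAIL $dir: accessible to group/others (chmod 700)"
    findings=$((findings + 1))
  fi
  for key in "$dir"/*; do
    [ -f "$key" ] || continue
    # Private keys start with a PEM header such as "BEGIN OPENSSH PRIVATE KEY".
    head -n 1 "$key" | grep -q 'PRIVATE KEY' || continue
    if ! is_private "$key"; then
      echo "FAIL $key: accessible to group/others (chmod 600)"
      findings=$((findings + 1))
      continue   # fix permissions first; the passphrase check is skipped
    fi
    command -v ssh-keygen >/dev/null 2>&1 || continue
    ssh-keygen -l -f "$key" 2>/dev/null || true   # bit size, fingerprint, algorithm
    if loads_without_passphrase "$key"; then
      echo "FAIL $key: no passphrase (ssh-keygen -p -f $key)"
      findings=$((findings + 1))
    fi
  done
  return "$findings"
}

# Run against the directory given as the first argument, if any.
if [ -n "${1:-}" ]; then audit_ssh_dir "$1"; fi
```

Run it as `sh audit.sh ~/.ssh` (the file name is an assumption); a return status of 0 means no findings.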



The postings on this site are my own and don't necessarily represent IBM's or other companies' positions, strategies or opinions. All content provided on this blog is for informational purposes and knowledge sharing only.
The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.