Wednesday, 18 September 2013

#SSH Improve Security of #PrivateKey Files #CRYPTO

Always a worthy topic. A massive playlist: How-To Implement and Improve SSH security ...

"Improving the security of your SSH private key files
Ever wondered how those key files in ~/.ssh actually work? How secure are they actually?
As you probably do too, I use ssh many times every single day — every git fetch and git push, every deploy, every login to a server. And recently I realised that to me, ssh was just some crypto voodoo that I had become accustomed to using, but I didn’t really understand. That’s a shame — I like to know how stuff works. So I went on a little journey of discovery, and here are some of the things I found.
When you start reading about “crypto stuff”, you very quickly get buried in an avalanche of acronyms. I will briefly mention the acronyms as we go along; they don’t help you understand the concepts, but they are useful in case you want to Google for further details.
Quick recap: If you’ve ever used public key authentication, you probably have a file ~/.ssh/id_rsa or ~/.ssh/id_dsa in your home directory. This is your RSA/DSA private key, and ~/.ssh/ or ~/.ssh/ is its public key counterpart. Any machine you want to log in to needs to have your public key in ~/.ssh/authorized_keys on that machine. When you try to log in, your SSH client uses a digital signature to prove that you have the private key; the server checks that the signature is valid, and that the public key is authorized for your username; if all is well, you are granted access.
So what is actually inside this private key file?
The unencrypted private key format
Everyone recommends that you protect your private key with a passphrase (otherwise anybody who steals the file from you can log into everything you have access to). If you leave the passphrase blank, the key is not encrypted. Let’s look at this unencrypted format first, and consider passphrase protection later.
An ssh private key file typically looks something like this:"
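
Added illustration of the recap above, in Go using only the standard library; it is not code from the quoted article or from this blog. The server issues a random challenge, the client signs it with the private key, and the server accepts only if the signature verifies under the offered key and that key is in its authorized_keys list; the last function shows the unencrypted PEM form a key takes when the passphrase is left blank. NewKey, NewChallenge and AuthorizedKeys are constructed stand-ins, not the real SSH wire protocol.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
)

// NewKey makes a 2048-bit RSA key pair, like ssh-keygen would (constructed for this example).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// AuthorizedKeys stands in for one user's ~/.ssh/authorized_keys on the server.
type AuthorizedKeys []*rsa.PublicKey

// NewChallenge is a constructed stand-in for the session-bound data the real protocol signs.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// ProvePossession is the client side: sign the challenge with the private key.
func ProvePossession(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// Authenticate is the server side: the signature must verify under the offered
// key AND that key must be listed. A valid signature from an unlisted key fails.
func (ak AuthorizedKeys) Authenticate(pub *rsa.PublicKey, challenge, sig []byte) error {
	d := sha256.Sum256(challenge)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig); err != nil {
		return errors.New("signature invalid: client does not hold the private key")
	}
	for _, k := range ak {
		if k.N.Cmp(pub.N) == 0 && k.E == pub.E {
			return nil
		}
	}
	return errors.New("public key is not listed in authorized_keys")
}

// UnencryptedPEM is the on-disk form of a key saved with a blank passphrase: PKCS#1 DER, base64, no encryption header.
func UnencryptedPEM(priv *rsa.PrivateKey) string {
	der := x509.MarshalPKCS1PrivateKey(priv)
	return string(pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: der}))
}
```

Anyone who can read the unencrypted file can call ProvePossession with it, which is why the passphrase matters.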

But if you want the admin's top pick ...

One-Time-Passwords for SSH Authentication with Yubikey - Hak5
