Twisted Edwards Curve SSH Keys
If you use SSH keys and haven’t migrated to the newer ED25519 Twisted Edwards curve key pairs – well you should. It is presently the most recommended key type. Faster and possibly more secure than RSA key types. Even though this type has been supported by OpenSSH for a number of years now, there are still some tricks to have up your sleeve.
Create a new SSH Key:
$ ssh-keygen -a 100 -t ed25519 -f ~/.ssh/key-file -C "[email protected]"
Don’t forget to add the key to your SSH Agent.
$ ssh-add ~/.ssh/key-file
This should have created a
key-file.pub file as well that is your public key.
Upload this to your configuration management tool that populates your SSH
authorized_keys file on your remote targets. Just like normal. You should
now be able to SSH to the remote targets with the new key. Validate with:
$ ssh -v [email protected]
Sometimes, I want to make sure only one specific SSH key is used with a
special host. This can be done with the following bit in
Host super-secure HostName <IP Address> User me IdentityFile ~/.ssh/key-file IdentitiesOnly yes
Or, for targets that should not be presented with an SSH key at all!
Host super-secure-version-2 HostName <IP Address> User me PreferredAuthentications keyboard-interactive,password
I’ve found that for even more “secure” applications I would get the following message when trying to connect via SSH before my authentication was refused.
debug1: Skipping ssh-ed25519 key [email protected] - not in PubkeyAcceptedKeyTypes.
In this case, the SSH client needs to be instructed not to skip the ED25519 key types. Simple enough with this configuration:
Host * PubkeyAcceptedKeyTypes +ssh-ed25519