Engineering Software, Linux, and Observability. The website of Jack Neely.    

Twisted Edwards Curve SSH Keys

If you use SSH keys and haven’t migrated to the newer ED25519 Twisted Edwards curve key pairs – well you should. It is presently the most recommended key type. Faster and possibly more secure than RSA key types. Even though this type has been supported by OpenSSH for a number of years now, there are still some tricks to have up your sleeve.

Create a new SSH Key:

$ ssh-keygen -a 100 -t ed25519 -f ~/.ssh/key-file -C "[email protected]"

Don’t forget to add the key to your SSH Agent.

$ ssh-add ~/.ssh/key-file

This should have created a file as well that is your public key. Upload this to your configuration management tool that populates your SSH authorized_keys file on your remote targets. Just like normal. You should now be able to SSH to the remote targets with the new key. Validate with:

$ ssh -v [email protected]

Sometimes, I want to make sure only one specific SSH key is used with a special host. This can be done with the following bit in ~/.ssg/config for that host.

Host super-secure
  HostName <IP Address>
  User me
  IdentityFile ~/.ssh/key-file
  IdentitiesOnly yes

Or, for targets that should not be presented with an SSH key at all!

Host super-secure-version-2
  HostName <IP Address>
  User me
  PreferredAuthentications keyboard-interactive,password

I’ve found that for even more “secure” applications I would get the following message when trying to connect via SSH before my authentication was refused.

debug1: Skipping ssh-ed25519 key [email protected] - not in PubkeyAcceptedKeyTypes.

In this case, the SSH client needs to be instructed not to skip the ED25519 key types. Simple enough with this configuration:

Host *
  PubkeyAcceptedKeyTypes +ssh-ed25519

 Previous  Up  Next

comments powered by Disqus