How To Manage SSH Host Keys
SSH HOST KEY MANAGEMENT
Algorithms
• rsa - an old algorithm based on the difficulty of factoring large numbers. A key size of at least 2048 bits is recommended for RSA; 4096 bits is better. RSA is getting old and significant advances are being made in factoring. Choosing a different algorithm may be advisable. It is quite possible the RSA algorithm will become practically breakable in the foreseeable future. All SSH clients support this algorithm.
• ecdsa - a new Digital Signature Algorithm standardized by the US government, using elliptic curves. This is probably a good algorithm for current applications. Only three key sizes are supported: 256, 384, and 521 (sic!) bits. We would recommend always using it with 521 bits, since the keys are still small and probably more secure than the smaller keys (even though they should be safe as well). Most SSH clients now support this algorithm.
• ed25519 - this is a new algorithm added in OpenSSH. Support for it in clients is not yet universal. Thus its use in general purpose applications may not yet be advisable.
This tutorial explains the management of SSH host keys.
Process
Enter into the ssh directory
[root@localhost ~]# cd /etc/ssh
List all files
[root@localhost ssh]# ls -la
total 620
drwxr-xr-x. 2 root root 4096 Oct 29 05:13 .
drwxr-xr-x. 138 root root 12288 Nov 9 15:29 ..
-rw-r--r--. 1 root root 581843 Apr 11 2018 moduli
-rw-r--r--. 1 root root 2276 Apr 11 2018 ssh_config
-rw-------. 1 root root 3907 Apr 11 2018 sshd_config
-rw-r-----. 1 root ssh_keys 227 Oct 29 05:13 ssh_host_ecdsa_key
-rw-r--r--. 1 root root 162 Oct 29 05:13 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys 387 Oct 29 05:13 ssh_host_ed25519_key
-rw-r--r--. 1 root root 82 Oct 29 05:13 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 1675 Oct 29 05:13 ssh_host_rsa_key
-rw-r--r--. 1 root root 382 Oct 29 05:13 ssh_host_rsa_key.pub
To generate an RSA key using 4096 bits
[root@localhost ssh]# ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:jc7VXc7lP16ZYcWTKAXTUuqf9SMmhi8aI/X9mWRm36g root@localhost.localdomain
The key's randomart image is:
+---[RSA 4096]----+
| o+o |
| .+....|
| o.. o=|
| o.... =+|
| .S o.. .++|
| .o..o . + *|
| . ooo + X =+|
| . o.o O *.=|
| .. ..E=.o.|
+----[SHA256]-----+
To generate an ECDSA key using 521 bits
[root@localhost ssh]# ssh-keygen -t ecdsa -b 521
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:+pOwY5X+8RIZ5jTyRsYhA5XjvgCZl9CGvllkvi4XVsA root@localhost.localdomain
The key's randomart image is:
+---[ECDSA 521]---+
| +.o.. |
| o E = . |
| . O + = . |
| = = + O |
| * +SX + |
| o *.+ * |
| o.B +.. |
| . *.= .o |
| + ..o... |
+----[SHA256]-----+
To generate an ed25519 key
[root@localhost ssh]# ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ed25519.
Your public key has been saved in /root/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:Sd26p+e3bfYluQ/MlgahkPLdVQE/XZdf/hw7GIqvjbY root@localhost.localdomain
The key's randomart image is:
+--[ED25519 256]--+
| ...*|
| o . .o=|
| . + . o .++|
| + + + + .+|
| S = + o.+|
| . o = =o|
| o . X o|
| .o+.o.=+|
| .E++..o==|
+----[SHA256]-----+
[root@localhost ssh]# cd
Go to another terminal and SSH to the server. While connecting you can see the ECDSA host key exchange with the server taking place
[root@localhost ~]# ssh root@192.168.7.238
The authenticity of host '192.168.7.238 (192.168.7.238)' can't be established.
ECDSA key fingerprint is SHA256:liG+KRtG4h/2UF720mpOk0S1EWgXB3uMVRsdks+h1lc.
ECDSA key fingerprint is MD5:f6:ac:65:9e:10:bf:7b:03:1b:ff:d1:20:48:44:36:f9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.7.238' (ECDSA) to the list of known hosts.
root@192.168.7.238's password:
Last login: Sat Nov 9 10:26:11 2019 from 192.168.7.105
Now go to the .ssh directory
[root@localhost ~]# cd .ssh/
List the files
[root@localhost .ssh]# ll
total 28
-rw------- 1 root root 365 Nov 9 15:57 id_ecdsa
-rw-r--r-- 1 root root 280 Nov 9 15:57 id_ecdsa.pub
-rw------- 1 root root 419 Nov 9 15:59 id_ed25519
-rw-r--r-- 1 root root 108 Nov 9 15:59 id_ed25519.pub
-rw------- 1 root root 3243 Nov 9 15:54 id_rsa
-rw-r--r-- 1 root root 752 Nov 9 15:54 id_rsa.pub
-rw-r--r-- 1 root root 175 Nov 9 16:00 known_hosts
Here you can see the server's ECDSA host key recorded in known_hosts. Once it is recorded, later connections to the server no longer prompt you to confirm the host's authenticity
[root@localhost .ssh]# vim known_hosts
192.168.7.238 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGrOEj/+MCQvfmZxOpRUgzjLDjtwNkllOi/UJkCNf504ofsSMsHhpEFQBLe8hDBVoQTsgcC/5CTvfvYPOtxknOA=
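The host key line above is what the client checks on every later connection. The added example below (not part of the original tutorial) decodes that known_hosts entry, reproduces the SHA256 and MD5 fingerprint formats shown in the first-connection prompt, and compares the entry against a fingerprint obtained out of band, which is the check to do before answering "yes" to the authenticity prompt.

```python
import base64
import hashlib
import struct

# Sample input: the known_hosts entry recorded in the session above (an ECDSA P-256 host key).
KNOWN_HOSTS_LINE = (
    "192.168.7.238 ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGrOEj/+MCQvfmZxOpRUgzjLDjtwNkllOi/"
    "UJkCNf504ofsSMsHhpEFQBLe8hDBVoQTsgcC/5CTvfvYPOtxknOA="
)

def parse_known_hosts_line(line):
    """Split a plain (unhashed) known_hosts line into host, key type and decoded key blob."""
    host, key_type, b64 = line.split()[:3]
    return host, key_type, base64.b64decode(b64)

def read_ssh_strings(blob):
    """Decode the SSH wire format: uint32 big-endian length, then that many bytes, repeated."""
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    return fields

def sha256_fingerprint(blob):
    """OpenSSH's default display form: base64 of SHA-256 over the whole blob, '=' padding dropped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def md5_fingerprint(blob):
    """The legacy form (FingerprintHash=md5): the MD5 digest as colon-separated hex pairs."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))

def host_key_matches(line, expected_fingerprint):
    """Check a known_hosts entry against a fingerprint obtained out of band (for example
    from 'ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub' run on the server's console)."""
    _, key_type, blob = parse_known_hosts_line(line)
    fields = read_ssh_strings(blob)
    # A well-formed blob repeats the declared key type as its first wire string.
    if not fields or fields[0].decode() != key_type:
        return False
    if expected_fingerprint.startswith("MD5:"):
        return md5_fingerprint(blob) == expected_fingerprint
    return sha256_fingerprint(blob) == expected_fingerprint

if __name__ == "__main__":
    _, _, blob = parse_known_hosts_line(KNOWN_HOSTS_LINE)
    print(sha256_fingerprint(blob), md5_fingerprint(blob))
```

Note that the recorded key is ecdsa-sha2-nistp256, the server's default host key size, not the 521-bit size the tutorial recommends for generated keys.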
Now logout and try to login again
[root@localhost ~]# logout
Connection to 192.168.7.238 closed.
Now it will ask only for the server's password
[root@localhost ~]# ssh root@192.168.7.238
root@192.168.7.238's password:
Last login: Sat Nov 9 11:02:00 2019 from 192.168.7.228
With this, the SSH host key management tutorial comes to an end.