A security researcher discovered a sophisticated backdoor within the xz/liblzma
library’s tarballs, affecting versions 5.6.0 and 5.6.1. This backdoor, injected into the build process under specific conditions, primarily targets x86-64 Linux systems built with gcc and the GNU linker, part of debian or RPM package builds. It’s capable of compromising SSH servers, notably slowing down SSH logins and implicating a potential compromise of the openssh
server through patched dependencies. The issue, which includes manipulated execution paths within the library, was meticulously obfuscated, challenging detection and analysis. For detailed insights and the researcher’s analysis, refer to the original post on Openwall’s OSS security mailing list here.
In the realm of secure remote server management, SSH keys reign supreme, offering a more secure alternative to password-based logins. Among these keys, Ed25519, a public-key algorithm, is particularly noted for its performance and security benefits. This article walks you through the process of generating a password-protected Ed25519 SSH key and deploying it across Windows, Linux, and macOS for SSH access.
Generating a Password-Protected Ed25519 SSH Key
Common Steps for All Operating Systems
-
Open a Terminal or Command Prompt: On Linux or macOS, open your terminal. Windows users should open Command Prompt or PowerShell.
-
Generate the Key: Run the following command in your terminal or command prompt:
ssh-keygen -t ed25519 -C "[email protected]"
Replace
[email protected]
with your email address. This email is simply a label that helps identify the key. -
Set a Secure Password: When prompted to “Enter passphrase (empty for no passphrase)”, enter a secure password. This passphrase encrypts your private key. You’ll need to enter it whenever you use the key, enhancing its security.
-
Locate Your Keys: The process generates two files in your
~/.ssh
directory (or\Users\<YourUserName>\.ssh\
on Windows):id_ed25519
(private key) andid_ed25519.pub
(public key). It’s crucial to keep your private key secure and never share it.
Deploying Your SSH Key
On Linux and macOS
-
Copy the Public Key to Your Server: Use the
ssh-copy-id
utility to copy your public key to the remote server. Replaceyour_username
with your actual username on the server andserver_ip_address
with the server’s IP address:ssh-copy-id -i ~/.ssh/id_ed25519.pub your_username@server_ip_address
-
Log In Using Your SSH Key: Now, you can log in to the server using your SSH key:
ssh your_username@server_ip_address
When prompted, enter the passphrase you created during the key generation process.
On Windows
Windows users can use PuTTY, a free SSH client, to manage SSH keys and connect to remote servers.
-
Convert Your SSH Key for PuTTY: PuTTY uses its own format for SSH keys (PPK). You can use PuTTYgen (included in the PuTTY download package) to convert your Ed25519 key to this format.
-
Load Your Private Key in PuTTYgen: Open PuTTYgen, click “Load”, and select your private key file (
id_ed25519
). Enter your passphrase when prompted and then save the private key in PPK format by clicking “Save private key”. -
Use PuTTY to Connect to Your Server: Open PuTTY, and under “Connection > SSH > Auth”, browse and select your PPK file. Enter your server’s IP address and username under “Session”, and click “Open” to initiate the connection. Enter your passphrase when prompted.
Sharing Your Public Key Manually
If ssh-copy-id
is not available, or you’re facing issues with automatic copying, you can manually add your public key to the server:
-
Access Your Server: Log in to your server using your current authentication method.
-
Edit the
~/.ssh/authorized_keys
File: Append your public key (content ofid_ed25519.pub
) to the~/.ssh/authorized_keys
file on your server. Ensure it’s on a single line. -
Set Correct Permissions: On the server, set the correct permissions for your
.ssh
directory and theauthorized_keys
file:chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys
-
Test Your SSH Key: Log out and try logging back in with your SSH key to ensure everything is set up correctly.
Bonus: ssh Authentication Agent
ssh-add
is a powerful command that adds your SSH private keys to the SSH authentication agent, streamlining the login process to servers without the need to enter your passphrase each time you use the key. This can significantly enhance your workflow efficiency, especially if you frequently access multiple servers. Let’s delve into how to use ssh-add
on Linux, macOS, and even Windows (with some additional considerations).
Using ssh-add
on Linux and macOS
-
Start the SSH Agent: Before using
ssh-add
, ensure the SSH agent is running. You can start the agent by running:eval "$(ssh-agent -s)"
This command starts the agent and sets the necessary environment variables for the current session.
-
Add Your SSH Key: With the agent running, you can add your SSH key by executing:
ssh-add ~/.ssh/id_ed25519
You’ll be prompted to enter the passphrase for your private key. Once entered correctly, your key is added to the agent, and you won’t need to enter the passphrase again for subsequent SSH connections during the session.
-
Automating
ssh-agent
Startup: To avoid manually starting the SSH agent each time you open a terminal, you can add theeval "$(ssh-agent -s)"
command to your shell’s startup file, such as.bashrc
,.bash_profile
, or.zshrc
, depending on your shell and operating system.
Using ssh-add
on Windows
Windows users can leverage ssh-add
through the Windows Subsystem for Linux (WSL) or by using Git Bash, which includes an SSH client. Here’s how to use it with Git Bash:
-
Open Git Bash: Start Git Bash, which comes with Git for Windows.
-
Start the SSH Agent: In Git Bash, you can start the SSH agent by running:
eval $(ssh-agent -s)
-
Add Your SSH Key: Add your SSH key to the agent as you would on Linux or macOS:
ssh-add ~/.ssh/id_ed25519
For users with WSL, the process is similar to that on Linux. Start your WSL environment, ensure the SSH agent is running, and use ssh-add
as described above.
Key Management with ssh-add
-
Listing Added Keys: To see which keys are currently managed by the SSH agent, you can use:
ssh-add -l
-
Removing Keys: If you need to remove keys from the agent, use:
ssh-add -d /path/to/key
For removing all keys, you can use
ssh-add -D
. -
Automatic Key Loading: For convenience, you can add your
ssh-add
command to your shell’s startup script (like.bash_profile
or.zshrc
), so your keys are automatically added to the SSH agent when you open a terminal. Note that you’ll be prompted for your passphrase unless you use a key management tool or the SSH agent itself to store it securely.
ssh-add
is a crucial tool for managing SSH keys securely and conveniently, reducing the friction of entering passphrases multiple times. By integrating ssh-add
into your workflow on Linux, macOS, or Windows, you enhance both your productivity and the security of your remote server interactions.
Conclusion
Securing your SSH keys with passwords adds an extra layer of security, ensuring that even if your keys are compromised, they remain useless without the passphrase. The Ed25519 algorithm provides a secure, efficient method for authentication, and by following the steps outlined above, you can enhance your remote server management’s security across Windows, Linux, and macOS. Remember, the strength of your security also depends on your passphrase’s complexity, so choose wisely!