An exercise in futility

Generating and Using a Password-Protected Ed25519 SSH Key

30 Mar 2024
tutorials ssh keys

A security researcher discovered a sophisticated backdoor within the xz/liblzma library’s tarballs, affecting versions 5.6.0 and 5.6.1. This backdoor, injected into the build process under specific conditions, primarily targets x86-64 Linux systems built with gcc and the GNU linker, part of debian or RPM package builds. It’s capable of compromising SSH servers, notably slowing down SSH logins and implicating a potential compromise of the openssh server through patched dependencies. The issue, which includes manipulated execution paths within the library, was meticulously obfuscated, challenging detection and analysis. For detailed insights and the researcher’s analysis, refer to the original post on Openwall’s OSS security mailing list here.

In the realm of secure remote server management, SSH keys reign supreme, offering a more secure alternative to password-based logins. Among these keys, Ed25519, a public-key algorithm, is particularly noted for its performance and security benefits. This article walks you through the process of generating a password-protected Ed25519 SSH key and deploying it across Windows, Linux, and macOS for SSH access.

Generating a Password-Protected Ed25519 SSH Key

Common Steps for All Operating Systems

  1. Open a Terminal or Command Prompt: On Linux or macOS, open your terminal. Windows users should open Command Prompt or PowerShell.

  2. Generate the Key: Run the following command in your terminal or command prompt:

    ssh-keygen -t ed25519 -C "[email protected]"

    Replace [email protected] with your email address. This email is simply a label that helps identify the key.

  3. Set a Secure Password: When prompted to “Enter passphrase (empty for no passphrase)”, enter a secure password. This passphrase encrypts your private key. You’ll need to enter it whenever you use the key, enhancing its security.

  4. Locate Your Keys: The process generates two files in your ~/.ssh directory (or \Users\<YourUserName>\.ssh\ on Windows): id_ed25519 (private key) and id_ed25519.pub (public key). It’s crucial to keep your private key secure and never share it.

Deploying Your SSH Key

On Linux and macOS

  1. Copy the Public Key to Your Server: Use the ssh-copy-id utility to copy your public key to the remote server. Replace your_username with your actual username on the server and server_ip_address with the server’s IP address:

    ssh-copy-id -i ~/.ssh/id_ed25519.pub your_username@server_ip_address

  2. Log In Using Your SSH Key: Now, you can log in to the server using your SSH key:

    ssh your_username@server_ip_address

    When prompted, enter the passphrase you created during the key generation process.

On Windows

Windows users can use PuTTY, a free SSH client, to manage SSH keys and connect to remote servers.

  1. Convert Your SSH Key for PuTTY: PuTTY uses its own format for SSH keys (PPK). You can use PuTTYgen (included in the PuTTY download package) to convert your Ed25519 key to this format.

  2. Load Your Private Key in PuTTYgen: Open PuTTYgen, click “Load”, and select your private key file (id_ed25519). Enter your passphrase when prompted and then save the private key in PPK format by clicking “Save private key”.

  3. Use PuTTY to Connect to Your Server: Open PuTTY, and under “Connection > SSH > Auth”, browse and select your PPK file. Enter your server’s IP address and username under “Session”, and click “Open” to initiate the connection. Enter your passphrase when prompted.

Sharing Your Public Key Manually

If ssh-copy-id is not available, or you’re facing issues with automatic copying, you can manually add your public key to the server:

  1. Access Your Server: Log in to your server using your current authentication method.

  2. Edit the ~/.ssh/authorized_keys File: Append your public key (content of id_ed25519.pub) to the ~/.ssh/authorized_keys file on your server. Ensure it’s on a single line.

  3. Set Correct Permissions: On the server, set the correct permissions for your .ssh directory and the authorized_keys file:

    chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

  4. Test Your SSH Key: Log out and try logging back in with your SSH key to ensure everything is set up correctly.

Bonus: ssh Authentication Agent

ssh-add is a powerful command that adds your SSH private keys to the SSH authentication agent, streamlining the login process to servers without the need to enter your passphrase each time you use the key. This can significantly enhance your workflow efficiency, especially if you frequently access multiple servers. Let’s delve into how to use ssh-add on Linux, macOS, and even Windows (with some additional considerations).

Using ssh-add on Linux and macOS

  1. Start the SSH Agent: Before using ssh-add, ensure the SSH agent is running. You can start the agent by running:

    eval "$(ssh-agent -s)"

    This command starts the agent and sets the necessary environment variables for the current session.

  2. Add Your SSH Key: With the agent running, you can add your SSH key by executing:

    ssh-add ~/.ssh/id_ed25519

    You’ll be prompted to enter the passphrase for your private key. Once entered correctly, your key is added to the agent, and you won’t need to enter the passphrase again for subsequent SSH connections during the session.

  3. Automating ssh-agent Startup: To avoid manually starting the SSH agent each time you open a terminal, you can add the eval "$(ssh-agent -s)" command to your shell’s startup file, such as .bashrc, .bash_profile, or .zshrc, depending on your shell and operating system.

Using ssh-add on Windows

Windows users can leverage ssh-add through the Windows Subsystem for Linux (WSL) or by using Git Bash, which includes an SSH client. Here’s how to use it with Git Bash:

  1. Open Git Bash: Start Git Bash, which comes with Git for Windows.

  2. Start the SSH Agent: In Git Bash, you can start the SSH agent by running:

    eval $(ssh-agent -s)

  3. Add Your SSH Key: Add your SSH key to the agent as you would on Linux or macOS:

    ssh-add ~/.ssh/id_ed25519

For users with WSL, the process is similar to that on Linux. Start your WSL environment, ensure the SSH agent is running, and use ssh-add as described above.

Key Management with ssh-add

  • Listing Added Keys: To see which keys are currently managed by the SSH agent, you can use:

    ssh-add -l

  • Removing Keys: If you need to remove keys from the agent, use:

    ssh-add -d /path/to/key

    For removing all keys, you can use ssh-add -D.

  • Automatic Key Loading: For convenience, you can add your ssh-add command to your shell’s startup script (like .bash_profile or .zshrc), so your keys are automatically added to the SSH agent when you open a terminal. Note that you’ll be prompted for your passphrase unless you use a key management tool or the SSH agent itself to store it securely.

ssh-add is a crucial tool for managing SSH keys securely and conveniently, reducing the friction of entering passphrases multiple times. By integrating ssh-add into your workflow on Linux, macOS, or Windows, you enhance both your productivity and the security of your remote server interactions.

Conclusion

Securing your SSH keys with passwords adds an extra layer of security, ensuring that even if your keys are compromised, they remain useless without the passphrase. The Ed25519 algorithm provides a secure, efficient method for authentication, and by following the steps outlined above, you can enhance your remote server management’s security across Windows, Linux, and macOS. Remember, the strength of your security also depends on your passphrase’s complexity, so choose wisely!