So What’s So Important About Your OpenSSH Keys?

If it wasn’t for public key encryption the Internet would be an almost untrusted place. Basically, it secures the key generation for the…

So What’s So Important About Your OpenSSH Keys?

If it wasn’t for public key encryption the Internet would be an almost untrusted place. Basically, it secures the key generation for the creation of a secure tunnel (with ECDH), it checks the identity of the Web sites we connect to (using RSA and ECDSA signatures), and it allows us to digitally sign things for our identity.

In Figure 1, we see that Bob wants to log into Alice’s server. For this, he generates an OpenSSH key pair and puts his public key onto the server. When he wants to log in, he initiates an SSH connection. Alice then sends back a message, which he signs with his private key, and sends it to Alice. Alice then checks the signature with Bob’s public key. If the signature is correct, Bob will be able to log in. We can set up restrictions on the public key, such as locking it down to a given range of IP addresses.

The main signatures are RSA, Ed25519, DSA and ECDSA, but DSA is now not recommended. We generate Ed25519 with:

$ ssh-keygen -t  ed25519 -C "[email protected]"

and for 4K RSA with:

$ ssh-keygen -t  -b 4096 rsa -C "[email protected]"

and for ECDSA with:

$ ssh-keygen -t  -b 256 ecdsa -C "[email protected]"

The system then puts the private key into the default folder (~/.ssh):

% cd ~/.ssh
.ssh % ls
config  id_ecdsa.pub id_rsa.pub known_hosts.old
id_ecdsa id_rsa  known_hosts ssh_config
.ssh %

The private key files can be id_rsa, id_ecdsa, id_ecdsa_sk, id_ed25519, or id_ed25519_sk, and with an associated public key with the .pub extension. An intruder may thus search for these files on a system in order to reveal the secret logins. You will find your public key in ~/.ssh or in Windows in c:\users\<username>\.ssh:

C:\Users\Administrator\.ssh>dir
 Volume in drive C has no label.
 Volume Serial Number is 06E5-D224

 Directory of C:\Users\Administrator\.ssh

12/27/2022  01:51 PM    <DIR>          .
12/27/2022  01:51 PM    <DIR>          ..
12/27/2022  01:46 PM             1,679 id_rsa
12/27/2022  01:46 PM               407 id_rsa.pub
12/27/2022  01:51 PM               656 known_hosts
12/27/2022  01:40 PM               393 known_hosts.old

The private key is typically in a PEM format, such as:

and the associated OpenSSH public key is [here]:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDPEHI1zmQKtU68e7s2o0
B7DNTK9DGbo8052VGxJl/gtnoGt+pCZNjMgGMaBfKrIOStBcCRPkJJrtxonPEypLxZ

For Ed25519, an example of the public key is [here]:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6IfyaPjFZKP5gS+VshYyGjb
tqtmuEsuZjftVUJORjm

and for ECDSA we can use the curves of SECP256R1 (256-bit private key, but with 128-bit equivalent security), SECP384R1 (384 bit private key), and SECP521R1 (521-bit security key, and 256-bit equivalent security) [here]:

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdH
AyNTYAAABBBIM+RxYODWoa0aLzi8tbkbjtYSUm27399iPaZYruuqPM0r8RGWQL
0W6tRQd0s9s3Lc2XPTpy6HKkz+t7x/F4Ym0=

These public keys are loaded onto the server, and then restrictions are then set on the usage of the public key. This can lock down the IP address of the hosts that can log in.

Conclusions

If you use GitHub, you will probably know how powerful these keys are, and how important they are for your security … so protect your private keys. If you allow them to be copied, someone could get access to all of your cloud instances and your private GitHubs!