💾 Archived View for rawtext.club › ~samhunter › ssh.gmi captured on 2022-04-29 at 11:37:04. Gemini links have been rewritten to link to archived content

Bigger scheme - sam's capsule: SSH config

                 
           /       \       /
    k --- a         b --- f 
   /       \       /       \
           me --- l         i
   \       /       \       /
    j --- c         d --- e
           \       /
            g --- h

Quick step-by-step instructions

1. If you have never used SSH keys on your laptop -- remove the ~/.ssh folder (this also deletes any known_hosts and config files kept there)

$ rm -rf ~/.ssh

If you *did* already use an SSH key -- why don't you just use your current key for RTC? You might want to skip to Step 3 now...

2. Generate a new key:

$ ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "${USER}@${HOSTNAME}"

You can replace "${USER}@${HOSTNAME}" with anything, but yourname@yoursystem is a reasonable choice.

What do the options do?

Quoting https://medium.com/risan/upgrade-your-ssh-key-to-ed25519-c6e8d60d3c54

-o : Save the private-key using the new OpenSSH format rather than the PEM format. Actually, this option is implied when you specify the key type as ed25519.

-a: It’s the number of KDF (Key Derivation Function) rounds. Higher numbers result in slower passphrase verification, increasing the resistance to brute-force password cracking should the private-key be stolen.

-t: Specifies the type of key to create, in our case the Ed25519.

-f: Specify the filename of the generated key file. If you want it to be discovered automatically by the SSH agent, it must be stored in the default `.ssh` directory within your home directory.

-C: An option to specify a comment. It’s purely informational and can be anything. But it’s usually filled with <login>@<hostname> who generated the key.

3. Copy your public key to RTC

Open your fresh ~/.ssh/id_ed25519.pub file in an editor of your choice.

Your public key looks like this:

ssh-ed25519
AAAAC3NzaC1lZDI1NTE5AAAAIBRPB42CBF4VCXBFNGMdchT1a3nCYc4qOx17SOne8Bldb50itVg90
yourname@laptop

-- or that --

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRPB42CBF4VCXBFNGMdchT1a3nCYc4qOx17SOne8Bldb50itVg90 yourname@laptop

Be sure to select it completely, from 'ssh-ed2...' to the end of the line ('...laptop' in the example), and copy it.

Paste the cryptic string into your ~/.ssh/authorized_keys file on RTC as a single line, then save the file.

3(a). Alternatively you can use

Type the following command in a terminal window on RTC, then copy and paste your key.

cat >> ~/.ssh/authorized_keys && chmod 0600 ~/.ssh/authorized_keys

Then press Ctrl-D

4. Check your authorized_keys file

$ cat ~/.ssh/authorized_keys

5. Check connectivity before disconnecting!

Try to connect from your new system before dropping the connection on your current system, otherwise you might lock yourself out.

Of course the RTC administrator will help you get back in if you screw it up, but:

1) he has his own life too,

2) avoiding problems is better than solving them,

3) doing it right gives you good karma and...

4) it saves you from looking like a complete dolt ;-)
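
A check to run on RTC between Step 4 and Step 5: it flags a key that was pasted wrapped or cut off, and wrong permissions on ~/.ssh or authorized_keys. This is an added example, not part of sam's original instructions; the function names and the sample key are made up here, and it assumes plain key lines without an options prefix.

```sh
#!/bin/sh
# Added example: lint authorized_keys after pasting a key (steps 3 and 4).
# Assumption: plain "type blob comment" lines, no options prefix.

# check_key_line LINE: succeed only if LINE holds one complete public key.
check_key_line() {
    set -f; set -- $1; set +f          # split into fields without globbing
    ktype=$1 blob=$2
    case $ktype in
        ssh-ed25519) prefix=AAAAC3NzaC1lZDI1NTE5AAAAI want=68 ;;  # 51 bytes = 68 chars
        ssh-rsa)     prefix=AAAAB3NzaC1yc2EA want=0 ;;            # length varies
        *) return 1 ;;                 # continuation of a wrapped key lands here
    esac
    case $blob in "$prefix"*) ;; *) return 1 ;; esac
    case $blob in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    [ $(( ${#blob} % 4 )) -eq 0 ] || return 1     # cut-off paste
    [ "$want" -eq 0 ] || [ "${#blob}" -eq "$want" ]
}

# check_authorized_keys FILE: report problems; succeed only if none found.
check_authorized_keys() {
    file=$1 bad=0 n=0
    [ "$(ls -ld "$(dirname "$file")" | cut -c1-10)" = "drwx------" ] ||
        { echo "$(dirname "$file"): mode is not 0700"; bad=1; }
    [ "$(ls -ld "$file" | cut -c1-10)" = "-rw-------" ] ||
        { echo "$file: mode is not 0600"; bad=1; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        check_key_line "$line" || { echo "line $n: not a complete key"; bad=1; }
    done < "$file"
    return "$bad"
}

# Constructed sample (not a real key): one intact line, one wrapped copy.
make_samples() {
    mkdir -p "$1/.ssh" && chmod 0700 "$1/.ssh"
    key="AAAAC3NzaC1lZDI1NTE5AAAAI$(printf '%043d' 0 | tr 0 A)"
    printf 'ssh-ed25519 %s yourname@laptop\n' "$key" > "$1/.ssh/good"
    printf 'ssh-ed25519\n%s\nyourname@laptop\n' "$key" > "$1/.ssh/wrapped"
    chmod 0600 "$1/.ssh/good" "$1/.ssh/wrapped"
}
```

After sourcing the file, run check_authorized_keys ~/.ssh/authorized_keys; no output and exit status 0 mean the key lines and permissions look right.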

That's it!

Unless you want to know more... Read on, then:

SSH configuration

More of everything. Locations, files, older (RSA) algorithms...

Local system

$ ssh-keygen -t rsa -b 2048
<just keep pressing Enter>

The $HOME/.ssh folder will be created if it does not already exist.

$ gio tree $HOME/.ssh
file:///home/samhunter/.ssh
|-- authorized_keys
`-- known_hosts

$ ls -ld $HOME/.ssh
drwx------ 2 samhunter samhunter 4096 Jul 20 22:03 /home/samhunter/.ssh

$ ls -l $HOME/.ssh
total 8
-rw------- 1 samhunter samhunter 446 Jun  3 18:27 authorized_keys
-rw-r--r-- 1 samhunter samhunter 185 Jun 18 16:09 known_hosts

$ cat $HOME/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU
GPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3
Pbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA
t3FaoJoAsncM1Q9x5+3V0Ww68/eIFmb1zuUFljQJKprrX88XypNDvjYNby6vw/Pb0rwert/En
mZ+AW4OZPnTPI89ZPmVMLuayrD2cE86Z/il8b+gw3r3+1nKatmIkjn2so1d01QraTlMqVSsbx
NrRFi9wrf+M7Q== me@mylocal.computer

^^^^^ we will mark everything from ssh-rsa... to ...computer for the next step

Remote system

Login using your password.

Then:

$ mkdir $HOME/.ssh
$ chmod 0700 $HOME/.ssh
## type the line, then paste the key selected in the previous step, then type Ctrl-D (^D)
$ cat >> $HOME/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU
GPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3
Pbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA
t3FaoJoAsncM1Q9x5+3V0Ww68/eIFmb1zuUFljQJKprrX88XypNDvjYNby6vw/Pb0rwert/En
mZ+AW4OZPnTPI89ZPmVMLuayrD2cE86Z/il8b+gw3r3+1nKatmIkjn2so1d01QraTlMqVSsbx
NrRFi9wrf+M7Q== me@mylocal.computer
^D
$
$ chmod 0600 $HOME/.ssh/authorized_keys

Return to the local system

ssh me@remotesystem

The fingerprint you accept with 'yes' will be stored in $HOME/.ssh/known_hosts

Make sure it is a file (not a folder!) and is world readable (-rw-r--r--/0644)

-- sam

Credits where credits are due:

@deerbard tested the instructions and provided valuable feedback. Thank you!

Risan's article motivated me to finally upgrade my keys from RSA