Tuesday, December 10, 2013

How To: Create a new RSA keyfile for SSH

When you consider creating a new RSA or DSA keyfile, you do it with the knowledge that it will provide increased security when logging into a server using SSH. Requiring a RSA key as a security credential in the SSH authentication process is a more secure access management policy. Properly managing your credentials to maintain access and security can prevent problems, and increase profitability. 

There are at least three potential security related problems with traditional SSHD configuration.

1. Credential loss/theft
2. Potential Bruteforcing
3. Out of date access

We also discussed some solutions for eliminating and minimizing the risk of these problems.

1. Encrypted credentials (PGP encrypted username, password, key file)
2. Requiring a key, as well as a username and password
3. Rotating keys, audits

For those of you who are new to ssh keys, you can create a create a new key easily using the ssh-keygen command. This command allows the generation, management, and conversion of authentication keys. You only need to enter the ssh-keygen command to create an RSA keyfile, where the -t flag is used to specify the type of key to be generated, e.g.

ssh-keygen -t rsa
ssh-keygen -t rsa -f ~/.ssh/id_rsa         (default location)

When creating a new RSA key you can choose to leave the passphrase blank; press enter when asked to put in a passphrase. This will allow you to log into an SSH server without entering a passphrase. For stronger security add a second factor of authentication on the private keyfile and choose a passphrase.