Collaborate Disseminate
I have some machines whose primes in /etc/ssh/moduli are now considered too weak because they are less than 2048 bits. There are a couple questions on this site concerning the consequences of updating /etc/ssh/moduli:
Does changing /etc/s… Continue reading How can ssh-keygen be used to update /etc/ssh/moduli?
I have some machines whose primes in /etc/ssh/moduli are now considered too weak because they are less than 2048 bits. There are a couple questions on this site concerning the consequences of updating /etc/ssh/moduli:
Does changing /etc/s… Continue reading How can ssh-keygen be used to update /etc/ssh/moduli?
Useful quantum computers might not actually be possible. But what if they are? And what if they arrive, say, tomorrow? Continue reading OpenSSH goes Post-Quantum, switches to qubit-busting crypto by default
The OpenSSH developers have written in a description of the "agent restrictions" feature that FIDO2 tokens are vulnerable to phishing attacks: https://www.openssh.com/agent-restrict.html
FIDO keys that require user-presence conf… Continue reading Why are FIDO2 protected SSH keys affected by phishing attacks?
In an openssh-server login to a GNU/Linux machine
to use a private ssh key encrypted with an N-characters passphrase, then sshd_config:
PasswordAuthentication no
PubkeyAuthentication yes
is it equivalent to use a login with a password tha… Continue reading ssh server encrypted key vs password login [duplicate]
I run a server on a hosting. I want to harden it, but ssh access is giving me a bit of concerns.
I usually access from home most of the times. I have a provider subscription with the usual DHCP setup which assigns some IP address to my hom… Continue reading Best practices for securing SSH access? Is certificate-based VPN server a good solution?
The (old) Secure Secure Shell guide suggests (re)creating /etc/ssh/moduli so sshd has safe prime numbers to use for Diffie-Hellman key agreement.
I’ve generated a 4096-bit moduli file with ssh-keygen -G -b 4096, and then filtered them with… Continue reading OpenSSH Primes – can there be such a thing as "too few" primes available?
I’m trying to restrict ssh access. I only want users in the ssh group to access the servers over ssh using their private keys and I want one fallback user to be able to log in using a password.
I created a config file in /etc/ssh/sshd_conf… Continue reading sshd issue parsing config in /etc/sshd_config.d/ [migrated]
Let’s say I make an id of type ed25519-sk and have it reside on my yubikey. OpenSSH makes two files, id_ed25519_sk, a stub private key, and id_ed25519_sk.pub the corresponding public key.
If I lose these, can I regenerate them with just th… Continue reading Is it possible to regenerate the stub private key from just the physical key in OpenSSH?
After generating an OpenSSH EC key on a hardware security key:
$ ssh-keygen -t ed25519-sk -C comment
Is it possible to use this key with Google Chrome SSH applet or Mosh, in particular on non-Linux machines where there is no ssh command a… Continue reading Is it possible to use an ed25519 security key with Google Chrome SSH applets?