lukasz.bromirski.net

aviate, navigate, communicate

openssh and keys - secure ones

somewhere around 2013 (and precisely - on ‘small’ Santa Claus, so the 6th of December), OpenSSH was extended to provide a new way of storing keys.

it’s important because the old format - MD5 hash - can be cracked veeeeery quickly. the developers decided to use a modification of bcrypt, which slows down GPU-assisted cracking attempts in hashcat from gigahashes per second to at most kilohashes.

what do you need to do to upgrade your defenses? first of all, take care of the keys themselves. i’m using 2048-bit RSA keys, and because some of the older equipment can’t handle more, i have to stay with that. my private key looks like this today:

moving to the new format is easy - and upgrading your password on the way is also a good idea:

-a 64 sets the number of KDF rounds executed to better protect our key. it slows down its verification as well - but on modern hardware, during a normal authentication process, it shouldn’t be noticeable.

the key will be written to the same file, but in the better, more hardened format:

and while we’re at it - i highly recommend adding those lines to your .ssh/config. they’ll give you connection keepalives (helpful with those aggressive NAT gateways) and visual key identification on connection:
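as an added example (not code from the original post), the script below covers both steps above: it tells a legacy PEM-format private key apart from one already in the new OpenSSH format by its header line, prints the ssh-keygen invocation that rewrites a legacy key in place with the new format and 64 KDF rounds, and checks an ssh_config for the keepalive options (ServerAliveInterval, ServerAliveCountMax) and VisualHostKey. the key files and config it works on are constructed placeholders with no real key material; the ssh-keygen flags (-p, -o, -a) and the three config options are real OpenSSH ones. one caveat worth knowing: OpenSSH 7.8 and newer write the new format by default, so -o is accepted there but redundant.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies OpenSSH private keys
# by PEM header, emits the upgrade command for legacy keys, and reports
# hardening options missing from an ssh_config. Sample files are constructed.

# key_format FILE -> prints "legacy" (old PEM format, MD5-derived key),
# "openssh" (new format, bcrypt KDF) or "unknown"
key_format() {
    header=$(head -n 1 "$1")
    case "$header" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----") echo legacy ;;
        *) echo unknown ;;
    esac
}

# upgrade_command FILE -> prints the ssh-keygen call that rewrites a legacy
# key in place (-p: change passphrase, -o: new format, -a 64: KDF rounds);
# prints nothing when the key does not need converting
upgrade_command() {
    if [ "$(key_format "$1")" = legacy ]; then
        echo "ssh-keygen -p -o -a 64 -f $1"
    fi
}

# config_has OPTION FILE -> succeeds if OPTION is set (case-insensitive,
# leading whitespace allowed, commented-out lines do not count)
config_has() {
    grep -Eiq "^[[:space:]]*$1[[:space:]]" "$2"
}

# missing_hardening FILE -> prints each recommended option absent from FILE
missing_hardening() {
    for opt in ServerAliveInterval ServerAliveCountMax VisualHostKey; do
        config_has "$opt" "$1" || echo "$opt"
    done
}

# --- constructed sample data: headers and a placeholder body, not real keys ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00000000000000000000000000000000' \
    '' 'PLACEHOLDERBASE64' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/id_rsa_old"

printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'PLACEHOLDERBASE64' \
    '-----END OPENSSH PRIVATE KEY-----' > "$demo_dir/id_rsa_new"

# constructed config: only one of the three recommended options is present
printf '%s\n' 'Host *' '    ServerAliveInterval 60' > "$demo_dir/config"

for key in "$demo_dir/id_rsa_old" "$demo_dir/id_rsa_new"; do
    echo "$key: $(key_format "$key")"
    upgrade_command "$key"
done

echo "options missing from $demo_dir/config:"
missing_hardening "$demo_dir/config"
```

run it against a real key with `key_format ~/.ssh/id_rsa`; the upgrade command it prints is the one to execute by hand, because ssh-keygen will prompt for the old and the new passphrase.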
