somewhere around 2013 (and precisely - for ‘small’ Santa Claus, so 6th of December), OpenSSH was extended to provide new way of storing keys.
it’s important because the old format - MD5 hash - can be cracked veeeeery quickly. developers decide to use modification of bcrypt, that will slow down GPU-assisted cracking attempts in hashcat from gigahashes per second, to at most kilohashes.
what you need to do to upgrade your defenses? first of all, take care of the keys themselves. i’m using 2048 bit long RSA keys, and because some of the older equipment can’t handle more, i have to stay with that. my private key looks like this today:
me@mac:~/.ssh$ more id_rsa -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,0cc175b9c0f1b6a831c399e269772661 FlXcooESd57Gh39IyP2n8vvsxWqxPUs7WHjCzhCrmVz583d7ar6dEzUE7Ey2jCvd v1/VB17mCNG3nm+IEd+FcBnXe6zUu6y174oB1EWOavoYsXJc4XfVdJuhUDlSONW1 [....] Yfxn6111NRH+vndRADSrT+/BaAdpspkqBov/XxFGitFSZSxM4s/TqOq/j8ofS0X9 -----END RSA PRIVATE KEY-----
moving to new format is easy - and upgrading your password on the way is also good idea:
me@mac:~$ ssh-keygen -o -p -f id_rsa -a 64 Enter old passphrase: here-goes-the-old-password Enter new passphrase (empty for no passphrase): here-goes-the-NEW-password Enter same passphrase again: and-here-goes-again-the-NEW-better-password Your identification has been saved with the new passphrase.
-a 64 means number of KDF rounds, executed to better protect our key. it will slow down it’s verification as well - but on the modern hardware during normal authentication process it shouldn’t be visible.
key will be written to the same file, but in the better, more hardened format:
me@mac:~/.ssh$ more id_rsa -----BEGIN OPENSSH PRIVATE KEY----- JrgJWuW/Ow0KaZKPzMoD5L7/RwXJF74ts61ONcC1wsZZXV8hxarat0Uw6fim5naPkfEonZ DXYm8GSuJlGqMJxTHmG2UYxaqQctuWGicz8TAu+wK1kcNCjImuCBMPFvx9AEcBDr9ahJvB [...] PqT2crQeHPC3IZsrFyoQ8YHQiElISCKCcGL/miZjlTuS6aA2nexGghmqjLGMrlGpg2gXMV -----END OPENSSH PRIVATE KEY-----
and while we’re at it - i highly recommend dropping those lines to your
.ssh/config. you’ll have connection keepalives (helpful for those aggresive NAT gateways) and provied you with visual key identification on connection:
me@mac:~$ more .ssh/config VisualHostKey=yes ServerAliveInterval 30 ServerAliveCountMax 5