xkcd

[Steax]

So I've never really known much about SSH nor public-key cryptography, although I've meddled with them before and understand the concepts behind them. I eventually figured out how to work them out, but today I need a sanity check. Most of what I know was taught by my mentors and teachers, so I need to get up-to-date.

Goal: Obtain the SSH public key information to send to NearlyFreeSpeech.Net by generating the keys myself.

Here's how I'm currently doing it: (On OSX, but I'd imagine it to be much the same as any linux system)


1. Pull up terminal, do a

Code: Select all

ssh-keygen -t rsa -b 4096

and supply a password. This generates id_rsa and id_rsa.pub.
Issue with this step: NFSN doesn't allow a "debian weak key blacklist" and I'm not sure what exactly that would be. Some poking around reveals "affected keys: anything past 2006, generated by openssl, ssh-keygen, etc." Does this only affect debian systems, meaning I'm unaffected?


2.Typically I'd just append the .pub one to the usual authorized_keys2 file, put the id_rsa one in my .ssh folder, and have at it.
Issue with this step: NFSN asks me for "the key in OpenSSH (one-line) format". What is this, and how do I obtain it? Is it the plaintext of the ssh file? If I open that, I get

Code: Select all

ssh-rsa [base64 data] [my local computer username]

Does that local computer username matter, and can I change it? Am I assuming all this is the "one-line format" NFSN asks me for?

Thanks!

[phlip]

Re part 1: That's only a problem if you're (a) running Debian (or a Debian-derived system, like Ubuntu), and (b) haven't updated your system since mid 2008, when the bug was found and fixed.

Basically, there was a 2 year stretch where Debian shipped with a broken version of OpenSSL that would only generate one of 32767 possible keys (and some of those much often than others) - not very good security. The lists of possible keys are widely distributed, and there are tools to check if your key is one of them. It sounds like NFSN does this automatically, so it'll tell you if your key is bad. It probably won't be.

Re part 2: Yes, the contents of the .pub file is the "one-line format" it's asking for. The user@computer part is just a label - you can change it by passing "-C new_comment" to ssh-keygen - it doesn't have to match your username or anything, all that matters is that it's the same in both the public and private keys (ssh-keygen will ensure this).

[Steax]

Thanks! Looks like the answers were easier than I thought they'd be. And looks like the stuff I learned through kludging tutorials together worked pretty well.