| Previous Post | Top | Next Post |
TOC
Here is a memo of me trying to update my SSH setting on Debian 12 (bookworm).
Several articles motivated me to move away from old 2048 RSA key to new ed25519.
ssh-keygen(1) default = 3072 bits as of 2023- Wikipedia: ssh-keygen
- Wikipedia: key size
- stackexchange: SSH key strength
- stackexchange: SSH Key: Ed25519 vs RSA
Generate new ED25519 key
$ ssh-keygen -t ed25519 -C "osamu@goofy"
Generatingublic/private ed25519 keyair.
Enter file in which to save the key (/home/osamu/.ssh/id_ed25519):
$ ssh-keygen -lf id_ed25519.pub
256 SHA256:i*****************************************I osamu@goofy (ED25519)
$ cat id_ed25519.pub
ssh-ed25519 A******************************************************************C osamu@goofy
I uploaded this to my remote hosts
- github.com via web interface - DONE
- salsa.debian.org via web interface - DONE
- rsync.net - DONE over scp
- If my user name is
xx1234, usexx1234@xx1234.rsync.netto access this over ssh. scp ~/.ssh/id_ed25519.pub xx1234@xx1234.rsync.net:.ssh/authorized_keysssh xx1234@xx1234.rsync.net cat .ssh/authorized_keysto check result
- If my user name is
- debian.org
cat .ssh/id_ed25519.pub | gpg --clearsign | mail changes@db.debian.org
SSH public key on github
I realize my public key to access my github account osamuaoki is available at
https://github.com/osamuaoki.keys.
Hmmm… I see my SSH public key is as public as it can be.
$ wget -q -O - https://github.com/osamuaoki.keys
ssh-rsa A**********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************t
ssh-ed25519 A******************************************************************C
ED25519 key string is much smaller.
After removing old SSH key
$ wget -q -O - https://github.com/osamuaoki.keys
ssh-ed25519 A******************************************************************C
If I trust this data and service, I can set SSH-PUBLIC-KEY to a system by running ssh-import-id(1) (package: ssh-import-id) command.
$ ssh-import-id gh:osamuaoki
GnuPG (new key)
Let’s see my old key:
$ gpg --list-keys --fingerprint --keyid-format LONG osamu
pub rsa4096/1E1356881DD8D791 2010-09-23 [SC]
Key fingerprint = 3133 724D 6207 8815 79E9 5D62 1E13 5688 1DD8 D791
uid [ultimate] Osamu Aoki <osamu@debian.org>
sub rsa4096/A04CBCEEF08BEFAD 2010-09-23 [E]
Let’s make a new key with newer algo:
$ gpg --generate-key --default-new-key-algo="ed25519/cert,sign+cv25519/encr"
...
$ gpg --edit-key D89E6B09B42098CEAF081AB16D6D3809215F720D
... add uid
... set expiration
... set primary uid
Now let’s see my keys (I happen to pickup older key of mine by removing .gpg-v21-migrated):
osamu@goofy:~/.gnupg/private-keys-v1.d 21:22:48
$ gpg --list-keys --with-subkey --with-keygrip --keyid-format long osamu
pub rsa4096/1E1356881DD8D791 2010-09-23 [SC]
3133724D6207881579E95D621E1356881DD8D791
Keygrip = B20FCDB27DF54AFD0177AA666DD743F876A737D5
uid [ultimate] Osamu Aoki <osamu@debian.org>
sub rsa4096/A04CBCEEF08BEFAD 2010-09-23 [E]
FDCAD8AB29E281A0E004B510A04CBCEEF08BEFAD
Keygrip = B94F91E2FC0B861EAB1144DE3FDAC204347F66EB
pub ed25519/6D6D3809215F720D 2024-01-07 [SC]
D89E6B09B42098CEAF081AB16D6D3809215F720D
Keygrip = FB290BFC4B3A02AA471B4AB6FFE506D55A0BC1FB
uid [ultimate] Osamu Aoki <osamu@debian.org>
uid [ultimate] Osamu Aoki <osamu.aoki@gmail.com>
sub cv25519/15021D9E0E61D985 2024-01-07 [E]
F2B600DA9D34FA48B346EFED15021D9E0E61D985
Keygrip = F3F6241DB23FBF9A676EAEE4D3B37749B11157A6
pub dsa1024/E80FC4C1A8061F32 2002-05-07 [SC]
253A40766A3BCCE2A426DEF5E80FC4C1A8061F32
Keygrip = 644078C16C0A81049F0C0526AD1EDB894357223D
uid [ unknown] Osamu Aoki <osamu@debian.org>
uid [ unknown] Osamu Aoki <debian@aokiconsulting.com>
sub elg1024/7DD3826901A117C2 2002-05-07 [E]
A811884929A5E4011B4D07A77DD3826901A117C2
Keygrip = 9B6B38725ABB160D45A201CD10B8D8D8CC2107D0
Here, keygrip is the name used for the filename in
~/.gnupg//private-keys-v1.d/.
Then, I signed this with my old RSA4096 key (keyid=1E1356881DD8D791).
$ gpg --list-sigs D89E6B09B42098CEAF081AB16D6D3809215F720D
pub ed25519 2024-01-07 [SC]
D89E6B09B42098CEAF081AB16D6D3809215F720D
uid [ultimate] Osamu Aoki <osamu@debian.org>
sig 3 6D6D3809215F720D 2024-01-07 Osamu Aoki <osamu@debian.org>
sig 2 1E1356881DD8D791 2024-01-07 Osamu Aoki <osamu@debian.org>
uid [ultimate] Osamu Aoki <osamu.aoki@gmail.com>
sig 3 6D6D3809215F720D 2024-01-07 Osamu Aoki <osamu@debian.org>
sig 1E1356881DD8D791 2024-01-07 Osamu Aoki <osamu@debian.org>
sub cv25519 2024-01-07 [E]
sig 6D6D3809215F720D 2024-01-07 Osamu Aoki <osamu@debian.org>
Now I can publish public key in ASCII format as:
$ gpg -a --export D89E6B09B42098CEAF081AB16D6D3809215F720D
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZZpSFhYJKwYBBAHaRw8BAQdA9T6mXRx7Zc64kQC+dKB2RgxNHK0+KFlCT8b/
JtFAWRu0HU9zYW11IEFva2kgPG9zYW11QGRlYmlhbi5vcmc+iJIEExYIADsCGwMF
CwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQTYnmsJtCCYzq8IGrFtbTgJIV9yDQUC
ZZpXMAIZAQAKCRBtbTgJIV9yDc+YAQDhuq/q76qobfHKi8C2MT83u1qZkg2eCpEF
UkyvrE59fwD4+d+IbCls19F3MCRuEmyvYQr+sghC82lnUiFOxUq/DYkCSgQQAQoA
NBYhBDEzck1iB4gVeeldYh4TVogd2NeRBQJlmls3AwUCeBKGPFtePl0rW0AuXW5v
bmU+JAAACgkQHhNWiB3Y15HUUg//cxqb7DPcJ02uJUl+/xHQQFITpurAGZo5kpvN
/a7OlWWcnmuuP3wpkXFVyZzD698THWbgULDtggYRks9JzKuJM9nP86/GlWHYT+nA
KIzbQPEmqyO6kTtLm4TojskVVnxO8ahtDXha7CoXpdfdi4OJDTClphr2QmonvrC6
+AcL4SHXEJm8gcH2kIvcL9c4ux1p7JoRZkOFjusOTPRAWZIALLj+aHE6hiYKXDZM
ATMKyaJ0mA/OjVkcNgQtTpaDWo4LI9kdh8Sz1VSsa8wwOjkz/dbmIa7aocQODMFA
/K84PH3PdoT3AxoZfHkhTeqNa5CpB9C6QE7A3i+9eQ9r46HU6MF4nVs696KlC1yP
83+c/PVn202nIIq9HWe7GfpI5tbjQD6lMfH0nXw4okZ0pVmrzlw2j6EyQ279JYP+
dNi9YU8F07vjSABj4gCGfSr3xwZre/tzNuhHoglB3ZLnxbCKoZdO7NcbwdF1Gjl3
1QhsYg4rqIhnp24DEWXyOW2qP3bOfkiccFToHowIvN+H6gsLIACXnBc8LNMGZCHY
nNU4qU7EHQT2s9am6wYP86bheTxCsRiAca8wXTj8iYvUA7GEs5U0L1uJjPc9JT5E
UnmiPl10sO/pqvhqa6grNXsGiuUDi6Jr0d+3YbHkrv30l3O95GbeQRUjZuiXDgYq
DlWevW60IU9zYW11IEFva2kgPG9zYW11LmFva2lAZ21haWwuY29tPoiQBBMWCAA4
FiEE2J5rCbQgmM6vCBqxbW04CSFfcg0FAmWaVVUCGwMFCwkIBwIGFQoJCAsCBBYC
AwECHgECF4AACgkQbW04CSFfcg3oVgD/ZRvA1AcFD5dJAk3s0CLTsUHw14CdC8ob
/Hb+AdYlsY4BAPGAb4AoAxm8vqUJkV/0kzO37uSxutu/OaCI9ex7jGkBiQIzBBAB
CgAdFiEEMTNyTWIHiBV56V1iHhNWiB3Y15EFAmWaVmEACgkQHhNWiB3Y15GchA/9
GVtn4TpgjQzM577+fxItAc/EagyJpUcGyb7M/zM3bbnOonYQFsYeXxvsur4mjQk3
i1QAr+r3DCPX6eLnZcLDD/2gK7zIJg6AJVjnesv0emyPeWz1shxBYVNiliSi87K6
TCbi0QMg1XmRk9z7cawgMZpZiB8csX47xs3ZJh8nCBwNGN3I0+XvaE4B8SM2gFl1
zjNPTUXCvdrdMsDUa9Ob/VTQ07OBbLH1c6jCskHkNTZFlvdfqylub4Rt+aKtNRrT
Z0XGURNNrjcCc5D93pidh8HQdsn83UXaBDvzzXUON+Vte05YneU+aZCILi6RXjtK
ND4MmzdCAGUxKmjtiYi6L0Gmk5vQcXCTmujpvUZlWar7Vqa2IUPHXPgFErFiQP64
nlasrMoJMxMyYtp9uyLOoHnjj3H9mC4L9XZ16bEgBU533NjoStpJm8VFibSZslLI
U/WIaolWv3/ZHk0vI8MZz7+/0JPPNyjo6xagB2AcxHeIii/feRyDf5Dj/vaiMHF+
1Ti13yHAtf7+udDyWujMTr73/yNo69ccjz+3fPquXptNq5m9e0MKnUODe4loodJT
D+0CIkGGBPdvCK8LI3SbQACyu3GWgaqxAziveb6Fn5wOekOzj7h7BW36R/Q+5joQ
Coo05T5AYtkOybrQ2fpf58Au+fHufGT2+3qcNGdSfgu4OARlmlIWEgorBgEEAZdV
AQUBAQdA+q2tgbmHC7MQv5bTHyawYrITRw7Gdg7M0p0+oSRtzS8DAQgHiHgEGBYI
ACACGwwWIQTYnmsJtCCYzq8IGrFtbTgJIV9yDQUCZZpU3QAKCRBtbTgJIV9yDdz6
AQC8yC8mQnwkj9D2x84oSdEpAckJ/e47kLDN3y/HIOwXbAD/ZCv2Ek1Exh/7SrxN
L65JipPuCsH1vTsxbEE14mEs2Ag=
=7Kpk
-----END PGP PUBLIC KEY BLOCK-----
For export, smaller public key can be made as:
$ gpg -a --export --export-options export-minimal D89E6B09B42098CEAF081AB16D6D3809215F720D
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZZpSFhYJKwYBBAHaRw8BAQdA9T6mXRx7Zc64kQC+dKB2RgxNHK0+KFlCT8b/
JtFAWRu0HU9zYW11IEFva2kgPG9zYW11QGRlYmlhbi5vcmc+iJIEExYIADsCGwMF
CwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQTYnmsJtCCYzq8IGrFtbTgJIV9yDQUC
ZZpXMAIZAQAKCRBtbTgJIV9yDc+YAQDhuq/q76qobfHKi8C2MT83u1qZkg2eCpEF
UkyvrE59fwD4+d+IbCls19F3MCRuEmyvYQr+sghC82lnUiFOxUq/DbQhT3NhbXUg
QW9raSA8b3NhbXUuYW9raUBnbWFpbC5jb20+iJAEExYIADgWIQTYnmsJtCCYzq8I
GrFtbTgJIV9yDQUCZZpVVQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRBt
bTgJIV9yDehWAP9lG8DUBwUPl0kCTezQItOxQfDXgJ0Lyhv8dv4B1iWxjgEA8YBv
gCgDGby+pQmRX/STM7fu5LG62785oIj17HuMaQG4OARlmlIWEgorBgEEAZdVAQUB
AQdA+q2tgbmHC7MQv5bTHyawYrITRw7Gdg7M0p0+oSRtzS8DAQgHiHgEGBYIACAC
GwwWIQTYnmsJtCCYzq8IGrFtbTgJIV9yDQUCZZpU3QAKCRBtbTgJIV9yDdz6AQC8
yC8mQnwkj9D2x84oSdEpAckJ/e47kLDN3y/HIOwXbAD/ZCv2Ek1Exh/7SrxNL65J
ipPuCsH1vTsxbEE14mEs2Ag=
=IDSM
-----END PGP PUBLIC KEY BLOCK-----
See Personal DEB package repository how this can be used.
| Previous Post | Top | Next Post |