Secure the password encryption of ssh key #182
I found your guide on generating SSH keys (https://www.fullstackpython.com/blog/ssh-keys-ubuntu-linux.html) after looking at the top 20 Google results for 'how do I generate an ssh key', and it looks like your default suggestions for using ssh-keygen are insecure.
I highly recommend you add this to your guide's ssh-keygen arguments:
This will ensure the key is password-encrypted properly.
From the ssh-keygen manual:
The problem is described in this blog post: https://latacora.singles/2018/08/03/the-default-openssh.html
By making these changes to your guide, you will be making the internet safer. If the keys used to access servers are secure by default, then both the servers, and all the users who visit websites on those servers, will be more secure.
Here is some background on the problem:
Thank you very much for your consideration and help in this matter.
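As an added example (not code from this pull request, the fullstackpython guide, or OpenSSH), the following Python script inspects a private key file and reports which protection scheme it uses: the legacy PEM armor, whose passphrase key is derived with OpenSSL's MD5-based EVP_BytesToKey in a single iteration, or the `openssh-key-v1` format that `ssh-keygen -o` writes, which records the cipher, the KDF name (`bcrypt`) and the round count chosen with `-a`. The two sample key files are constructed dummies with placeholder key material, and the `MIN_ROUNDS` threshold of 100 is an assumption taken from the linked blog post's recommendation, not a value the thread states.

```python
"""Report how an OpenSSH private key file protects its passphrase.

Added example for the thread above; not part of the pull request or the guide.
The sample key files are constructed dummies containing no real key material.
"""
import base64
import struct
import textwrap

MAGIC = b"openssh-key-v1\x00"  # magic of the format written by ssh-keygen -o
MIN_ROUNDS = 100               # assumed threshold, matching the post's "-a 100" advice


def _ssh_string(data: bytes) -> bytes:
    """Encode a uint32 length-prefixed SSH string."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, off: int):
    """Decode a length-prefixed SSH string at buf[off:], returning (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def build_dummy_new_format(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=100) -> str:
    """Construct a syntactically valid openssh-key-v1 file with dummy contents."""
    salt = b"\x00" * 16  # constructed salt; a real key uses random bytes
    kdfoptions = (_ssh_string(salt) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    blob = (MAGIC
            + _ssh_string(cipher)
            + _ssh_string(kdf)
            + _ssh_string(kdfoptions)
            + struct.pack(">I", 1)               # one key in the file
            + _ssh_string(b"dummy-public-key")   # placeholder, not a real public key
            + _ssh_string(b"\x00" * 32))         # placeholder for the encrypted section
    body = "\n".join(textwrap.wrap(base64.b64encode(blob).decode(), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM file: the passphrase key for this armor is derived with
# MD5-based EVP_BytesToKey in one iteration, which is what the linked post objects to.
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""


def classify_private_key(text: str) -> dict:
    """Return format, cipher, KDF and round count for a private key file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(MAGIC)
        cipher, off = _read_ssh_string(blob, off)
        kdf, off = _read_ssh_string(blob, off)
        kdfoptions, off = _read_ssh_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _read_ssh_string(kdfoptions, 0)  # kdfoptions = string salt, uint32 rounds
            (rounds,) = struct.unpack_from(">I", kdfoptions, o)
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds, "encrypted": cipher != b"none"}
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
        cipher = None
        for ln in lines:
            if ln.startswith("DEK-Info:"):
                cipher = ln.split(":", 1)[1].strip().split(",")[0].lower()
        return {"format": "legacy-pem", "cipher": cipher,
                "kdf": "md5-evp-bytes-to-key" if encrypted else "none",
                "rounds": 1 if encrypted else None, "encrypted": encrypted}
    raise ValueError("unrecognised private key file")


def is_weakly_protected(info: dict) -> bool:
    """True when the key should be regenerated with ssh-keygen -o -a N and a passphrase."""
    if not info["encrypted"]:
        return True
    if info["format"] == "legacy-pem":
        return True
    return info["kdf"] != "bcrypt" or (info["rounds"] or 0) < MIN_ROUNDS


if __name__ == "__main__":
    samples = [("new format, -o -a 100", build_dummy_new_format()),
               ("new format, no passphrase", build_dummy_new_format(b"none", b"none", 0)),
               ("legacy PEM", LEGACY_SAMPLE)]
    for label, text in samples:
        info = classify_private_key(text)
        print(f"{label}: {info} -> {'WEAK' if is_weakly_protected(info) else 'ok'}")
```

Run it against the files in `~/.ssh` to find keys worth regenerating; a key that reports `legacy-pem` was written without `-o`, and a `bcrypt` key reports the round count that `-a` set, so the check also catches keys converted with `ssh-keygen -p -o` but left at a low round count.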
wow, @peterwwillis this is a spectacular pull request. thank you so much. I didn't realize standard Ubuntu was so insecure. I typically use the macOS version of ssh-keygen, which from my initial digging doesn't look like it suffers from the same insecure-by-default issue. Is that your understanding as well?
I'm going to merge this and likely add a bit more of my own context to elaborate on why
Thanks very much for accepting the change!
I'm not aware of the MacOS version used, but this option was introduced in version 6.5 of OpenSSH (https://www.openssh.com/txt/release-6.5). If you're using version 6.5 or later, the option should be available (I use