Update docs to reference creating an ED25519 key instead of RSA (#8013)
cannikin authored and jtoar committed Apr 5, 2023
1 parent f4bbdf9 commit 567a8bc
Showing 2 changed files with 52 additions and 52 deletions.
52 changes: 26 additions & 26 deletions docs/docs/intro-to-servers.md
Expand Up @@ -222,7 +222,7 @@ You can have multiple public keys from multiple development machines on the serv

### Public/Private Keypairs

You may already have a public/private keypair! Check in `~/.ssh` and look for two files with the same name before the extension, one with `.pub` on the end (`id_rsa` and `id_rsa.pub`, for example). If you don't remember actually putting these files in the directory, then they were probably generated by a program like `ssh-keygen`, and SSH is already using them!
You may already have a public/private keypair! Check in `~/.ssh` and look for two files with the same name before the extension, one with `.pub` on the end (`id_ed25519` and `id_ed25519.pub`, for example). If you don't remember actually putting these files in the directory, then they were probably generated by a program like `ssh-keygen`, and SSH is already using them!

To see which of your keys SSH is already aware of, you can run this command to list them:

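Review bot: the example file names now mention only `id_ed25519`, so a reader who already has an `id_rsa`/`id_rsa.pub` pair (which is what the previous version of this page told them to create) may conclude they have no key and generate a second one. Suggest keeping both in the parenthetical, e.g. "(`id_ed25519` and `id_ed25519.pub`, or `id_rsa` and `id_rsa.pub`, for example)".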
Expand All @@ -233,49 +233,49 @@ ssh-add -L
You should get zero or more lines containing public SSH keys, something like this:

```
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB<REDACTED>3Edk1OE6BU6hK2EZchm= rob@computer.local
ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQAB<REDACTED>CU90x/khqD1sDW= rob@computer.local
```

If I compare that to the content of my `~/.ssh/id_rsa.pub` file I can see that they match! Great, so SSH is already using our public key when it tries to connect. But what if you don't have a public/private keypair?
If I compare that to the content of my `~/.ssh/id_ed25519.pub` file I can see that they match! Great, so SSH is already using our public key when it tries to connect. But what if you don't have a public/private keypair?

### Generating a Public/Private Keypair

There's a simple command to generate a new keypair:

```
ssh-keygen -t rsa -r 4096
ssh-keygen -t ed25519
```

This tells the program to generate a key using the RSA algorithm and to make it 4096 bytes long. There are [newer algorithms](https://goteleport.com/blog/comparing-ssh-keys/) available, but not all of them are supported everywhere. The linked article goes into depth into the various algorithms and their pros and cons.
This tells the program to generate a key using the ED25519 algorithm. There are [many algorithms](https://goteleport.com/blog/comparing-ssh-keys/) available, but not all of them are supported everywhere. The linked article goes into depth into the various algorithms and their pros and cons.

You will be prompted for a couple of questions:

```
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/rob/.ssh/id_rsa):
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/rob/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
```

If you don't have any keys, go ahead and use the default name (`id_rsa`) by just hitting ENTER.
If you don't have any keys, go ahead and use the default name `id_ed25519` by just hitting ENTER.

A Passphrase is an additional line of security on your key. However, it also adds some inconvenience around using your public key: you'll need to enter the passpharse each time your private key is accessed. Which is great for security, but kind of defeats the purpose of sharing your public key with the server to make access easier. As long as you protect your private key, you shouldn't need to worry about adding a passphrase. Press ENTER (twice) to create your keypair without a passphrase.

```
Your identification has been saved in id_rsa
Your public key has been saved in id_rsa.pub
Your identification has been saved in id_ed25519
Your public key has been saved in id_ed25519.pub
The key fingerprint is:
SHA256:g9tcaULSzcMLEoRREugBXEFotYdCicFZ4beRZRcTeMw rob@trion.local
SHA256:6Qg7RQRGp1AtfVIOucEt1HtZWkYMU1LZYBVwBsXwTWQ rob@computer.local
The key's randomart image is:
+---[RSA 4096]----+
|*+OO**+o+=o |
|oB+ +.++.E. |
|.o = =o = = |
| o o o= . + |
| .. S = |
| + = |
| . o |
| |
+--[ED25519 256]--+
| .B&@O+ .E +==|
| o=*= .** . o .o|
| . o . . . .|
| .o o . o ..|
| o . A * + .|
| = + = + |
| o . * . |
| . o |
| |
+----[SHA256]-----+
```
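Review bot: the sample public key line `ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQAB<REDACTED>CU90x/khqD1sDW= rob@computer.local` is internally inconsistent: the base64 blob of an OpenSSH public key starts with the key type string, and `AAAAB3NzaC1yc2EAAAADAQAB` decodes to `ssh-rsa` (plus the RSA exponent), so this is an RSA blob behind an `ssh-ed25519` label. A real Ed25519 key begins `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...` and is a single short line, which is also one of the reasons this commit switches algorithms; suggest pasting the redacted prefix of an actual `id_ed25519.pub`. Separately, the new randomart block contains an `A` (row `| o . A * + .|`), which is not in the character set `ssh-keygen` uses for randomart (` .o+=*BOX@%&#/^SE`), so it looks hand-edited; pasting the real output of the `ssh-keygen -t ed25519` run would avoid a reader "comparing" against something the tool can never print. The removal of `-r 4096` is correct either way (the old flag was a typo for `-b`, and Ed25519 keys have a fixed size).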
Expand All @@ -286,7 +286,7 @@ From this [Super User answer](https://superuser.com/a/22541):

> Validation is normally done by a comparison of meaningless strings (i.e. the hexadecimal representation of the key fingerprint), which humans are pretty slow and inaccurate at comparing. Randomart replaces this with structured images that are faster and easier to compare.
I suppose the idea is that if humans ever needed to compare public keys they could use the randomart version and know pretty quickly whether they're the same (instead of comparing 4096 bytes by eye!)
I suppose the idea is that if humans ever needed to compare public keys they could use the randomart version and know pretty quickly whether they're the same (instead of comparing a bunch of random number and letters by eye!)

:::

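Review bot: typo in the new wording, "a bunch of random number and letters" should be "a bunch of random numbers and letters". While touching this sentence, "comparing 4096 bytes" was dropped for good reason, but it may be worth saying what is actually compared on a first connection: the fingerprint shown above (`SHA256:...`), not the full key, which is the thing the randomart is meant to stand in for.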
Expand All @@ -301,7 +301,7 @@ ssh-add -L
Do you see your new public key listed? If not, we just have to let `ssh-agent` know where it is and to start using it (note that you give the path to the private key):

```
ssh-add ~/.ssh/id_rsa
ssh-add ~/.ssh/id_ed25519
```

Now running `ssh-add -L` should list our key.
Expand All @@ -311,7 +311,7 @@ Now running `ssh-add -L` should list our key.
I've had cases where my key was unknown to `ssh-agent` after a computer restart. I added the following to the `~/.zshrc` file on my computer (not the server) so that the key is added every time I start a new terminal session:

```
ssh-add ~/.ssh/id_rsa
ssh-add ~/.ssh/id_ed25519
```

:::
Expand All @@ -321,15 +321,15 @@ ssh-add ~/.ssh/id_rsa
So SSH is now presenting the key to the server, but the server doesn't know what to do with it. We'll now copy our *public* key to the server so that it allows connections from it. Write your public key to the terminal so that you can copy it:

```
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_ed25519.pub
```

:::info

On MacOS you can copy the key into your clipboard with this two-part command:

```
cat ~/.ssh/id_rsa.pub | pbcopy
cat ~/.ssh/id_ed25519.pub | pbcopy
```

:::
Expand All @@ -344,7 +344,7 @@ Now just paste your key into this file on a new line. It helps to add a comment

```
# Rob Cameron (optimus-prime)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB<REDACTED>3Edk1OE6BU6hK2EZchm= rob@computer.local
ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQAB<REDACTED>CU90x/khqD1sDW= rob@computer.local
```

Save the file and exit. Now, disconnect from the SSH session with `exit` and reconnect, but this time you shouldn't need a password or private key (if you were using `-i` you can leave that off) and simply connect with:
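Review bot: the `authorized_keys` example line carries the same mismatched blob as the earlier sample (`ssh-ed25519` type label in front of `AAAAB3NzaC1yc2EAAAADAQAB...`, which is the encoding of an RSA key). The two samples should match each other, which they do, but both should be the redacted prefix of a genuine Ed25519 key (`AAAAC3NzaC1lZDI1NTE5AAAAI...`), since readers will compare their own `id_ed25519.pub` against this line to confirm they copied the right file.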
52 changes: 26 additions & 26 deletions docs/versioned_docs/version-4.0/intro-to-servers.md
Expand Up @@ -222,7 +222,7 @@ You can have multiple public keys from multiple development machines on the serv

### Public/Private Keypairs

You may already have a public/private keypair! Check in `~/.ssh` and look for two files with the same name before the extension, one with `.pub` on the end (`id_rsa` and `id_rsa.pub`, for example). If you don't remember actually putting these files in the directory, then they were probably generated by a program like `ssh-keygen`, and SSH is already using them!
You may already have a public/private keypair! Check in `~/.ssh` and look for two files with the same name before the extension, one with `.pub` on the end (`id_ed25519` and `id_ed25519.pub`, for example). If you don't remember actually putting these files in the directory, then they were probably generated by a program like `ssh-keygen`, and SSH is already using them!

To see which of your keys SSH is already aware of, you can run this command to list them:

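Review bot: as in the unversioned copy of this page, naming only `id_ed25519` in the example may lead a reader who already has `id_rsa`/`id_rsa.pub` to think they have no key; suggest "(`id_ed25519` and `id_ed25519.pub`, or `id_rsa` and `id_rsa.pub`, for example)".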
Expand All @@ -233,49 +233,49 @@ ssh-add -L
You should get zero or more lines containing public SSH keys, something like this:

```
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB<REDACTED>3Edk1OE6BU6hK2EZchm= rob@computer.local
ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQAB<REDACTED>CU90x/khqD1sDW= rob@computer.local
```

If I compare that to the content of my `~/.ssh/id_rsa.pub` file I can see that they match! Great, so SSH is already using our public key when it tries to connect. But what if you don't have a public/private keypair?
If I compare that to the content of my `~/.ssh/id_ed25519.pub` file I can see that they match! Great, so SSH is already using our public key when it tries to connect. But what if you don't have a public/private keypair?

### Generating a Public/Private Keypair

There's a simple command to generate a new keypair:

```
ssh-keygen -t rsa -r 4096
ssh-keygen -t ed25519
```

This tells the program to generate a key using the RSA algorithm and to make it 4096 bytes long. There are [newer algorithms](https://goteleport.com/blog/comparing-ssh-keys/) available, but not all of them are supported everywhere. The linked article goes into depth into the various algorithms and their pros and cons.
This tells the program to generate a key using the ED25519 algorithm. There are [many algorithms](https://goteleport.com/blog/comparing-ssh-keys/) available, but not all of them are supported everywhere. The linked article goes into depth into the various algorithms and their pros and cons.

You will be prompted for a couple of questions:

```
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/rob/.ssh/id_rsa):
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/rob/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
```

If you don't have any keys, go ahead and use the default name (`id_rsa`) by just hitting ENTER.
If you don't have any keys, go ahead and use the default name `id_ed25519` by just hitting ENTER.

A Passphrase is an additional line of security on your key. However, it also adds some inconvenience around using your public key: you'll need to enter the passpharse each time your private key is accessed. Which is great for security, but kind of defeats the purpose of sharing your public key with the server to make access easier. As long as you protect your private key, you shouldn't need to worry about adding a passphrase. Press ENTER (twice) to create your keypair without a passphrase.

```
Your identification has been saved in id_rsa
Your public key has been saved in id_rsa.pub
Your identification has been saved in id_ed25519
Your public key has been saved in id_ed25519.pub
The key fingerprint is:
SHA256:g9tcaULSzcMLEoRREugBXEFotYdCicFZ4beRZRcTeMw rob@trion.local
SHA256:6Qg7RQRGp1AtfVIOucEt1HtZWkYMU1LZYBVwBsXwTWQ rob@computer.local
The key's randomart image is:
+---[RSA 4096]----+
|*+OO**+o+=o |
|oB+ +.++.E. |
|.o = =o = = |
| o o o= . + |
| .. S = |
| + = |
| . o |
| |
+--[ED25519 256]--+
| .B&@O+ .E +==|
| o=*= .** . o .o|
| . o . . . .|
| .o o . o ..|
| o . A * + .|
| = + = + |
| o . * . |
| . o |
| |
+----[SHA256]-----+
```
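Review bot: the sample key `ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQAB<REDACTED>CU90x/khqD1sDW= rob@computer.local` pairs an `ssh-ed25519` label with a blob whose prefix `AAAAB3NzaC1yc2E` decodes to `ssh-rsa`; a genuine Ed25519 public key starts `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...`. The randomart block also contains an `A`, which `ssh-keygen` never emits (its alphabet is ` .o+=*BOX@%&#/^SE`). Suggest replacing both with the redacted output of a real `ssh-keygen -t ed25519` run so this versioned page matches what the tool prints.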
Expand All @@ -286,7 +286,7 @@ From this [Super User answer](https://superuser.com/a/22541):

> Validation is normally done by a comparison of meaningless strings (i.e. the hexadecimal representation of the key fingerprint), which humans are pretty slow and inaccurate at comparing. Randomart replaces this with structured images that are faster and easier to compare.
I suppose the idea is that if humans ever needed to compare public keys they could use the randomart version and know pretty quickly whether they're the same (instead of comparing 4096 bytes by eye!)
I suppose the idea is that if humans ever needed to compare public keys they could use the randomart version and know pretty quickly whether they're the same (instead of comparing a bunch of random number and letters by eye!)

:::

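Review bot: "random number and letters" should read "random numbers and letters".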
Expand All @@ -301,7 +301,7 @@ ssh-add -L
Do you see your new public key listed? If not, we just have to let `ssh-agent` know where it is and to start using it (note that you give the path to the private key):

```
ssh-add ~/.ssh/id_rsa
ssh-add ~/.ssh/id_ed25519
```

Now running `ssh-add -L` should list our key.
Expand All @@ -311,7 +311,7 @@ Now running `ssh-add -L` should list our key.
I've had cases where my key was unknown to `ssh-agent` after a computer restart. I added the following to the `~/.zshrc` file on my computer (not the server) so that the key is added every time I start a new terminal session:

```
ssh-add ~/.ssh/id_rsa
ssh-add ~/.ssh/id_ed25519
```

:::
Expand All @@ -321,15 +321,15 @@ ssh-add ~/.ssh/id_rsa
So SSH is now presenting the key to the server, but the server doesn't know what to do with it. We'll now copy our *public* key to the server so that it allows connections from it. Write your public key to the terminal so that you can copy it:

```
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_ed25519.pub
```

:::info

On MacOS you can copy the key into your clipboard with this two-part command:

```
cat ~/.ssh/id_rsa.pub | pbcopy
cat ~/.ssh/id_ed25519.pub | pbcopy
```

:::
Expand All @@ -344,7 +344,7 @@ Now just paste your key into this file on a new line. It helps to add a comment

```
# Rob Cameron (optimus-prime)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB<REDACTED>3Edk1OE6BU6hK2EZchm= rob@computer.local
ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQAB<REDACTED>CU90x/khqD1sDW= rob@computer.local
```

Save the file and exit. Now, disconnect from the SSH session with `exit` and reconnect, but this time you shouldn't need a password or private key (if you were using `-i` you can leave that off) and simply connect with:
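Review bot: the `authorized_keys` sample line has the same RSA blob (`AAAAB3NzaC1yc2EAAAADAQAB...`) behind an `ssh-ed25519` label as the `ssh-add -L` sample above; both should show the prefix of a real Ed25519 key (`AAAAC3NzaC1lZDI1NTE5AAAAI...`) so that readers comparing their own `id_ed25519.pub` against the page see a matching shape.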
