op public repos

Blob

Date:: Tue Sep 22 09:29:59 2020 UTC
Message:: noise commit: fix code blocks put the programming language name in every code block. While there, I fixed a typo or two.
Actions:: History | Blame | Raw File
1 For a long time I've been procrastinating on this.  Even though there
2 is no compelling reason (from what I've understood -- I'm not a
3 cryptographer) to upgrade from my current 4096-bit RSA key to a shiny
4 new ed25519 key, today I've just made the first step towards the
5 removal of the "old" RSA key.
6 
7 (A note must be made: not every ssh implementation supports ed25519
8 keys.  Even some keyring may not support it yet.)
9 
10 The thing is that my current ssh public key is in a lot of places:
11 home devices, friends machines, remote servers, and even some web
12 sites... more than I can count and be *absolutely sure* I'm not
13 forgetting something, so a complete switch is not possible.
14 
15 It's possible, however, to start using a new key without deleting the
16 first: as you may already know, in your ssh config you can use
17 `IdentityFile` (see `ssh_config(5)`).  The thing that I didn't knew
18 was that, by default, ssh checks multiple files, not only `id_rsa`
19 when logging.  This seems cool, and in fact it lets you save lines in
20 the configuration.
21 
22 So, to keep it short, what I did was as simple as
23 
24 ```sh
25 ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
26 ```
27 
28 and then adding the new public key to some servers.  You can check
29 with `ssh -v foo@bar` that ssh attempt to use various keys
30 
31 ```sh
32 ; ssh -v foo@bar
33 OpenSSH_8.3, LibreSSL 3.2.0
34 debug1: Reading configuration data /home/op/.ssh/config
35 [...]
36 debug1: Offering public key: /home/op/.ssh/id_rsa RSA SHA256:...
37 debug1: Authentications that can continue: ...
38 debug1: Trying private key: /home/op/.ssh/id_dsa
39 debug1: Trying private key: /home/op/.ssh/id_ecdsa
40 debug1: Trying private key: /home/op/.ssh/id_ecdsa_sk
41 debug1: Offering public key: /home/op/.ssh/id_ed25519 ED25519 SHA256:...
42 debug1: Server accepts key: /home/op/.ssh/id_ed25519 ED25519 SHA256:...
43 debug1: Authentication succeeded (publickey).
44 [...]
45 ```
46 
47 (lines elided to keep them short and readable)
48 
49 In this example, you can see that the ssh client first tries the
50 `id_rsa` key, but it didn't succeeded, then tries the (non existant in
51 my machine) `id_{dsa,ecdsa,ecdsa_sk}` and, finally, the `id_ed5519`
52 key.
53 
54 In the end, the real reason that was keeping me from updating the key
55 was just the assumption that I needed to either replace the key in
56 every place or use the appropriate `IdentityFile` per-host.  Turns
57 out, this assumption is wrong and now I'm quite happy, with the
58 majority of the devices I connect to frequently already switched to
59 use my new ed25519 key, all without touching my local configuration :)