The OpenBSD BASED Challenge Day 5

By Root BSD

Today I generated a secure ssh key pair using ssh-keygen(1)!

I do own a bare metal server running OpenBSD 7.0 -stable that is stored at a private location. It's been up for a couple months now. Root ssh logins are disabled, but my user is only using a password login. Let's use ssh-keygen(1) to generate a private and public key to exchange between the two machines.

ssh-keygen(1) uses a mathematical process called the Diffie-Hellman key exchange, which comprises both public variables and private variables. Variables from both keys are mixed with the public key, then exchanged to either side to be finally mixed with the local keys. The final product is a shared secret, and an attacker who can only see the public information can't extract the data needed from either side's private variables to break the key exchange (i.e. between my laptop and my server).

First, after a cursory glance at the ssh-keygen manpage, I thought it would be prudent to generate groups for use in Diffie-Hellman group exchange. This is called MODULI GENERATION (per the manpage),

“Generating these groups is a two-step process: first, candidate primes are generated using a fast, but memory intensive process. These candidate primes are then tested for suitability (a CPU-intensive process).”

# ssh-keygen -M generate -O bits=2048 moduli-2048.candidates

Then we screen the prime candidates for suitability,

# ssh-keygen -M screen -f moduli-2048.candidates moduli-2048

Then install the candidates to /etc/moduli. Now it wasn't specific on how I should do this, so I backed up the original moduli file just in case

doas cp -v /etc/moduli /etc/moduli.bak
doas cp -v moduli-2048 /etc/moduli

Alright, I hope I did that right.
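One way to check a moduli file before copying it over /etc/moduli, added here as an example and not part of the original post. It reads the type, tests and trials fields as documented in moduli(5); the function names `audit_moduli` and `make_samples` are made up for this example, and the sample lines are constructed stand-ins for the generate and screen outputs.

```shell
#!/bin/sh
# Added example: audit a moduli(5)-format file before installing it.
# Fields per line: timestamp type tests trials size generator modulus

# audit_moduli FILE: prints "usable=N rejected=M" and returns non-zero
# when any line is unscreened or the file has no usable line at all.
audit_moduli() {
    awk '
        /^#/ || NF == 0 { next }
        {
            # type 2 = safe prime; tests is a decimal bitmask where
            # 0x04 = Miller-Rabin tested and 0x01 = known composite.
            ok = (NF == 7 && $2 == 2 && $4 > 0 &&
                  int($3 / 4) % 2 == 1 && $3 % 2 == 0)
            if (ok) { usable++ } else {
                rejected++
                printf("line %d: type=%s tests=%s trials=%s\n",
                       NR, $2, $3, $4) > "/dev/stderr"
            }
        }
        END {
            printf("usable=%d rejected=%d\n", usable, rejected)
            exit (usable == 0 || rejected > 0)
        }
    ' "$1"
}

# make_samples DIR: writes two constructed files (shortened fake moduli,
# not real ssh-keygen output) standing in for the generate/screen results.
make_samples() {
    cat > "$1/candidates" <<'EOF'
20240101000000 4 2 0 2047 0 D1CEB00C
20240101000001 4 2 0 2047 0 D1CEB01D
EOF
    cat > "$1/screened" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20240101000500 2 6 100 2047 2 D1CEB00C
20240101000501 2 6 100 2047 5 D1CEB01D
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in candidates screened; do
    if audit_moduli "$demo_dir/$f"; then echo "$f: screened, ok to install"
    else echo "$f: not fully screened, do not install"; fi
done
rm -rf "$demo_dir"
```

Run against real files, `audit_moduli moduli-2048` should report every line as usable, while the unscreened `moduli-2048.candidates` file should be rejected.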

Now we generate our keys. Using the -t option we have the choice of “dsa”, “ecdsa”, “ecdsa-sk”, “ed25519”, “ed25519-sk”, or “rsa”. I chose ed25519 because I've heard it is a very strong cipher. Potentially overkill for my use case, but that's ok!

ssh-keygen -t ed25519

I entered a strong, super secret passphrase,

Your identification has been saved in /home/glitch/.ssh/id_ed25519
Your public key has been saved in /home/glitch/.ssh/
The key fingerprint is: REDACTED

I can't show you that output, that's the private bit I don't want the attackers to see!

Now we need to copy over the public key to the server. This part was a bit of fun because OpenBSD does not have the popular tool, ssh-copy-id. So it's time to properly use the most misunderstood tool in the UNIX toolbox, cat(1), which is short for concatenate. Concatenate means to connect or link in a series or chain; in this case the standard input of the public key is linked to ssh to write to an “authorized_keys” file.

cat /home/glitch/.ssh/ | ssh user@remotelogin "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Now I'm all good to go!

ssh
Enter passphrase for key '/home/user/.ssh/id_ed25519':

Perfect! I made sure to run doas syspatch(8) to apply the latest security patches and fw_update(8) for firmware updates to my server. We owe a lot of gratitude to the OpenBSD project for OpenSSH, for they originally created it. It feels good that smarter people than me figured out these clever ways for people to log in and communicate with machines over the network in a secure and private manner.

That was a pretty fun exercise, I learned something and I hope you did too. As always, happy hacking in OpenBSD.