Key Management

SSH Key Management

Key Creation

As of December 2015, the most secure key type is ed25519 with 4096-bit:

ssh-keygen -t ed25519 -b 4096 -C my@email.com -f keyfile

Older clients may not support ed25519, but fuck them.

Secure Configuration

Using crypto is only the first step. You need to ensure that the tools you use are locked down to enforce only the protocols that are not known to be weak.

SSL

Use Let’s Encrypt to get free SSL certificates.
Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open. In Public Beta 2015-12-03.

SSH

Server Config

Ciphers

As of 2015-12-04, the best Ciphers setting in /etc/ssh/sshd_config is:

Ciphers aes192-ctr,aes256-ctr,arcfour256,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour

MACs

As of 2015-12-04, the best MACs setting in /etc/ssh/sshd_config is:

Disable anything using MD5
Disable anything using less than 128 bits
Disable anything not using -etm mode

Use the following config file:

MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com

Encryption

Contents

Key Management

SSH Key Management

Key Creation

Secure Configuration

SSL

SSH

Server Config

Ciphers

MACs

Navigation menu

Encryption

Key Management

SSH Key Management

Key Creation

Secure Configuration

SSL

SSH

Server Config

Ciphers

MACs

Navigation menu

Search