Set up root login via key file

  1. When setting up root login via key file, where can I find outputkeyfile?
  2. Other than rsa, which other key type should I select?
    dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk

The Fedora docs I’m referring to are:
https://docs.fedoraproject.org/en-US/fedora-server/sysadmin-postinstall/

sudo ssh-keygen -t rsa -b 4096  -C "root@example.com" -f <outputkeyfile>
2 Likes
  1. It should be directly in your /home folder. If it isn’t there, check inside ~/.ssh.
  2. That is entirely up to you. I personally use Edwards-curve (ed25519), because it provides the highest security level compared to key length. It also improves on the insecurities found in ECDSA.

Okay. I executed it on the local desktop.

sudo ssh-keygen -t ed25519 -b 4096 -C "root@ip_address" -f <~/.ssh>

but returned with the following.
bash: syntax error near unexpected token `newline'

What went wrong?

2 Likes

Is it a real filename? I mean, do you write the command in this way?

I thought it was to insert the path where the file exists.

As I check all available SSH keys on my Fedora workstation, there are two rsa files
id_rsa
id_rsa.pub

After a bit of deliberation and trial and error, I generated a new key by entering:

ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C " root@ip_address "

Generating public/private ed25519 key pair.

Entered a strong passphrase and it seems like the key upgraded to ed25519.

1 Like

I’m sorry for asking, but are you very new to Linux? It seems like you got it sorted out, but when you see something along the lines of </path/to/somewhere>, you should omit the <>. Basically, in your case, the command you are supposed to execute is sudo ssh-keygen -t ed25519 -b 4096 -C "root@ip_address" -f ~/.ssh.

My bad, I should’ve elaborated on the procedure. But I am glad you found out :blush:

1 Like

Much appreciated @telometto, for the convention used in < >. Yes, I forgot to say I’m new to Linux servers and DIY with the R Pi.

One thing I found out from your link on ed25519 is the key length is shorter than rsa, as a result, the number after -a (instead of -b 4096) needs to be short, so I set it to 100.

Quite daunting to read through man pages and what each option means and filter what’s relevant.

I’ll just leave this as a reference for anyone visiting this thread in need of help in the future.

Open a terminal and follow the steps (NOTE: no need to run with escalated privileges, i.e. sudo):

export LD_LIBRARY_PATH=/usr/local/lib
gpg2 --expert --full-gen-key

After the second command, you will be presented with a list.

  1. At the first prompt, you press ‘9’ (which is ECC and ECC).
  2. At the second prompt, press ‘1’ (Curve 25519).
  3. You will see a third prompt, which is a warning, but nothing to worry about. Press ‘y’ and hit enter.
  4. It will ask for the expiration of the key. This is up to you, my personal key never expires, so I chose ‘0’ (never expires). Another prompt right after this asks you to confirm your choice, so press ‘y’.
  5. It will ask for your real name, an email address and a comment.
    IMPORTANT: if you are using it for… “questionable” purposes, it goes without saying that you should not enter your real name and email address (or any identifiable information).
  6. A couple of options will be presented to you again (e.g. if you want to change anything). Press ‘o’ if everything looks good to go to the next step.
  7. It will ask you to do something to generate enough entropy (“randomness”), like moving the mouse etc.
  8. A pop-up window will show up and ask you to enter a passphrase for the key. Enter your desired passphrase.
  9. The terminal will present you various information of the key you generated.
    There should be a line that goes pub   ed25519/RANDOM_NUMBER. Copy RANDOM_NUMBER (not the rest) before proceeding to the next step.
    Done with the first part! Now, on to the next: subkeys.
  10. Enter the two commands below:
gpg2 --expert --edit-key RANDOM_NUMBER
gpg> addkey
  1. It will prompt you to select method. Write ‘11’ into the terminal and hit enter.
  2. Next three prompts will be Your selection?. Press ‘a’ on the first.
  3. Press ‘s’ on the second.
  4. Press ‘q’ on the last one.
  5. Again, it will ask you which curve you want. Press ‘1’ (Curve 25519).
  6. If a warning pops up, like gpg: WARNING: Curve25519 is not yet part of the OpenPGP standard. Use this curve anyway? (y/N), you press ‘y’.
  7. It will ask you for the expiration of the key once more. Again, your choice, but mine was ‘0’ (never expires). And it will ask you to confirm this with ‘y’.
  8. Last confirmation: Really create? (y/N). Press ‘y’ if you’re happy with this.
  9. It will ask you, once more, to do something to generate enough entropy.
  10. It will ask you to enter your passphrase again. Enter it.
  11. Last step: gpg> save and hit enter. DONE! :blush:

If you feel like there’s something you’ve missed, please see my latest answer to your post, as I made a guide for people to use in the future :nerd_face:

As far as the man pages go, better get used to it :laughing:

Thanks for the guide on GNU Privacy Guard (GnuPG) @telometto. I stepped through it and it went okay.

Can’t find the authorized_keys when I checked the ~/.ssh

$ ls ~/.ssh
id_ed25519 id_ed25519.pub id_rsa id_rsa.pub known_hosts @

$ sftp <user>@<host>

INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: ERROR: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
ERROR: @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
ERROR: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

ERROR: It is also possible that a host key has just been changed.
ERROR: The fingerprint for the ED25519 key sent by the remote host is
ERROR: SHA256:.
ERROR: Please contact your system administrator.
ERROR: Add correct host key in /var/home/username/.ssh/known_hosts to get rid of this message.
ERROR: Offending ED25519 key in /var/home/username/.ssh/known_hosts:1
ERROR: Host key for has changed and you have requested strict checking.
ERROR: Host key verification failed.

$ cat ~/.ssh/id_ed25519.pub
ssh-ed25519 <REALLY LONG STRING OF RANDOM CHARACTERS> user@host
2 Likes

Hi,

If I’m not wrong, in your case you have 2 different machines. Let’s say Workstation and Server.

You generate the ssh key on your Workstation and get the folder ~/.ssh, which contains two files, id_ed25519 and id_ed25519.pub.

After that, you want to make a copy of id_ed25519.pub from your current Workstation to the ~/.ssh directory on your Server via sftp, but you failed to access your Server and got the messages above.

If this is the case, the problem I believe is on your server. Maybe the server already has an ssh key for remote connection.

1 Like

There are several steps to make this work:

  1. Open up a terminal and enter ssh-keygen -R hostname (this will remove the entry from the known_hosts file).
  2. SSH into the host (ssh IP_ADDRESS). It will prompt you if you want to continue connecting - enter ‘yes’.
  3. Once you’ve managed to enter, press Ctrl+D to disconnect from the host.
  4. Now, to add the key to the target, you enter ssh-copy-id -i $HOME/.ssh/YOUR_KEY_NAME.pub IP_ADDRESS.
  5. It will ask you for the password. Enter it.
  6. Disconnect by pressing Ctrl+D again.
    [OPTIONAL STEPS BELOW]
  7. Check if the ssh-agent is running in the background by using eval $(ssh-agent). You should get an output like Agent pid NUMBER.
  8. If the agent is running in the background (which it most likely is) you can use ssh-add to cache the passphrase to connect to the remote; it will ask you for the passphrase once, after which, you can just type ssh IP_ADDRESS and it will launch you directly into the remote without asking for a password. This is not persistent, though: it will only last as long as you have the terminal window open.

As for creating an SSH-key, the steps are as follows:

  1. Open a terminal and enter ssh-keygen -t ed25519 -C "COMMENT TO IDENTIFY KEY" (COMMENT TO IDENTIFY KEY should obviously be substituted with something you enter but the " " should be left there).
  2. It will ask you in which file to enter the key. NOTE: you can press enter and it will store the key in the path between the parentheses, with that filename. If you already have a key with the same name in that directory, it will overwrite the key unless you enter the whole path! E.g. /home/YOURUSER/.ssh/YOUR_PREFERRED_FILENAME.
  3. It will ask you to enter a custom password.
  4. You can verify if the key was successfully created, or check which keys you have, by using the command ls -la $HOME/.ssh. It will appear as YOUR_KEY_NAME and YOUR_KEY_NAME.pub.
1 Like
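The "REMOTE HOST IDENTIFICATION HAS CHANGED" output a few posts up and the ssh-keygen -R step above: before dropping the pinned entry, it is worth checking whether the key the server now presents really differs from what known_hosts has, because the warning is also what a man-in-the-middle produces. The script below is an added example, not code from this thread or from OpenSSH: it parses a known_hosts file (plain host lists and hashed |1|salt|hmac entries), computes the SHA256: fingerprint in the form ssh prints it, and classifies a presented key as pinned, unknown or changed. The hostname, salt and both keys are constructed sample data (valid ssh-ed25519 wire format, but not real keys).

```python
import base64
import hashlib
import hmac
import struct

def ssh_fingerprint(pubkey_line):
    """SHA256 fingerprint exactly as ssh/ssh-keygen -l print it (base64, no '=' padding)."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def host_matches(pattern, hostname):
    """Match a known_hosts host field: 'a,b' name list or hashed '|1|salt|hmac-sha1(salt, host)'.
    Wildcards and [host]:port syntax are not handled here."""
    if pattern.startswith("|1|"):
        salt, mac = (base64.b64decode(p) for p in pattern.split("|")[2:4])
        return hmac.compare_digest(hmac.new(salt, hostname.encode(), hashlib.sha1).digest(), mac)
    return hostname in pattern.split(",")

def known_host_keys(known_hosts_text, hostname):
    """Return (line number, key type, fingerprint) for every entry matching hostname."""
    found = []
    for n, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if not fields or line.startswith("#"):
            continue
        if fields[0].startswith("@"):            # drop @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) >= 3 and host_matches(fields[0], hostname):
            found.append((n, fields[1], ssh_fingerprint(" ".join(fields[1:3]))))
    return found

def check_host_key(known_hosts_text, hostname, presented_pubkey_line):
    """'ok' = presented key is pinned, 'unknown' = no entry yet, 'changed' = the warning case."""
    entries = known_host_keys(known_hosts_text, hostname)
    if not entries:
        return "unknown"
    return "ok" if ssh_fingerprint(presented_pubkey_line) in {e[2] for e in entries} else "changed"

def constructed_ed25519_pubkey(seed):
    """Constructed sample key line: correct wire format, arbitrary bytes instead of a real point."""
    raw = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@server.example"

# Constructed known_hosts: one plain entry and one hashed entry, both pinning OLD_KEY.
OLD_KEY, NEW_KEY = constructed_ed25519_pubkey(b"old"), constructed_ed25519_pubkey(b"new")
_SALT = b"constructed-salt-20b"                  # 20 bytes, the size OpenSSH uses
_HASHED = "|1|" + base64.b64encode(_SALT).decode() + "|" + base64.b64encode(
    hmac.new(_SALT, b"server.example", hashlib.sha1).digest()).decode()
KNOWN_HOSTS = f"server.example,192.0.2.10 {OLD_KEY}\n{_HASHED} {OLD_KEY}\n"

if __name__ == "__main__":
    for host, key in (("server.example", OLD_KEY), ("server.example", NEW_KEY), ("other.example", NEW_KEY)):
        print(host, check_host_key(KNOWN_HOSTS, host, key), ssh_fingerprint(key))
```

On a real machine the fingerprint to compare against is the one from the warning (or from ssh-keygen -lf on the server's /etc/ssh/ssh_host_ed25519_key.pub, obtained out of band); only a confirmed "changed" result is a reason to run ssh-keygen -R and re-add the host.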