# ssh private key password



## Phishfry (Aug 6, 2018)

I am new to ssh public-private keys so I followed instructions on the web.
https://www.funzi.org/2015/03/01/basic-freebsd-hardening/

When I created my keys I was asked if I wanted to create a passphrase for the private key. I picked yes.
https://www.digitalocean.com/commun...-key-based-authentication-on-a-freebsd-server

So I see this 'passphrase' is an extra layer of security baked in. Is this a feature that everyone uses or is there specific use cases?
I used: `ssh-keygen -t ed25519`


What is this art used for? To share my public key?

```
The key's randomart image is:

+--[ED25519 256]--+

{SNIP}

+----[SHA256]-----+
```

Do I really need to create RSA keys too or is ed25519 alone fine? It is the only key I am using.


----------



## ShelLuser (Aug 6, 2018)

Phishfry said:


> I am new to ssh public-private keys so I followed instructions on the web.
> https://www.funzi.org/2015/03/01/basic-freebsd-hardening/


Interesting article. The only thing which seems a bit outdated to me is the advice to use security/denyhosts; depending on the services you're using you might get better results with blacklistd (which is also part of the base system).



Phishfry said:


> So I see this is an extra layer of security baked in. Is this a feature that everyone uses or is there specific use cases?


Depends. I definitely use passwords on my general private keys because it will disallow someone from "just" using my key to gain entry. However, I also use public key authentication for backup user(s) and then I usually don't use a password because it only hinders what I'm trying to do. The main idea is basically to keep the SSH server secured, and keys can achieve that _much_ better than passwords.



Phishfry said:


> What is this art used for? To share my public key?


Nah, you'll find your public key in ~/.ssh. Not sure about the artwork from mind, I never paid it much attention   If it has any specific meaning then I'm sure the ssh-keygen(1) page would say so.


----------



## Phishfry (Aug 6, 2018)

What is a reasonable timeframe for re-keying your keys? Monthly, Yearly, Never?

I am guessing you can push out the keychanges with `ssh-copy-id -p xxxxx` user@<keysites>
I started manually, I like this tool though.


----------



## Phishfry (Aug 6, 2018)

ShelLuser said:


> The only thing which seems a bit outdated to me is the advice to use security/denyhosts;


I actually went with security/sshguard (already using it locally).
Will look at blacklistd.
Thanks.


----------



## ShelLuser (Aug 6, 2018)

Phishfry said:


> What is a reasonable timeframe for re-keying your keys? Monthly, Yearly, Never?


It depends on the situation.

Just with computer security in general there really is no "one size fits all" procedure here. Everything should be picked up within context. Is your server under constant attacks? Then it might be a good idea to rekey within not too long timespans. Of course more important would be to keep that server secure. Maybe it's more interesting to check which account got targeted in the first place and do something about that.

Same applies to regular passwords. And then we need to take into consideration that a key is usually much longer (and more complex) than a password is.

I usually don't bother that much, but it heavily depends on the situation.


----------



## SirDice (Aug 6, 2018)

Phishfry said:


> What is this art used for?


It's a visual representation of the key's signature. It's easier for a human to compare two pictures than it is to compare two, long, strings of hexadecimal numbers.


----------



## Phishfry (Aug 6, 2018)

SirDice said:


> It's a visual representation of the key's signature.


Thanks, I don't use current smart phones but I thought maybe it was a VR thingy you scan. Just some ASCii art then.


----------



## SirDice (Aug 6, 2018)

It does look a bit like QR Code


----------



## Phishfry (Aug 6, 2018)

So I was thinking about my stolen laptop.
If I had setup the ssh keys without a password that could be a security disaster.(If I was deliberately targeted)
I guess that comes back to securing your keys on the local end too.

So just for my understanding, When I connect to my server over ssh now it asks for the passphrase.
I have traded a SSH login password for a ssh key passphrase.

Is unlocking the passhrase'ed key only available to the client machine with the key?
No random outsiders should get this far and get to try and guess right?
This is just part of they keychain validation between ssh/sshd parties if I understand right.
aka: Private Key will not give up its key unless passphrase is met.


----------



## SirDice (Aug 7, 2018)

Yes, the private key is the part that's protected by the passphrase. So in order to use that key someone needs to have access to both the private key and the passphrase. 

If you use Windows and PuTTY you can load the private key into Pageant. Pageant is the PuTTY SSH agent. The agent will ask for the passphrase when the key is loaded. Then all connections will automatically use the stored key through the agent. This way you'll only have to enter the passphrase once, when it's loaded into the agent.


----------

