Can you give best practices or instructions on how to generate key pairs with ssh-keygen2?
User keys

User keys are used in public-key authentication to authenticate a user. Generate a user key pair with the following command:

$ ssh-keygen2

Provide the passphrase twice. Choose a passphrase that is difficult to guess; spaces are allowed. This creates a public key (.pub extension) and a private key (no extension) in the $HOME/.ssh2 directory. The default file names are id_dsa_2048_a.pub and id_dsa_2048_a (assuming you do not change the file names or the key size). The default key size is 2048 bits for SSH Secure Shell 3.2 and above.

Host keys

Host keys are used to identify and authenticate server hosts when establishing connections using Secure Shell. Host keys must not be protected with a passphrase, because sshd2 has to load them unattended when it starts. The host keys are created during installation. You only need to regenerate them if there was a problem during installation or you wish to change your host keys.
Note that as an administrator, if you have users other than yourself connecting to your sshd2 daemon and you change the host key, you will want to notify your users of the change. If you do not, they will receive the warning message "host identification has changed" the next time they connect, because the host key they have saved on their disk for your server no longer matches the host key now presented by your sshd2 daemon, and they may not know how to respond to this warning. Run the following to print the fingerprint of your new public host key, and provide it to your users through a channel that cannot be tampered with (such as digitally signed email):

$ ssh-keygen2 -F /etc/ssh2/hostkey.pub

When a user connects and receives the warning that the host key has changed, they can compare the fingerprint of the new key with the fingerprint you provided and so confirm that they are connecting to the correct sshd2 daemon. Tell your users to notify you if the fingerprints do not match, or if they receive a message that the host key has changed without a corresponding notice from you. Adhering to this procedure consistently helps ensure that you do not become the victim of a man-in-the-middle attack: your users will notify you if the host key fingerprints ever fail to match, and you will also learn of it if a user reports a key change when you have not regenerated your host key pair.
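The comparison step above is only useful if the user can compute a fingerprint independently of the machine that presented the key. The following is an added example (not code from the original page or from SSH Communications Security) that reproduces, in Python so it runs offline, what the user does after the "host identification has changed" warning: read an SSH2-format public key file, compute its fingerprint, and check it against the fingerprint the administrator sent. It assumes that ssh-keygen2 -F prints the Bubble Babble encoding of the SHA-1 digest of the raw key blob, and that the key file has the "---- BEGIN SSH2 PUBLIC KEY ----" layout used by /etc/ssh2/hostkey.pub (and, in this editor's understanding, by the keys saved under $HOME/.ssh2/hostkeys/); both are stated as assumptions here, the Bubble Babble encoding itself follows the published algorithm. All key material in the block is constructed and is not a real key; fingerprints_match and verify_saved_hostkey are names chosen for this example.

```python
import base64
import hashlib
import textwrap

# Bubble Babble alphabet (the encoding SSH2 tools use for fingerprints).
VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"


def bubble_babble(data: bytes) -> str:
    """Bubble Babble encoding of a byte string, per the published algorithm.

    Published test vectors: b"" -> "xexax",
    b"1234567890" -> "xesef-disof-gytuf-katof-movif-baxux".
    """
    seed = 1
    out = ["x"]
    n = len(data)
    for i in range(n // 2 + 1):
        if i + 1 < n // 2 + 1 or n % 2 != 0:
            b1 = data[2 * i]
            out.append(VOWELS[(((b1 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b1 >> 2) & 15])
            out.append(VOWELS[((b1 & 3) + (seed // 6)) % 6])
            if i + 1 < n // 2 + 1:
                b2 = data[2 * i + 1]
                out.append(CONSONANTS[(b2 >> 4) & 15])
                out.append("-")
                out.append(CONSONANTS[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:
            # Even length: the final group encodes only the running seed.
            out.append(VOWELS[seed % 6])
            out.append(CONSONANTS[16])
            out.append(VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def ssh2_public_key_blob(text: str) -> bytes:
    """Decode the base64 body of an SSH2-format (ssh.com / RFC 4716) public key file.

    Header lines such as Comment: are skipped, including continuation lines
    that follow a trailing backslash.
    """
    lines = text.strip().splitlines()
    if (not lines
            or not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----")
            or not lines[-1].startswith("---- END SSH2 PUBLIC KEY ----")):
        raise ValueError("not an SSH2 public key file")
    body = []
    in_header = False
    for line in lines[1:-1]:
        if in_header or ":" in line:
            in_header = line.rstrip().endswith("\\")
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body))


def ssh2_public_key_file(blob: bytes, comment: str) -> str:
    """Wrap a blob in the SSH2 public key file layout (used to build sample input)."""
    header = " \\\n  ".join(textwrap.wrap(f'Comment: "{comment}"', 64))
    body = "\n".join(textwrap.wrap(base64.b64encode(blob).decode("ascii"), 70))
    return f"---- BEGIN SSH2 PUBLIC KEY ----\n{header}\n{body}\n---- END SSH2 PUBLIC KEY ----\n"


def fingerprint(key_file_text: str) -> str:
    """Bubble Babble of SHA-1 over the key blob (assumed to match ssh-keygen2 -F)."""
    return bubble_babble(hashlib.sha1(ssh2_public_key_blob(key_file_text)).digest())


def fingerprints_match(expected: str, observed: str) -> bool:
    """Compare fingerprints while tolerating case, surrounding whitespace and a
    'Fingerprint for key:' style prefix; only the last token of each is compared."""
    def token(s: str) -> str:
        parts = s.strip().lower().split()
        return parts[-1] if parts else ""
    return token(expected) != "" and token(expected) == token(observed)


def verify_saved_hostkey(saved_key_text: str, admin_fingerprint: str) -> bool:
    """What the user does after the warning: fingerprint the key the server
    presented and check it against the administrator's signed notice."""
    return fingerprints_match(admin_fingerprint, fingerprint(saved_key_text))


# Constructed sample: shaped like an ssh-dss blob, but NOT a real key.
CONSTRUCTED_BLOB = b"\x00\x00\x00\x07ssh-dss" + bytes(range(64))
CONSTRUCTED_HOSTKEY_PUB = ssh2_public_key_file(
    CONSTRUCTED_BLOB, "constructed example host key for this page, not a real key")


if __name__ == "__main__":
    fp = fingerprint(CONSTRUCTED_HOSTKEY_PUB)
    print("Fingerprint for key:", fp)
    print("matches administrator notice:", verify_saved_hostkey(CONSTRUCTED_HOSTKEY_PUB, fp))
```

In practice the user would read the saved key file for the server and paste the fingerprint from the administrator's signed email into verify_saved_hostkey; a single changed byte in the key blob produces an entirely different fingerprint, so a partial or approximate match is not a match.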