Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
To protect my VPS during uploads, I would like to use a Public/Private Key Pair instead of using a password.

I have spent the last few hours researching this topic, including reading the OS-X Man Pages, but that has just left me with more questions!

Questions:

1.) How do I create Keys that are for SSH-2?

2.) What Encryption Scheme is most secure?

3.) I assume I want to use 2048-bits, right?

4.) I saw some tutorials that include a Hostname or Email. Can someone explain how that works?

5.) In general, what do I need to do to provide the most security?

Thanks,


Debbie
 
Last edited:

mfram

Contributor
Jan 23, 2010
1,327
365
San Diego, CA USA
SSH is primarily used by people that use the Unix shell. Is that really what you're using, or did you just hear to 'use SSH' without really understanding what that means? If you are not comfortable with using a Unix shell, you probably shouldn't be thinking about SSH.

Maybe SSH is the correct solution for you. Maybe it's not. There are other alternatives as well. Such as using a VPN to connect to the network you're trying to get to and using other file transfer options.

There are SSH tutorials out there on the Internet. Just Google for them. The fact those tutorials are probably using Linux instead of Mac probably isn't significant. SSH works basically the same on Mac than it does on Linux.

You use the command 'ssh-keygen' to create a private/public key pair for SSH. The default parameters should be fine for you. Then you have to transfer your public key to the target system and set that key to be authorized for your account. The details on that transfer depend on what kind of system you are trying to authenticate to.

If you want security on the SSH connection, I would use 'aes256-ctr' as the stream cipher for the SSH link.

Once ssh is working, you can use rsync to transfer a directory tree from your system to the remote system assuming it's a Unix-based system. rsync operates over ssh by default. Thus, the file transfer would be secure.
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
SSH is primarily used by people that use the Unix shell. Is that really what you're using, or did you just hear to 'use SSH' without really understanding what that means? If you are not comfortable with using a Unix shell, you probably shouldn't be thinking about SSH.

Great, discourage a newbie. YES, I am talking about SSH and YES I need to use it to manage my VPS!


You use the command 'ssh-keygen' to create a private/public key pair for SSH. The default parameters should be fine for you.

But I didn't ask about "default" settings in my OP...


If you want security on the SSH connection, I would use 'aes256-ctr' as the stream cipher for the SSH link.

How does that relate to the type?


Once ssh is working, you can use rsync to transfer a directory tree from your system to the remote system assuming it's a Unix-based system. rsync operates over ssh by default. Thus, the file transfer would be secure.

Maybe some day I can learn rsync, but for now I plan on using CyberDuck.


Debbie
 

phrehdd

macrumors 601
Oct 25, 2008
4,377
1,365
Debbie, have you reviewed SFTP with Cyberduck?

I am not sure what you are trying to accomplish -

Secure the connection, secure (encrypt) the files or ... ?

SFTP is not uncommon for file transfers that require some facets of security.
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
Debbie, have you reviewed SFTP with Cyberduck?

I am not sure what you are trying to accomplish -

Secure the connection, secure (encrypt) the files or ... ?

SFTP is not uncommon for file transfers that require some facets of security.

I'm trying to *properly* set up SSH Public/Private Keys to authenticate my MBP using CyberDuck with my VPS...

And using the defaults from ssh-keygen is NOT good enough for me!

Sincerely,


Debbie
 

theluggage

macrumors 604
Jul 29, 2011
7,692
7,894
1.) How do I create Keys that are for SSH-2?
Code:
ssh-keygen -t rsa
- as described in every tutorial out there. -t rsa implies SSH v2.
3.) I assume I want to use 2048-bits, right?

It's the default for ssh_keygen.

4.) I saw some tutorials that include a Hostname or Email. Can someone explain how that works?

The user/hostname gets tagged onto the end of the public key - this is just a comment for reference and has no significance.

When you log in via SSH with a public key, it will keep track of the actual hostname and public key in a file .ssh/known_hosts and warn you when connecting to an unknown host or a host who's public key has changed.

5.) In general, what do I need to do to provide the most security?

You can potentially disable Telnet (although that's rarely enabled these days) and regular FTP on the VPS and (once you have a connection established) change sshd_config to only enable public-key logins. Be careful you don't lock yourself out or break your VPS control panel, though! If its a commercial VPS then you might not be able to eliminate password-based logins to the control panel.

And using the defaults from ssh-keygen is NOT good enough for me!

...then hire a security consultant, because the ssh-keygen defaults are unlikely to be the weakest link in your system.
 

2984839

Cancelled
Apr 19, 2014
2,114
2,240
ssh-keygen's default is 2048 bit RSA (version 2), so you don't need to do anything if you want 2048 bit keys. If you want larger keys, invoking ssh-keygen with the -b flag followed by the keysize will give you what you want. The -t flag will give you a different asymmetric cipher, such as ECDSA.

SSH will look for its config file in ~/.ssh/config. If there is no such file, it will read the system wide config file at /etc/ssh/ssh_config to get the symmetric cipher preferences, then attempt a connection using those ciphers in order. The default symmetric cipher order begins with aes-128-ctr, aes-192-ctr, aes-256-ctr (with many others following those). This is secure and fast enough for just about all uses. If you are trying to improve security by changing the symmetric cipher, you are attacking the wrong problem.


The most important thing you should do for security when using public key authentication is defend your private keys. That means securing the rest of your system so that nobody can steal them, and securing your machine when you are not physically present at it so that nobody can walk up to it and connect to your remote SSH server.
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
ssh-keygen's default is 2048 bit RSA (version 2), so you don't need to do anything if you want 2048 bit keys. If you want larger keys, invoking ssh-keygen with the -b flag followed by the keysize will give you what you want.

Okay, I wasn't sure on that when I originally posted.



The -t flag will give you a different asymmetric cipher, such as ECDSA.

From what I have read, "rsa" would be the most secure.


SSH will look for its config file in ~/.ssh/config. If there is no such file, it will read the system wide config file at /etc/ssh/ssh_config to get the symmetric cipher preferences, then attempt a connection using those ciphers in order. The default symmetric cipher order begins with aes-128-ctr, aes-192-ctr, aes-256-ctr (with many others following those). This is secure and fast enough for just about all uses. If you are trying to improve security by changing the symmetric cipher, you are attacking the wrong problem.

You lost me on this one...

I thought the switch -t specified the "type" (e.g. dsa, rsa, ecdsa)?

The Apple Developer Man Pages say...
-t type
Specifies the type of key to create. The possible values are ``rsa1'' for protocol version 1
and ``dsa'', ``ecdsa'' or ``rsa'' for protocol version 2.


So what is all of this stuff...
aes-128-ctr, aes-192-ctr, aes-256-ctr



The most important thing you should do for security when using public key authentication is defend your private keys. That means securing the rest of your system so that nobody can steal them, and securing your machine when you are not physically present at it so that nobody can walk up to it and connect to your remote SSH server.

I followed nearlly all of the advice on hardening a Mac when I bought my MBP two years ago, so I think I am covered there.

Plus, with SSH Public Key Authentication I can protect the Private Key with a secure passphrase - as opposed to those fools at FileZilla that put your credentials out in the open!! :rolleyes:

Thanks,


Debbie
 

mfram

Contributor
Jan 23, 2010
1,327
365
San Diego, CA USA
The public-key part of SSH is only used for authentication so that the server knows you are allowed to connect. I don't know what a "VPS" is, so I can't tell you how to configure it to allow your key. You create the private/public key pair for authentication and copy your public key to the system you want to authenticate to. The private key stays on your computer. It is your 'identity' and the file is called that.

Once you authenticate to the server, the SSH protocol does a key exchange to create the key used during your session to protect your data. After that, steam protocols like AES take over. That is the algorithm that actually protects your data. Protocol 'aes256-ctr' is probably the safest algorithm to use among the choices in the sense that it is the most studied protocol and is considered secure.

The system crypto design in SSH is a different design that public/private key systems like PGP. The designs are different because they have different assumptions about how they are being used.
 

doubledee

macrumors 6502
Original poster
May 14, 2012
496
0
Arizona
The public-key part of SSH is only used for authentication so that the server knows you are allowed to connect. I don't know what a "VPS" is, so I can't tell you how to configure it to allow your key. You create the private/public key pair for authentication and copy your public key to the system you want to authenticate to. The private key stays on your computer. It is your 'identity' and the file is called that.

Virtual Private Server...


Once you authenticate to the server, the SSH protocol does a key exchange to create the key used during your session to protect your data. After that, steam protocols like AES take over. That is the algorithm that actually protects your data. Protocol 'aes256-ctr' is probably the safest algorithm to use among the choices in the sense that it is the most studied protocol and is considered secure.

The system crypto design in SSH is a different design that public/private key systems like PGP. The designs are different because they have different assumptions about how they are being used.

So what would be the syntax to use "rsa (SSH-2)" and "aes256-ctr"??

This is the syntax I have settled on so far...
Code:
ssh-keygen -t rsa -b 4096

Sincerely,


Debbie
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.