SSH

SSH Overview

Generate a secure SSH key

ED25519 keys require OpenSSH v6.5 or later.

ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519_admin -C "{my-email@domain.tld}"

You might need a second RSA key, because ED25519 private keys are saved in the new OpenSSH key format, which is only supported from OpenSSH v6.5 onward.

ssh-keygen -t rsa -b 4096 -a 100 -f ~/.ssh/id_rsa_admin -C "{my-email@domain.tld}"

Information

Read a private key and output the public key (e.g. to validate the passphrase):

ssh-keygen -y -f ~/.ssh/id_ed25519_admin
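The private key format mentioned above can be checked without a passphrase, because it is visible in the first line of the key file. The following script is an added example, not part of the original page: it reports the container format of each private key in a directory and flags keys that group or others can access. The function names and the report layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. Sample paths are chosen by the caller.

# key_format FILE: classify a private key by its first line only.
# Nothing is decrypted, so no passphrase is needed.
key_format() {
    header=''
    IFS= read -r header < "$1" || :   # tolerate empty files and a missing final newline
    case "$header" in
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            echo openssh ;;   # format supported from OpenSSH 6.5; ED25519 always uses it
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----'|'-----BEGIN DSA PRIVATE KEY-----')
            echo pem ;;       # older PEM container
        *)
            echo unknown ;;   # public keys, config, known_hosts, ...
    esac
}

# perms_ok FILE: succeed only if group and others have no permission bits set.
perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = '------' ]
}

# audit_keys DIR: print "<name> <format> <ok|loose-perms>" per private key.
# Returns 1 if any private key is accessible to group or others.
audit_keys() {
    result=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        fmt=$(key_format "$f")
        [ "$fmt" = unknown ] && continue
        if perms_ok "$f"; then state=ok; else state=loose-perms; result=1; fi
        printf '%s %s %s\n' "$(basename "$f")" "$fmt" "$state"
    done
    return "$result"
}

# Audit the directory given as first argument, e.g. ~/.ssh.
if [ "$#" -gt 0 ]; then audit_keys "$1"; fi
```

A key reported as loose-perms can be fixed with chmod 600 on the private key file.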

SSH-Agent Configuration with KeepassXC

GNOME

GNOME Keyring is used by default.

# Check the status of the service
systemctl --user status gnome-keyring-daemon.s*

Disable it if you want to use the ssh-agent service.

KDE Plasma

Use the ssh-agent service shipped with OpenSSH.

# Enable the service
systemctl --user enable ssh-agent.service
# Configure env var for user session
mkdir -p ~/.config/environment.d
cat << EOF > ~/.config/environment.d/ssh_auth_socket.conf
SSH_AUTH_SOCK="\${XDG_RUNTIME_DIR}/ssh-agent.socket"
EOF
# Stop and disable the GNOME Keyring daemon if enabled (these are user units, hence --user)
systemctl --user stop gnome-keyring-daemon.socket gnome-keyring-daemon.service
sudo systemctl --global disable gnome-keyring-daemon.socket

[https://wiki.archlinux.org/title/SSH_keys#Start_ssh-agent_with_systemd_user]
[https://devopstales.github.io/linux/ssh-credential-in-keepassxc/]

Resources

https://risanb.com/code/upgrade-ssh-key-to-ed25519/
https://wiki.archlinux.org/title/SSH_keys
https://dancroak.com/ssh-ed25519
https://tutox.fr/2020/04/16/generer-des-cles-ssh-qui-tiennent-la-route/
https://homputersecurity.com/2017/04/21/authentication-en-deux-etapes-sur-un-serveur-ssh-cle-publique-code-totp/