0

Hello I'm working on switching all my keys to ed25519. I've ran this command:

ssh-keygen -t ed25519 -C "user on server"

now it generates a private key and a public key. I copy the public key into the authorized_keys on the HOST (server) and then I was doing these permissions (on the server of course):

HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

My login seems fine, I can login without password and it doesn't allow me to login with a password. On my client I have id_ed25519 and id_ed25519.pub.

One major question I have is why can I edit and change id_ed25519 (the private key) and change some letters in it without having login issues? It isn't until I've edited several letters that I get an error.

My other question is how would I generate a new key for a different server? I want separate keys for separate servers as some computers have access to these servers and others do not. as a security measure if a private / pub key got stolen I'd like to know that machine is compromised but the keys that weren't on that machine were not compromised.

Thanks.

Improve this question
5
  • I suggest you split your question into two questions. Generating keys for each server is perfectly valid approach, you just need to name each key differently.
    – djsmiley2kStaysInside
    Commented May 29, 2018 at 7:33
  • For the first question: this is how public-key cryptography works. I won't go into the details, but changing some values in the private key won't affect logging in (modulus is close enough).
    – Aulis Ronkainen
    Commented May 29, 2018 at 7:33
  • Alright thanks Aulis. Just wanted to make sure it wasn't something wrong with my side.
    – someguy
    Commented May 29, 2018 at 7:37
  • Not sure how to mark as answered it just says I'm not allowed to do anything. but that's all I was really looking for... that answer doesn't seem to be anywhere on the internet
    – someguy
    Commented May 29, 2018 at 7:39
  • @someguy You have to have an answer to mark it as accepted. Regardless of Aulis Ronkainen (and whether or not they intend to write up an answer), you can always write an answer to your own question and mark it as accepted.
    – Anaksunaman
    Commented May 29, 2018 at 13:02

1 Answer 1

Reset to default
0

I can provide the answers.

  1. "One major question I have is why can I edit and change id_ed25519 (the private key) and change some letters in it without having login issues? It isn't until I've edited several letters that I get an error."

You can in fact change some characters from your keys without getting an error. This is how public-key cryptography works. If you only change just a few characters the key will allow to login. This is because the implementation of checking the multiplication is still close enough to the correct one. It doesn't have to be an absolute match.

  1. "My other question is how would I generate a new key for a different server? I want separate keys for separate servers as some computers have access to these servers and others do not. as a security measure if a private / pub key got stolen I'd like to know that machine is compromised but the keys that weren't on that machine were not compromised."

I believe you can do that. Separate keys for separate servers can be configured to sshd. I'm not not quite sure what you are asking here. Could you please specify this? I mean, how else you would approach this?

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .