Wednesday, December 17, 2014

howto: change the ssh encrypted private-key cipher

I was working on a site-security-checklist,  and one of the requirements was to use aes256 encryption.

Will one thing that was flagged on our initial audit,  all local users  ssh-key private-keys where set for  aes128cbc.

So I will show you how you  can use openssl to change the  private-key key encryption cipher that's set on your key. 1st let's create a rsa and dsa  keypair that's  passphrase protected ( encrypted )

As yo can see the  key  has been encrypted with  AES-128-CBC by default for this host.

Okay so now we have the private-key crafted, and encrypted with a passphrase.

Please use a strong passphrase in real life, socpuppets is not a strong passphrase

So to change the encryption to aes256, we need to read the  private-key back in and write it back out and while specifying a new passphrase

and validation;

So that's how you can change the encryption format for your private-key. Keep in mind the passphrase length and format is really the most secure item when it comes to a private-key. You should avoid des and 3des if possible

Pick a good length and mix it up;

bad  ==  socpuppets , 123456, changeme, password
good ==  " Security Is a MVst" , "I'm B88l3t Pr00f & Hack Pr00f!"

Ken Felix
Freelance Network/Security Engineer Mail Security Specialist
kfelix  -----a----t---- socpuppets ---dot---com

     ^    ^
 =( 1  1  )=
      /   \

No comments:

Post a Comment