Well, one thing that was flagged on our initial audit: all local users' ssh-key private keys were set for aes128cbc.
So I will show you how you can use openssl to change the encryption cipher that's set on your private key. First, let's create an RSA and DSA keypair that's passphrase protected (encrypted).
As you can see, the key has been encrypted with AES-128-CBC by default for this host.
Okay, so now we have the private key crafted and encrypted with a passphrase.
Please use a strong passphrase in real life; socpuppets is not a strong passphrase.
So to change the encryption to aes256, we need to read the private key back in and write it back out while specifying a new passphrase.
and validation;
So that's how you can change the encryption format for your private key. Keep in mind that the passphrase's length and format matter most to how well a private key is protected. You should avoid DES and 3DES if possible.
Pick a good length and mix it up;
bad == socpuppets , 123456, changeme, password
good == " Security Is a MVst" , "I'm B88l3t Pr00f & Hack Pr00f!"
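The whole procedure described above (create an encrypted key, re-encrypt it with AES-256, validate), as an added example that is not from the original post. The passphrases, file names and helper function names are constructed for the demo, and it covers an RSA key only; passphrases are handed to openssl with `env:` so they do not show up on the command line.

```shell
#!/bin/sh
# Added example: passphrases and file names are constructed for the demo.
# env: keeps passphrases off the command line (and out of `ps` output).
export OLD_PASS='constructed old passphrase 1!'
export NEW_PASS='constructed NEW passphrase 2#'

# Print the cipher that protects an encrypted PEM private key (lower case).
key_cipher() {
    if grep -q '^DEK-Info:' "$1"; then
        # Traditional PEM: the cipher is named in the DEK-Info header.
        sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$1"
    else
        # PKCS#8 (what OpenSSL 3 writes by default): the cipher is an OID in
        # the unencrypted outer structure, readable without the passphrase.
        openssl asn1parse -in "$1" |
            grep -Eio '(aes-[0-9]+|des(-ede3)?)-cbc' | head -n 1
    fi | tr 'A-Z' 'a-z'
}

# Re-encrypt key $1 into $2 with AES-256-CBC under the new passphrase.
reencrypt_aes256() {
    ( umask 077   # the new private key file must not be group/world readable
      openssl rsa -aes256 -in "$1" -passin env:OLD_PASS \
                  -out "$2" -passout env:NEW_PASS )
}

# Succeed only if both files decrypt and hold the same key pair.
# $2 and $4 are the NAMES of the env vars holding each passphrase.
same_key() {
    a=$(openssl rsa -in "$1" -passin "env:$2" -pubout 2>/dev/null) || return 1
    b=$(openssl rsa -in "$3" -passin "env:$4" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
( umask 077
  openssl genrsa -aes128 -passout env:OLD_PASS -out "$work/id_rsa" 2048 )
echo "before: $(key_cipher "$work/id_rsa")"
reencrypt_aes256 "$work/id_rsa" "$work/id_rsa.aes256"
echo "after:  $(key_cipher "$work/id_rsa.aes256")"
# Keep the old file until this check passes, then swap the new one in.
if same_key "$work/id_rsa" OLD_PASS "$work/id_rsa.aes256" NEW_PASS; then
    echo "validation: same key pair, new cipher"
fi
```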
Ken Felix
Freelance Network/Security Engineer Mail Security Specialist
kfelix -----a----t---- socpuppets ---dot---com