HOWTO
Generate Secure and Future-Proof SSH Keys
As a Cardano Stake Pool Operator (SPO) you are responsible for the health and security of your part of the Cardano network. As a first step, access to your node or relay must be protected with at least two-factor authentication (2FA): something you know (a passphrase) and something you have (a private key stored only on your laptop).
SSH is the most common tool for remotely administering a Linux server. It is installed by default on Linux workstations and servers, and recent versions of Windows 10 ship it as an optional component.
SSH comes with a bewildering number of options. How do you create the most secure key pair for connecting to your Cardano node or relay (or any Linux server)?
Relax, we got you covered, read on!
Generic Recommendations
Four rules you must follow:
- Generate the SSH keys on your Linux or Windows workstation, never on the (cloud) server. The private key must never leave the machine it was created on; anyone with access to the server, including the hosting provider, could otherwise copy it.
- Update your Linux or Windows operating system before generating keys. Software can contain bugs, so make certain that you are running the latest version of ssh-keygen and the libraries it depends on.
- Protect the private key with a long passphrase. If someone gets hold of the key file, the passphrase is the only thing left protecting it; an unencrypted key file is immediately usable by whoever copies it.
- Choose the best future-proof cryptography available; currently this is Ed25519, an elliptic-curve signature scheme. It gives small, fast keys and, unlike RSA, has no key-size parameter to get wrong. No worries, just follow the next steps.
Linux SSH Key Creation
Just a reminder, this needs to be done on your workstation.
First of all, and very important if you run Linux (we prefer Ubuntu 20.04 LTS) in a container or virtual machine: ensure that the system has enough entropy. Key generation draws on the kernel's random number generator, and on a freshly booted virtual machine with few entropy sources it can block until the random pool is initialised. The haveged daemon feeds additional entropy to the kernel:
sudo apt install -y haveged
Open a terminal and run the following (replace nobody@example.com with your email address or any identifier you want to use as the key comment):
ssh-keygen -t ed25519 -C "nobody@example.com"
This gives output similar to the one below. Remember to use a long passphrase.
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/nobody/.ssh/id_ed25519):
Created directory '/home/nobody/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/nobody/.ssh/id_ed25519
Your public key has been saved in /home/nobody/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:GvjyRBp3XFluApaMWFuxbe7FDQ+SG+DyYRc2ei0qpXY nobody@example.com
The key's randomart image is:
+--[ED25519 256]--+
| 0.o*o+ . |
| . .=oB O |
| o B & * |
| . B O O = |
| E B S o o o |
| B * . . |
| = + . |
| + |
| . |
+----[SHA256]-----+
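Once the key exists it is worth checking that it is what you asked for: the right algorithm, actually encrypted with the passphrase, the private and public halves belonging together, and the private key readable only by you. The script below is an added example, not part of the original HOWTO. It assumes OpenSSH's ssh-keygen is on PATH; the file names, comment and passphrase it uses are placeholders. The same ssh-keygen flags work in PowerShell on Windows, but the script itself is written for a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): generate an Ed25519 key the
# way the text describes and then verify the result, so you know the file
# in ~/.ssh is what you think it is. Assumes OpenSSH's ssh-keygen is on
# PATH; every path, comment and passphrase below is a placeholder.
set -eu

# generate_key KEYFILE COMMENT PASSPHRASE
# -a 100 raises the number of KDF rounds protecting the private key, so a
# stolen key file costs an attacker more per passphrase guess. Passing the
# passphrase with -N is for scripted use only: interactively, omit -N and
# let ssh-keygen prompt, so the passphrase never lands in shell history.
generate_key() {
  ssh-keygen -q -t ed25519 -a 100 -C "$2" -N "$3" -f "$1"
}

# key_type KEYFILE -> prints the algorithm from the fingerprint line,
# e.g. "ED25519" (ssh-keygen -l prints "256 SHA256:... comment (ED25519)")
key_type() {
  ssh-keygen -l -f "$1.pub" | sed -n 's/.*(\([A-Z0-9-]*\))$/\1/p'
}

# passphrase_required KEYFILE -> succeeds only if the private key cannot be
# loaded with an empty passphrase, i.e. it really is encrypted
passphrase_required() {
  if ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1; then
    return 1
  fi
}

# pubkey_matches KEYFILE PASSPHRASE -> succeeds if the public key derived
# from the private key equals the stored KEYFILE.pub. Only type and key
# blob are compared: older ssh-keygen versions omit the comment from -y.
pubkey_matches() {
  derived=$(ssh-keygen -y -P "$2" -f "$1" 2>/dev/null | awk '{print $1, $2}')
  stored=$(awk '{print $1, $2}' "$1.pub")
  [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# private_key_mode KEYFILE -> prints the permission bits, e.g. 600
# (GNU stat first, BSD/macOS stat as fallback)
private_key_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_key KEYFILE PASSPHRASE -> runs every check and prints a verdict line
check_key() {
  echo "type:      $(key_type "$1")"
  passphrase_required "$1" && echo "encrypted: yes" || echo "encrypted: NO, key file is unprotected"
  pubkey_matches "$1" "$2" && echo "pair:      consistent" || echo "pair:      MISMATCH (wrong passphrase or mixed-up files)"
  echo "mode:      $(private_key_mode "$1") (expected 600)"
}

# Command-line use: sh ssh-key-check.sh ~/.ssh/id_ed25519 'your passphrase'
# Without arguments the script only defines the functions above.
[ $# -eq 0 ] || check_key "$1" "${2:-}"
```

Run it against the key you just created; every line should read as expected (ED25519, encrypted yes, pair consistent, mode 600). An "encrypted: NO" means you pressed Enter at the passphrase prompt and should regenerate the key.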
Windows SSH Installation and Key Creation
Install OpenSSH
The OpenSSH client is an installable feature of recent versions of Windows 10. To install it:
- Open Settings
- Go to Apps > Apps and Features > Manage Optional Features
- Locate OpenSSH Client, then click Install.
Create an SSH Key
The process is exactly the same as on Linux. Open a PowerShell window and run the following (replace nobody@example.com with your email address or any identifier you want to use as the key comment):
ssh-keygen -t ed25519 -C "nobody@example.com"
This gives output like the following. Remember to use a long passphrase.
Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Users\nobod/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\nobod/.ssh/id_ed25519.
Your public key has been saved in C:\Users\nobod/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:KNaw/EdgE350THLYW1ymjvrB6XYAH3t5Tn1Cwu3eDfg nobody@example.com
The key's randomart image is:
+--[ED25519 256]--+
| . +=+. .o |
| . o.+o Eo |
| . = . *. |
| . = =. =+o . |
| o o So.+.* . |
| . o . o+.+ * o|
| . o +o = o.|
| . o... + |
| .o. . |
+----[SHA256]-----+
Conclusion
We now have a secure and future-proof SSH key pair. Keep the private key safe and never copy it to a server. Install only the public key (the .pub file) on every host you need to connect to, or hand it to the system administrators who can grant you the needed access.
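Installing the public key means appending one line to ~/.ssh/authorized_keys for the right user on the server; ssh-copy-id does exactly this when you still have password access to the host. The function below is an added example rather than part of the original HOWTO: it does the same job on the server itself, idempotently (re-running it never produces duplicates, even if the key comment changed) and with the permissions that sshd's default StrictModes setting requires before it will read the file at all. The key file path and home directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): install an OpenSSH public
# key into a user's authorized_keys, idempotently and with the permissions
# sshd insists on. Paths are placeholders; run it on the target host as the
# user who should be allowed to log in.
set -eu

# install_pubkey PUBFILE [HOME_DIR]
# Appends the first line of PUBFILE to HOME_DIR/.ssh/authorized_keys unless
# the same key blob is already present. The comparison is on the base64
# field only, so a key re-exported with a different comment is still
# recognised as a duplicate. ~/.ssh is made 700 and the file 600: with
# StrictModes yes (the default) sshd silently ignores looser permissions.
install_pubkey() {
  pub=$1
  home=${2:-$HOME}
  dir="$home/.ssh"
  auth="$dir/authorized_keys"

  # A public key line looks like "<type> <base64 blob> [comment]"
  keytype=$(awk 'NR == 1 { print $1 }' "$pub")
  blob=$(awk 'NR == 1 { print $2 }' "$pub")
  case "$keytype" in
    ssh-ed25519|sk-ssh-ed25519@openssh.com|ecdsa-sha2-*|ssh-rsa) ;;
    *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
  esac
  [ -n "$blob" ] || { echo "missing key blob in $pub" >&2; return 1; }

  mkdir -p "$dir"
  chmod 700 "$dir"
  touch "$auth"
  chmod 600 "$auth"

  if grep -qF -- "$blob" "$auth"; then
    echo "already installed: $keytype $(printf '%s' "$blob" | cut -c1-12)..."
    return 0
  fi
  # If an earlier edit left the file without a trailing newline, appending
  # would glue our key onto the previous line and break both entries.
  [ -s "$auth" ] && [ -n "$(tail -c1 "$auth")" ] && echo >> "$auth"
  awk 'NR == 1' "$pub" >> "$auth"
  echo "installed: $keytype $(printf '%s' "$blob" | cut -c1-12)... into $auth"
}

# count_keys [HOME_DIR] -> number of key lines in authorized_keys
# (blank lines and # comments are not counted)
count_keys() {
  auth="${1:-$HOME}/.ssh/authorized_keys"
  [ -f "$auth" ] || { echo 0; return 0; }
  awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$auth"
}

# Command-line use: sh install-pubkey.sh /path/to/id_ed25519.pub
# Without arguments the script only defines the functions above.
[ $# -eq 0 ] || install_pubkey "$@"
```

After installing, test from your workstation with ssh -o PasswordAuthentication=no user@host so that you see whether the key alone is accepted; only once that works should you consider turning off password logins on the server.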