-
Notifications
You must be signed in to change notification settings - Fork 14
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
c7b6774
commit 4a905e4
Showing
1 changed file
with
29 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,31 @@ | ||
| keycrypt | ||
| ====== | ||
|
|
||
| Generate new SSH key and Encrypt with OpenSSL | ||
| #keycrypt | ||
|
|
||
| One of the main purposes of this script is automating the ideas from [Martin Kleppmann](http://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html) | ||
| _keycrypt_ is a wrapper for generating __SSH Keys__ and then encrypting them with __OpenSSL__. _keycrypt_ offers other features like copying the pubkey from your local machine to a remote host. This can even be done as part of the create step! | ||
|
|
||
| ####Current Features | ||
| - SSH Key Creation | ||
| - SSH Key Encryption with OpenSSL | ||
| - Copying PubKey to Remote Server (similar to [ssh-copy-id](http://linux.die.net/man/1/ssh-copy-id)) | ||
|
|
||
| ####Future Features | ||
| - Improved PubKey Copying | ||
| - Scanning for unencrypted keys and prompting for encryption | ||
|
|
||
| ###Why would I need this? | ||
|
|
||
| The default encryption that ships with SSH isn't the most secure, it comprises of the following: | ||
|
|
||
| > The header tells us the encryption algorithm that was used: AES-128 in CBC mode. The 128-bit hex string in the DEK-Info header is the initialization vector (IV) for the cipher. This is pretty standard stuff; all common crypto libraries can handle it. | ||
| [Martin Kleppmann](http://martin.kleppmann.com) has show below that there are two primary weaknesses in the way SSH encrypts it's keys: | ||
| > - The digest algorithm is hard-coded to be MD5, which means that without changing the format, it’s not possible to upgrade to another hash function (e.g. SHA-1). This could be a problem if MD5 turns out not to be good enough. | ||
| - The hash function is only applied once — there is no stretching. This is a problem because MD5 and AES are both fast to compute, and thus a short passphrase is quite easy to break with brute force. | ||
|
|
||
| From this it was devised that we could get a higher level of security from using [OpenSSL](http://openssl.org). As such I wanted to automate the process of creating an SSH key and then encrypting it with OpenSSL, and _keycrypt_ was born. | ||
|
|
||
|
|
||
| --- | ||
| ###Credits | ||
|
|
||
| This idea was fostered from an article written by [Martin Kleppmann](http://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html) |