SSH Key Sharing

Introduction

This article shows how to generate SSH key pairs and distribute the public half to the servers you manage, comparing RSA 4096-bit and Ed25519 keys. Only the public key is ever shared; the private key stays on the client and is what the passphrase, agent and hardware-token advice below is protecting.

Generating Strong Keys

To create robust keys:

# RSA 4096-bit key (the -C comment labels the key in authorized_keys, so give it an owner)
ssh-keygen -t rsa -b 4096 -C "you@example.com"

# Ed25519 (256-bit key; needs OpenSSH 6.5 or later on both ends)
ssh-keygen -t ed25519 -C "you@example.com"

# Both commands prompt for a passphrase; add -a 100 to raise the KDF rounds
# that slow down offline guessing if the private key file is ever stolen.

  • RSA 4096: supported by every SSH implementation still in use, but keys and signatures are large and sign/verify is slower.
  • Ed25519: compact keys, a modern curve with a 128-bit security level and faster operations; prefer it unless a server is too old to accept it.

Sharing Your Keys

Copy the public key (never the private one) to the remote server. ssh-copy-id logs in with your password once, appends the key to ~/.ssh/authorized_keys and sets the directory permissions:

ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remote_host

Or manually, with a restrictive umask so that a newly created ~/.ssh and authorized_keys come out as 700 and 600. With StrictModes (the sshd default) a key file that is writable by other users is silently ignored, which is the most common reason a freshly copied key "does not work":

cat ~/.ssh/id_ed25519.pub | ssh user@remote_host "umask 077; mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
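The manual command above as a reusable script, an added example that is not code from the original article or from OpenSSH. It refuses anything that does not look like an OpenSSH public-key line, creates ~/.ssh and authorized_keys with the permissions sshd requires, and appends the key only if the same key material is not already there, so re-running it on a host you already have access to is harmless. The key string in the comments is a constructed, format-shaped example and not a real key; `install_key.sh` is an assumed file name.

```shell
#!/bin/sh
# Added example (not from the original article): the manual authorized_keys
# install done safely. ssh-copy-id already does all of this; use this where
# it is unavailable, e.g. pushed over ssh with the key as argument:
#   ssh user@remote_host "sh -s -- '$(cat ~/.ssh/id_ed25519.pub)'" < install_key.sh
#
# install_authorized_key "<public key line>" [authorized_keys path]
install_authorized_key() {
    key=$1
    dest=${2:-"$HOME/.ssh/authorized_keys"}
    dir=$(dirname "$dest")

    # Accept only a line carrying a known key type followed by a base64 blob.
    # Every OpenSSH blob starts with "AAAA" (a big-endian length whose top
    # bytes are zero). Options such as restrict or from="..." may precede it.
    if ! printf '%s\n' "$key" | grep -Eq \
        '(^|[[:space:]])(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) AAAA[A-Za-z0-9+/]+=*([[:space:]]|$)'; then
        echo "refusing: not an OpenSSH public key line" >&2
        return 2
    fi
    blob=$(printf '%s\n' "$key" | grep -Eo 'AAAA[A-Za-z0-9+/]+=*' | head -n 1)

    # sshd (StrictModes yes, the default) ignores authorized_keys when the
    # directory or the file is writable by anyone but the owner.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -e "$dest" ] || : > "$dest"
    chmod 600 "$dest" || return 1

    # Idempotent: match on the key material, not on the comment, so the same
    # key re-sent with a different label is still recognised as present.
    if grep -qF -- "$blob" "$dest"; then
        echo "already present in $dest" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$dest"
    echo "installed into $dest" >&2
}

# Script entry point: install the key given as the first argument
# (constructed example key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHf7qL0eXaMpLeKeY0nLyNoTaReAlKeY1234567890ab alice@laptop").
if [ -n "${1:-}" ]; then
    install_authorized_key "$1"
fi
```

Matching on the blob rather than the whole line means a second copy of the same key with tighter options (for example a `restrict,from=...` prefix) is reported as already present instead of being appended; edit the existing line in that case, since sshd uses the first matching entry.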

Security & Best Practices

  • Protect your private key with a passphrase, and load it into ssh-agent so you type the passphrase once per session instead of storing it anywhere.
  • Use agent forwarding (ssh -A) with caution: only toward hosts you trust as much as your own workstation.
  • Distribute authorized_keys with configuration management (e.g. Ansible) rather than by hand, so every installed key is tracked and can be revoked from one place; keep any secrets those playbooks need in Ansible Vault.

Conclusion

Well-managed SSH keys replace guessable, reusable passwords with strong public-key authentication and simplify remote access management; the SSH transport is encrypted with either method, so the gain is in who can log in, not in confidentiality. RSA remains valuable for legacy environments, while Ed25519 is recommended for modern deployments.

Advanced Security, Key Lifespan and When to Avoid Using SSH Keys

  • Passphrase Protection:
    Always secure your private key with a strong passphrase (at least 12 characters, mixing letters, numbers and symbols). Without one, a stolen key file is immediately usable by an attacker; with one, the attacker must first guess the passphrase, and ssh-keygen's key derivation (tunable with -a) is deliberately slow to make that expensive.
  • Key Lifespan & Rotation:
    Key material does not weaken with age; rotation limits how long a key that was silently copied stays useful. Set a fixed interval by policy (every 1–2 years is common) and rotate immediately if compromise is suspected, when a key holder leaves, or when the key was used from a machine you no longer trust. Rotate by installing the new public key alongside the old one, confirming the new key logs in, and only then removing the old line from authorized_keys. sshd can also enforce a hard lifetime on its own: the expiry-time="YYYYMMDD" option in authorized_keys makes a key stop working after that date.
  • Usage Restrictions:
    – Don't use the same key for both critical and non‑critical systems: generate separate pairs (e.g. staging vs. production), so that a compromise of one tier does not hand over the other.
    – On the server side, limit what an accepted key may do with authorized_keys options such as from="host or network", restrict and command="...".
    – Avoid agent forwarding to untrusted servers. Root on the remote host cannot read your private key (it never leaves your machine), but can use the forwarded agent socket to authenticate as you anywhere that key is accepted, for as long as your session stays open. For multi-hop access prefer ProxyJump (ssh -J), which needs no forwarding at all.
  • When to Prefer Passwords or Other Methods:
    – Keys should be the default. A strong password combined with 2FA is the fallback only where private keys cannot be managed or protected on the client side.
    – For one‑off or disposable hosts, avoid long-lived keys altogether: use OTP (One‑Time Password) sessions or short-lived SSH certificates issued by tools like Teleport, so access expires on its own instead of lingering in authorized_keys.
  • Hardware Tokens & HSMs:
    For maximum security, keep the private key on an external device (a YubiKey or other FIDO2 token, a smartcard, or an HSM) so it never exists as a readable file. OpenSSH 8.2 and later generate such keys natively with ssh-keygen -t ed25519-sk; the file left on disk is then only a handle that is useless without the token.
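The rotation, usage-restriction and lifespan points above all start from the same question: what is currently in authorized_keys and who owns it? Below is an added example, not from the original article, that inventories a file and flags what a rotation should act on: DSA keys that sshd refuses by default, RSA keys whose bit length still has to be checked, duplicated key material, keys without an owner comment, and keys with neither a `restrict` nor an `expiry-time` option. The sample file is constructed from format-shaped, non-functional blobs; the 3072-bit threshold in `rsa_below_min_bits` is an assumed policy value, not an OpenSSH rule.

```shell
#!/bin/sh
# Added example (not from the original article): inventory an authorized_keys
# file before rotating keys. One tab-separated line per key with findings:
#   <line>  <type>  <comment>  <findings>
audit_authorized_keys() {
    awk '
    # skip blank lines and comments
    /^[[:space:]]*(#|$)/ { next }
    {
        # The key type is the first field naming a known algorithm; anything
        # before it is options (which may contain quoted spaces).
        t = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) { t = i; break }
        if (!t || t == NF) { printf "%d\tUNPARSEABLE\t\t%s\n", NR, $0; next }
        opts = ""; for (i = 1; i < t; i++) opts = opts $i " "
        type = $t; blob = $(t + 1)
        comment = ""; for (i = t + 2; i <= NF; i++) comment = comment (i > t + 2 ? " " : "") $i

        f = ""
        if (type == "ssh-dss") f = f " DSA-disabled-by-default"    # refused by sshd since OpenSSH 7.0
        if (type == "ssh-rsa") f = f " RSA-check-length"           # bit length needs ssh-keygen, see below
        if (blob in seen) f = f " DUPLICATE-of-line-" seen[blob]; else seen[blob] = NR
        if (comment == "") f = f " NO-OWNER-COMMENT"               # nobody to ask before revoking
        if (opts !~ /(^|,)restrict(,|[[:space:]])/) f = f " NO-restrict"   # forwarding and pty all allowed
        if (opts !~ /expiry-time=/) f = f " NO-expiry"             # key never lapses on its own
        if (f != "") printf "%d\t%s\t%s\t%s\n", NR, type, comment, substr(f, 2)
    }' "$1"
}

# The RSA bit length lives inside the base64 blob, so let the real parser read
# it: ssh-keygen -l accepts an authorized_keys file and prints
# "<bits> <fingerprint> <comment> (<TYPE>)" per key. List RSA keys below a
# policy minimum (3072 is an assumed threshold for this example).
rsa_below_min_bits() {
    ssh-keygen -lf "$1" | awk -v min="${2:-3072}" '$NF == "(RSA)" && $1 < min'
}

# Constructed sample: the blobs are format-shaped strings, not real keys.
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# constructed sample, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHf7qL0eXaMpLeKeY0nLyNoTaReAlKeY1234567890ab alice@laptop
restrict,expiry-time="20261231" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBobSkEyExAmPlEcOnStRuCtEdNoTrEaL00000000001 bob@ops
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexAmPlErSaBlObCoNsTrUcTeD
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHf7qL0eXaMpLeKeY0nLyNoTaReAlKeY1234567890ab alice@desktop
ssh-dss AAAAB3NzaC1kc3MAAACBAexAmPlEdSaCoNsTrUcTeD legacy@box
restrict,from="10.0.0.0/8",command="/usr/local/bin/backup --verify",expiry-time="20260630" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcCoNsTrUcTeDsAmPlEkEyThReE0000000000000 backup@nas
EOF
}

# Run the audit over the constructed sample:  sh audit_keys.sh demo
demo() {
    f=$(mktemp)
    write_sample_authorized_keys "$f"
    audit_authorized_keys "$f"
    rm -f "$f"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

On the sample, lines 3 and 7 (restricted, expiring keys with an owner) produce no output, while the unrestricted alice@laptop key, its duplicate on line 5, the unlabeled RSA key and the DSA key are each reported with their findings. Run `rsa_below_min_bits authorized_keys` separately on a host with ssh-keygen to finish the RSA check; `audit_keys.sh` is an assumed file name.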