Here's a mini how-to for OpenSSH with curve25519
Config of /etc/ssh/ssh_config:
Host *
IdentityFile ~/.ssh/id_ed25519
IdentityFile ~/.ssh/id_rsa
PasswordAuthentication no
PubkeyAuthentication yes
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,[email protected]
# GitHub needs diffie-hellman-group-exchange-sha1 some of the time but not always.
Host github.com
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
In the upper part of /etc/ssh/sshd_config, review the HostKey settings:
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
And append the following at the end of /etc/ssh/sshd_config:
KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
MACs [email protected],[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,[email protected]
Then generate the ED25519 server key on each site as root:
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key < /dev/null
Restart the OpenSSH daemon: /etc/init.d/ssh restart
But please leave an SSH client connection open to that site, in case there's something wrong with the configuration!
User configuration for each user:
Delete the RSA (or DSA) fingerprints of each site that you would like to connect to primarily with ED25519 elliptic curves:
Or just remove all fingerprints:
Generate a new curve25519 client key:
ssh-keygen -t ed25519 -o -a 100
First ssh connection to each site should look like:
ED25519 key fingerprint is 00:db:08:ab:ca:ff:0e:11:21:93:b2:ad:37:47:b3:c4:df.
Are you sure you want to continue connecting (yes/no)? yes
Enter passphrase for key '/home/user/.ssh/id_ed25519':
If all of this doesn't work, maybe you didn't set the appropriate HostKey order: ssh_host_ed25519_key should be in first position in sshd_config!
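An added example (not part of the original how-to): a small shell check to run over sshd_config before restarting the daemon. It covers the HostKey order described above and the fact that sshd uses the first value it reads for a keyword, so lines appended at the end are ignored when the keyword was already set earlier. The function names, the sample config and the "weak" name patterns are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the how-to. Reads sshd_config-style text on stdin and
# prints one finding per line; no output means every check passed.
audit_sshd_config() {
    awk '
    { sub(/#.*/, ""); key = tolower($1) }   # drop comments; keywords are case-insensitive
    key == "hostkey" && ++nkeys == 1 { first = $2 }
    key == "kexalgorithms" || key == "ciphers" || key == "macs" {
        if (++count[key] > 1) {             # sshd keeps the first value it reads
            print "SHADOWED line " NR ": " $1 " is ignored, an earlier line wins"
            next
        }
        n = split($2, alg, ",")
        for (i = 1; i <= n; i++)            # weak-name patterns are an assumption of this example
            if (alg[i] ~ /sha1|md5|cbc|arcfour/)
                print "WEAK " $1 ": " alg[i]
    }
    END {
        if (first !~ /ed25519/)
            print "ORDER first HostKey is " (first == "" ? "missing" : first) ", expected the ed25519 key"
        split("kexalgorithms ciphers macs", want, " ")
        for (i = 1; i <= 3; i++)
            if (!(want[i] in count))
                print "UNSET " want[i] ": compiled-in defaults apply"
    }'
}

# Constructed sample input: RSA host key first, a SHA-1 key exchange, a CBC
# cipher, and a KexAlgorithms line appended at the end as the how-to describes.
sample_config() {
    cat <<'EOF'
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms diffie-hellman-group14-sha1
Ciphers aes256-ctr,aes128-cbc
# appended later:
KexAlgorithms diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512,hmac-sha2-256
EOF
}

sample_config | audit_sshd_config
```

On a real host, run `audit_sshd_config < /etc/ssh/sshd_config` and also `sshd -t`, which checks the configuration file for validity, before restarting the daemon.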