Here's a Mini How-to for openssh with curve25519
Config of /etc/ssh/ssh_config:

Host *
    IdentityFile ~/.ssh/id_ed25519
    IdentityFile ~/.ssh/id_rsa
    PasswordAuthentication no
    PubkeyAuthentication yes
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

# Github needs diffie-hellman-group-exchange-sha1 some of the time but not always.
Host github.com
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
At the top of /etc/ssh/sshd_config, review the HostKey settings (the ed25519 key must be listed first):

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
And append the following at the end of /etc/ssh/sshd_config:

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
Then generate an ed25519 host key on each server as root (host keys get an empty passphrase, hence -N ''):

ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key < /dev/null
Restart the OpenSSH daemon: /etc/init.d/ssh restart
But leave an ssh client connection to that server open while you do this, in case something is wrong with the configuration!
User configuration for each user:
Delete the RSA (or DSA) host key fingerprints of each server you want to connect to primarily with ED25519 elliptic-curve keys:
ssh-keygen -R hostname
Or just remove all fingerprints:
rm ~/.ssh/known_hosts
Generate a new ed25519 (curve25519) client key (-o writes the new OpenSSH key format, -a 100 sets the number of KDF rounds protecting the passphrase):
ssh-keygen -t ed25519 -o -a 100
The first ssh connection to each server should look like this:

$ ssh host
ED25519 key fingerprint is 00:db:08:ab:ca:ff:0e:11:21:93:b2:ad:37:47:b3:c4:df.
Are you sure you want to continue connecting (yes/no)? yes
Enter passphrase for key '/home/user/.ssh/id_ed25519':
If none of this works, check the HostKey order: ssh_host_ed25519_key must be in the first position in sshd_config!
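As an added check (example script, not part of the original how-to), the following audits an sshd_config for the two things above: legacy algorithms left in the KexAlgorithms/Ciphers/MACs lines, and the HostKey order. It runs on a constructed sample config written to a temp file; point it at /etc/ssh/sshd_config to audit a real server.

```sh
#!/bin/sh
# Constructed sample: the directives this how-to appends to sshd_config,
# plus one deliberately weak MAC (hmac-md5) to show what the check flags.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-md5
EOF

# Print every algorithm listed under a directive ($2 = KexAlgorithms, Ciphers
# or MACs in $1) whose name matches a legacy pattern: SHA-1, MD5, RC4/arcfour,
# CBC mode, 3DES or 96-bit truncated MACs. Prints nothing when the line is clean.
weak_algos() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }' "$1" \
      | grep -Ei 'sha1|md5|arcfour|rc4|cbc|3des|-96' || true
}

# Succeed (exit 0) only if the first HostKey directive in $1 is the ed25519 key,
# which is the ordering the how-to's troubleshooting note depends on.
ed25519_hostkey_first() {
    first=$(awk '$1 == "HostKey" { print $2; exit }' "$1")
    [ "$first" = "/etc/ssh/ssh_host_ed25519_key" ]
}

# Report findings for the sample config.
for directive in KexAlgorithms Ciphers MACs; do
    for algo in $(weak_algos "$SAMPLE_CONFIG" "$directive"); do
        echo "legacy $directive entry: $algo"
    done
done
ed25519_hostkey_first "$SAMPLE_CONFIG" && echo "ed25519 host key is listed first"
```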