openssh

ssh keygen RSA versus DSA

While generating ssh keys, I usually use RSA type since it can be used to generate 2048 bits key, while DSA is restricted to exactly 1024 bits.

ssh-keygen -t rsa -b 2048

Verifying SSH Key Fingerprint

If you've been given a public ssh host key and want to verify it before adding it permanently to your ssh known_hosts file:

Get the public ssh key:

$ ssh-keyscan -p 22 -t rsa,dsa {remote_host} > /tmp/ssh_host_rsa_dsa_key.pub

Get the ssh key fingerprint:

$ ssh-keygen -l -f /tmp/ssh_host_rsa_dsa_key.pub

Checking Ubuntu Servers for openssh and openssl vulnerable keys

  1. Update openssh and openssl packages
    # apt-get update
    # apt-get install openssh openssl
  2. Install openssh-blacklist and openssl-blacklist
    # apt-get install openssh-blacklist openssl-blacklist
  3. Check all ssh compromised keys via:
    # ssh-vulnkeys -a
  4. Check all ssl keys and certificates via:
    # openssl-vulnkeys *.key *.pem

    Note: Plesk specific ssl certs are stored at "/opt/psa/var/certificates/"

Comment