How To Generate Ed25519 SSH Keys, Install Them, and Configure Secure

Article from video

ssh-keygen -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "hans@detroityodelingcompany.com"

Hey, nice video on the basics. I’d be really interested in the “jump-box” video follow-up, as I’ve never done anything like this before.

I ran across a story on Ars Technica the other day talking about ssh exploits: https://arstechnica.com/information-technology/2020/08/new-p2p-botnet-infects-ssh-servers-all-over-the-world/
Many of the comments to this article mentioned setting up 2-Factor Authentication to mitigate risk. I went ahead and set up 2FA using Duo (Google Authenticator is another option) as the 2FA method, which works in conjunction with the PAM authentication module to add the 2FA scheme. Surprisingly, this was a lot easier to set up than I thought it would be. My only gripe with 2FA, however, is that I use Ansible scripts to perform a lot of server maintenance functions (which use ssh to contact the various servers). I haven’t found a way yet that would allow ssh with 2FA for regular users and not use 2FA for the Ansible user. Automated scripts don’t work well with 2FA enabled, unfortunately. I’d be open to ideas on how this could be done from any of the people that “do this stuff for a living”.

For systems using Ansible or other automation where 2FA is not practical, those systems will either not have SSH exposed to the internet, or it will be filtered to only allow access from specific IP addresses.
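One way to express the split the reply above describes, as an added example and not code from the thread: a constructed sshd_config fragment that requires a key plus the PAM second factor (the Duo/Google Authenticator module is reached through keyboard-interactive) for everyone, but lets a hypothetical `ansible` account connecting from a trusted management subnet authenticate with its key alone. The small evaluator below it is a simplification of sshd's own Match handling (exact user names and CIDR addresses only) that shows which options apply to a given user and source address.

```python
import ipaddress
import shlex

# Constructed sample sshd_config (not from the thread). Everyone authenticates
# with a key and then the PAM second factor; the automation account, only when
# it comes from the management subnet, is exempted from the second factor.
SAMPLE_SSHD_CONFIG = """
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

Match User ansible Address 192.0.2.0/24
    AuthenticationMethods publickey
"""


def _match_criteria(criteria, user, addr):
    """True when every User/Address pair on a Match line is satisfied."""
    for key, pattern in zip(criteria[0::2], criteria[1::2]):
        key = key.lower()
        if key == "user":
            if user not in pattern.split(","):
                return False
        elif key == "address":
            nets = [ipaddress.ip_network(n, strict=False) for n in pattern.split(",")]
            if not any(ipaddress.ip_address(addr) in n for n in nets):
                return False
        else:
            raise ValueError(f"unsupported Match criterion: {key}")
    return True


def effective_options(config_text, user, addr):
    """Options sshd would apply to a connection from user@addr.

    Global keywords are collected first; keywords in a matching Match block
    override them. For both, the first value seen for a keyword wins, as in
    sshd's servconf parsing; keywords under a non-matching block are ignored.
    """
    global_opts, match_opts = {}, {}
    in_match, active = False, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, *args = shlex.split(line)
        key = key.lower()
        if key == "match":
            in_match, active = True, _match_criteria(args, user, addr)
        elif not in_match:
            global_opts.setdefault(key, " ".join(args))
        elif active:
            match_opts.setdefault(key, " ".join(args))
    return {**global_opts, **match_opts}
```

Pair the Match block with a firewall rule restricting the same subnet, as the reply suggests; the config alone only decides which factors a connection needs once it reaches sshd.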

I watched the video, excellent info but have an issue I can’t solve.

I am trying to use an ed25519 ssh key on my CentOS 8 server. No problems uploading the key and using the key with the server, it works great, but when I try to change PasswordAuthentication, ChallengeResponseAuthentication and UsePAM to no I get the error: ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY (code=exited, status=255).

According to RHEL, using the command
update-crypto-policies --show
shows the server is in DEFAULT mode.

They suggest changing the mode to FUTURE: How to customize crypto policies in RHEL 8.2

Policy mode breakdown (there are 4 modes): Chapter 3. Using system-wide cryptographic policies, Red Hat Enterprise Linux 8 | Red Hat Customer Portal

I can still log into my server using the ed25519 key, but can’t turn passwords off.

Before I do any damage to my server or lock myself out, has anyone experienced this, and if so, how did you remedy it?

I really don’t want to use an rsa key since the newer and more secure ed25519 ssh key does work.

Should the same approach work for non-root accounts too?

Tried it but the login failed and asked for the password … then I realised Mr Lawrence was using root on both the host and target machines.