ssh-keys management

ItsOnlyMe

Hi,

Related to https://docs.directadmin.com/changelog/version-1.55.0.html#ssh-keys-management-skins. When a user wants to add an ssh-key via :2222/evo/user/ssh-keys/authorized they run into an error:

Code:
invalid RSA comment
This was when trying to add the following key:
Code:
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAC97nKdNYcrBYyjefNgiF80v18GPpNTDJ82nvQCKt3d2CiH34gQ9CmweJgtsXc3osDQ3Ls8pKUHc7q6tOTO+Qi57gGByzA477mUX3UPlWpLi9nIh7CKcL9RuTMyyjzWx4BGwUVR6eNmBmj9mjKQ+nAxLq3RBgnpz++eHJXpckHiJIcMjw== [email protected]

However, when adding this key, it works:
Code:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnx2+lFQxiDSP4HeXV4YMzYXSqlUayj/DQgc8fe89b/inkRa8r7VjjQFjEb4qjyECQIx6g8qg+lk3LGkX4KNs681YuK2+6cMf8IbOGbcNYg41c+t4GfAaALDWmpD0bKqWvSNU2pMXLfQYqg1w2OYykOTH3Vma+/h3PouJqQ4cgGJpDaqywwMV8z0DhZ4Pc1RRyCoCJD9B5yJ5GR46VXv4nLvWwFKZ8Zl8HrEPO1WarJiOb1Wp6xZ7qwYVipx+ldkHB6+U4YSZ+NpyVEfAHXu6difg2X0cN+R3B7azrWJY1lsue4rJJqKi7wBjxTfvnX1HY8ullvhNFl+RW12uCxeZ [email protected]

I know the ECDSA key is correct since I also use this for my other day to day login on all other servers. How come we cannot add the newer type of keys to the server via directadmin as a user?

Can this "module" be updated so we can add newer keys to the system?
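
A type-aware check of a public key line, as an added example that is not part of the original post and is not DirectAdmin's code: it accepts ssh-rsa, ssh-ed25519 and ECDSA lines by comparing the declared type with the algorithm name stored inside the base64 blob. The sample lines are constructed placeholders rather than real keys, and `read_strings`, `parse_pubkey_line` and `wire` are hypothetical names.

```python
import base64

# ECDSA key type -> (curve name inside the blob, length of the uncompressed point Q)
ECDSA = {
    "ecdsa-sha2-nistp256": (b"nistp256", 65),
    "ecdsa-sha2-nistp384": (b"nistp384", 97),
    "ecdsa-sha2-nistp521": (b"nistp521", 133),
}

def read_strings(blob):
    """Split an SSH wire-format blob into its uint32-length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        end = off + 4 + int.from_bytes(blob[off:off + 4], "big")
        if off + 4 > len(blob) or end > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off + 4:end])
        off = end
    return fields

def parse_pubkey_line(line):
    """Validate one 'type base64 [comment]' line and return (type, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    ktype, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    fields = read_strings(base64.b64decode(parts[1], validate=True))
    if not fields or fields[0] != ktype.encode():
        raise ValueError("declared type does not match key blob")
    if ktype == "ssh-rsa":
        ok = len(fields) == 3  # type, public exponent e, modulus n
    elif ktype == "ssh-ed25519":
        ok = len(fields) == 2 and len(fields[1]) == 32
    elif ktype in ECDSA:
        curve, qlen = ECDSA[ktype]
        ok = len(fields) == 3 and fields[1] == curve and len(fields[2]) == qlen and fields[2][0] == 4
    else:
        raise ValueError("unsupported key type: " + ktype)
    if not ok:
        raise ValueError("malformed " + ktype + " key blob")
    return ktype, comment

def wire(*fields):
    # Helper for the constructed samples: encode fields as an SSH blob in base64.
    return base64.b64encode(b"".join(len(f).to_bytes(4, "big") + f for f in fields)).decode()

# Constructed, structurally valid sample lines (placeholder bytes, not real keys).
SAMPLE_ECDSA = "ecdsa-sha2-nistp521 " + wire(b"ecdsa-sha2-nistp521", b"nistp521", b"\x04" + bytes(132)) + " user@example.test"
SAMPLE_RSA = "ssh-rsa " + wire(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xff" * 256) + " user@example.test"
```

The check is structural only: it does not verify that an ECDSA point lies on its curve, which `ssh-keygen -l -f` on the key file will do.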
 
Can you create a private key from a public one?
No, that would be 'fun' (well, maybe with willow), but I just wouldn't use a single ssh key on a macbook to access all my servers because hackers don't need keys if they can snatch/compromise/malware the macbook with them on it.

There's a huge difference between how to deal with ssh access from a management point of view compared to a users pov.
It's way too off-topic for now, I think, so sorry in advance.

Ssh-keys are safe, but also easy. Use them safe, not easy, simply because you don't want to remember a password.
If you use them 'easy', all 1 piece of malware in a " .sh, cool prog, nice pdf" is required to cat your history file, grep the ssh logins and awk them to a scp-copy-id to add their own ssh key to all your servers.

Just a reminder that a single compromised user is bad.... but for that user only and likely their own responsibility too. A compromised infra is often harder to explain. :)
 
Ssh-keys are safe, but also easy. Use them safe, not easy, simply because you don't want to remember a password.
Exactly the reason I have a password on mine. If they get stolen it might be able to compromise servers. If they now get stolen, they still have to find out the password, which is by the way also not the easiest one. ;)
 
Exactly the reason I have a password on mine. If they get stolen it might be able to compromise servers. If they now get stolen, they still have to find out the password, which is by the way also not the easiest one. ;)
Same here. There's a saying, "A hat on a hat" which I like, but unlike that, these sort of SSH keys for the server are to me "A password on a password" with a passworded key. Nothing's infallible, but I love the fact you can password protect your private keys. Very smart move. 😁
 
Just a reminder that a single compromised user is bad.... but for that user only and likely their own responsibility too. A compromised infra is often harder to explain. :)
Sure thing, I'll let you in on a little secret then here: these keys were my old ones. I have already rotated them a couple of years back and I'm not using a MacBook anymore, so there's that :) (ofc you can set any comment you want / like, but I'd like mine to show where they are created on).

but I love the fact you can password protect your private keys. Very smart move.
Exactly the reason I have a password on mine.
Oh yes, having your private keys password secured is a thing I require from everyone that is working under me. Something to do with, if it gets stolen they also need to crack your password to even get anywhere with said key.

Thanks anyways I hope this feature gets updated soon. For now we work around it by manually adding it to the authorized_keys file for said customer that has this kind of key.
 