Use SSH ed25519 Keys

simon_lefisch
Posts: 92
Joined: 2017/07/12 21:02:02

Use SSH ed25519 Keys

Post by simon_lefisch » 2017/07/26 23:29:25

Hey everyone,

I know a similar question has been asked, however I don't feel like I found an answer so I will ask my question anyway. Please forgive me for asking the same question. I am a Linux noob and am still getting used to how things work in the Linux world.

I have CentOS 7 installed on my machine and everything is working great. However in an effort to increase security on my machine, I generated new ed25519 SSH keys on my Mac. I placed the private key in ~/.ssh/keys and configured /etc/ssh_ssh_config on my Mac to use that specific key. I also pushed the public key to my server using ssh-copy-id -i ~/.ssh/mykey user@host and copied the key info to ~/.ssh/authorized_keys and restarted sshd. Everything works as far as using the ed25519 keys (when connecting using the new key the server provided an ed25519 fingerprint instead of RSA).

So here's my question... on the server, in the sshd_config file it has HostKey /etc/ssh/ssh_host_ed25519_key in use (un-commented). When I comment out HostKey /etc/ssh/ssh_host_ed25519_key I am unable to connect to the server. What is the point of having that host key if I already created a new key? Is it necessary to have that enabled?

Again I apologize for the noob question but I'm just trying to understand how this works. I have read a few articles about SSH but it never really gave me a clear answer as to what those keys do if I already have new keys created. Go easy on me :)
Hardware:
Supermicro X10SRi-F mobo
E5-2683v4 16-core CPU
112GB ECC RAM
2x 250GB SSD RAID1 (current CentOS 7 version)
2x 500GB SSD RAID1 (VM Disk Image Storage)
2x 4TB HDD RAID1 (Backup Storage via FreeNAS VM)
2X 6TB HDD RAID1 (Data Storage via FreeNAS VM)

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Use SSH ed25519 Keys

Post by TrevorH » 2017/07/27 08:22:19

The host key is not the same thing as your key. The host has to have a key to be able to talk to you using that cipher.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

simon_lefisch
Posts: 92
Joined: 2017/07/12 21:02:02

Re: Use SSH ed25519 Keys

Post by simon_lefisch » 2017/07/27 20:30:57

TrevorH wrote:The host key is not the same thing as your key. The host has to have a key to be able to talk to you using that cipher.
Sorry, I'm still a little confused. Can you break it down a little more?

You're saying the /etc/ssh/ssh_host_ed25519_key and /etc/ssh/ssh_host_ed25519_key.pub are not the same as the keys that I manually generated using the ssh-keygen command (the private key of which is stored on my Mac, and the public key of which has been copied to the "authorized_keys" file on my server). Are the keys I generated used for identifying who I am, and the ssh_host_key used to determine the type of encryption to be used when connecting to the server?

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Use SSH ed25519 Keys

Post by TrevorH » 2017/07/27 21:56:07

The host has a set of keys that belong to the ssh server so that it can identify itself to you and so that your client can check the server's fingerprint against your local $USER/.ssh/known_hosts to make sure that the thing you are connecting to is really the thing you think it is. The server keys are kept in /etc/ssh/ssh_host* files.

Now each person who connects to that ssh server will have their own personal keys that they use to talk to the server. You have your private key and its associated public key file and you copy the contents of the public key up to the server and place it in $USER/.ssh/authorized_keys. When your client tries to talk to the server, it checks your key against the list in its $HOME/.ssh/authorized_keys and you'll be allowed access if it matches.

Files in /etc/ssh/ssh_host* are not used by the client at all. They belong to the server itself. Your keys go in $USER/.ssh/
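The two checks TrevorH describes above (client compares the server's host key with known_hosts; server compares the user's key with authorized_keys) are both plain public-key comparisons, and the following added example walks through them in code. It is illustration written for this page, not code from the thread, OpenSSH or CentOS. It assumes the OpenSSH public-key line format ("ssh-ed25519 <base64 blob> comment"), the SHA256 fingerprint format that ssh-keygen -lf prints, and the HashKnownHosts entry format; the sample keys, hostnames (centos7, other.example.com) and the salt are constructed stand-ins, and the 32-byte key bodies are filler, not real ed25519 points.

```python
"""Added illustration: host key vs user key checks (not code from the thread).
All key material is constructed; the 32-byte 'points' are filler, not real keys."""
import base64
import hashlib
import hmac
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def encode_ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def decode_ssh_strings(blob: bytes) -> list:
    """Split a public-key blob into its length-prefixed fields."""
    fields, i = [], 0
    while i < len(blob):
        (n,) = struct.unpack(">I", blob[i:i + 4])
        fields.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return fields

def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH 'ssh-ed25519 <base64 blob> comment' line (.pub format)."""
    blob = encode_ssh_string(b"ssh-ed25519") + encode_ssh_string(raw32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

def parse_pubkey_line(line: str):
    """Return (keytype, raw_key, blob); tolerates authorized_keys option prefixes."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            blob = base64.b64decode(tokens[i + 1])
            fields = decode_ssh_strings(blob)
            if fields[0] != tok.encode():
                raise ValueError("key type inside blob does not match prefix")
            return tok, fields[1], blob
    raise ValueError("no recognised public key on line")

def fingerprint(line: str) -> str:
    """SHA256 fingerprint as 'ssh-keygen -lf' prints it (base64, no '=' padding)."""
    blob = parse_pubkey_line(line)[2]
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hash_hostname(hostname: str, salt: bytes) -> str:
    """HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_field_matches(field: str, hostname: str) -> bool:
    """Match a known_hosts host field, plain ('host,ip') or hashed ('|1|...')."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hash_hostname(hostname, salt), field)
    return hostname in field.split(",")

def server_is_known(known_hosts: str, hostname: str, host_pubkey_line: str) -> str:
    """Client-side check of the server's host key: 'ok', 'unknown' or 'CHANGED'."""
    keytype, raw, _ = parse_pubkey_line(host_pubkey_line)
    seen_host = False
    for entry in known_hosts.splitlines():
        if not entry.strip() or entry.startswith("#"):
            continue
        hostfield, ktype, b64 = entry.split()[:3]
        if ktype != keytype or not host_field_matches(hostfield, hostname):
            continue
        seen_host = True
        if hmac.compare_digest(parse_pubkey_line(ktype + " " + b64)[1], raw):
            return "ok"  # same key the client saw before
    return "CHANGED" if seen_host else "unknown"  # CHANGED = possible MITM

def user_is_authorized(authorized_keys: str, user_pubkey_line: str) -> bool:
    """Server-side check of the user's key against $HOME/.ssh/authorized_keys."""
    keytype, raw, _ = parse_pubkey_line(user_pubkey_line)
    for entry in authorized_keys.splitlines():
        if not entry.strip() or entry.startswith("#"):
            continue
        try:
            ktype, entry_raw, _ = parse_pubkey_line(entry)
        except ValueError:
            continue
        if ktype == keytype and hmac.compare_digest(entry_raw, raw):
            return True
    return False

# Constructed stand-ins for /etc/ssh/ssh_host_ed25519_key.pub (server) and
# ~/.ssh/mykey.pub (the Mac user); the 32-byte values are filler, not real keys.
HOST_PUB = make_ed25519_pubkey_line(bytes(range(32)), "root@centos7")
USER_PUB = make_ed25519_pubkey_line(bytes(range(32, 64)), "simon@mac")
KNOWN_HOSTS = "\n".join([
    hash_hostname("centos7", b"\x01" * 20) + " " + HOST_PUB,  # hashed entry
    "other.example.com,192.0.2.20 " + USER_PUB,               # plain entry
])
AUTHORIZED_KEYS = "no-port-forwarding " + USER_PUB  # option prefix is allowed
```

Two things worth noticing. The host key is what a client pins: server_is_known returns "CHANGED" when the host is already in known_hosts but presents a different key, which is the situation behind the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning, so a host key should only be replaced deliberately. And the checks are independent: a user key that is perfectly valid in authorized_keys gets no chance to be tried if the server cannot present a host key of a type the client will negotiate, which is why removing the server's only usable HostKey line stops the connection before user authentication starts. On a real system the same values come from ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub (server-side fingerprint) and ssh-keygen -F <hostname> (look up a known_hosts entry, hashed or plain).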

simon_lefisch
Posts: 92
Joined: 2017/07/12 21:02:02

Re: Use SSH ed25519 Keys

Post by simon_lefisch » 2017/07/27 22:08:47

TrevorH wrote:The host has a set of keys that belong to the ssh server so that it can identify itself to you and so that your client can check the server's fingerprint against your local $USER/.ssh/known_hosts to make sure that the thing you are connecting to is really the thing you think it is. The server keys are kept in /etc/ssh/ssh_host* files.

Now each person who connects to that ssh server will have their own personal keys that they use to talk to the server. You have your private key and its associated public key file and you copy the contents of the public key up to the server and place it in $USER/.ssh/authorized_keys. When your client tries to talk to the server, it checks your key against the list in its $HOME/.ssh/authorized_keys and you'll be allowed access if it matches.

Files in /etc/ssh/ssh_host* are not used by the client at all. They belong to the server itself. You keys go in $USER/.ssh/
If I understand you correctly, the /etc/ssh/ssh_host* keys are used by the server (host) to identify itself to you (client), proving that the server is the correct server you are trying to connect to, while the keys I generated are used to identify myself (client) to the server (host), proving that I am an authorized user?

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Use SSH ed25519 Keys

Post by TrevorH » 2017/07/27 22:49:57

Yes. And encryption of course.

simon_lefisch
Posts: 92
Joined: 2017/07/12 21:02:02

Re: Use SSH ed25519 Keys

Post by simon_lefisch » 2017/07/27 23:09:51

TrevorH wrote:Yes. And encryption of course.
Awesome! Thank you for the explanation. I feel I have a better understanding of SSH, fingerprints, and handling of keys. I am trying to learn as much as I can by reading and doing, but sometimes I cannot find the answers online. Thank you for being patient with me.
