From c3dee9126abe6151c63e3274f79cd167cd77e4b2 Mon Sep 17 00:00:00 2001
From: Martin Goik <goik@hdm-stuttgart.de>
Date: Sun, 2 Apr 2023 15:14:04 +0200
Subject: [PATCH] ssh key related explanations

---
 Doc/Sdi/GettingStarted/gettingStarted.xml | 97 ++++++++++++++++-------
 1 file changed, 69 insertions(+), 28 deletions(-)

diff --git a/Doc/Sdi/GettingStarted/gettingStarted.xml b/Doc/Sdi/GettingStarted/gettingStarted.xml
index 9080dcbbf..02c26ef68 100644
--- a/Doc/Sdi/GettingStarted/gettingStarted.xml
+++ b/Doc/Sdi/GettingStarted/gettingStarted.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<chapter version="5.1" annotations="slide" xml:id="sdiGettingStarted"
+<chapter annotations="slide" version="5.1" xml:id="sdiGettingStarted"
          xmlns="http://docbook.org/ns/docbook"
          xmlns:xlink="http://www.w3.org/1999/xlink"
          xmlns:xila="http://www.w3.org/2001/XInclude/local-attributes"
@@ -25,6 +25,53 @@
     inappropriate file permissions of and inside your ~/.ssh directory:</para>
 
     <figure xml:id="sdi_getStartedSshKeygen">
+      <title><command>ssh-keygen</command> generating an elliptic key </title>
+
+      <screen>$ <link xlink:href="https://linux.die.net/man/1/ssh-keygen">ssh-keygen</link>  -a 256 <emphasis
+          role="red">-t ed25519</emphasis> <co
+          linkends="sdi_getStartedSshKeygen-1"
+          xml:id="sdi_getStartedSshKeygen-1-co"/> -C "$(hostname)-$(date +'%d-%m-%Y')"
+Generating public/private ed25519 key pair.
+Enter file in which to save the key (/home/foo/.ssh/id_ed25519): 
+Created directory '/home/foo/.ssh'.
+Enter passphrase (empty for no passphrase): <co
+          linkends="sdi_getStartedSshKeygen-2"
+          xml:id="sdi_getStartedSshKeygen-2-co"/>
+Enter same passphrase again: 
+Your identification has been saved in <emphasis role="red">/home/foo/.ssh/id_ed25519</emphasis> <co
+          linkends="sdi_getStartedSshKeygen-3"
+          xml:id="sdi_getStartedSshKeygen-3-co"/>
+Your public key has been saved in <emphasis role="red">/home/foo/.ssh/id_ed25519.pub</emphasis> <co
+          linkends="sdi_getStartedSshKeygen-4"
+          xml:id="sdi_getStartedSshKeygen-4-co"/>
+...</screen>
+
+      <calloutlist role="slideExclude">
+        <callout arearefs="sdi_getStartedSshKeygen-1-co"
+                 xml:id="sdi_getStartedSshKeygen-1">
+          <para>Elliptic key type from {<code>dsa</code>| <code>ecdsa</code>|
+          <code>ecdsa-sk</code>| <code>ed25519</code>|
+          <code>rsa</code>}.</para>
+        </callout>
+
+        <callout arearefs="sdi_getStartedSshKeygen-2-co"
+                 xml:id="sdi_getStartedSshKeygen-2">
+          <para>Private key passphrase theft protection.</para>
+        </callout>
+
+        <callout arearefs="sdi_getStartedSshKeygen-3-co"
+                 xml:id="sdi_getStartedSshKeygen-3">
+          <para>Generated private key: DO NOT CHANGE ITS NAME!</para>
+        </callout>
+
+        <callout arearefs="sdi_getStartedSshKeygen-4-co"
+                 xml:id="sdi_getStartedSshKeygen-4">
+          <para>Corresponding public key.</para>
+        </callout>
+      </calloutlist>
+    </figure>
+
+    <figure xml:id="sdi_getStartedSshKeygenResult">
       <title>Result of <command>ssh-keygen</command> execution</title>
 
       <informaltable border="0">
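Review bot: The first callout explaining `-t` labels the whole list `{dsa|ecdsa|ecdsa-sk|ed25519|rsa}` as "elliptic key type", but dsa and rsa are not elliptic-curve algorithms, and ssh-dss has been disabled by default in OpenSSH since 7.0, so presenting it as a peer of ed25519 misleads readers of a security course. I would reword it to `Key type: one of dsa, ecdsa, ecdsa-sk, ed25519, ed25519-sk or rsa; ed25519 (used here) is the recommended modern choice, dsa is obsolete and disabled by default in current OpenSSH.` The second callout, `Private key passphrase theft protection.`, would be clearer as `Passphrase encrypting the private key at rest, so a copied id_ed25519 file is not usable on its own; -a 256 raises the KDF rounds for that encryption and has no effect if the passphrase is left empty.` Callout 3's `DO NOT CHANGE ITS NAME!` is only half true and worth softening: the default name is what ssh looks up automatically, while a renamed key still works with `-i` or an `IdentityFile` entry in ~/.ssh/config.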
@@ -33,26 +80,24 @@
         <col width="25%"/>
 
         <tr>
-          <td valign="top"><screen>~/.ssh$ pwd
-/stud/student/.ssh
-
+          <td valign="top"><screen>~/.ssh$ cd ~/.ssh
+/home/foo/.ssh cp <emphasis role="red">id_ed25519.pub</emphasis> <emphasis
+                role="red">authorized_keys</emphasis>
 mistudent@w10m:~/.ssh$ ls -al
 total 24
 drwxrwx---+  2 student mi    0 Okt 17 17:45 .
 drwx------+ 32 student mi    0 Okt 17 17:44 ..
 -rwxrwx---+  1 student mi  396 Okt 17 17:45 <emphasis role="red">authorized_keys</emphasis> <co
                 linkends="sdi_getStarted-1" xml:id="sdi_getStarted-1-co"/>
--rwxrwx---+  1 student mi 1675 Okt 17 17:38 <emphasis role="red">id_rsa</emphasis> <co
+-rwxrwx---+  1 student mi 1675 Okt 17 17:38 <emphasis role="red">id_ed25519</emphasis> <co
                 linkends="sdi_getStarted-2" xml:id="sdi_getStarted-2-co"/>
--rwxrwx---+  1 student mi  396 Okt 17 17:38 <emphasis role="red">id_rsa.pub</emphasis> <co
+-rwxrwx---+  1 student mi  396 Okt 17 17:38 <emphasis role="red">id_ed25519.pub</emphasis> <co
                 linkends="sdi_getStarted-3" xml:id="sdi_getStarted-3-co"/></screen></td>
 
           <td valign="top"><calloutlist>
               <callout arearefs="sdi_getStarted-1-co"
                        xml:id="sdi_getStarted-1">
-                <para>Allowed keys to log on to current machine. May contain
-                <abbrev>e.g.</abbrev> the content of
-                <filename>id_rsa.pub</filename>.</para>
+                <para>Allowed keys to log on to current machine.</para>
               </callout>
 
               <callout arearefs="sdi_getStarted-2-co"
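Review bot: `cp id_ed25519.pub authorized_keys` on the second screen line overwrites any authorized_keys the user already has, silently dropping previously authorised keys; the usual form is `cat id_ed25519.pub >> authorized_keys` (or `ssh-copy-id` for a remote host). The prompt lines are also inconsistent: `~/.ssh$ cd ~/.ssh` is followed by `/home/foo/.ssh cp …` with no `$`, and the next `ls -al` line still shows `mistudent@w10m` although the rest of the patch renames the user to foo. The sizes 1675/396 bytes appear carried over from the old id_rsa listing; an ed25519 key pair is much smaller (roughly 400 bytes private, about 100 bytes public), so regenerating the listing would be safer than hand-editing the file names.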
@@ -98,19 +143,19 @@ other::---</screen>
     <figure xml:id="sdi_getStartedRevokePermissions">
       <title>Revoking permissions using <command>setfacl</command></title>
 
-      <screen>mistudent@w10m:~/.ssh$ setfacl -m user:mistudent:--- authorized_keys
-mistudent@w10m:~/.ssh$ setfacl -m user::rw- authorized_keys
-mistudent@w10m:~/.ssh$ getfacl authorized_keys
+      <screen>foo@w10m:~/.ssh$ setfacl -m user:foo:--- authorized_keys
+foo@w10m:~/.ssh$ setfacl -m user::rw- authorized_keys
+foo@w10m:~/.ssh$ getfacl authorized_keys
    ...
 user::rw-
-user:mistudent:---
+user:foo:---
 group::---
 group:users:---
 mask::---
 other::---
 
-mistudent@w10m:~/ssh$ ls -al authorized_keys
--rw-------+ 1 mistudent mi 396 Okt 17 17:45 authorized_keys</screen>
+foo@w10m:~/ssh$ ls -al authorized_keys
+-rw-------+ 1 foo mi 396 Okt 17 17:45 authorized_keys</screen>
     </figure>
 
     <para>Addressing each file and the directory itself in a similar fashion
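Review bot: The named entry `user:foo:---` created by the first setfacl call has no effect, because foo owns the file and POSIX ACL evaluation applies the owner entry `user::rw-` to the owner before any named-user entry is consulted, so it only clutters the getfacl output. For revoking the stray entries the simpler and more complete sequence is `setfacl -b authorized_keys` followed by `chmod 600 authorized_keys`, which also removes the `+` still visible in the final `ls -al` line. The prompt on that line reads `~/ssh` instead of `~/.ssh`.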
@@ -119,13 +164,13 @@ mistudent@w10m:~/ssh$ ls -al authorized_keys
     <figure xml:id="sdi_getStartedCorrectedPermissions">
       <title>Corrected permissions</title>
 
-      <screen>mistudent@w10m:~/.ssh$ ls -al
+      <screen>foo@w10m:~/.ssh$ ls -al
 total 32
 drwx------+  2 mistudent mi    0 Okt 17 17:44 .
 drwx------+ 32 mistudent mi    0 Okt 17 17:44 ..
 -rw-------+  1 mistudent mi 1132 Okt 17 17:40 authorized_keys
--rw-------+  1 mistudent mi 1679 Okt 11 14:46 id_rsa
--rw-r--r--+  1 mistudent mi  396 Okt 11 14:46 id_rsa.pub
+-rw-------+  1 mistudent mi 1679 Okt 11 14:46 id_ed25519
+-rw-r--r--+  1 mistudent mi  396 Okt 11 14:46 id_ed25519.pub
 -rw-------+  1 mistudent mi  442 Okt 11 14:49 known_hosts</screen>
     </figure>
 
@@ -134,16 +179,12 @@ drwx------+ 32 mistudent mi    0 Okt 17 17:44 ..
     <figure xml:id="sdi_getStartedLoggingIn">
       <title>Logging in</title>
 
-      <screen>&gt; ssh root@sdi9a.mi.hdm-stuttgart.de
-Linux sdi9a 4.15.18-18-pve #1 SMP PVE 4.15.18-44 (Wed, 03 Jul 2019 11:19:13 +0200) x86_64
-
-The programs included with the Debian GNU/Linux system are free software;
-the exact distribution terms for each program are described in the
-individual files in /usr/share/doc/*/copyright.
-
-Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
-permitted by applicable law.
-Last login: Sun May  3 11:53:57 2020 from 192.168.223.34</screen>
+      <screen>ssh  root@sdi14a.mi.hdm-stuttgart.de
+<emphasis role="red">The authenticity of host 'sdi14a.mi.hdm-stuttgart.de (141.62.75.114)' can't be established.</emphasis>
+ED25519 key fingerprint is SHA256:sEagSHefcv9OkiFibKIZFlPL/4FxbO+9kvJnwkV7ltU.
+This key is not known by any other names
+<emphasis role="red">Are you sure you want to continue connecting (yes/no/[fingerprint])? yes</emphasis>
+Warning: <emphasis role="red">Permanently added 'sdi14a.mi.hdm-stuttgart.de' (ED25519) to the list of known hosts.</emphasis></screen>
     </figure>
   </section>
 
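Review bot: The login figure shows the reader answering `yes` at the host-key prompt with no verification step, which is precisely the trust-on-first-use moment at which a man-in-the-middle host would be accepted and its key stored permanently in known_hosts. Since the fingerprint `SHA256:sEagSHefcv9OkiFibKIZFlPL/4FxbO+9kvJnwkV7ltU` is already printed in the figure, a sentence before it should tell readers to compare the displayed value with the fingerprint published for the host by the administrator (obtainable on the server console with `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub`) and to answer no on any mismatch. A callout on the `Permanently added` line noting that a later "REMOTE HOST IDENTIFICATION HAS CHANGED" warning must be investigated rather than silenced with `ssh-keygen -R` would round this off.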
-- 
GitLab