ssh key related explanations

c3dee912 · Goik Martin · 23559905 · c3dee912
Commit c3dee912 authored 1 year ago by Goik Martin
--- a/Doc/Sdi/GettingStarted/gettingStarted.xml
+++ b/Doc/Sdi/GettingStarted/gettingStarted.xml
 <?xml version="1.0" encoding="UTF-8"?>
-<chapter version="5.1" annotations="slide" xml:id="sdiGettingStarted"
+<chapter annotations="slide" version="5.1" xml:id="sdiGettingStarted"
         xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xila="http://www.w3.org/2001/XInclude/local-attributes"
@@ -25,6 +25,53 @@
    inappropriate file permissions of and inside your ~/.ssh directory:</para>
    <figure xml:id="sdi_getStartedSshKeygen">
+      <title><command>ssh-keygen</command> generating an elliptic key </title>
+      <screen>$ <link xlink:href="https://linux.die.net/man/1/ssh-keygen">ssh-keygen</link>  -a 256 <emphasis
+          role="red">-t ed25519</emphasis> <co
+          linkends="sdi_getStartedSshKeygen-1"
+          xml:id="sdi_getStartedSshKeygen-1-co"/> -C "$(hostname)-$(date +'%d-%m-%Y')"
+Generating public/private ed25519 key pair.
+Enter file in which to save the key (/home/foo/.ssh/id_ed25519): 
+Created directory '/home/foo/.ssh'.
+Enter passphrase (empty for no passphrase): <co
+          linkends="sdi_getStartedSshKeygen-2"
+          xml:id="sdi_getStartedSshKeygen-2-co"/>
+Enter same passphrase again: 
+Your identification has been saved in <emphasis role="red">/home/foo/.ssh/id_ed25519</emphasis> <co
+          linkends="sdi_getStartedSshKeygen-3"
+          xml:id="sdi_getStartedSshKeygen-3-co"/>
+Your public key has been saved in <emphasis role="red">/home/foo/.ssh/id_ed25519.pub</emphasis> <co
+          linkends="sdi_getStartedSshKeygen-4"
+          xml:id="sdi_getStartedSshKeygen-4-co"/>
+...</screen>
+      <calloutlist role="slideExclude">
+        <callout arearefs="sdi_getStartedSshKeygen-1-co"
+                 xml:id="sdi_getStartedSshKeygen-1">
+          <para>Elliptic key type from {<code>dsa</code>| <code>ecdsa</code>|
+          <code>ecdsa-sk</code>| <code>ed25519</code>|
+          <code>rsa</code>}.</para>
+        </callout>
+        <callout arearefs="sdi_getStartedSshKeygen-2-co"
+                 xml:id="sdi_getStartedSshKeygen-2">
+          <para>Private key passphrase theft protection.</para>
+        </callout>
+        <callout arearefs="sdi_getStartedSshKeygen-3-co"
+                 xml:id="sdi_getStartedSshKeygen-3">
+          <para>Generated private key: DO NOT CHANGE ITS NAME!</para>
+        </callout>
+        <callout arearefs="sdi_getStartedSshKeygen-4-co"
+                 xml:id="sdi_getStartedSshKeygen-4">
+          <para>Corresponding public key.</para>
+        </callout>
+      </calloutlist>
+    </figure>
+    <figure xml:id="sdi_getStartedSshKeygenResult">
      <title>Result of <command>ssh-keygen</command> execution</title>
      <informaltable border="0">
@@ -33,26 +80,24 @@
        <col width="25%"/>
        <tr>
-          <td valign="top"><screen>~/.ssh$ pwd
+          <td valign="top"><screen>~/.ssh$ cd ~/.ssh
-/stud/student/.ssh
+/home/foo/.ssh cp <emphasis role="red">id_ed25519.pub</emphasis> <emphasis
+                role="red">authorized_keys</emphasis>
 mistudent@w10m:~/.ssh$ ls -al
 total 24
 drwxrwx---+  2 student mi    0 Okt 17 17:45 .
 drwx------+ 32 student mi    0 Okt 17 17:44 ..
 -rwxrwx---+  1 student mi  396 Okt 17 17:45 <emphasis role="red">authorized_keys</emphasis> <co
                linkends="sdi_getStarted-1" xml:id="sdi_getStarted-1-co"/>
-rwxrwx---+  1 student mi 1675 Okt 17 17:38 <emphasis role="red">id_rsa</emphasis> <co
+-rwxrwx---+  1 student mi 1675 Okt 17 17:38 <emphasis role="red">id_ed25519</emphasis> <co
                linkends="sdi_getStarted-2" xml:id="sdi_getStarted-2-co"/>
-rwxrwx---+  1 student mi  396 Okt 17 17:38 <emphasis role="red">id_rsa.pub</emphasis> <co
+-rwxrwx---+  1 student mi  396 Okt 17 17:38 <emphasis role="red">id_ed25519.pub</emphasis> <co
                linkends="sdi_getStarted-3" xml:id="sdi_getStarted-3-co"/></screen></td>
          <td valign="top"><calloutlist>
              <callout arearefs="sdi_getStarted-1-co"
                       xml:id="sdi_getStarted-1">
-                <para>Allowed keys to log on to current machine. May contain
+                <para>Allowed keys to log on to current machine.</para>
-                <abbrev>e.g.</abbrev> the content of
-                <filename>id_rsa.pub</filename>.</para>
              </callout>
              <callout arearefs="sdi_getStarted-2-co"
@@ -98,19 +143,19 @@ other::---</screen>
    <figure xml:id="sdi_getStartedRevokePermissions">
      <title>Revoking permissions using <command>setfacl</command></title>
-      <screen>mistudent@w10m:~/.ssh$ setfacl -m user:mistudent:--- authorized_keys
+      <screen>foo@w10m:~/.ssh$ setfacl -m user:foo:--- authorized_keys
-mistudent@w10m:~/.ssh$ setfacl -m user::rw- authorized_keys
+foo@w10m:~/.ssh$ setfacl -m user::rw- authorized_keys
-mistudent@w10m:~/.ssh$ getfacl authorized_keys
+foo@w10m:~/.ssh$ getfacl authorized_keys
   ...
 user::rw-
-user:mistudent:---
+user:foo:---
 group::---
 group:users:---
 mask::---
 other::---
-mistudent@w10m:~/ssh$ ls -al authorized_keys
+foo@w10m:~/ssh$ ls -al authorized_keys
-rw-------+ 1 mistudent mi 396 Okt 17 17:45 authorized_keys</screen>
+-rw-------+ 1 foo mi 396 Okt 17 17:45 authorized_keys</screen>
    </figure>
    <para>Addressing each file and the directory itself in a similar fashion
@@ -119,13 +164,13 @@ mistudent@w10m:~/ssh$ ls -al authorized_keys
    <figure xml:id="sdi_getStartedCorrectedPermissions">
      <title>Corrected permissions</title>
-      <screen>mistudent@w10m:~/.ssh$ ls -al
+      <screen>foo@w10m:~/.ssh$ ls -al
 total 32
 drwx------+  2 mistudent mi    0 Okt 17 17:44 .
 drwx------+ 32 mistudent mi    0 Okt 17 17:44 ..
 -rw-------+  1 mistudent mi 1132 Okt 17 17:40 authorized_keys
-rw-------+  1 mistudent mi 1679 Okt 11 14:46 id_rsa
+-rw-------+  1 mistudent mi 1679 Okt 11 14:46 id_ed25519
-rw-r--r--+  1 mistudent mi  396 Okt 11 14:46 id_rsa.pub
+-rw-r--r--+  1 mistudent mi  396 Okt 11 14:46 id_ed25519.pub
 -rw-------+  1 mistudent mi  442 Okt 11 14:49 known_hosts</screen>
    </figure>
@@ -134,16 +179,12 @@ drwx------+ 32 mistudent mi    0 Okt 17 17:44 ..
    <figure xml:id="sdi_getStartedLoggingIn">
      <title>Logging in</title>
-      <screen>&gt; ssh root@sdi9a.mi.hdm-stuttgart.de
+      <screen>ssh  root@sdi14a.mi.hdm-stuttgart.de
-Linux sdi9a 4.15.18-18-pve #1 SMP PVE 4.15.18-44 (Wed, 03 Jul 2019 11:19:13 +0200) x86_64
+<emphasis role="red">The authenticity of host 'sdi14a.mi.hdm-stuttgart.de (141.62.75.114)' can't be established.</emphasis>
+ED25519 key fingerprint is SHA256:sEagSHefcv9OkiFibKIZFlPL/4FxbO+9kvJnwkV7ltU.
-The programs included with the Debian GNU/Linux system are free software;
+This key is not known by any other names
-the exact distribution terms for each program are described in the
+<emphasis role="red">Are you sure you want to continue connecting (yes/no/[fingerprint])? yes</emphasis>
-individual files in /usr/share/doc/*/copyright.
+Warning: <emphasis role="red">Permanently added 'sdi14a.mi.hdm-stuttgart.de' (ED25519) to the list of known hosts.</emphasis></screen>
-Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
-permitted by applicable law.
-Last login: Sun May  3 11:53:57 2020 from 192.168.223.34</screen>
    </figure>
  </section>