
Hardened security and passwordless login with ed25519 SSH keys 

MikroTik

ed25519 SSH keys are finally here and Druvis will show you how to make use of them.
Note: Private key import functionality is still in development and the custom OpenSSH key format (used by ssh-keygen) might not get implemented for the ed25519 key type.
help.mikrotik.com/docs/displa...
0:00 Intro
0:48 Host key explained
02:00 ed25519 host key
02:19 strong-crypto explained
03:09 ed25519 user key
04:16 Outro

Published: 28 Jun 2024

Поделиться:

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист
Посмотреть позже
Comments: 30
@YoS2i 4 months ago
When will Ed25519-sk keys be able to be used? Combined with Yubikey, this provides even greater security.
@AlexanderNecheff 4 months ago
25519 uses a fixed key size so the `-b` argument to `ssh-keygen` will be ignored, FYI.
@mikrotik 3 months ago
Thank you for pointing that out.
@BattousaiHBr 3 months ago
i was thinking that. also 2048 is massive for ECC.
@markdudov2508 4 months ago
More and more you raise the status of the video. Well done!
@Andre-jj6xs 4 months ago
I'd love to see better error reporting for failed (key) imports. It took me a while to see why import of my public key (and CA intermediate certificates) failed without an error message. My file was (windows) encoded instead of (linux).
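An added example (not from the video, MikroTik, or the commenter): a pre-import check for the kind of problem described in the comment above, which also prints the key's SHA256 fingerprint. It assumes "Windows encoded" means CRLF line endings, a UTF-8 byte order mark, or UTF-16 text; the function names are hypothetical and the sample key is constructed, not a real key.

```python
import base64
import hashlib
import struct

KEY_TYPE = b"ssh-ed25519"


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def check_pubkey_file(raw: bytes) -> dict:
    """Report encoding problems in a public key file and its SHA256 fingerprint."""
    problems = []
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return {"ok": False, "problems": ["UTF-16 encoded file"], "fingerprint": None}
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte order mark")
        raw = raw[3:]
    if b"\r" in raw:
        problems.append("CR characters (Windows line endings)")
        raw = raw.replace(b"\r", b"")
    fields = raw.strip().split()
    if len(fields) < 2 or fields[0] != KEY_TYPE:
        return {"ok": False, "problems": problems + ["not an ssh-ed25519 key line"],
                "fingerprint": None}
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:
        return {"ok": False, "problems": problems + ["invalid base64"], "fingerprint": None}
    # The blob is two SSH strings: the key type, then the fixed-size 32-byte public key.
    if blob[:15] != ssh_string(KEY_TYPE) or len(blob) != 15 + 4 + 32 \
            or blob[15:19] != struct.pack(">I", 32):
        problems.append("key blob is not a 32-byte ed25519 key")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    return {"ok": not problems, "problems": problems, "fingerprint": "SHA256:" + digest}


# Constructed sample: 32 fixed bytes standing in for a public key, not a real key.
SAMPLE_BLOB = ssh_string(KEY_TYPE) + ssh_string(bytes(range(32)))
SAMPLE_LINE = KEY_TYPE + b" " + base64.b64encode(SAMPLE_BLOB) + b" admin@example\n"

if __name__ == "__main__":
    for label, data in [("LF", SAMPLE_LINE),
                        ("CRLF", SAMPLE_LINE.replace(b"\n", b"\r\n")),
                        ("BOM", b"\xef\xbb\xbf" + SAMPLE_LINE)]:
        print(label, check_pubkey_file(data))
```

The fingerprint is in the same `SHA256:` form that `ssh-keygen -lf` prints for a public key file, so the two can be compared directly.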
@pavelsmarhels8868 4 months ago
When will WinBox support passwordless auth?
@mikrotik 4 months ago
Currently not in the plans, but it would be a neat feature though.
@user-nj9mp6ko3w 4 months ago
When will the support for ed25519 be available for generating certificates and IKEv2?
@samerkabalan8571 4 months ago
What about more care about URL filtering, DNS filtering, DPI?
@user-he1fr1ck6u 2 months ago
Hello, is there any resource on how to sign a message using ed25519 keys in cpp?
@gg-gn3re 4 months ago
amazing, been using these exclusively for 10 years, never knew people were so insanely slow they didn't actually have it available already.
@user-th6cd7we3e 4 months ago
We need support for 25519 for certificates and IKEv2
@JoseMedina-ir6zi 4 months ago
Are there any plans in the future for a native Linux Winbox app?
@mikrotik 4 months ago
Being developed RN, but we can't give any ETA :)
@ryandekock2608 4 months ago
Well, I think the real question is, how do you do this on +-2000 routers and add/remove users' public keys on staff rotation/key compromised etc. These videos are awesome, but doing things for 1 user and 1 router is not the same as managing a fleet of routers and a staff base.
@ArneeTeachesTech 4 months ago
Try ansible
@stevebot 4 months ago
I don’t know how to do it with Ansible yet, but it’s super easy to do with ssh and a simple bash script. You now have two ways to do it, one is portable to other IT areas and the other says you’re an old ignorant hack like me.
@ArneeTeachesTech 3 months ago
@stevebot Ansible is just an automation tool. For basic tasks it's pretty easy. It also has a MikroTik library available. Look it up and you will thank me later :)
@javierhorrillo7343 4 months ago
when exporting host key, only private part is exported as PEM format, when using ed25519 host key type at /ip/ssh configuration. Is this intentional? How can I import public key then in another router, for allowing a main router to act as a password-less client for a different router? (as explained in your first video regarding ssh keys)
@mikrotik 4 months ago
That is only a temporary behavior, it will be possible to export both keys soon.
@tim_the_grim 4 months ago
@mikrotik I'm guessing this relates to my question, about how to verify host keys from an external ssh client (e.g. from Ubuntu)
@tim_the_grim 4 months ago
Mr Druvis - great video overall, but you left out a very important step. How do you verify host key fingerprint from RouterOS? When connecting via an external SSH client, it says: "The authenticity of host ... can't be established. The fingerprint is ..." No, it is not just the paranoid that should be checking this. We should be recommending good security practices.
@mikrotik 4 months ago
Currently, that is not possible, I am afraid. For maximum security, abstain from the built-in SSH client.
@tim_the_grim 4 months ago
@mikrotik Is it possible using an SSH client from say Linux Ubuntu?
@feicodeboer 2 months ago
"If you're paranoid, you check it ..." Anyone ever did that?
@Graham_Rule 4 months ago
Before I do all that, can you tell me how I get back in when I've screwed up and locked myself out? Not saying that I'm going to do that but I'm the sort of person who saws a branch of a tree while standing on it. 😂
@sikedipuuhja7376 4 months ago
If you have the default config, and add a public key to your user, you won’t be able to log in via ssh if you don’t have the private key. Always-allow-password-login is disabled by default. But you still can log in using password with mactelnet.
@AlexanderNecheff 4 months ago
Create a second admin account without an SSH key, test you can log in with the second account, create and install the SSH key on your primary admin account, test you can log in with the primary account, disable/delete secondary admin account.
@edward7555 3 months ago
'Promo sm' ☺️