GnuPG – RSA key-pair mini-Howto with stronger digests

(Note: This was originally posted on my previous blog, but I’ve noticed that it’s being linked to, so I’ve reposted it here)

I’m not a mathematician (or a cryptographer) so I’m happy to take this post‘s word for it about a recent attack against SHA-1 (short PDF here). The post goes into detail about changing the preferred digests on a key, and is well worth a read.

The post also talks about using 2048-bit RSA keys, instead of the DSA/Elgamal default (which has a maximum size of 1024 bits). It goes into detail about how to migrate to an RSA key – if you’re going to migrate, I definitely recommend reading it.

However, I thought it would be nice to write a (very) quick guide on generating RSA private keys with GnuPG, as there are a few extra steps involved – but nothing complicated!
→ Continue reading ‘GnuPG – RSA key-pair mini-Howto with stronger digests’…

OpenSSH and OpenSC for Debian and Ubuntu

I’m using OpenSC at the moment so that I can repurpose an otherwise unused Aladdin eToken to hold SSH keys. I could go through the process involved in setting up the token, but as this chap has already done a thorough job, I won’t go into detail.

Unfortunately, the openssh-client package from Debian (and Ubuntu) doesn’t enable OpenSC support. It’s trivial to rebuild the package with OpenSC support, but for those who don’t want to or can’t for some reason, I’ve put my rebuilt, OpenSC-enabled packages here.

Once installed, if your token is set up correctly, you should be able to get your SSH public key from the card with:-

ssh-keygen -D <card>

…which should give you something like:-

ssh-rsa AAAA .. .. .. t8/Q==
1024 65537 14233 .. .. .. 70941

You can then add your private key to a running SSH agent with:-

ssh-add -s <card>

Pop in your PIN, and ssh should function as if you were using a normally-generated key.