How to use ECDSA and ECDH with openssh on Red Hat Enterprise Linux 6?
Environment
- Red Hat Enterprise Linux 6
- openssh-5.3p1-95.el6_5 or later
Issue
How do I configure openssh server and client to use ECDSA keys or ECDH key exchange methods?
Resolution
- sshd server
  - Using ECDSA host keys
    - Generate the sshd host key pair and register the SELinux file context for it:
      # ssh-keygen -t ecdsa -b 384 -f /etc/ssh/ssh_host_ecdsa_key
      # semanage fcontext -a -f -- -t sshd_key_t /etc/ssh/ssh_host_ecdsa_key
      # semanage fcontext -a -f -- -t sshd_key_t /etc/ssh/ssh_host_ecdsa_key.pub
      Note: ssh-keygen already creates the files with the correct sshd_key_t context, so there is no need to apply it with
      # restorecon -rvn /etc/ssh/
      The semanage rules only make sure the label survives a later relabel of /etc/ssh.
    - Edit /etc/ssh/sshd_config and set the following value:
      HostKey /etc/ssh/ssh_host_ecdsa_key
      Keep the HostKey lines for the RSA (and any other) host keys the server already serves: HostKey may be given several times, and once any HostKey is set explicitly sshd no longer loads its built-in defaults, so a lone ECDSA entry would lock out clients without ECDSA support.
    - Restart the sshd server:
      # service sshd restart
  - Using the ECDH key exchange algorithms
    - Edit /etc/ssh/sshd_config and set the following value:
      KexAlgorithms ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
      The two diffie-hellman-*-sha1 entries are kept only so that older clients can still connect; remove them once every client supports ecdh-sha2-* or diffie-hellman-group-exchange-sha256.
    - Restart the sshd server:
      # service sshd restart
- ssh clients
  - Using ECDSA keys
    - Generate an ECDSA private and public key pair:
      $ ssh-keygen -t ecdsa -b 384
    - Use it:
      $ ssh -i ~/.ssh/id_ecdsa hostname
  - Using the ECDH key exchange algorithms
    $ ssh -o 'KexAlgorithms ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1' hostname
    The client's order decides what is negotiated: ssh uses the first method in its own list that the server also offers, so the SHA-1 methods at the end are only reached when the server offers none of the earlier ones.
  - Adjust the ssh client configuration to accept ECDSA host keys:
    # cat >> /etc/ssh/ssh_config <<EOF
    HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ssh-rsa,ssh-dss
    EOF
    ssh-dss is listed last so that servers which only have a DSA host key remain reachable; leave it out if no such server exists.
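As an added check for both the sshd server and the ssh client steps above (this script is not part of the Red Hat solution), the following shell script parses an OpenSSH config the way sshd/ssh read it (first occurrence of a keyword wins, comment lines are skipped), confirms that an ECDSA host key and an ECDH kex method are enabled, flags the SHA-1 kex methods and the ssh-dss entry that the article's lists keep for older peers, and prints the KexAlgorithms line without them. The two config texts are constructed here to mirror the article's settings; the SSHD_CONFIG_FILE variable is an assumption of this script, not an OpenSSH setting. It checks the configuration text only; whether the running sshd actually supports these algorithms still depends on having the openssh build named under Environment or later.

```sh
#!/bin/sh
# Added example, not part of the Red Hat solution: audit an OpenSSH config
# for the ECDSA/ECDH settings the steps above enable, and flag the legacy
# SHA-1 kex and ssh-dss entries that the article's lists keep for old peers.
# Both config texts are constructed here to mirror the article; set the
# (assumed) SSHD_CONFIG_FILE variable to audit a real /etc/ssh/sshd_config.

# Constructed sample sshd_config: the article's HostKey and KexAlgorithms
# lines, plus a comment line to show that comments are skipped.
SAMPLE_SSHD_CONFIG='# KexAlgorithms this-is-a-comment
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
'

# Constructed sample ssh_config: the HostKeyAlgorithms line the article appends.
SAMPLE_SSH_CONFIG='HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ssh-rsa,ssh-dss
'

# Print every value of a keyword (keyword match is case-insensitive,
# comment lines are skipped). OpenSSH takes the first occurrence of a
# single-valued keyword, so callers wanting the effective value use head -n 1.
config_values() {  # $1 = config text, $2 = keyword
    printf '%s\n' "$1" | awk -v kw="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(kw) { print $2 }'
}

# Effective comma-separated list of a keyword, one entry per line.
config_list() {  # $1 = config text, $2 = keyword
    config_values "$1" "$2" | head -n 1 | tr ',' '\n'
}

# 0 if an ECDSA host key is configured on the server, 1 otherwise.
ecdsa_hostkey_enabled() {
    config_values "$1" HostKey | grep -q 'ssh_host_ecdsa_key'
}

# 0 if the server offers at least one ECDH method, 1 otherwise.
ecdh_enabled() {
    config_list "$1" KexAlgorithms | grep -q '^ecdh-sha2-nistp'
}

# SHA-1 based kex methods that remain enabled (empty output if none).
sha1_kex_methods() {
    config_list "$1" KexAlgorithms | grep -- '-sha1$' || true
}

# The KexAlgorithms value with the SHA-1 methods removed, order preserved.
kex_without_sha1() {
    config_list "$1" KexAlgorithms | grep -v -- '-sha1$' | tr '\n' ',' | sed 's/,$//'
}

# 0 if the client will accept ECDSA host keys, 1 otherwise.
client_accepts_ecdsa() {
    config_list "$1" HostKeyAlgorithms | grep -q '^ecdsa-sha2-nistp'
}

# 0 if the client still accepts ssh-dss (DSA) host keys, 1 otherwise.
client_accepts_dss() {
    config_list "$1" HostKeyAlgorithms | grep -qx 'ssh-dss'
}

# Report on a server config; returns 0 only when ECDSA and ECDH are both on.
audit_sshd_config() {
    cfg=$1; rc=0
    if ecdsa_hostkey_enabled "$cfg"; then echo "ECDSA host key: yes"
    else echo "ECDSA host key: NO"; rc=1; fi
    if ecdh_enabled "$cfg"; then echo "ECDH kex offered: yes"
    else echo "ECDH kex offered: NO"; rc=1; fi
    legacy=$(sha1_kex_methods "$cfg")
    if [ -n "$legacy" ]; then
        echo "SHA-1 kex methods still enabled (needed only by old clients):"
        printf '  %s\n' $legacy
        echo "Without them: KexAlgorithms $(kex_without_sha1 "$cfg")"
    fi
    return $rc
}

if [ -n "${SSHD_CONFIG_FILE:-}" ]; then
    audit_sshd_config "$(cat "$SSHD_CONFIG_FILE")"
else
    audit_sshd_config "$SAMPLE_SSHD_CONFIG"
    if client_accepts_dss "$SAMPLE_SSH_CONFIG"; then
        echo "Client still accepts ssh-dss host keys (drop it unless a server has only a DSA key)"
    fi
fi
```

Run it as-is to audit the constructed samples, or as `SSHD_CONFIG_FILE=/etc/ssh/sshd_config sh audit.sh` on a host; the exit status of audit_sshd_config is non-zero whenever either the ECDSA host key or the ECDH kex list is missing, which makes it usable from a configuration-compliance job.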
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.