SSH Generation and commands.

Generating a secure SSH Key and commands

ssh-keygen
	-t ed25519 - for greatest security (bits are a fixed size and -b flag will be ignored)
	-t rsa  - for greatest portability (key needs to be greater than 4096 bits)
	-t ecdsa - faster than RSA or DSA  (bits can only be 256, 284, or 521)
	-t dsa  - DEEMED INSECURE - DSA limted to 1024 bit key as specified by FIPS 186-2, No longer allowed by default in OpenSSH 7.0+
	-t rsa1 - DEEMED INSECURE - has weaknesses and shouldn't be used (used in protocol 1)

	-b 4096 bit size
	-a 500 rounds (should be no smaller than 64, result in slower passphrase verification and increased resistance to brute-force password cracking)
	-C "[email protected]" comment..
	-o Saves key in new ED25519 format rather than more compatible PEM Format. New format increases resistance to brute-force password cracking but not support by OpenSSH prior to 6.5


Example usage (in order of preference - security):
  ssh-keygen -o -a 500 -C "[email protected]"
  ssh-keygen -t ecdsa -a 500 -b 521 -C "[email protected]"
  ssh-keygen -t rsa -a 500 -b 4096 -C "[email protected]"

Example usage (in order of preference - usability):
  ssh-keygen -t rsa -a 500 -b 4096 -C "[email protected]"
  ssh-keygen -t ecdsa -a 500 -b 521 -C "[email protected]"
  ssh-keygen -o -a 500 -C "[email protected]"

To verify:
  ssh-keygen -l -f ssh/id_ed25519
  Output: 
    256   SHA256:2..............w [email protected] (ED25519)
    ^^^   ^^^^^^^^^^^^^^^^^       ^^^^^^^^^^                  ^^^
     |__ Size    |__ Fingerprint      |__ Comment             |__ Type


To copy public key:
  Using ssh-copy-id:
    ssh-copy-id username@remote_host
  Manually, one-line:
    cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
  Manually, copying public string into auth keys:
    echo public_key_string >> ~/.ssh/authorized_keys


Key Type Reference
OS                            OpenSSH	         Type
Ubuntu 12.04	                5.9	      dsa, rsa,ecdsa
Ubuntu 14.04                    6.6	      dsa, rsa,ecdsa,ed25519
Ubuntu 16.04                    7.2	      dsa*,rsa,ecdsa,ed25519
Ubuntu 18.04                    7.6           dsa*, rsa**, ecdsa, ed25519
Fedora 23                       7.1           dsa*,rsa,ecdsa,ed25519
CentOS 7                        6.4           dsa, rsa,ecdsa
Mac OS X 10.11 (El Capitan)     6.9	      dsa, rsa,ecdsa,ed25519
macOS 10.12 (Sierra DP)	        7.2           dsa*,rsa,ecdsa,ed25519
Cmder	                        7.1           dsa*,rsa,ecdsa,ed25519
Window 10 (14342)               6.6.1         dsa, rsa,ecdsa,ed25519
PuTTY	                        N/A           dsa, rsa,ecdsa[1],ed25519[1]
* - disabled by default for sshd 
** - Refuse RSA keys <1024 bits in length, default size is 2048
[1] - PuTTY stable only supports dsa and rsa but the latest development snapshots support ecdsa and ed25519.
Source: https://chealion.ca/2016/06/20/ssh-key-types-and-cryptography-the-short-notes/


To skip the prompt to ask for passphrase, add: -N ""

Physical Setup:
- localhost can SSH to Host1 & Host2
- Host1 & Host2 cannot SSH to each other.

**Copying files from one server to another with keys on local server:**
scp -3 user1@host1:/path/to/file user2@host2:/path/to/destination

**Copying files and subfolders recursively from one server to another with keys on local server:**
scp -3rp user1@host1:/path/to/file user2@host2:/path/to/destination

**Generating public key from private key**
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

*Resources:*
https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/
https://chealion.ca/2016/06/20/ssh-key-types-and-cryptography-the-short-notes/
https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process
https://superuser.com/questions/686394/scp-between-two-remote-hosts-from-my-third-pc
https://securitytrails.com/blog/mitigating-ssh-based-attacks-top-15-best-security-practices