diff --git a/core/config.js b/core/config.js
index 11f9bcb2..5c1f9c42 100644
--- a/core/config.js
+++ b/core/config.js
@@ -276,24 +276,26 @@ function getDefaultConfig() {
 port : 8889,
 enabled : false, // default to false as PK/pass in config.hjson are required
 //
- // Private Key (PK) in PEM format
+ // To enable SSH, perform the following steps:
 //
- // Generating your PK:
- // 1 - Choose a cipher (3DES, AES128, or AES256)
- // 3des : older, most compatible, least secure
- // aes128 : newer, widely compatible, fairly secure
- // aes256 : newest, least compatible, best security
+ // 1 - Generate a Private Key (PK):
+ // Currently ENiGMA 1/2 requires a PKCS#1 PEM formatted PK.
+ // To generate a secure PK, issue the following command:
 //
- // 2 - Choose a bit strength (2048 or 4096)
- // 2048 : most compatible, decent strength
- // 4096 : stronger, but some software is completely incompatible
+ // > openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
+ // -pkeyopt rsa_keygen_pubexp:65537 | openssl rsa \
+ // -out ./config/ssh_private_key.pem -aes128
 //
- // Sample command:
- // openssl genrsa -aes128 -out ./config/ssh_private_key.pem 2048
+ // (The above is a more modern equivelant of the following):
+ // > openssl genrsa -aes128 -out ./config/ssh_private_key.pem 2048
 //
- // Then, set servers.ssh.privateKeyPass to the password you use above
- // in your config.hjson
+ // 2 - Set 'privateKeyPass' to the password you used in step #1
 //
+ // 3 - Finally, set 'enabled' to 'true'
+ //
+ // Additional reading:
+ // - https://blog.sleeplessbeastie.eu/2017/12/28/how-to-generate-private-key/
+ // - https://gist.github.com/briansmith/2ee42439923d8e65a266994d0f70180b
 //
 privateKeyPem : paths.join(__dirname, './../config/ssh_private_key.pem'),
 firstMenu : 'sshConnected',
diff --git a/docs/servers/ssh.md b/docs/servers/ssh.md
index a71f8250..c576f38e 100644
--- a/docs/servers/ssh.md
+++ b/docs/servers/ssh.md
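Review bot: The comment added to getDefaultConfig() in core/config.js says a PKCS#1 PEM key is required, but neither command pins that format: on OpenSSL 3.x both `openssl rsa` and `openssl genrsa` write PKCS#8 unless `-traditional` is given, so a key generated by following these steps may not load. I would append the flag in the comment, e.g. `// -out ./config/ssh_private_key.pem -aes128 -traditional`, with a remark that older OpenSSL releases may not accept it and already emit PKCS#1. The identical text in the docs/servers/ssh.md and misc/config_template.in.hjson hunks needs the same change, and the ssh.md note writes `-3des` where the OpenSSL option is `-des3`. getDefaultConfig() starts and ends outside the hunk.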
@@ -35,8 +35,17 @@ Entries available under `config.loginServers.ssh`: ``` ## Generate a SSH Private Key -To utilize the SSH server, an SSH Private Key will need generated. OpenSSL can be used for this task: +To utilize the SSH server, an SSH Private Key (PK) will need generated. OpenSSL can be used for this task: +### Modern OpenSSL ```bash -openssl genrsa -des3 -out ./config/ssh_private_key.pem 2048 +openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pkeyopt rsa_keygen_pubexp:65537 | openssl rsa -out ./config/ssh_private_key.pem -aes128 ``` + +### Legacy OpenSSL +```bash +openssl genrsa -aes128 -out ./config/ssh_private_key.pem 2048 +``` + +Note that you may need `-3des` for every old implementations or SSH clients! + diff --git a/misc/config_template.in.hjson b/misc/config_template.in.hjson index 504cd02d..5e523e72 100644 --- a/misc/config_template.in.hjson +++ b/misc/config_template.in.hjson @@ -110,10 +110,26 @@ port: XXXXX // - // To enable SSH: - // 1) Generate a Private Key (PK): - // > openssl genrsa -des3 -out ./config/ssh_private_key.pem 2048 - // 2) Set "privateKeyPass" below + // To enable SSH, perform the following steps: + // + // 1 - Generate a Private Key (PK): + // Currently ENiGMA 1/2 requires a PKCS#1 PEM formatted PK. + // To generate a secure PK, issue the following command: + // + // > openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \ + // -pkeyopt rsa_keygen_pubexp:65537 | openssl rsa \ + // -out ./config/ssh_private_key.pem -aes128 + // + // (The above is a more modern equivelant of the following): + // > openssl genrsa -aes128 -out ./config/ssh_private_key.pem 2048 + // + // 2 - Set 'privateKeyPass' to the password you used in step #1 + // + // 3 - Finally, set 'enabled' to 'true' + // + // Additional reading: + // - https://blog.sleeplessbeastie.eu/2017/12/28/how-to-generate-private-key/ + // - https://gist.github.com/briansmith/2ee42439923d8e65a266994d0f70180b // enabled: XXXXX
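Review bot: Step 2 of the new comment block in misc/config_template.in.hjson tells the operator to put the key passphrase into the config file, but nothing in the steps says to restrict who can read that file or the generated PEM. Because the passphrase is kept in plain text in the same config tree as the key, the `-aes128` encryption protects the key only from readers who cannot also see the config, so file permissions are the real control here. I would add a line after step 2 such as `// Restrict the key and this file to the BBS user (e.g. chmod 600); the passphrase is stored here in plain text`. The same steps in the core/config.js hunk would benefit from the same line.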