I want to force all users to use only ed25519 type keys when logging in via SSH / SFTP to a Linux server which is running a recent version* of OpenSSH.
The reasons include:
In many cases, SSH keys have been completely overlooked in identity and access management planning, implementation, and audits. Users have been able to create and install keys without oversight and controls. This has led to violations of corporate access policies and dangerous backdoors.
Information security starts from controlling who is given access to systems and data. If there is no control over access, there is no security, no confidentiality, no integrity, and no guarantees of continued operation.
However, I do not wish to remove the ability for a user to manage their own SSH keys (including adding, removing, changing the keys). My only objective is to mandate that the key used is of type ed25519.
How can this be accomplished while maintaining the above user privileges and while maintaining this setting?
The main (non-default) sshd_config settings I’m using on this server include:
The only host key enabled:
    HostKey /etc/ssh/ssh_host_ed25519_key
    PermitRootLogin no
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    UsePAM yes
    AuthorizedKeysFile .ssh/authorized_keys
    KexAlgorithms email@example.com
    MACs firstname.lastname@example.org
    Ciphers email@example.com
    AllowUsers user@host ...
However, with those settings a user can still select an older user identity key type and use it to log in. My only objective now is to stop a user from getting access except via an ed25519 user identity key. How?
*Actually running: OpenSSH_8.1p1, OpenSSL 1.1.1d
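An added example, not part of the question above, showing the sshd_config directive that restricts public-key authentication to ed25519 on OpenSSH 8.1 (PubkeyAcceptedKeyTypes; renamed PubkeyAcceptedAlgorithms in 8.5, with the old name kept as an alias), together with a small POSIX shell helper that audits an existing authorized_keys file for keys that would stop working once the directive is in place. Users keep managing their own .ssh/authorized_keys; sshd simply never accepts a key of any other type. Function names and the sample key lines in the test are constructed for this example.

```shell
#!/bin/sh
# Fragment to append to /etc/ssh/sshd_config (OpenSSH 8.1 has no Include
# directive, so it goes in the main file). Verify the effective value
# afterwards with: sshd -T | grep -i pubkeyacceptedkeytypes
ed25519_only_fragment() {
    printf '%s\n' \
        '# Only ed25519 user identity keys are accepted for public-key auth' \
        'PubkeyAcceptedKeyTypes ssh-ed25519' \
        '# Only the ed25519 host key algorithm is offered to clients' \
        'HostKeyAlgorithms ssh-ed25519'
}

# Audit an authorized_keys file: print the key type of every line that is
# not ssh-ed25519 (these keys will be rejected under the fragment above).
# Exit status 1 if any such key is found, 0 if the file is clean.
audit_authorized_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            t = ""
            # Lines may carry a leading options field (e.g. command="..."),
            # so take the first field that looks like a key algorithm name.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { t = $i; break }
            }
            if (t == "") t = "unknown"
            if (t != "ssh-ed25519") { print t; bad++ }
        }
        END { exit bad > 0 }
    ' "$1"
}
```

Run the audit over each user's authorized_keys before enabling the directive, so that nobody is locked out with a key that sshd will silently ignore.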