My personal RSA whoops


There’s been much talk about OpenSSH user enumeration vulnerabilities. This is a more pedestrian post, or stationary one if you were sitting down.

I was bashing my head against a desk for the better part of twenty minutes last week, trying to figure out why my SSH key wasn’t being accepted. I VNC’d into the box — because I use a cloud that can do that — and checked the authorized_keys file for the third time.

Can you see the issue? It took me leaving to get a coffee and coming back to notice immediately.

[Screenshot: output from VNC showing my authorized_keys file]

For those using screen readers, or if you haven’t yet figured it out, the second key starts with sss-rsa ssh-rsa instead of just the latter. Whoops!

I’m still blown away that for all our intelligence, mine notwithstanding, we can be staring at something for so long the obvious becomes opaque.
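A check that flags this kind of line mechanically, as an added example that is not part of the original post. It follows sshd's fallback of reading a non-key first field as options, and it also compares the declared key type with the type name stored inside the base64 blob. The key type and option lists are partial, and the sample keys are constructed placeholders.

```python
import base64, binascii, re, struct

# Common key types and options from sshd(8); neither list is exhaustive.
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
OPTIONS = ["command", "environment", "from", "restrict", "cert-authority", "pty",
           "no-pty", "no-agent-forwarding", "no-port-forwarding", "no-x11-forwarding"]
FIELD = re.compile(r'((?:"(?:\\.|[^"\\])*"|[^\s"])+)')  # whitespace split, quote-aware
OPTS = re.compile(r'(?:(?:%s)(?:="(?:\\.|[^"\\])*")?(?:,|$))+' % "|".join(OPTIONS), re.I)

def blob_type(b64):
    """Return the key type name stored inside the base64 blob, or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n].decode("ascii") if len(raw) >= 4 + n else None
    except (binascii.Error, struct.error, UnicodeDecodeError):
        return None

def lint(text):
    """Return (line_number, problem) pairs for entries sshd would not accept."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        f = FIELD.findall(line)
        if not f or f[0].startswith("#"):
            continue
        if f[0] not in KEY_TYPES:  # a non-key first field is read as options
            if not OPTS.fullmatch(f[0]):
                problems.append((no, "unknown option or key type: " + f[0]))
                continue
            f = f[1:]
        if len(f) < 2 or f[0] not in KEY_TYPES:
            problems.append((no, "missing or unknown key type"))
        elif blob_type(f[1]) != f[0]:
            problems.append((no, "blob does not match declared type " + f[0]))
    return problems

def sample_blob(ktype):  # constructed placeholder: type name plus zero bytes, not a real key
    return base64.b64encode(struct.pack(">I", len(ktype)) + ktype.encode() + bytes(36)).decode()

SAMPLE = "\n".join([  # constructed authorized_keys content
    "ssh-ed25519 " + sample_blob("ssh-ed25519") + " laptop",
    "sss-rsa ssh-rsa " + sample_blob("ssh-rsa") + " desktop",  # the typo from the post
    'command="uptime",no-pty ssh-ed25519 ' + sample_blob("ssh-ed25519") + " monitor",
    "ssh-rsa " + sample_blob("ssh-ed25519") + " mismatched",
])

if __name__ == "__main__":
    for no, problem in lint(SAMPLE):
        print(f"line {no}: {problem}")
```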

As an aside, I’ve also been moving to using ed25519 where I can. Despite the name, the keys are much shorter and could almost be committed to memory if one were so inclined. Okay maybe not, but still far shorter than 4096-bit RSA.

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!