17 January 2019

New SSH implementation

SSH keys are rightly considered a more secure method of authentication than the traditional username/password method. To maintain the high security level of our service, we have upgraded the SSH library in Buddy to support the Ed25519 format.

Along with these changes, we have performed an internal audit, which resulted in moving the whole infrastructure to the more secure SSH standard.

If you’re not sure why you should use Ed25519 over other standards, have a look at this article.

  1. From now on, you’re able to authenticate with Ed25519 and OpenSSH keys in SSH and SFTP actions. Both actions are often used together by our customers: after a successful SFTP deployment, they execute the needed command on the server via SSH.

    • Adding support for that key forced us to reimplement the authorization mechanisms in these actions. First of all, we changed the SSH library from JSch to Apache SSHD. To ensure that this change won’t affect already defined actions, we did not change the library in them; they still use the old implementation.
    • If you want to update your existing SSH key to the more secure solution, you should replace the old action with a new one.
    Setting a private SSH key
  2. If you’re using Buddy Git Hosting, you can now use an Ed25519 key to authorize to our Git server. In order to do so, you have to add this key here: https://app.buddy.works/ssh-keys/add

  3. Since RSA keys are still the most popular ones and many servers don’t support Ed25519 at the moment, we haven’t changed the key format of Buddy Key; for now it’s still going to be generated in the RSA format.

    RSA key