Generating SSH key pairs

Despite some recent excitement, SSH continues to be both a utility and a protocol that I use heavily every day. I also have to give a shout-out to mosh, which is a must-have overlay; if you aren't using it, stop reading this now and go get mosh.

Not often, but every once in a while I find myself needing to generate a new key pair for use with SSH. GitHub has one of the best articles on doing this, but it's not quite what I want. I find myself having to re-think the small differences I want to make each time, so it's clearly time to write up what I do so I can just visit this post when I need to generate a key.

Yup, that's it. In the directory you run this, two files are generated: the private key is basename, and the public key is basename.pub. Keep the private key private (ssh-keygen writes it with mode 0600; leave it that way) and only ever copy the .pub file to other systems. I'm also a fan of the .ssh/config file, which you may want to adopt; it makes it easy to use different keys for different systems.

Breaking down the creation command: we are generating a key using the Ed25519 algorithm (-t ed25519), which anything running OpenSSH 6.5 or newer supports, so most modern systems will. Next we add a comment (-C); I find this useful to identify what the public key is for. The comment is stored in the .pub file and travels with it wherever you paste it, so keep it descriptive but not sensitive. Last is the filename (-f) the output is written to; ssh-keygen derives the .pub name from it.

You'll see that comments often have no whitespace in them. If you want to be risk averse, avoid spaces and use dashes or something similar; a comment with spaces is legal, but tools that split the key line on whitespace can mangle it.
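The post's command itself didn't survive here, so as an added example (mine, not the post's own command) here is the ssh-keygen invocation the breakdown above describes, wrapped in a small script that also adds the matching Host stanza to .ssh/config. The key name, alias and hostname are placeholders.

```shell
#!/bin/sh
# Added example (not the post's own command): generate an Ed25519 SSH key pair
# with a comment and an explicit output name, then wire it into ~/.ssh/config.
# Names such as "gh", "github.com" and the key file names are placeholders.
set -eu

# gen_key BASENAME COMMENT [PASSPHRASE]
# Writes BASENAME (private key, mode 0600) and BASENAME.pub. An empty passphrase
# is accepted only so the example runs non-interactively; for a key you really
# use, pass one (or drop -N and let ssh-keygen prompt for it).
gen_key() {
  base=$1; comment=$2; pass=${3:-}
  ssh-keygen -q -t ed25519 -C "$comment" -f "$base" -N "$pass"
  ssh-keygen -l -f "$base.pub"      # print fingerprint, bits and comment
}

# add_host CONFIG ALIAS HOSTNAME USER IDENTITYFILE
# Appends a Host stanza so that `ssh ALIAS` offers exactly this key and no
# other (IdentitiesOnly stops the agent from trying every key it holds).
add_host() {
  cfg=$1; name=$2; host=$3; user=$4; key=$5
  if grep -q "^Host $name\$" "$cfg" 2>/dev/null; then
    echo "Host $name already present in $cfg" >&2
    return 1
  fi
  cat >> "$cfg" <<EOF

Host $name
    HostName $host
    User $user
    IdentityFile $key
    IdentitiesOnly yes
EOF
}

# resolve_key CONFIG ALIAS: print the IdentityFile configured for ALIAS
resolve_key() {
  awk -v a="$2" '$1=="Host"{cur=$2} $1=="IdentityFile" && cur==a {print $2}' "$1"
}

# Usage, for example:
#   gen_key ~/.ssh/id_ed25519_github my-laptop-github
#   add_host ~/.ssh/config gh github.com git ~/.ssh/id_ed25519_github
#   ssh -T gh
```

The comment is whatever you pass as the second argument, so the "no spaces" advice above is easy to follow; the public key to paste into GitHub is the .pub file that ssh-keygen -l prints the fingerprint of.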

Cloudflare Managed DNS

Consider this an update to a previous article where I talked about using rebel.ca to manage my DNS records. I still like them as a company, and the support is generally good, but I will no longer recommend them. Without getting into the details, I had a DNS management problem with them that was the last straw for me; it resulted in about 36 hours of downtime for this domain.

The good news is that today there are lots of free managed DNS providers. Really, this isn't a huge technical challenge. You need at least two nameserver (NS) records in the delegation your registrar publishes for the domain in the parent (TLD) zone; that delegation is what tells the rest of the world which servers are authoritative for your names. Ideally those nameservers are hosted on machines on different networks in different locations for redundancy. As far as managing the records goes, having a friendly web UI isn't a huge problem in 2024. The authoritative servers answer queries from the many recursive resolvers out there asking for a name-to-IP mapping. Yes, there are real costs to operating one of these, but for an individual personal domain the number of queries and the amount of data is pretty tiny.

I decided to go with Cloudflare; they offer a generous free plan and are pretty central to the operation of the internet as a whole. Hopefully I can trust them to manage my DNS records, but I do have some reluctance because the internet is dominated by a few huge tech companies, which isn't great. I believe the internet needs to be built on open standards, with lots of medium-sized companies providing services.

You can sign up for Cloudflare in minutes. Entirely self service, and email confirmation is used to give you full access.

Adding one of my domains to be managed by Cloudflare is easy. I click on the 'Website' entry in the left navigation bar, then pick +Add a site and enter the domain I want them to manage DNS for.

Now we pick the ‘Free’ plan and move to the next step.

Cloudflare does a pretty slick job of sniffing out your existing DNS records (assuming you have some) and populating its configuration. Review these carefully and edit as needed: the scan can only find records it can look up or guess, so compare the result against an export from your current provider and add anything missing (TXT records for mail, less obvious subdomains) before you switch nameservers. Then we can continue.

As I mentioned above, I really don't want Cloudflare messing with things much, so I disabled the "Proxy" for all of my records and have them set up as DNS only. In this mode the records answer with my own addresses rather than Cloudflare's, and traffic goes straight to my servers. If I ever have a problem, I can go in and use some of their free DDoS protection stuff, but let's start with just the basics.

To make Cloudflare my DNS provider, I need to change the nameserver (NS) records with my domain registrar so that the delegation points at the Cloudflare nameservers. Cloudflare monitors this and marks the domain 'active' in the dashboard, but the DNS records are already created, so things are good to go. It was a matter of minutes for my domain to become active once I'd updated the nameservers with my registrar. Resolvers that cached the old NS records can keep asking the old provider until that TTL expires, so leave the old zone in place for a day or two rather than deleting it right away.
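Once the registrar change is in, the delegation described above and the "DNS only" setting are both things you can verify from outside. The following is an added example of mine (not from the post or from Cloudflare) that does so with dig; the domain, the nameserver names and the origin IP are placeholders for your own values.

```shell
#!/bin/sh
# Added example, not part of the post: checks to run after moving a domain's
# DNS to a new provider. Needs dig (dnsutils / bind-utils). "example.com",
# the nameserver names and the origin IP used below are placeholders.
set -eu

# norm_names LIST: lowercase, strip trailing dots, sort, dedupe (one per line)
norm_names() {
  printf '%s\n' $1 | tr '[:upper:]' '[:lower:]' | sed 's/\.$//' | sort -u
}

# name_sets_match EXPECTED ACTUAL: true if both lists hold the same names,
# regardless of case, trailing dots or order (dig returns names with a dot)
name_sets_match() {
  [ "$(norm_names "$1")" = "$(norm_names "$2")" ]
}

# check_delegation DOMAIN NS...: the NS set seen through a resolver must equal
# the set the new provider gave you, and every listed server must agree on the
# zone's SOA serial (otherwise they are out of sync, or one is not yours).
check_delegation() {
  domain=$1; shift
  seen=$(dig +short NS "$domain")
  if ! name_sets_match "$*" "$seen"; then
    echo "NS mismatch for $domain: resolver returned '$seen'" >&2
    return 1
  fi
  serials=$(for ns in "$@"; do
              dig +short SOA "$domain" @"$ns" | awk '{print $3}'
            done | sort -u)
  if [ "$(printf '%s\n' "$serials" | wc -l | tr -d ' ')" -ne 1 ]; then
    echo "SOA serial differs between nameservers: $serials" >&2
    return 1
  fi
  echo "delegation OK: $domain -> $(norm_names "$*" | tr '\n' ' ')serial $serials"
}

# check_origin DOMAIN IP: with the proxy switched off ("DNS only") the A record
# must answer with your own origin address, not one belonging to the provider.
check_origin() {
  answers=$(dig +short A "$1")
  if printf '%s\n' "$answers" | grep -qx "$2"; then
    echo "A $1 -> $2 (not proxied)"
  else
    echo "A $1 answered '$answers', expected $2" >&2
    return 1
  fi
}

# Usage, for example (placeholder values):
#   check_delegation example.com alice.ns.cloudflare.com bob.ns.cloudflare.com
#   check_origin www.example.com 203.0.113.10
```

Run check_delegation a few times over the first day: while old NS records are still cached, different resolvers can legitimately return different answers, and the script tells you which set you are seeing.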

I did this back a few weeks ago. So far so good, but then again DNS is pretty boring when it’s not breaking the internet.


OpenWRT on GL.iNet GL-MT6000 (aka: Flint 2)

I was reading through the OpenWRT forum several months back to see if the TP-Link AX23 was still the right upgrade choice for me. I've been very happy with the classic TP-Link Archer C7, having three of these as my core network (two as dumb APs). I came across this thread on devices for 'newcomers' and discovered the GL.iNet GL-MT6000; it looks like a monster bit of hardware at a pretty low price point. My travel router is a GL.iNet device and it's been great hardware for OpenWRT. Then bonus time at work hit, and I ran out of excuses not to buy the GL-MT6000.

While you can buy directly from GL.iNet, just after I pushed the buy-now button there I discovered that I was going to be on the hook for import duties and that shipping was via FedEx. I've not had good experiences with this path, and the administration fees are high. The support process from GL.iNet was amazing: a few emails and my order was cancelled without any fuss.

I ended up buying via Amazon.ca (camelcamelcamel link) because shipping costs were predictable. I see that it's not currently in stock, but my total including shipping was $248.49, still a deal for this much hardware.

Speaking of hardware:

  • Two 2.5GbE ports
  • 1GB RAM
  • 8GB flash
  • Quad-core 2GHz CPU
  • Wi-Fi 6

This may not be enough hardware to handle 1Gb symmetric fibre, but I'm still on a much slower 100/30 cable plan. It also gets me thinking about upgrading my network switches to 2.5Gb, but that's a different post.

The device itself has some heft to it; there is apparently a sizeable heat sink inside. The power cord is short, about 3′, and there is no power switch. Not a problem for me, but I can see why some people felt this was a limitation.

Of course, the very first thing I'm going to do is flash this with OpenWRT. This is as simple as grabbing the sysupgrade.bin file linked from https://openwrt.org/toh/gl.inet/gl-mt6000 and connecting to the device over a wired connection. Before uploading it, check the image's SHA-256 against the sha256sums file published in the same download directory, so you know you are flashing the image the project actually built and not a truncated or tampered download.

The factory firmware hosts an administration web UI at http://192.168.8.1/ for basic setup. I'm prompted to pick a language and set a password.

From this screen we select Upgrade in the left navigation bar, then Local Upgrade, and upload the sysupgrade.bin file we downloaded.

The built-in firmware handles the upgrade very nicely; it even detects a kernel change and automatically selects not to keep settings (which is what the OpenWRT wiki advises).

Even during the upgrade, the web UI is pretty slick.

Once it hits 100% it will automatically reboot. Since the OpenWRT default LAN address is different, we need to visit a different admin page, http://192.168.1.1, once it comes back. A fresh OpenWRT install has no root password set, so log in and set one before doing anything else.
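The one step the walkthrough above skips is verifying the downloaded image before it goes into the Local Upgrade dialog. As an added example (mine, not the post's or the OpenWRT project's tooling), the script below fetches the sysupgrade image and the sha256sums file and checks them against each other; the download path and image name follow the downloads.openwrt.org layout for the mediatek/filogic target as I understand it and are an assumption, so confirm them on the device page.

```shell
#!/bin/sh
# Added example, not part of the post: verify an OpenWRT sysupgrade image
# against the sha256sums file published next to it before uploading it to the
# router. The release directory and image name in fetch_release are assumed
# from the downloads.openwrt.org layout; check the device wiki page.
set -eu

# sha256_of FILE: print the hex digest (GNU coreutils or macOS shasum)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_image IMAGE SUMSFILE: IMAGE's basename must be listed in SUMSFILE
# (lines look like "<hex> *<name>") and the listed digest must equal the
# digest of the file actually on disk. Returns 1 on any mismatch.
verify_image() {
  name=$(basename "$1")
  expected=$(awk -v n="$name" '{f=$2; sub(/^\*/, "", f); if (f==n) print $1}' "$2")
  if [ -z "$expected" ]; then
    echo "$name is not listed in $2" >&2
    return 1
  fi
  actual=$(sha256_of "$1")
  if [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $name: got $actual, expected $expected" >&2
    return 1
  fi
  echo "$name: sha256 OK"
}

# fetch_release RELEASE DIR: download the GL-MT6000 sysupgrade image and the
# sha256sums for RELEASE (e.g. 23.05.3) into DIR, then verify. Paths assumed.
fetch_release() {
  base="https://downloads.openwrt.org/releases/$1/targets/mediatek/filogic"
  img="openwrt-$1-mediatek-filogic-glinet_gl-mt6000-squashfs-sysupgrade.bin"
  curl -fsSLo "$2/$img" "$base/$img"
  curl -fsSLo "$2/sha256sums" "$base/sha256sums"
  verify_image "$2/$img" "$2/sha256sums"
}

# Usage, for example:
#   mkdir -p ~/flint2 && fetch_release 23.05.3 ~/flint2
```

The sums file only protects against a bad download if it is itself genuine; the project also publishes a signature for it (sha256sums.sig, verified with usign and the OpenWRT release keys), which is worth checking when you are not fetching over HTTPS from the project's own host.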

I have to say that the exterior of the device has a matte black finish, and the angular styling appeals deeply to my 80’s stealth bomber admiring inner teen. It reminds me of the USRobotics Courier 56k modems back in the day.

At this point we've got OpenWRT installed, and it's just a matter of working through the configuration steps. I did run into a few problems that were cases of tripping over my own feet. Linux apparently 'remembers' the name of a Wi-Fi connection along with its security type, so if you change the encryption but not the SSID you can run into problems. I also messed up one of the passwords with a typo. Eventually I got it all settled down and things worked great.