USA ISPs to launch massive copyright spying scheme July 12

ASmith

Re: USA ISPs to launch massive copyright spying scheme July

Post by ASmith »

I'm reminded of the trials and tribulations book on the popular encryption mode (Pretty Good Protection) PGP written by the author back in the 1990s, before most people realised just how ruthless the police state in America was becoming. The author, upon creating and inventing PGP, got his visit from a trio of US agent thugs/goons threatening and extorting him like he was Al Capone who had just robbed a federal bank. Such makes for interesting reading; however, what that author described has since been re-enacted hundreds of times upon other software developers, ISPs, major search engine engineers and even noted digital money transfer CEOs.
"On April 10, 1991, shortly after the Gulf War, a message from WHMurray@DOCKMASTER.NCSC.MIL cascaded across the computer nets, warning about one sentence buried in a massive 'anti-terrorism' bill authored by Senators Biden and DeConcini. Their Senate Bill 266 declared, 'It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plain text contents of voice, data, and other communications when appropriately authorised by law.'" [1]
Bill Murray, then a computer-security consultant to the NSA, wrote:

The referenced language requires that manufacturers build trap-doors into all cryptographic equipment (including software) and that providers of confidential channels reserve to themselves, their agents, and assigns the ability to read all traffic.[1]

It has all been leading to the new massive NSA facility being built in Utah with enormous server storage capabilities. Many third-world countries couldn't even afford to pay the power bill on that single facility, much less foot the gigantic costs for the 100 acres of computers, AND yet during America's economic collapse, with millions on food stamps, unemployed and a large percentage of homeless citizens, the US Government has the ready cash for building this monument to an East Germany-styled police state which in no fashion is representative of what the American people want. Oh, but US Senator Orrin Hatch sure looks good with that golden shovel, doesn't he? [3]

The NSA Is Building the Country's (Earth's) Biggest (Domestic) Spy Center (during a Recession) http://www.wired.com/threatlevel/2012/0 ... nter/all/1

This short revisit of a single case 20 years ago helps connect the dots to the present computer privacy losses and threats to freedom and liberty. This single case also does well to underscore the dark side of US agencies, where their agents smile and tell you that you have nothing to worry about, AND if you have nothing to hide then you must be guilty of terrible crimes to want encryption programs, much less use them. The cough Agents, as alleged by Phil Zimmermann, threatened to fabricate a false but substantial narcotics charge against him if he didn't agree to their software backdoor demands. Would YOU have the presence of mind to tell them to talk to your attorney and demand they immediately leave?

[1] The Persecution of Phil Zimmermann (author of PGP), American, by FBI, NSA agents http://www.contra.org/pgp/PhilZimmerman.html
[2] NSA Can Break PGP Encryption via a Backdoor http://www.austinlinks.com/Crypto/break-pgp.html
[3] NSA's Spy Program "Stellar Wind" Exposed http://www.thenewamerican.com/tech-main ... r-is-blown
[4] TrueCrypt, open source non-USA-written software found uncrackable recently by a team of FBI agents (cyber division) who spent 12 months trying to gain access to a banker's personal files encrypted with Serpent and/or Threefish using TrueCrypt http://www.truecrypt.org/
monkeyboy

Re: USA ISPs to launch massive copyright spying scheme July

Post by monkeyboy »

It's the next scare tactic slated for failure. For as long as I can remember there has been one failed scheme after another to protect digital information. I also suspect there is another can't-fail scheme in the pipe for when this current one fails to function as desired too. Fear not.
ASmith

Re: USA ISPs to launch massive copyright spying scheme July

Post by ASmith »

It's been confirmed that Utah's US Senator Orrin Hatch successfully lobbied for the creation of the gigantic new domestic US spying NSA center in Utah, with hundreds of acres of computers specifically designed to intercept, decrypt and store all US citizens' personal information, Internet, device entries, cell calls and GPS trafficking, along with photo and facial recognition with facial biometrics directly tied into millions of US and world CCTV feeds.

How this relates to the Linux Mint community is the further need for encryption of their Internet and device uses. In Mint, users can add mCrypt and TrueCrypt, which both support the Blowfish, Twofish and Serpent encryption algorithms, which appear to have stopped all attempts to crack thus far provided they are over 128-bit encryption and have a strong password (full length).

To properly prepare for the NSA/FBI obtaining all the log records on your personal computer/device habits via your USA ISPs, it's vitally important to begin becoming familiar with Internet and network encryption tunnels.

Many realise the HTTP protocol sends plain text into the massive Internet, which is easily captured and scanned. Everything you type into a form, social media frame etc. in the HTTP protocol is exposed as plain text from your computer or device to that website or server. If that same website supports the HTTPS protocol, that enables the user to deploy encryption levels and kinds based on what that server and website supports, sending encrypted information instead of plain text to anything sniffing and snooping the packets coming from your Internet IP. A nifty free add-on for Firefox users is HTTPS Anywhere, which tries to determine whether that website supports HTTPS (encrypted) sessions constantly or not and, if so, switches over to it.

Many websites and servers, however, do not give their users full-time HTTPS support, either thru not wanting that CPU load (encryption slightly increases the bandwidth needed) or not having sufficient HTTPS ports for its total traffic to utilise. Given the present police state atmosphere, non-HTTPS websites are really behind the times and leave their users and themselves open to attackers as well as NSA/FBI crackers and snooping.

SSL tunnelling using the HTTPS protocol is the most widely used and common, in that it is built into browsers to automatically create and encrypt/decrypt data to and from HTTPS websites. This was also widely accepted in the early days of the police state clamping down on file sharing, as Wikileaks began exposing various Government cables and files to the public and the clamp-down began actively going after and logging all FTP file sharing websites and the filenames being sent out. This gave rise to the now wider acceptance of FTPS (FTP with SSL automatic encryption/decryption protocol) to help add a layer of encryption regarding what files were being sent via an FTPS server to a client; with the standard FTP protocol, like HTTP, what is being sent can be easily seen or captured.

The advantage of SSL (Secure Socket Layers) tunnelling is largely its automatic usage and hence its widespread acceptance.

Setting up the Firefox browser to only use the strongest encryption ciphers possible
https://calomel.org/firefox_ssh_proxy.html

For moderate Linux users, SSH tunnelling (Secure Shell) is often employed for an encrypted, secure connection to a specific server or website. SSH tunnels are relatively easy to set up for a client and not that difficult for a host (server) to set up. The distinct advantage is that EVERYTHING going into the SSH tunnel is encrypted, which means going in from either end (client data to the server, website data to the client), and all your ISP or an NSA/FBI or hacker/cracker snoop would see is an encrypted data stream from a server or proxy going to your machine. Many POP3 (email) and websites, including file sharing services still existing, do not offer full-time HTTPS (SSL) encryption protection. However, once the Mint user is connected to an SSH server (OpenSSH) they can easily, with a forward direct port sequence, extend the SSH tunnel to proxy for each of your devices individually, setting up your IRC, email handler, browser etc. individually to accept the SSH tunnel in a proxy setting. SSH shell accounts can be found on the Internet in a free Unix offering, and OpenSSH (a popular SSH client and server) is freeware for those who wish to build their own (recommended) SSH server.

A very unique setup is to run the OpenSSH server on your Mint user computer and the OpenSSH client locally on your Mint user computer AT THE SAME TIME. I might walk the Mint community thru this unique application if I find enough interested and have the time to do so. [ See the following follow-up reply with step-by-step details ]

For more advanced Linux users, VPN tunnelling (Virtual Private Network) is widely used to extend an entire encrypted sub-network communication to include all other common forms of Internet devices system-wide. The slightly more complicated setup simply relates to the multiple forms of VPN tunnelling, and each of their options must be exactly matched to the VPN server to operate correctly. Invariably VPN servers are mostly pay-to-use. The very few free public VPNs that exist are rare, and often a Gov. agency or their proxies perform a brief spam campaign on a free public VPN server to get it shut down after only a few months' use. Linux's OpenVPN is freeware and very popular for advanced Linux users to set up their own VPN server. Generally with the pay-to-use VPN servers, their IT staff will provide its users precise steps on which options you must choose for the VPN network connection; once those are set it is mostly click ON and click OFF, reliable and secure.

References:

SSH Tunneling - Poor Techie's VPN, Linux Journal
http://www.linuxjournal.com/content/ssh ... echies-vpn

How to Set Up a Secure Web Tunnel
http://www.pcworld.com/businesscenter/a ... unnel.html

SSH Tunneling for Secure Web Surfing
http://parabing.com/2011/04/01/ssh-tunn ... b-surfing/

How to do a SSH connection through a Web Proxy
http://sun.hasenbraten.de/~frank/docs/proxytunnel.html
Last edited by ASmith on Sun Apr 22, 2012 7:36 pm, edited 1 time in total.
xenopeek

Re: USA ISPs to launch massive copyright spying scheme July

Post by xenopeek »

ASmith wrote: A very unique setup is to run OpenSSH server on your Mint user computer and the OpenSSH client locally on your Mint user computer AT THE SAME TIME. I might walk the Mint community thru this unique application if I find enough interested and have the time to do so.
I'd be interested in that.
ASmith

Re: USA ISPs to launch massive copyright spying scheme July

Post by ASmith »

Setting up, creating and testing an SSH encrypted tunnel

A unique way to freely create and test the creation and use of an SSH encrypted tunnel on your Linux Mint computer uses the freeware OpenSSH server and client software.

*Optional software: to visually show the Mint user that all of your data is encrypted and being sent from your local Mint-driven machine into the SSH tunnel to the application (browser, email, XChat) easily, I'll be using the Firestarter iptables GUI front-end for illustration purposes. Such could be seen as optional; however, it must be pointed out that ANYTIME a user runs a tunnelling connection (SSL, VPN, SSH) you should keep an eye on port connections via a firewall graphics utility interface such as Firestarter to make certain there are no unauthorised connections. Yes, Linux Mint iptables rules are adequate with proper settings; however, I urge Mint users to have a graphic interface to occasionally keep an eye on in real time also.

*Optional software: gSTM is an optional GUI SSH tunnel manager which allows the Mint user to quickly and easily set up their SSH accounts and ports, then simply activate, minimise while in use, then simply choose 'Stop' and 'Quit' to close the SSH tunnel when it's no longer wanted or being used.

*Optional software: EtherApe is an optional GUI visual port packet interface which shows the user the SSH, HTTPS and plain-Jane WWW transfers at a colorful glance, as well as which IPs those protocols are being addressed to.

Let's start with installing the SSH software
Via Linux Mint Terminal Mode:
sudo apt-get install openssh-server openssh-client

* OPTIONAL SOFTWARE BUT RECOMMENDED:
sudo apt-get install firestarter
sudo apt-get install gstm
sudo apt-get install etherape

OK, once SSH is installed, you will need to modify the configuration file (/etc/ssh/sshd_config). First, using the Mint user terminal (Ctrl-Alt-T), enter this command to make a back-up copy of your sshd_config file in case you need the original unedited copy:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
then:
sudo gedit /etc/ssh/sshd_config

You will need to check/change/add the following lines:

# What ports, IPs and protocols we listen for
Port 22
# Port 443 <- Use Port 443 if you need to bypass user blocks on Port 22 and use standard SSL Port 443
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
#ServerKeyBits 768 <----Lame Weak Default!
#ServerKeyBits 2048 <--Recommended 2 years ago.
#ServerKeyBits 4096
ServerKeyBits 8192

# Authentication:
LoginGraceTime 30
StrictModes yes
MaxAuthTries 3
PermitRootLogin no
PermitTunnel yes
#AllowUsers tom jerry bill
#AllowGroups groupsshaccess <--Uncomment and use if you want to add another layer of protection via groups. (The keyword is AllowGroups; sshd rejects the file if it is spelled AllowGroup.)

Now restart your SSH server with the following command, and run it with root privileges in the Mint users terminal mode:

sudo /etc/init.d/ssh restart
OR
sudo service ssh stop
Followed by:
sudo service ssh start

Now that you've restarted the SSH server with the new settings, you should now be able to log in to your SSH server on port 22, following the example below, using either the Mint terminal CLI mode or the gSTM GUI.

Remember you will be using the exact Mint Login Name you used and will be prompted for that exact password also. When the SSH public key exchange prompt comes up you answer the word yes and your new SSH public key will be added to your client keyring designating you as OK to access the SSH server. Afterwards you'll simply be asked to supply your password given the following directions and CLI Terminal Commands or thru the gSTM GUI Interface.

Again, Since this is the first time you're connecting to this server, there will be displayed an alert and prompt you to confirm the host's fingerprint. (This should happen only once; thereafter, your SSH client will confirm that the SSH server encrypted fingerprint hasn't changed. If it does change, that could indicate that your connection has been tampered with.) You'll see text similar to the following:

The authenticity of host 'Your IP in this example or the SSH Server Address' can't be established. RSA key fingerprint is 11:22:33:44:55.

Are you sure you want to continue connecting? Yes

Once you confirm the fingerprint, you'll be prompted to enter your password, because you provided the username on the command line already.

Login via your client-side SSH encrypted tunnel

Via the Mint CLI Terminal:

Run the following command to create an SSH tunnel. In this testing example the SSH server is listening on port 22 and you are dynamically forwarding the SSH tunnel via port 9001. You can, however, change the dynamically forwarded tunnel port to any port from 1025 thru 65000 as you desire that is not in conflict with another running service.

ssh -D 9001 -C YourMintLoginName@YourIP -p 22

--> example: ssh -D 9001 -C asmith@124.216.250.178 -p 22
--> If you don't know what your IP exactly is: http://www.whatismyip.com/

Then minimise this terminal window while using your SSH encrypted Tunnel and remember to close it when you wish to close your SSH encrypted Tunnel and finish your SSH sessions.

* Security Step when not using the OpenSSH server setup on your local machine*
sudo /etc/init.d/ssh stop OR sudo service ssh stop

The optional '-C' SSH switch just adds compression to the SSH encrypted tunnel connection. Once you've successfully connected using the above command, you're ready to set your browser's proxy configuration. You can repeat this with local port forwarding (see further SSH switch examples later) for non-browser network applications (such as POP3, IMAP, IRCD) if they allow you to manually set a proxy connection. Above all, these examples are given as a learning and testing tutorial to help YOU learn how to set up, use and deploy an SSH encrypted tunnel.

*Optional software: gSTM GUI SSH client tunnel manager. To first set up and then log in using the gSTM GUI SSH tunnel management interface, use the gSTM GUI front-end to create your client-side SSH encrypted tunnel connected to the SSH server:

Run the gSTM GUI Utility via the Mint Menu Internet > gSTM

Add your Mint login name
Choose Properties:
Tunnel properties > Tunnel configuration
  Name:  Mint Login Name
  Login: Mint Login Name
  Host:  YOUR IP address, example 191.144.147.198
  Port:  22 (example 443 if you are bypassing user blocks)
Port redirection
  Type     Port   To host
  dynamic  9001   n/a
Choose OK

To activate via gSTM, highlight your name, select Start, supply your password at the prompt, then minimise the gSTM window for as long as you want the SSH tunnel active.

Next, Configuring your browser applications to use the SSH encrypted Tunnel Proxy

Configuring the Firefox, Opera Internet web browsers to use the Proxy

In Firefox, go to Edit>Preferences>Advanced>Network>Settings
Select "Manual Proxy Configuration"
For "SOCKS Host:" enter "localhost" and for "Port:" enter "9001"
Choose "SOCKS v5"
Click "OK"

In Opera, go to Settings>Preferences>Advanced>Network>Settings
Select 'Proxy Servers'
Check 'SOCKS': enter "127.0.0.1" and for "Port:" enter "9001"
Click "OK"

***Point your web browser to whatismyip.com to find out if your IP address is being reported as the same as the IP address of the computer running your SSH server. If it's the same, then everything works. In the above creation and test of a local SSH server and client you'll simply be shown your local IP; however, connecting to a remote SSH server should indicate the IP address of the remote SSH server.

That's about all you have to do to surf through a private SSH tunnel with Firefox, Opera and any browser that simply allows you to manually add a SOCKS5 proxy, using your own Linux OpenSSH server.

View of Success with the Client Use of a SSH Encryption Tunnel

*Optional software: if you are running the optional Firestarter GUI firewall interface, you'll see in your active connections that the proxied browser will now have:

Source      Destination       Port   Service   Program
YourIP      YourIP            22     SSH       ssh
127.0.0.1   127.0.0.1         9001   Unknown
YourIP      BrowsertargetIP   80     HTTP      sshd:login name
YourIP      BrowsertargetIP   443    HTTPS     sshd:login name

Each of your Internet browser connected proxy applications connected to your SSH encrypted tunnel will be prefaced in your active connections listing as sshd:login name (OpenSSH daemon and your login name). This shows you those applications are being piggy-backed thru the SSH encrypted tunnel.

NOTE: Today I was able to use the system wide Network Proxy Application (gnome-network-properties) on a box running Mint 11 Standard set to 'Manual Proxy Configuration' Socks Host: 127.0.0.1 Port 9001 which then automatically shifted email browser and XChat under the SSH encrypted Tunnel protocol as well. In the above Firestarter example using the Gnome Network Proxy for a system wide connection, under Firestarter's category Program is now the number 1 on all of the Internet applications. I doubt that however means Tun1 (Tunnel 1).

The Firestarter information illustrated above shows you are connected to the OpenSSH server via port 22. Your dynamic forwarding port is 9001 to your machine's IP. The browser in this example is tunnelling both regular HTTP port 80 traffic as well as SSL encrypted HTTPS port 443 traffic thru the encrypted SSH tunnel.

Normal Browser Remote Connection via your local SSH client and a remote SSH server operation via the Mint users terminal CLI command: (You could optionally add the -C compression switch)

$ ssh -ND 9001 username@server.websitewelcome.com

The username in this example (again using dynamic port 9001 forwarding) would be either your Mint login username OR what that server administrator has assigned as your username, and the ICANN website URL. The 'N' option tells the SSH client that you do not want an interactive session (a command prompt), because you just want to set up a tunnel.

Another example of testing your local machine's SSH server using your Mint terminal: if it is working properly you'll be prompted for your local machine password (the RSA fingerprint transfer will have already occurred in the aforementioned setup) unless this is the first time you are accessing your local machine's SSH server:

$ ssh username@localhost

With your SSH server and client up and running, and your browser or other network application properly proxied thru dynamic or local port forwarding:
*Optional software: run the optional EtherApe application to visually see the SSH, HTTPS and HTTP-ALT packets distributed to their select servers.

Additional SSH switches and examples to use for tunnelling POP3 services and other applications of SSH tunnelling:
All right, let's get into switches. No, no, not the switches your pa made you pull off the tree branch when you broke ma's favorite vase: SSH switches.

A typical SSH tunnel (without tunneling X) looks like this:

ssh -N -p 22 bob@mylinuxserver.xxx -L 2110:localhost:110

Where:
-N
= Do not execute a remote command
-p 22
= External SSH port 22. I tend to use other external SSH ports to keep intruders from hitting my home SSH server
bob@mylinuxserver.xxx
= username@hostname(or ip address)
-L 2110:localhost:110
= Bind information. Broken down as such: client-port:hostname:hostport. In this example you're binding POP3 on the server to your localhost port 2110

So how about some examples?

Forward pop3 and smtp through SSH:

ssh -N -p 2022 bob@mylinuxserver.xxx -L 2110:localhost:110 -L 2025:localhost:25

Forward google Talk through SSH:
(-g Allows remote hosts to connect to local forwarding ports)

ssh -g -p 2022 -N bob@mylinuxserver.xxx -L 5223:talk.google.com:5223

Basically anything that is sent in plain-text can be secured via SSH tunneling. Once you have established the tunnel, on the client-side you would configure your settings for the hostname as localhost and the port as your 'client-port', be it 2110,2020,5223, or any other port that you have selected to forward through.

Encrypt your HTTP Traffic

This is another one that goes without saying. If you work for a company that has an 'IT Acceptable Use Policy' check before you do this. This is one that I use whenever I'm out of town or in a place that I don't trust the wifi. On an android I'll use my SSHTunnel app, but if I'm on my laptop I use the following SSH command
ssh -D 5222 bob@mylinuxserver.xxx -N

After you make a connection, then set your browser of choice (or any application that allows proxy) to localhost:5222. This will create a dynamic port forward and tunnel all the application traffic through your SSH server, both encrypting your data and bypassing content filters.
Tunneling X and VNC Sessions

Remember when you added 'X11Forwarding yes' to your sshd_config? This is where tunneling X comes in.
ssh -X -p 2022 bob@mylinuxserver.xxx

You guessed it, -X tunnels X. Remember though, this will tunnel X apps from your remote machine to your client machine running Linux. If you somehow find you're on a Microsoft Windows machine and want to tunnel, just install Cygwin/X (http://x.cygwin.com/) on your guest OS. I haven't personally tried this but from what I understand it gives you an X windowing system that should allow you to run your remote X apps in Windows.

When it comes to tunneling VNC sessions, you have to be careful. If the client you're tunneling from has a vnc server running on say 5900, make sure you don't decide to put your local forwarding port at 5900 or you will just connect right back to yourself. Connecting via VNC is as straight forward as any of the other services:
ssh -p 2022 bob@mylinuxserver.xxx -L 5900:localhost:5900

In this example you're connecting to SSH external port 2022 as user bob to mylinuxserver.com. Your local forwarding port is 5900; the port you want to forward is mylinuxserver.com's 5900 VNC. Once you set up the forward you can open up your VNC client of choice and type localhost:0, at which point you should be connected via VNC to your remote desktop. If you used 5901, then it would be localhost:1, and so on and so forth.[1]
Here is the variant I use which adds compression, and not logging into your server (aka, only forwarding ports). The command also prints out information about what is connecting. I love to see the output that shows all this working which the -vv option provides:

ssh -vv -CND 1080 username@hostname.com

[2]
Further References:

[1] SSH Tunneling - Poor Techie's VPN http://www.linuxjournal.com/content/ssh ... echies-vpn
[2] SSH Tunnel Proxy http://www.netdip.com/ssh-tunnel-proxy- ... or-mac-i4/
[3] Bypass almost any firewall with an SSH tunnel on port 443 http://www.netdip.com/bypass-almost-any ... rt-443-i6/
[4] Guide to Setting Up a Secure SSH Tunnel http://www.netdip.com/ssh-tunnel-proxy- ... or-mac-i4/
[5] Configure SSH tunneling with Ubuntu and surf privately http://www.netdip.com/configure-ssh-tun ... vately-i0/
Last edited by ASmith on Mon Apr 23, 2012 4:26 am, edited 2 times in total.
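A small audit script for the sshd_config settings posted above, written as an added example (not the post's own code and not part of OpenSSH). It reads the file the way sshd does (comments stripped, keywords case-insensitive, the first occurrence of a repeated keyword wins) and reports lines that drift from the posted values; the embedded config is a constructed sample, not a real server's file.

```python
"""Check an sshd_config against the hardening values posted above.

Parsing rules assumed here (from sshd_config(5)): '#' starts a comment,
keywords are case-insensitive, and when a keyword appears more than once
only the FIRST occurrence is used.
"""
import re

# Constructed sample: the posted snippet, with a stray 'PermitRootLogin yes'
# placed before the 'no' (so it wins) and the two SSH-1-only options left in.
SAMPLE_SSHD_CONFIG = """\
# What ports, IPs and protocols we listen for
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 8192
LoginGraceTime 30
StrictModes yes
MaxAuthTries 3
PermitRootLogin yes
PermitRootLogin no
PermitTunnel yes
#AllowGroups groupsshaccess
"""

# keyword -> acceptable values (lower-case), taken from the posted config
EXPECTED = {
    "protocol": {"2"},
    "permitrootlogin": {"no"},
    "strictmodes": {"yes"},
    "useprivilegeseparation": {"yes", "sandbox"},
}
# keyword -> upper bound, again from the posted config
MAX_VALUES = {"maxauthtries": 3, "logingracetime": 30}
# ServerKeyBits / KeyRegenerationInterval only ever applied to SSH protocol 1;
# with 'Protocol 2' they change nothing, and OpenSSH 7.4+ rejects them.
LEGACY_V1 = {"serverkeybits", "keyregenerationinterval"}


def parse_sshd_config(text):
    """Return ({keyword: first value}, [keywords that were repeated])."""
    settings, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)  # 'Key value' or 'Key=value'
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2).strip()
        if key in settings:
            duplicates.append(key)  # sshd ignores every later copy
        else:
            settings[key] = value
    return settings, duplicates


def audit(text):
    """Return a list of findings; an empty list means the file matches."""
    settings, duplicates = parse_sshd_config(text)
    findings = []
    for key, allowed in EXPECTED.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not set, sshd's default applies")
        elif value.lower() not in allowed:
            findings.append(f"{key}: is '{value}', expected one of {sorted(allowed)}")
    for key, limit in MAX_VALUES.items():
        value = settings.get(key)
        if value is not None and value.isdigit() and int(value) > limit:
            findings.append(f"{key}: {value} exceeds the recommended {limit}")
    for key in sorted(LEGACY_V1 & settings.keys()):
        findings.append(f"{key}: SSH-1 option, has no effect under Protocol 2")
    for key in duplicates:
        findings.append(f"{key}: set more than once, only the first line counts")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG):
        print("FINDING:", finding)
```

Run it against the real file with `audit(open("/etc/ssh/sshd_config").read())` after editing; an empty result means every posted setting is in force as written.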
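The -L / -D / -g / -N switches walked through above, as an added example (not the post's or the Linux Journal article's code): a parser for the command lines shown in this thread plus a pre-flight check for the two pitfalls the text describes, a local forwarding port that collides with a service already running on the client (the VNC loop-back case) and -g, which opens the forward to other machines on your network. The argument grammar it assumes is the one in ssh(1): -L [bind_address:]port:host:hostport and -D [bind_address:]port.

```python
"""Parse ssh tunnel command lines from this thread and flag pitfalls early.

Grammar assumed (from ssh(1)): -L [bind_address:]port:host:hostport,
-D [bind_address:]port, -p port, -g, -N, and bundled letters such as -CND.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

LOOPBACK = {None, "localhost", "127.0.0.1", "::1"}


@dataclass
class Forward:
    kind: str                      # "local" (-L) or "dynamic" (-D, SOCKS proxy)
    listen_port: int               # port ssh opens on the client machine
    bind_address: Optional[str]    # None = ssh's default, loopback only
    host: Optional[str] = None     # -L only: where the server connects to
    host_port: Optional[int] = None


@dataclass
class TunnelCommand:
    destination: str               # user@host
    ssh_port: int = 22
    forwards: List[Forward] = field(default_factory=list)
    gateway_ports: bool = False    # -g: other hosts may use the forwards
    no_command: bool = False       # -N: forward only, no remote shell


def _split_spec(spec, fields):
    """Split 'a:b:c' or 'bind:a:b:c' into (bind_address, [a, b, c])."""
    parts = spec.split(":")
    if len(parts) == fields + 1:
        return parts[0], parts[1:]
    if len(parts) == fields:
        return None, parts
    raise ValueError(f"malformed forward spec: {spec}")


def parse_ssh_command(cmdline):
    argv = shlex.split(cmdline)
    if not argv or argv[0] != "ssh":
        raise ValueError("expected an 'ssh ...' command line")
    cmd = TunnelCommand(destination="")
    i = 1
    while i < len(argv):
        arg = argv[i]
        i += 1
        if not arg.startswith("-"):
            cmd.destination = arg
            continue
        letters = arg[1:]
        for pos, letter in enumerate(letters):
            if letter in "LDp":            # option letters that take a value
                if pos != len(letters) - 1:
                    raise ValueError(f"-{letter} must be last in '{arg}'")
                value = argv[i]
                i += 1
                if letter == "p":
                    cmd.ssh_port = int(value)
                elif letter == "L":
                    bind, (lport, host, hport) = _split_spec(value, 3)
                    cmd.forwards.append(Forward("local", int(lport), bind, host, int(hport)))
                else:
                    bind, (lport,) = _split_spec(value, 1)
                    cmd.forwards.append(Forward("dynamic", int(lport), bind))
            elif letter == "g":
                cmd.gateway_ports = True
            elif letter == "N":
                cmd.no_command = True
            # -C, -v, -X and the other letters do not affect the forwards
    if not cmd.destination:
        raise ValueError("no user@host destination given")
    return cmd


def review(cmd, client_listening_ports=()):
    """Warnings to read before starting the tunnel. client_listening_ports
    lists services already bound on the client, e.g. {5900} when a local VNC
    server is running (the loop-back case described in the post)."""
    warnings = []
    for fw in cmd.forwards:
        flag = "-L" if fw.kind == "local" else "-D"
        if fw.listen_port in client_listening_ports:
            warnings.append(f"{flag} {fw.listen_port}: a service already listens on "
                            f"this port; ssh cannot bind it or you connect to yourself")
        if cmd.gateway_ports or fw.bind_address not in LOOPBACK:
            warnings.append(f"{flag} {fw.listen_port}: reachable from other machines "
                            f"(-g or a non-loopback bind address), not just this one")
    if not cmd.no_command:
        warnings.append("no -N: a remote shell is opened in addition to the tunnel")
    return warnings
```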
ASmith

Re: USA ISPs to launch massive copyright spying scheme July

Post by ASmith »

Generating pairs of strong public and private RSA encrypted key-pairs for your SSH server/client

While 2048-bit RSA encryption is the minimum, given the police state atmosphere in America, the UK and now across Europe, this example entirely uses the much more robust 4096-bit and 8192-bit RSA-based public/private key sets.

Via the Mint User Terminal (Ctrl-Alt-T) enter this command:

$ ssh-keygen -t rsa -b 4096
After your 4096-bit keys are generated, then:
$ ssh-keygen -t rsa -b 8192
Generate your 8192-bit public/private RSA encrypted key-pairs. Be patient with generating your 8192-bit keys, as some machines may take a while to generate them.
While your output will slightly differ, the following examples will guide you and provide you input on what is asked, output and expected.

# Generating public-private rsa key

Enter file in which to save the key (/home/asmith/.ssh/id_rsa): ASmith12272012
Enter pass-phrase (empty for no pass-phrase):
Enter same pass-phrase again:
Your identification has been saved in ASmith12272012.
Your public key has been saved in ASmith12272012.pub.

The key fingerprint is:
65:83:71:19:91:4c:eb:37:d1:68:a8:8d:cf:23:86:66 asmith@asmith-D123ABC
The key's randomart image is:
+--[ RSA 4096]----+
| . o.o*o. |
| o o.++ |
| + + o |
| * o + . |
| S . . o |
| . o . . |
| E o + o |
| o . . . o |
| |
+-----------------+

Comments

Adding comments to keys can allow you to organise your keys more easily. The comments are stored at the end of the public key file and can be viewed in clear text. For example:

cat id_rsa2.pub
ssh-rsa AAAWB3NzaC1yc2EAAAABIwAAQQEAyyA8wePstPC69PeuHFtOwyTecByonsHFAjHbVnZ+h0dpomvLZxUtbknNj3+c7MPYKqKBOx9gUKV/diR/mIDqsb405MlrI1kmNR9zbFGYAAwIH/Gxt0Lv5ffwaqsz7cECCBbMojQGEz3IH3twAvDfF6cu5p00QfP0MSmEi/eB+W+h30NGdqLJCziLDlp409jAfXbQm/4Yx7apLvEmkaYSrb5f/pfvYv1FCV1tS8/J7DgdHUAWo6gyGUUSZJgsyHcuJT7v9Tf0xwiFWOWL9WsWXa9fCKqTeYnYJhHlqfinZRnT/+jkz0OZ7YmXo6j4Hyms3RBOqenIX1W6gnIn+eQIkw== This is the key's comment

As you can see the comment is appended in clear text to the end of the public key file. To alter the comment just edit the public key file with a plain text editor such as nano or vim.

To add a comment to the public key file when generating the key, add to the key generation command -C "your comment". For example, to generate a 4048-bit RSA key with "home machine" as a comment you will do the following:

ssh-keygen -b 4048 -t rsa -C "home machine"

asmith@asmith-D123ABC ~ $ ssh-keygen -b 4096 -t rsa -C "HomeMachine 12272012"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/asmith/.ssh/id_rsa): HomeMachine12272012
Enter pass-phrase (empty for no pass-phrase):
Enter same pass-phrase again:
Your identification has been saved in HomeMachine12272012.
Your public key has been saved in HomeMachine12272012.pub.
The key fingerprint is:
a4:ce:14:a7:bb:ab:71:4e:64:0a:ef:c3:72:51:d0:96 HomeMachine 12272012
The key's randomart image is:
+--[ RSA 4096]----+
| .. . |
| .E |
| .. . |
| . . . |
| o =. o S . |
| * = . + |
| * o ++ |
| o = . o |
| o.o.+. |
+-----------------+

While the pass-phrase boosts the security of the key, under some conditions you may want to leave it empty. Leaving the pass-phrase empty allows you to use the key from within scripts, for example to transfer a file via scp. While passphraseless keys are very useful for scripts, just remember to only use them on trusted machines.

You can change the pass-phrase of key after it’s been created, and you should do it at least annually. To change the pass-phrase execute:

ssh-keygen -p

After this you will be prompted to enter the location of your private key and enter twice the new pass-phrase. If you don’t want a pass-phrase just enter empty one.

Feel free to share your public keys; as the name suggests, they should be public. Keep in mind that your private keys should be kept private. If someone gets hold of your private key, change it immediately, even if it's pass-phrase protected.
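To show what the `cat id_rsa2.pub` output above actually contains, here is an added example (not code from the post or from OpenSSH) that encodes and then decodes an ssh-rsa public-key line: it recovers the key type, the modulus size in bits, the clear-text comment at the end, and the MD5 fingerprint in the colon-separated form ssh-keygen printed above. The modulus is constructed from a fixed hash so the example runs offline; it is not a real key and must not be used as one.

```python
"""Encode and decode an OpenSSH 'ssh-rsa <base64> comment' public-key line.

Wire format (RFC 4253 / RFC 4716): the base64 blob is a sequence of
length-prefixed strings: "ssh-rsa", then mpint e, then mpint n. The MD5
fingerprint ssh-keygen printed in the post is MD5 over that blob only, so
the trailing comment is not covered by it.
"""
import base64
import hashlib
import struct

# Constructed 4096-bit "modulus": a fixed hash repeated, top bit forced to 1.
# Not a real RSA key; it only exercises the encoding and parsing.
CONSTRUCTED_MODULUS = (
    int.from_bytes(hashlib.sha256(b"constructed for the example").digest() * 16, "big")
    | (1 << 4095) | 1
)


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    # positive mpint: big-endian bytes, with a leading 0x00 when the high bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rsa_public_line(modulus, exponent=65537, comment=""):
    """Produce the line ssh-keygen writes to id_rsa.pub."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(exponent) + _ssh_mpint(modulus)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def _read_string(blob, offset):
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_public_line(line):
    """Return type, modulus bits, exponent, MD5 fingerprint and comment."""
    fields = line.strip().split(None, 2)  # type, base64, optional comment
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded, offset = _read_string(blob, 0)
    if embedded != key_type.encode("ascii"):
        raise ValueError("type field and encoded blob disagree")
    info = {
        "type": key_type,
        "comment": comment,
        "md5": ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest()),
    }
    if key_type == "ssh-rsa":
        e_raw, offset = _read_string(blob, offset)
        n_raw, offset = _read_string(blob, offset)
        info["exponent"] = int.from_bytes(e_raw, "big")
        info["bits"] = int.from_bytes(n_raw, "big").bit_length()
    return info


if __name__ == "__main__":
    line = build_rsa_public_line(CONSTRUCTED_MODULUS, comment="HomeMachine 12272012")
    print(parse_public_line(line))
```

Feeding `parse_public_line` a line read from your own `~/.ssh/id_rsa.pub` gives the same `bits` and `md5` values that `ssh-keygen -l -E md5` reports for that file.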