Most users would simply type
ssh-keygen and accept what they’re given by default.
But what are the best practices for generating
ssh keys with
-o for the OpenSSH key format rather than the older PEM format (OpenSSH 6.5 introduced this feature years ago on 2014-01-30)
How should one calculate how many rounds of KDF to use with
-T be used to test the candidate primes for safety? What
-a value to use with this?
For the different key types, what are the recommended minimum
-b bit sizes?
etc… (there are a mind-boggling set of options in the manual page).
For extra protection use
chattr on those keys e.g.
sudo chattr + /home/"username"/.ssh/id_rsa.pub
/etc/passwd as well as
Answered by user192494 on November 11, 2021
Here's a one liner for Ed25519 based on recommended values: (without passphrase)
ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519 -q -N ''
Another one for RSA:
ssh-keygen -t rsa -b 4096 -o -a 100 -f ~/.ssh/id_rsa -q -N ''
-N: New passphrase
Edit & disclaimer:
To answer some comments, this answer focus on simplicity, and indicates explicitly that it's not using a passphrase for the key.
the one liners above can be used in a non-interactive script to generate key pairs. If you don't like using an empty passphrase you can set one after
-N option (it will be recorded to shell history), or set an environment variable that reads user input.
Answered by Yassine ElBadaoui on November 11, 2021
I recommend the Secure Secure Shell article, which suggests:
ssh-keygen -t ed25519 -a 100
Ed25519 is an EdDSA scheme with very small (fixed size) keys, introduced in OpenSSH 6.5 (2014-01-30). These have complexity akin to RSA at 4096 bits thanks to elliptic curve cryptography (ECC). The
-a 100 option specifies 100 rounds of key derivations, making your key's password harder to brute-force.
However, Ed25519 is a rather new key algorithm (Curve25519's popularity spiked only when it was surmised that other standards had been diluted) and its adoption is not yet universal. Large steps were made in 2018, so we're nearly there, but on older systems or for older servers, you can generate a similarly-complex RSA key with 4096 bytes:
ssh-keygen -t rsa -b 4096 -o -a 100
-o option also requires OpenSSH 6.5 and is the default starting in v7.8, so it is no longer present in the
ssh-keygen man page. This dictates usage of a new OpenSSH format to store the key rather than the previous default, PEM. Ed25519 requires this new format, so we don't need to explicitly state it given
-t ed25519. A previous man page stated that “the new format has increased resistance to brute-force password cracking.” See this answer for more detail.)
Do not consider the other new ECC algorithm called ECDSA. It is considered suspect (it has known weaknesses and since the US government has been involved in its development, it may be compromised beyond that). Ed25519 was developed without any known government involvement.
Stay well away from DSA (“ssh-dss”) keys: they're not just suspect, DSA is insecure.
Answered by Adam Katz on November 11, 2021
Most users would simply type
ssh-keygenand accept what they're given by default.
Yes. To do a security for people, it needs to be simple. Therefore the default option should be safe, compatible and fast. You can provide alternatives, but default should be "good enough" for these who don't care. Therefore RSA (2048) in the old PEM format is the default at the moment.
-ofor the OpenSSH key format rather than the older PEM format (OpenSSH 6.5 introduced this feature almost 3 years ago on 2014-01-30)
Three years is nothing. A lot of containers managed to evolve during these years, but SSH is here more than 20 years and still needs to deal with older clients. The new OpenSSH format is not widely adopted and supported yet.
- How should one calculate how many rounds of KDF to use with
Depends on the use case. Creating your key for your "stuff" repo on Github will be different than creating a keys in your favorite national agency as a certification authority or to access super-secret documents on dedicated server.
As pointed out, this is only for the new format, which is not yet widely used and it increases the time to decrypt key. The default number of rounds is
16 (would be nice to see it documented somewhere). More in the Cryptography question.
-Tbe used to test the candidate primes for safety? What
-avalue to use with this?
No. It is used for generating primes (
/etc/ssh/moduli) for DH key exchange. It is not used in any way for generating SSH keys. How to generate and test the
moduli file is explained in separate chapter
MODULI GENERATION of manual page for
- For the different key types, what are the recommended minimum
This is not SSH specific, but generally key sizes are recommended by NIST in this document, page 12 (per 2015):
RSA (2048 bits) ECDSA (Curve P-256)
The Ed25519 does have fixed size so the
-b parameter is ignored.
Answered by Jakuje on November 11, 2021
1 Asked on August 4, 2020 by user23013
1 Asked on July 29, 2020 by happyface
Get help from others!