What are ssh-keygen best practices?

Question

Most users would simply type ssh-keygen and accept what they're given by default.

But what are the best practices for generating ssh keys with ssh-keygen?

For example:

Use -o for the OpenSSH key format rather than the older PEM format (OpenSSH 6.5 introduced this feature years ago on 2014-01-30)
How should one calculate how many rounds of KDF to use with -a?
Should -T be used to test the candidate primes for safety? What -a value to use with this?
For the different key types, what are the recommended minimum -b bit sizes?
etc... (there are a mind-boggling set of options in the manual page).

(2) http://crypto.stackexchange.com/questions/40311/how-many-kdf-rounds-for-an-ssh-key (3) `-T` tests probable-primeness not 'safety'; you should never install a moduli file that isn't primes (4) for RSA at least 2048 maybe 3072; for DSA NIST requires _group_ 2048 but also _subgroup and hash_ 224+ and SSH can't handle the latter (yet?); for ECDSA the minimum possible 256 is fine; for Ed25519 there is no choice — dave_thompson_085, Nov 24 '16 at 06:18
Confusingly the manual explanation for `-T` is: `Test DH group exchange candidate primes (generated using the -G option) for safety.`. What is primes(4), and how does one translate this into something that can be typed at a command line (eg, in the RSA case)? — Tom Hale, Nov 24 '16 at 07:26
'primes' is the last word of my '(3)' about your third bullet and '(4)' is about your fourth bullet. Yes the man page for ssh-keygen is misleading; the page it links to for moduli(5) (that '(5)' meaning section 5 in the Unix man scheme) is better but still not exact. In short if you want to generate 'moduli' (really pairs of modulus and generator) always do `-G` THEN `-T` and use only the second result. It does produce 'safe' primes (p=2q+1) but 'safe' here is a historical relic, it is nonsmooth prime that matters. — dave_thompson_085, Nov 24 '16 at 09:13
Bleah! Of course no prime is smooth, and I meant DH wants prime with _order of Zp\* i.e. p-1_ nonsmooth. While I'm at it, most of the mind-boggling options are about key import/export/conversion and file management and OpenSSH's idiosyncratic certs; the actual key (and even parameter) generation options in the program named keygen are relatively few. — dave_thompson_085, Nov 26 '16 at 07:55
Necroed: new keyfile format is the default (for all keytypes) since 7.8 in 2018-08 and -o is no longer needed (or documented) — dave_thompson_085, Mar 22 '21 at 03:32

score 250 · Accepted Answer · edited Mar 21 '22 at 23:58

250

I recommend the Secure Secure Shell article, which suggests:

ssh-keygen -t ed25519 -a 100

Ed25519 is an EdDSA scheme with very small (fixed size) keys, introduced in OpenSSH 6.5 (2014-01-30) and made default ("first-preference") in OpenSSH 8.5 (2021-03-03). These have complexity akin to RSA at 4096 bits thanks to elliptic curve cryptography (ECC). The -a 100 option specifies 100 rounds of key derivations, making your key's password harder to brute-force.

However, Ed25519 is a rather new key algorithm (Curve25519's popularity spiked only when it was surmised that other standards had been diluted) and its adoption is not yet universal. Large steps were made in 2018, so we're nearly there, but on older systems or for older servers (like CentOS/RHEL < 7 or Ubuntu < 15.04), you can generate a similarly-complex RSA key with 4096 bits:

ssh-keygen -t rsa -b 4096 -o -a 100

(You may need to omit the -o option since it requires OpenSSH 6.5+ and is the default starting in v7.8, at which point it was removed from the ssh-keygen man page. This dictates usage of a new OpenSSH format to store the key rather than the previous default, PEM. Ed25519 requires this new format, so we do not need to explicitly state it given -t ed25519. A previous man page stated that “the new format has increased resistance to brute-force password cracking.” See this answer for more detail.)

Do not consider the other new ECC algorithm called ECDSA. It is considered suspect (it has known weaknesses and since the US government has been involved in its development, it may be compromised beyond that). Ed25519 was developed without any known government involvement.

Stay well away from DSA (“ssh-dss”) keys: they're not just suspect, DSA is insecure.

edited Mar 21 '22 at 23:58

Ned64

245
1
2
13

answered Nov 30 '16 at 22:17

Adam Katz

10,418
2
22
48

1

Another good thing to remember is that you can keep your rsa keys around until you migrate all your host systems to your new ed25519 public key. Put both in the agent, and the client/host will negotiate the best supported. – Raman Jan 22 '18 at 21:43
Azure Linux VM's don't work with ed25519 https://support.microsoft.com/en-my/help/4013792/can-t-use-ed25519-ssh-keys-for-azure-linux-vms – juanmah Mar 05 '18 at 09:29
2

@juanmah – Yes, that's why I linked the [Ed25519 adoption](https://ianix.com/pub/ed25519-deployment.html) page and offered RSA 4096 as an alternative. That page points to [Cyberduck](https://cyberduck.io/) for implementing Ed25519 on Azure (though that's presumably for Windows, not Linux). I'd assume you could upgrade OpenSSH on the Linux VM; the newer the better, but Ed25519 requires OpenSSH 6.5+. If you want a lightweight server, consider installing [pts-dropbear](https://github.com/pts/pts-dropbear). – Adam Katz Mar 05 '18 at 15:20
To make this stupid easy for me, I added this to my `.bashrc` file: `alias ssh-keygen="ssh-keygen -t rsa -b 4096 -o -a 100"` – void.pointer Sep 19 '18 at 18:33
3

[As of 7.8 about a month ago](https://www.openssh.com/txt/release-7.8) (see the first bullet) `ssh-keygen` writes 'new' format automatically, and if you want legacy format (for other than ed25519) you use `-m PEM` – dave_thompson_085 Oct 02 '18 at 01:00
Why would you use `-a` without providing a passphrase? – Basil Bourque Jul 09 '19 at 00:26
3

@BasilBourque – It will prompt you for a passphrase. If you provide a passphrase on the command line like `-N "secret pass phrase e>Q9= octet"` then it's visible to other users on the system (e.g. `ps auxww |grep keygen`) and it is saved in your command history, so it's best to enter interactively. – Adam Katz Jul 09 '19 at 13:42

score 26 · Answer 2 · edited Aug 29 '18 at 10:22

Most users would simply type ssh-keygen and accept what they're given by default.

Yes. To do a security for people, it needs to be simple. Therefore the default option should be safe, compatible and fast. You can provide alternatives, but default should be "good enough" for these who don't care. Therefore RSA (2048) in the old PEM format is the default at the moment.

Use -o for the OpenSSH key format rather than the older PEM format (OpenSSH 6.5 introduced this feature almost 3 years ago on 2014-01-30)

Three years is nothing. A lot of containers managed to evolve during these years, but SSH is here more than 20 years and still needs to deal with older clients. The new OpenSSH format is not widely adopted and supported yet.

How should one calculate how many rounds of KDF to use with -a?

Depends on the use case. Creating your key for your "stuff" repo on Github will be different than creating a keys in your favorite national agency as a certification authority or to access super-secret documents on dedicated server.

As pointed out, this is only for the new format, which is not yet widely used and it increases the time to decrypt key. The default number of rounds is 16 (would be nice to see it documented somewhere). More in the Cryptography question.

Should -T be used to test the candidate primes for safety? What -a value to use with this?

No. It is used for generating primes (/etc/ssh/moduli) for DH key exchange. It is not used in any way for generating SSH keys. How to generate and test the moduli file is explained in separate chapter MODULI GENERATION of manual page for ssh-keygen.

For the different key types, what are the recommended minimum -b bit sizes?

This is not SSH specific, but generally key sizes are recommended by NIST in this document, page 12 (per 2015):

RSA (2048 bits)
ECDSA (Curve P-256)

The Ed25519 does have fixed size so the -b parameter is ignored.

It is usually best practice to generate a key on the same system where you use it, so incompatibility between new file format and old software isn't a big problem. The _algorithm_ (`-t`) is more often an issue: ed25519 keys won't interop with older versions, even ECDSA won't work with very old or RedHat-formerly-nobbled versions, while new versions reject DSA unless you tweak the configuration (there are already several Qs on that) -- so as you said we end up with RSA as the the works-everywhere choice. — dave_thompson_085, Nov 26 '16 at 08:02
Regarding protocols, my `sshd_config` man page says: `The default is ‘2’. Protocol 1 suffers from a number of cryptographic weaknesses and should not be used. It is only offered to support legacy devices. ` — Tom Hale, Dec 07 '16 at 23:25
Yes. I don't even think somebody would want to allow this protocol. It is not default on any of the current systems and there is no reason to allow it. — Jakuje, Dec 08 '16 at 07:34
@TomHale update: protocol 1 (including rsa1 keys) was deleted at 7.6 in 2017-10 — dave_thompson_085, Jan 14 '22 at 23:54
Could you please update your link with the [latest version](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final). Am I right that the table on p55 now reccomends a RSA key length of 15360? — Tom Hale, Feb 06 '22 at 03:27
@TomHale no. The link you provided is an update for the part 1 of that document. The part 3 was not updated and 2k are still generally ok. The table 2 on page 55 lists it as a comparable strength to the AES256. AES128 is still ok and comparable strength to RSA is 3k only so this answer is still correct. — Jakuje, Feb 06 '22 at 11:15

score 13 · Answer 3 · edited May 15 '22 at 23:16

13

Here's a one liner for Ed25519 based on recommended values: (without passphrase)

ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519 -q -N ''

Another one for RSA:

ssh-keygen -t rsa -b 4096 -o -a 100 -f ~/.ssh/id_rsa -q -N ''

For adding to ssh agent automatically, you can use (RSA, no passphase):

keyname='secretKey' ; comment='someone@email.com' ; ssh-keygen -t rsa -b 4096 -o -a 100 -f ~/.ssh/$keyname -q -N '' -C $comment ; eval `ssh-agent` ; ssh-add ~/.ssh/$keyname

-N: New passphrase
-q: Silence ssh-keygen

Edit & disclaimer: To answer some comments, this answer focus on simplicity, and indicates explicitly that it's not using a passphrase for the key. the one liners above can be used in a non-interactive script to generate key pairs. If you don't like using an empty passphrase you can set one after -N option (it will be recorded to shell history), or set an environment variable that reads user input.

edited May 15 '22 at 23:16

Community

1

answered Oct 13 '17 at 06:15

Yassine ElBadaoui

255
2
4

15

An empty passphrase is *not* a best practice. Yes, it is necessary for certain automated tasks, but those are exceptions. Your filenames are the defaults, making the use of `-f output_keyfile` unnecessary. – Adam Katz Apr 11 '18 at 18:34
5

Does `-a 100` have any value at all with an empty passphrase? It seems that such a key is still trivially brute-forceable (try nothing -- and it works!) – Jonathan Klabunde Tomer Mar 13 '19 at 03:45
3

Please explain why you would use `-a` with an empty passphrase. This seems senseless, but I may be uneducated in this regard. – Basil Bourque Jul 09 '19 at 00:21
2

I tested this by using `-a 1000 -N ''` and there was no delay. With `-a 1000 -N 'x'` there is a delay. Conclusion: `-a` with `-N` has no effect. – Tom Hale Feb 06 '22 at 03:05
3

Please add `-C ` to add the service name that this key is being generated for... because [best practice] we all generate different keys for each service, right? – Tom Hale Feb 06 '22 at 03:07

What are ssh-keygen best practices?

3 Answers3

Linked