Intro to SSH keys

Secure Shell (better known as SSH) is a cryptographic network protocol which allows users to securely perform a number of network services over an unsecured network. SSH keys provide a more secure way of logging into a server with SSH than using a password alone.

SSH key authentication is based on public key cryptography. Public-key cryptography, or asymmetric cryptography, is a cryptographic system that uses pairs of keys: public keys, which may be disseminated widely, and private keys, which are known only to the owner. The generation of such keys depends on cryptographic algorithms based on mathematical problems to produce one-way functions. Effective security only requires keeping the private key private; the public key can be openly distributed without compromising security.

To generate a SSH key pair, you run ssh-keygen on your local system.
You can then manually add your public key to the remote system’s authorized_keys file or use the ssh-copy-id tool.

You can run ssh-keygen which will ask you where to save the keys (by default homedir/.ssh/) and a password to protect the private key.
Once the key has been generated the key’s fingerprint and randomart image is displayed.

$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/id_demo
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_demo
Your public key has been saved in /home/user/.ssh/
The key fingerprint is:
SHA256:zUxlPfBF0IqrdJZJJ8Gm4tqy83AgRvV2ZV10xNlWjbY adam@TheFox
The key's randomart image is:
+---[RSA 3072]----+
|      .    .*+.X&|
|     . .   =+.*oB|
|    .   o oo +.= |
|   .   ..*. + E  |
|    o ..S.+. *   |
|   . . .. . *    |
|      .o.. +     |
|      +o. .      |
|      .=.        |

By default ssh-keygen generated a key using the RSA-SHA2-SHA256 algorithm with a 3072 bits key length. You can select a different key type (-t) and bit length (-b), add a comment (-C) and more. See ssh-keygen(1).

Note that these defaults change over time as weaknesses are discovered in key algorithms or cracking keys becomes more feasible as computing power increases.

# pick a different key size (multiple of 1024)
ssh-keygen -t rsa -b 4096

# add a comment
ssh-keygen -C ""

For RSA keys a key length of at least 3072 bits is (currently) considered sufficiently strong. A key length shorter than 2048 bits is considered insecure.

Old keys

If you’re still using SSH keys generated using the default configuration from over 5 years ago, you’re most probably using keys with a key length of less than 2048 bits.
In this case, it’s important that you replace these keys by stronger keys (also removing the old keys from your and the remote system).

Use the following command to list all keys in your SSH directory.

for key in ~/.ssh/*; do echo ${key}; ssh-keygen -l -f "${key}"; done

This command will display the key length and the algorithm used to generate the key. The algorithm could be any of the following:

  • DSA: It’s unsafe and even no longer supported since OpenSSH version 7, you need to upgrade it!
  • RSA: It depends on key size. If it has 3072 or 4096-bit length, then you’re good. Less than that, you probably want to upgrade it. The 1024-bit length is even considered unsafe.
  • ECDSA: It depends on how well your machine can generate a random number that will be used to create a signature. There’s also a trustworthiness concern on the NIST curves that being used by ECDSA.
  • Ed25519: It’s the most recommended public-key algorithm available today!

Upgrade to Ed25519 keys

I’m by no means an expert in crypto (real crypto as in cryptology, not cryptocurrency).
If you want to know a bit more on the benefits of Ed25519, I suggest you read this Medium article by Risan Bagja Pradana.

In short: Ed25519 offers a better security with faster performance compared to DSA or ECDSA and is more compact than RSA keys.

To generate a Ed25519 key we again use ssh-keygen but we configure it to use a different key type.

ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519_demo -C ""
  • -o: Save the private key using the new OpenSSH format rather than the PEM format. Actually, this option is implied when you specify the key type as ed25519.
  • -a: The numbers of KDF (Key Derivation Function) rounds. Higher numbers result in slower passphrase verification, increasing the resistance to brute-force password cracking should the private key be stolen.
  • -t: Specifies the type of key to create, in our case Ed25519.
  • -f: Specify the filename of the generated key file. If you want it to be discovered automatically by the SSH agent, it must be stored in the default .ssh directory within your home directory.
  • -C: An option to specify a comment. It’s purely informational and can be anything. But it’s usually filled with <login>@<hostname> of who generated the key.

If you then copy the public key to the remote system, using any of the techniques mentioned earlier, you can now login using your new key and remove the old one.

ssh -i ~/.ssh/id_ed25519_demo sequr@