linux quick tip

Quick tip – “doing” ed25519 ssh keys

If you are still using DSA or ECDSA keys, then “what is wrong with you?”. If you are using RSA keys with a bit length of < 3072 or ideally 4096, then I’ll refer you to my statement above. DSA is legacy and you would need a seriously old SSH client to still use it anyway, and ECDSA has serious security concerns thanks to NIST taking too much “input” from the NSA on its curve selection for ECDSA.

So this leaves long bit length RSA or ed25519. The former can still be secure, and potentially even more secure for keys with a bit length > 4096, the latter is more performant, has smaller key files, and is the cool hip new thing. It provides 128bits worth of security, similar to RSA at 3072. Crucially both are vulnerable to quantum attacks. So we will have to wait and see what will replace them in the future.

ssh-keygen -o -a 200 -t ed25519 -f ~/.ssh/id_ed25519_$(date +%Y-%m-%d) -C "SSH key for xyz"

You’ll be asked for a pass phrase for your key. Depending on your security habits and preferences use a strong one or none at all. ¯\_(ツ)_/¯

  • -o : Saves the private-key using the new OpenSSH format rather than the PEM format. Implied when you specify the key type as ed25519.
  • -a: Numbers of KDF (Key Derivation Function) rounds. Higher numbers result in slower passphrase verification. This slows brute-force password cracking should the private-key be stolen and the thief does not have access to you personally with a crow bar.
  • -t: Specifies the type of key to create, in this case Ed25519.
  • -f: Specifies the filename of the generated key file. For ssh agent to auto discover, it must be stored in the default `.ssh` directory within your home directory. We also include the creation date here for no specific reason.
  • -C: An option to specify a comment. Purely informational and can be anything.

The directory ~/.ssh/ will contain your new private key and your public key which has the .pub extension appended to it. Don’t forget the .pub key is what gets uploaded to a remote server with ssh-copy-id. Guard the private key like your life depends on it.

To add the key to SSH agent make sure that it’s running first.

eval "$(ssh-agent -s)"

You should get its PID back.

Then add the new key with this command:

ssh-add ~/.ssh/id_ed25519_2021-03-17

You could also use the ~/.ssh/config to define this key for use with a specific host. But that’s out of scope for this quick tip. Try

man sshd

as a starting point for your mastery of ssh.

%d bloggers like this: