[Ach] missing recommendations for ssh-keys

Sven Kieske svenkieske at gmail.com
Fri May 23 19:09:00 CEST 2014



Hi,

today I was searching the web for recommended ways
to generate private/public keypairs in order to
use them for ssh authentication.

There is no real documentation on this.

Wouldn't it be nice to add recommendations
to this project for ssh-keygen?

I ended up using something like

ssh-keygen -t rsa -b 4096

there is some information on the web, e.g.:
https://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys

https://security.stackexchange.com/questions/23383/ssh-key-type-rsa-dsa-ecdsa-are-there-easy-answers-for-which-to-choose-when

but it's not really formalized and backed e.g. by a paper.

I guess the default keysize of 2048 bits for rsa is, according
to the draft paper, a little bit weak?


I understand that until now the primary focus of the paper is
to provide administrators with secure defaults for server-side
software, but I think it is also important to give advice about
safe defaults for client software admins use to manage those servers?

It could also be worth mentioning related security measures like:

on which host should I generate key pairs?


What do you think?


kind regards

Sven
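A policy check of the kind the mail asks for, added here as an example (it is not from the original message or the ACH project): it parses OpenSSH public-key lines from their wire format, reads the RSA modulus or DSA prime to get the real key size, and applies a stated policy. The 4096-bit RSA minimum mirrors the poster's choice and is an assumption, and all sample keys are constructed, not real keys.

```python
import base64
import struct
# Assumed policy for this added example: RSA at the post's 4096 bits or more,
# Ed25519 accepted, ssh-dss refused (OpenSSH caps DSA keys at 1024 bits).
MIN_RSA_BITS = 4096
ALLOWED_TYPES = {"ssh-rsa", "ssh-ed25519"}

def _read_string(blob, off):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + length], off + 4 + length

def key_info(line):
    """Return (type, strength in bits) for one OpenSSH public-key line."""
    blob = base64.b64decode(line.split()[1])
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode()
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)  # public exponent e (mpint)
        n, _ = _read_string(blob, off)     # modulus n (mpint): its length is the key size
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":
        p, _ = _read_string(blob, off)     # p is the first DSA parameter
        return ktype, int.from_bytes(p, "big").bit_length()
    if ktype == "ssh-ed25519":
        return ktype, 256                  # fixed-size curve, nothing to measure
    return ktype, 0

def check_key(line, min_rsa_bits=MIN_RSA_BITS):
    """Apply the policy above; returns (accepted, reason)."""
    ktype, bits = key_info(line)
    if ktype not in ALLOWED_TYPES:
        return False, f"{ktype}: key type not allowed"
    if ktype == "ssh-rsa" and bits < min_rsa_bits:
        return False, f"ssh-rsa: {bits} bits is below the {min_rsa_bits}-bit minimum"
    return True, f"{ktype}: {bits} bits, ok"

# Builders for constructed (not real) keys in the same wire format, used as sample input.
def _mpint(n):
    return n.to_bytes((n.bit_length() + 8) // 8, "big")  # leading 0x00 if high bit set
def make_key_line(ktype, *parts):
    string = lambda b: struct.pack(">I", len(b)) + b
    blob = string(ktype.encode()) + b"".join(string(p) for p in parts)
    return f"{ktype} {base64.b64encode(blob).decode()} constructed@example"

SAMPLE_KEYS = [
    make_key_line("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1)),  # default 2048
    make_key_line("ssh-rsa", _mpint(65537), _mpint((1 << 4095) | 1)),  # -b 4096
    make_key_line("ssh-dss", _mpint((1 << 1023) | 1)),                # DSA (p only)
    make_key_line("ssh-ed25519", b"\x2a" * 32),
]
```

Run `check_key` over each line of an `authorized_keys` file to find keys that fall below the policy; the same parser works for `id_*.pub` files.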
