[Ach] missing recommendations for ssh-keys

MacLemon metalab.at at maclemon.at
Sat May 24 23:52:06 CEST 2014


On 24.05.2014, at 23:34, Hanno Böck <hanno at hboeck.de> wrote:
> On Fri, 23 May 2014 19:09:00 +0200
> 
> I'd sum up my personal recommendations:
> * Avoid RSA keys below 2048 bits, create new keys with 4096 bits but
>  2048 bit keys can stay if you already have them
> * Avoid DSA keys
> * Avoid ECDSA keys
> * If you like to have fancy new elliptic curve stuff use an ed25519 key
>  instead of ecdsa. But RSA-only is okay, because you'll likely need
>  that anyway for compatibility reasons
> * Completely avoid SSH v1 keys

I pretty much totally agree with this. DJB's ed25519 stuff is available from SSH 6.5 upwards. You may or may not have that on your system. So it's likely that you need multiple keys for RSA and ECC types depending on the servers you connect to.

This is what I usually use:
RSA: ssh-keygen -b 8192 -C "helpful comment, machine, purpose" -t rsa -f "id_rsa_filename"

ed25519: ssh-keygen -C "helpful comment, machine, purpose" -t ed25519 -f "id_ed25519_foo"

Best regards
Pepi
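The recommendations summarised in this mail (RSA of at least 2048 bits, no DSA, no ECDSA, ed25519 is fine) can be turned into an audit of the public keys already deployed in an authorized_keys file. The following Python is an added example for this thread; it is not code from the mail or from OpenSSH. It parses the OpenSSH public-key wire format (base64 of a type string followed by the key fields), reads the RSA modulus length, and flags keys that fall outside the policy. The sample key lines are constructed in the block with placeholder numbers and carry no real key material; classify_pubkey, audit_authorized_keys and MIN_RSA_BITS are names chosen here.

```python
import base64
import struct

# Policy distilled from the thread: RSA must be >= 2048 bits, DSA and ECDSA
# are to be avoided, ed25519 is fine. Hypothetical checker, not an OpenSSH tool.
MIN_RSA_BITS = 2048


def _read_string(blob, offset):
    """Read one SSH 'string' (uint32 big-endian length + bytes); return (bytes, new_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated SSH string")
    return blob[start:start + length], start + length


def classify_pubkey(line):
    """Classify one OpenSSH public-key line ('type base64 [comment]') against the policy.

    Returns (verdict, detail) with verdict in {"ok", "avoid", "unknown", "error"}.
    """
    parts = line.split()
    if len(parts) < 2:
        return "error", "not an OpenSSH public-key line"
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        inner_type, off = _read_string(blob, 0)
        if inner_type != key_type.encode("ascii"):
            return "error", "type prefix does not match the encoded key type"
        if key_type == "ssh-rsa":
            _e, off = _read_string(blob, off)   # public exponent, irrelevant to the policy
            n, _ = _read_string(blob, off)     # modulus as an mpint (may carry a leading 0x00)
            bits = int.from_bytes(n, "big").bit_length()
            if bits < MIN_RSA_BITS:
                return "avoid", f"RSA {bits} bits is below {MIN_RSA_BITS}"
            return "ok", f"RSA {bits} bits"
    except (ValueError, struct.error):       # binascii.Error is a ValueError
        return "error", "malformed key blob"
    if key_type == "ssh-dss":
        return "avoid", "DSA key"
    if key_type.startswith("ecdsa-sha2-"):
        return "avoid", "ECDSA key (use ed25519 for EC)"
    if key_type == "ssh-ed25519":
        return "ok", "ed25519 key"
    return "unknown", f"unrecognised key type {key_type}"


def audit_authorized_keys(text):
    """Classify every key line in authorized_keys-style text, skipping blanks and '#' comments."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        results.append(classify_pubkey(line))
    return results


# --- constructed sample input (placeholder numbers, not real keys) ---------------------

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:   # keep the number positive in two's complement
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _constructed_key_line(key_type, *fields, comment="constructed-sample"):
    blob = _ssh_string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed samples: the numbers below are not real key material",
    _constructed_key_line("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1), comment="old-1024"),
    _constructed_key_line("ssh-rsa", _mpint(65537), _mpint((1 << 4095) | 1), comment="rsa-4096"),
    _constructed_key_line("ssh-ed25519", _ssh_string(b"\x11" * 32)),
    _constructed_key_line("ssh-dss", _mpint(1 << 1023), _mpint(1 << 159), _mpint(2), _mpint(3)),
    _constructed_key_line("ecdsa-sha2-nistp256", _ssh_string(b"nistp256"),
                          _ssh_string(b"\x04" + b"\x01" * 64)),
    "",
])

if __name__ == "__main__":
    for verdict, detail in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{verdict:8} {detail}")
```

The checker reads the modulus directly from the blob rather than trusting the comment or file name, which is what matters when the 8192-bit key mentioned above sits next to an old 1024-bit one in the same file. It does not handle authorized_keys lines that start with options (for example a command= restriction before the key type); strip those first or extend the parser if your files use them.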