SSH Keys

Brief note about SSH key types and managing them.

Prerequisites

To use SSH, you need:

• The OpenSSH client, which comes pre-installed on GNU/Linux, macOS, and Windows 10.
• SSH version 6.5 or later. Earlier versions used an MD5 signature, which is not secure.

To view the version of SSH installed on your system, run ssh -V.

SSH key types

You can use the following SSH key types:

• ED25519 (Preferred)

  The book Practical Cryptography With Go suggests that ED25519 keys are more secure and performant than RSA keys.

  OpenSSH 6.5 introduced ED25519 SSH keys in 2014, and they should be available on most operating systems.

• ED25519_SK

  Must have OpenSSH 8.2 or later installed.

• ECDSA_SK

  Must have OpenSSH 8.2 or later installed.

• RSA Available documentation suggests ED25519 is more secure than RSA.

  If you use an RSA key, the US National Institute of Science and Technology in Publication 800-57 Part 3 (PDF) recommends a key size of at least 2048 bits. The default key size depends on your version of ssh-keygen. Review the man page for your installed ssh-keygen command for details.

• DSA

• ECDSA (As noted in Practical Cryptography With Go, the security issues related to DSA also apply to ECDSA)

Generate an SSH key pair

If you do not have an existing SSH key pair, generate a new one:

1. Open a terminal.

2. Run ssh-keygen -t followed by the key type and an optional comment. This comment is included in the ```.pub`` file that’s created.

   You may want to use an email address for the comment.

   For example, for ED25519:

   ssh-keygen -t ed25519 -C "<comment>"
   

   For 2048-bit RSA:

   ssh-keygen -t rsa -b 2048 -C "<comment>"
   

   For ED25519_SK:

   ssh-keygen -t ed25519-sk -C "<comment>"
   

   For ECDSA_SK:

   ssh-keygen -t ecdsa-sk -C "<comment>"
   

3. Press Enter. Output similar to the following is displayed:

   Generating public/private ed25519 key pair.
   Enter file in which to save the key (/home/user/.ssh/id_ed25519):
   

4. Accept the suggested filename and directory, unless you want to save in a specific directory where you store other keys. If it’s the latter, do the following:

   eval $(ssh-agent -s)
   ssh-add <directory to private SSH key>
   

   You can also dedicate the SSH key pair to a specific host by saving these settings in the ~/.ssh/config file. For example:

   # GitLab.com
   Host gitlab.com
     PreferredAuthentications publickey
     IdentityFile ~/.ssh/gitlab_com_rsa
   
   # Private GitLab instance
   Host gitlab.company.com
     PreferredAuthentications publickey
     IdentityFile ~/.ssh/example_com_rsa
   

   For more information on these settings, see the man ssh_config page in the SSH configuration manual.

5. Specify a passpharse:

   Enter passphrase (empty for no passphrase):
   Enter same passphrase again:
   

   A confirmation is displayed, including information about where your files are stored.

A public and private key are generated. The public key may be shared but keep the private key secure.

Update your SSH key passphrase

You can update the passphrase for your SSH key:

1. Open a terminal and run this command:

   ssh-keygen -p -f /path/to/ssh_key
   

2. At the prompts, enter the passphrase and then press Enter.

Upgrade your RSA key pair to a more secure format

If your version of OpenSSH is between 6.5 and 7.8, you can save your private RSA SSH keys in a more secure OpenSSH format by opening a terminal and running this command:

ssh-keygen -o -f ~/.ssh/id_rsa

Alternatively, you can generate a new RSA key with the more secure encryption format with the following command:

ssh-keygen -o -t rsa -b 4096 -C "<comment>"

Generate an SSH key pair for a FIDO/U2F hardware security key

To generate ED25519_SK or ECDSA_SK SSH keys, you must use OpenSSH 8.2 or later:

1. Insert a hardware security key into your computer.

2. Open a terminal.

3. Run ssh-keygen -t followed by the key type and an optional comment. This comment is included in the .pub file that’s created. You may want to use an email address for the comment.

   For example, for ED25519_SK:

   ssh-keygen -t ed25519-sk -C "<comment>"
   

   For ECDSA_SK:

   ssh-keygen -t ecdsa-sk -C "<comment>"
   

   If your security key supports FIDO2 resident keys, you can enable this when creating your SSH key:

   ssh-keygen -t ed25519-sk -O resident -C "<comment>"
   

   -O resident indicates that the key should be stored on the FIDO authenticator itself. Resident key is easier to import to a new computer because it can be loaded directly from the security key by ssh-add -K or ssh-keygen -K.

4. Press Enter. Output similar to the following is displayed:

   Generating public/private ed25519-sk key pair.
   You may need to touch your authenticator to authorize key generation.
   

5. Touch the button on the hardware security key.

6. Accept the suggested filename and directory:

   Enter file in which to save the key (/home/user/.ssh/id_ed25519_sk):
   

7. Specify a passpharse:

   Enter passphrase (empty for no passphrase):
   Enter same passphrase again:
   

   A confirmation is displayed, including information about where your files are stored.

A public and private key are generated.

References

• Practical Cryptography With Go
• OpenSSH 8.2
• Publication 800-57 Part 3 (PDF)
• man ssh_config
• ssh-add -K
• ssh-keygen -K
• Passpharse
• Gitlab SSH Keys