Creating ED25519 SSH keys

TL;DR: The following command will create a new SSH key using Ed25519 with an auto-generated comment.

ssh-keygen -t ed25519 -f $HOME/.ssh/id_ed25519 -C "$(whoami)@$(hostname)-$(date +'%y%m%d')"

SSH Keys

The best, and sometimes only, way to connect to a remote SSH server is via an SSH key. Allowing key-only access to an SSH server massively reduces an attacker's ability to brute force the server and raises the overall level of security.

Deciding to use an SSH key leads to the question of which type of key to use. Of the four types currently supported, two, DSA and ECDSA, are either weak or suspect. This leaves RSA and Ed25519, which are still believed to be secure. The default key type is currently RSA; Ed25519 is more recent and requires OpenSSH version 6.5 or higher.

When generating the default RSA key, I would normally use 4096 bits for increased security. While larger key sizes are better for security, they also produce much longer public keys, which can be annoying to handle.

Below is an example of a 4096 bit RSA key:

ssh-rsa [716-character key body omitted from this copy of the page] [email protected]

More recently I have been trying the newer Ed25519 keys. These have a fixed size of 256 bits, so the -b flag for ssh-keygen does nothing when used with this type of key. Compare the length of the RSA key above to the Ed25519 key displayed below.

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF+ebvcy+FDfAVEkH8LgyHWMZMTeTVFGcIkOIWInzqfM [email protected]

The RSA key is 716 characters versus 68 characters for the Ed25519 key. The reduced length makes managing a large number of keys in the authorized_keys file easier.

Commenting SSH keys

The most important part of keeping public keys manageable is making sure all public keys have good comments on them. This makes it much easier to identify old keys when auditing public keys on sites like GitHub.

I typically use a user@hostname-date format for the comment on keys, which is what the ssh-keygen command at the top of this post generates. This makes it easy to identify the user, hostname, and creation time of the public key at a glance.

Comments can be provided with the -C flag to ssh-keygen.
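To put that comment convention to use when auditing an authorized_keys file, here is an added example script (not part of the original post) that lists every key with its type and comment and flags entries that are DSA/ECDSA, that lack a user@hostname-YYMMDD comment, or whose comment date is older than a cutoff. The sample entries are constructed; apart from the Ed25519 key shown above, the key bodies are placeholders.

```sh
#!/bin/sh
# Audit authorized_keys entries read on stdin. Prints one tab-separated line per key:
#   FLAGS <tab> key-type <tab> comment
# FLAGS is OK, or a space-separated combination of:
#   WEAK_TYPE  DSA or ECDSA key (the types the post advises against)
#   UNTAGGED   comment is not in the user@hostname-YYMMDD convention
#   OLD        convention comment whose date is before the cutoff given as $1
# Options containing spaces (e.g. command="a b") are not handled.
audit_authorized_keys() {
    cutoff=$1   # YYMMDD, the same format -C "$(date +'%y%m%d')" produces
    awk -v cutoff="$cutoff" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip blank and comment lines
        {
            # Options such as command="..." or no-pty may precede the key type,
            # so locate the first field that is a recognised key type.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/) break
            if (i > NF) { print "UNPARSED\t" $0; next }
            ktype = $i
            # The comment is everything after the base64 key body.
            comment = ($(i + 2) == "") ? "(none)" : $(i + 2)
            for (j = i + 3; j <= NF; j++) comment = comment " " $j
            flags = ""
            if (ktype ~ /dss|ecdsa/) flags = flags "WEAK_TYPE "
            if (comment ~ /^[^@ ]+@[^@ ]+-[0-9][0-9][0-9][0-9][0-9][0-9]$/) {
                n = split(comment, parts, "-")   # the date is the last dash-separated part
                if (parts[n] < cutoff) flags = flags "OLD "
            } else {
                flags = flags "UNTAGGED "
            }
            sub(/ $/, "", flags)
            if (flags == "") flags = "OK"
            print flags "\t" ktype "\t" comment
        }'
}

# Constructed sample: flag anything tagged before 2020-01-01.
audit_authorized_keys 200101 <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF+ebvcy+FDfAVEkH8LgyHWMZMTeTVFGcIkOIWInzqfM alice@laptop-240301
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQplaceholder bob@build-server-170101
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIplaceholder carol@ci-230501
command="/usr/local/bin/backup",no-pty ssh-rsa AAAAB3placeholder backup key
EOF
```

Run it against a real file with `audit_authorized_keys 200101 < ~/.ssh/authorized_keys`; the same format is what GitHub shows on the SSH keys settings page, so the convention pays off there too.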

Generating SSH keys

The ssh-keygen command creates a new key; the most common options are:

  • -t {rsa,ed25519} Key type: RSA or ED25519
  • -b [number] Number of bits, only needed for RSA keys
  • -C "Comment" Comment for the key
  • -f filename The filename for the key

By default new SSH keys will go into the .ssh folder in the current user's home folder. The default RSA keys will have the filenames id_rsa for the private key and id_rsa.pub for the public key, while Ed25519 keys will use the similar filenames id_ed25519 for the private key and id_ed25519.pub for the public key.

Adding key to remote host

Once you have created a new SSH public key, this key can be copied to the .ssh/authorized_keys file on remote hosts to allow remote login.

The ssh-copy-id command on Linux simplifies the process by copying the public key for you; however, it needs to be able to connect via SSH using another method, such as password login, first.