Understanding SSH-Keygen: Formats, Key Differences, and Configuration in Linux Distributions

Sameer i

Overview of SSH-Keygen

SSH (Secure Shell) is a cryptographic network protocol for secure communication over unsecured networks. SSH key pairs — composed of a public and private key — are used for authenticating users without passwords. ssh-keygen is a command-line tool used to generate these key pairs.

Key Formats

SSH keys can be generated in various formats, each serving different purposes and compatibility requirements. The primary formats include:

1. RSA (Rivest-Shamir-Adleman)

  • Usage: Most common, used for both encryption and digital signatures.

  • Bit-length: Commonly 2048 or 4096 bits.

  • Security: Considered secure, but gradually being phased out in favor of more modern algorithms.

  • Command:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa

2. ECDSA (Elliptic Curve Digital Signature Algorithm)

  • Usage: Preferred for speed and shorter key lengths.

  • Bit-length: Typically 256, 384, or 521 bits.

  • Security: Stronger security per bit than RSA, so keys are much shorter for the same strength; widely accepted.

  • Command:

ssh-keygen -t ecdsa -b 521 -f ~/.ssh/id_ecdsa

3. Ed25519

  • Usage: Modern, highly secure, and efficient. Recommended for new deployments.

  • Bit-length: Fixed at 256 bits.

  • Security: Superior to ECDSA and RSA in terms of security and performance.

  • Command:

ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519

4. DSA (Digital Signature Algorithm)

  • Usage: Older and less secure; deprecated (OpenSSH has disabled it by default since version 7.0).

  • Bit-length: Typically 1024 bits.

  • Security: Not recommended due to weaker security.

  • Command:

ssh-keygen -t dsa -b 1024 -f ~/.ssh/id_dsa
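To make the four formats concrete, the following added audit script (written for this article, not code from the author) decodes OpenSSH public key lines, reports the algorithm family and the effective key size, and applies the policy the bullets above describe: DSA is rejected, RSA must be at least 2048 bits, Ed25519 is preferred. The sample keys are constructed placeholders: they are valid encodings in the OpenSSH wire format so the parser can run offline, but they are not valid key material. The same type and bit-length information for a real key comes from `ssh-keygen -l -f ~/.ssh/id_ed25519.pub`.

```python
import base64
import struct

# Constructed sample keys (NOT real keys): the blobs are assembled in the
# OpenSSH public-key wire format so this audit can run offline.

def _string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(n: int) -> bytes:
    """Encode an SSH 'mpint' (RFC 4251): big-endian two's complement; a leading
    0x00 is added when the top bit is set so the value stays positive."""
    if n == 0:
        return _string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)

def _read_string(buf: bytes, pos: int):
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + length], pos + 4 + length

def _read_mpint(buf: bytes, pos: int):
    raw, pos = _read_string(buf, pos)
    return int.from_bytes(raw, "big", signed=True), pos

def verdict(family: str, bits: int) -> str:
    """Policy taken from the article's 'Security' bullets."""
    if family == "DSA":
        return "reject: DSA is deprecated"
    if family == "RSA" and bits < 2048:
        return "reject: RSA key shorter than 2048 bits"
    if family == "Ed25519":
        return "ok: recommended"
    return "ok"

def describe_public_key(line: str) -> dict:
    """Parse one OpenSSH public key line (id_*.pub or authorized_keys format)
    and report the algorithm family and its effective key size in bits."""
    fields = line.split()
    # authorized_keys entries may begin with an options field (e.g. "no-pty"),
    # so locate the key-type token instead of assuming it comes first.
    idx = next(i for i, f in enumerate(fields)
               if f.startswith(("ssh-", "ecdsa-sha2-")))
    key_type, blob = fields[idx], base64.b64decode(fields[idx + 1])
    declared, pos = _read_string(blob, 0)
    if declared != key_type.encode():
        raise ValueError("key-type field does not match the blob")
    if key_type == "ssh-rsa":                        # blob: e, n
        _e, pos = _read_mpint(blob, pos)
        n, _ = _read_mpint(blob, pos)
        family, bits = "RSA", n.bit_length()
    elif key_type == "ssh-dss":                      # blob: p, q, g, y
        p, _ = _read_mpint(blob, pos)
        family, bits = "DSA", p.bit_length()
    elif key_type.startswith("ecdsa-sha2-nistp"):   # blob: curve name, point
        curve, _ = _read_string(blob, pos)
        family, bits = "ECDSA", int(curve.decode()[len("nistp"):])
    elif key_type == "ssh-ed25519":                  # blob: 32-byte public key
        family, bits = "Ed25519", 256
    else:
        raise ValueError(f"unsupported key type {key_type}")
    return {"type": key_type, "family": family, "bits": bits,
            "verdict": verdict(family, bits)}

def audit_authorized_keys(text: str) -> list:
    """Describe every non-comment line of an authorized_keys file."""
    return [describe_public_key(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def make_sample_authorized_keys() -> str:
    """Constructed authorized_keys text with one key per format plus a
    too-short RSA key. The numbers are placeholders, not real key material."""
    rsa_2048 = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 2047) | 1)
    rsa_1024 = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 1023) | 1)
    dsa = (_string(b"ssh-dss") + _mpint((1 << 1023) | 1)
           + _mpint((1 << 159) | 1) + _mpint(2) + _mpint(3))
    ecdsa = (_string(b"ecdsa-sha2-nistp521") + _string(b"nistp521")
             + _string(b"\x04" + b"\x01" * 132))    # uncompressed point, 2 x 66 bytes
    ed25519 = _string(b"ssh-ed25519") + _string(b"\x02" * 32)

    def entry(key_type, blob, options=""):
        return f"{options}{key_type} {base64.b64encode(blob).decode()} sample@example"

    return "\n".join([
        "# constructed authorized_keys for the example",
        entry("ssh-rsa", rsa_2048),
        entry("ssh-rsa", rsa_1024, options="no-pty,no-port-forwarding "),
        entry("ssh-dss", dsa),
        entry("ecdsa-sha2-nistp521", ecdsa),
        entry("ssh-ed25519", ed25519),
    ])

if __name__ == "__main__":
    for k in audit_authorized_keys(make_sample_authorized_keys()):
        print(f"{k['type']:22} {k['family']:8} {k['bits']:5} bits  {k['verdict']}")
```

Running the script lists each key with its family, size and verdict; the too-short RSA key and the DSA key are the two rejected entries. Because the key size is read from the blob itself, the check does not trust the `-b` value someone claims to have used.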

Key Differences Across Linux Distributions

  • Default Key Format:

Debian/Ubuntu: Default key format is RSA.

Red Hat/CentOS: Usually also defaults to RSA, but supports generating all key types.

OpenSUSE: Often defaults to RSA, with options to select others.

  • Key Length:

Most distributions allow key length customization, though defaults are generally 2048 or 4096 for RSA.

  • Configuration Files:

/etc/ssh/sshd_config: Controls the SSH server configuration, including accepted key types.

/etc/ssh/ssh_config: Controls client-side SSH behavior.

Changing Default Key Type and Length

You can modify the default key type or length by configuring ssh-keygen command-line options in a shell profile or by editing SSH configuration files:

1. Customizing via .bashrc or .zshrc:

# Every ssh-keygen call in this shell now defaults to Ed25519; an explicit -t on the command line still wins, since the last -t given takes effect.
alias ssh-keygen='ssh-keygen -t ed25519'

2. Updating SSH Configuration:

  • Edit /etc/ssh/sshd_config to specify accepted key types (in OpenSSH 8.5 and later the keyword is PubkeyAcceptedAlgorithms; the older name below is kept as an alias):
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256

3. Setting Default Key Format in User Profile:

  • Modify ~/.ssh/config to make a specific key file the default identity:
Host *
  IdentityFile ~/.ssh/id_ed25519
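A practitioner tightening PubkeyAcceptedKeyTypes as in step 2 wants to know which existing keys will stop working. The added Python check below (written for this article, not code from the author) reads the directive from a constructed sshd_config fragment and pairs every entry of a constructed authorized_keys file with whether the server would still accept it. Two details it encodes: the list contains signature algorithms rather than key types, so an ssh-rsa key is still accepted through rsa-sha2-256 or rsa-sha2-512 even when the literal ssh-rsa entry is absent; and sshd keeps only the first value of a keyword, so a second PubkeyAcceptedAlgorithms line (the alias of PubkeyAcceptedKeyTypes) is ignored. The base64 blobs in the sample are placeholders, since only the key-type token is needed here.

```python
import fnmatch

# Constructed sshd_config fragment. Line 2 is the article's example; the third
# line is added on purpose to show that sshd keeps only the FIRST value of a
# keyword (PubkeyAcceptedKeyTypes is an alias of PubkeyAcceptedAlgorithms),
# so the ssh-dss entry has no effect.
SAMPLE_SSHD_CONFIG = """\
Port 22
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256
PubkeyAcceptedAlgorithms ssh-dss
"""

# Constructed authorized_keys lines; the blobs are placeholders because only
# the key-type token matters for this check.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAA(placeholder) alice@example
ssh-rsa AAAA(placeholder) bob@example
ecdsa-sha2-nistp521 AAAA(placeholder) carol@example
ssh-dss AAAA(placeholder) dave@example
"""

# sshd_config lists signature algorithms, not key types: an ssh-rsa KEY is
# accepted when any of these signature algorithms is allowed, even if the
# literal "ssh-rsa" (SHA-1 signatures) is not in the list.
SIGNATURE_ALGORITHMS = {
    "ssh-rsa": ("ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"),
}

ACCEPTED_KEYWORDS = ("pubkeyacceptedalgorithms", "pubkeyacceptedkeytypes")

def accepted_pubkey_algorithms(config_text: str):
    """Return the algorithm list sshd uses for public-key authentication.
    Only the global section (before any Match block) is read and the first
    occurrence wins, as sshd_config(5) specifies. Relative forms (+alg, -alg,
    ^alg) depend on the compiled-in default list, so they are rejected here.
    Returns None when the directive is absent (sshd then uses its default)."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword in ACCEPTED_KEYWORDS and len(parts) == 2:
            value = parts[1].strip()
            if value[0] in "+-^":
                raise ValueError("relative algorithm list needs the default list")
            return value.split(",")
    return None

def key_type_accepted(key_type: str, accepted: list) -> bool:
    """True if a key of this type can authenticate under the accepted list.
    Entries may be wildcard patterns such as 'rsa-sha2-*', as sshd allows."""
    candidates = SIGNATURE_ALGORITHMS.get(key_type, (key_type,))
    return any(fnmatch.fnmatchcase(alg, pattern)
               for alg in candidates for pattern in accepted)

def check_authorized_keys(config_text: str, authorized_keys_text: str) -> list:
    """Pair each authorized_keys entry with whether the server config accepts it."""
    accepted = accepted_pubkey_algorithms(config_text)
    if accepted is None:
        raise ValueError("no PubkeyAcceptedAlgorithms directive found")
    report = []
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # entries may start with an options field, so find the key-type token
        key_type = next(f for f in fields if f.startswith(("ssh-", "ecdsa-sha2-")))
        report.append((key_type, key_type_accepted(key_type, accepted)))
    return report

if __name__ == "__main__":
    for key_type, ok in check_authorized_keys(SAMPLE_SSHD_CONFIG, SAMPLE_AUTHORIZED_KEYS):
        print(f"{key_type:22} {'accepted' if ok else 'REJECTED by sshd_config'}")
```

With the article's list, the Ed25519 and RSA keys pass while the ECDSA and DSA keys are refused: the line never mentions ecdsa-sha2-nistp521, so an ECDSA user is locked out silently. Add `ecdsa-sha2-nistp521` (or the curve you issued) to the list before restarting sshd if such keys are in use, and test a new session before closing the one you edited from.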

Conclusion

Understanding the differences between SSH key formats and how they vary across Linux distributions is crucial for secure and efficient SSH usage. With ssh-keygen, users have the flexibility to generate keys in multiple formats, customize their defaults, and ensure compatibility across systems.
