Secure Shell (SSH) is the backbone of secure remote access—but with so many key algorithms to choose from, which one should you use? Let’s walk through the history, the trade‑offs, and the modern sweet spot for most users.

Why SSH Keys Matter Today

You’ve probably typed ssh user@server dozens of times—but do you know what’s happening under the hood? SSH key algorithms aren’t just academic: they determine how fast your connections are, how resilient they are to future attacks (think quantum!), and even whether your CI pipeline can talk to GitHub without a hitch.

In this guide you’ll learn:

- Why asymmetric crypto is critical in SSH
- The pros and cons of RSA, DSA, ECDSA, and Ed25519
- Pro tips for choosing and generating keys on Linux/macOS

SSH Asymmetric Encryption in a Nutshell

- Authentication & Key Exchange: SSH uses your public/private key pair to sign a random challenge—no shared passwords flying over the wire.
- Session Encryption: Once you’re in, SSH negotiates a fast symmetric cipher (AES, ChaCha20) for the bulk of data.

Pro tip: Always use SSH‑2 (the only supported protocol since 1998) and disable weak ciphers in your sshd_config.

Handy OpenSSH Flags

    ssh-keygen -o -a 100 -b <bits> -t <type> -C "you@example.com"

- -o : bcrypt‑protected private key format
- -a 100 : increase passphrase KDF rounds on fast machines
- -b <bits> : key size (ignored for Ed25519)
- -C "<comment>" : annotation in authorized_keys

RSA: The Classic Workhorse

Overview: “Rivest–Shamir–Adleman” relies on the difficulty of factoring a large n = p · q. Still everywhere thanks to legacy systems.

When to use it:

- Compatibility with old devices or strict compliance regimes
- When you need a familiar backup plan

Generate a 4096‑bit key:

    ssh-keygen -t rsa -b 4096 -o -a 100 -C "you@example.com"

How it works:

1. Pick two large primes p and q.
2. Compute n = p · q and phi(n) = (p - 1) · (q - 1).
3. Choose e, then compute d such that e · d ≡ 1 (mod phi(n)).
4. Encrypt with c = m^e mod n; decrypt with m = c^d mod n.

Security:

- Current margin: 3072+ bit keys are safe today.
- Future threat: Quantum computers could run Shor’s algorithm and break it.

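The four RSA steps above, carried through in Python, followed by the operation SSH authentication actually relies on: signing a challenge with d and checking it with e. This is an added illustration, not code from the original post or from OpenSSH; the primes, function names, and the unpadded "textbook" signature are assumptions chosen for readability.

```python
# Added illustration, not OpenSSH code: textbook RSA on small, well-known primes.
# Real SSH keys use 3072+ bit moduli and padded signatures.
import hashlib
from math import gcd

def make_keypair(p, q, e=65537):
    """Steps 1-3: n = p*q, phi(n) = (p-1)(q-1), then d with e*d == 1 (mod phi(n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def encrypt(pub, m):
    """Step 4: c = m^e mod n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than n")
    return pow(m, e, n)

def decrypt(priv, c):
    """Step 4: m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)

def _digest(challenge, n):
    # Reduced mod n only because this toy modulus is shorter than a SHA-256 digest.
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n

def sign(priv, challenge):
    """Signing applies the private exponent d to a digest of the challenge."""
    n, d = priv
    return pow(_digest(challenge, n), d, n)

def verify(pub, challenge, signature):
    """Anyone holding (n, e) can check the signature without learning d."""
    n, e = pub
    return pow(signature, e, n) == _digest(challenge, n)

# Constructed inputs: two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
PUB, PRIV = make_keypair(P, Q)
```

A signature made over one challenge fails verification against any other challenge, which is why the server can send a fresh random value each time.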
DSA: The Legacy Signature

Overview: Digital Signature Algorithm (ssh-dss) is an older NIST standard locked to 1024 bits and SHA‑1—disabled by default in OpenSSH ≥ 7.0.

When to use it:

- Only if you absolutely must connect to pre‑2010 appliances

Why it’s weak:

- 1024 bits → ~80 bits security
- SHA‑1 → collision risks
- Nonce reuse → private key leaks

ECDSA: Curve‑Based Alternative

Overview: ECDSA uses NIST curves (P‑256/384/521) to offer RSA‑like security with smaller keys.

When to use it:

- FIPS‑compliant environments
- You want smaller keys and faster ops than RSA

Generate a P‑256 key:

    ssh-keygen -t ecdsa -b 256 -o -a 100 -C "you@example.com"

Snapshot:

- Key size: 256 bits → ~128 bits security
- Signature: ~70–100 bytes
- Caveat: Each signature needs a fresh random k—poor RNG = total compromise.

Ed25519: The Modern Default

Overview: Ed25519 (EdDSA on Curve25519) is fast, secure, and simple. Default in OpenSSH since v9.4.

When to use it:

- Almost always—modern servers, Git hosts, CI, hardware tokens

Generate your key:

    ssh-keygen -t ed25519 -a 100 -C "you@example.com"

How it works (high‑level):

1. Derive a 256‑bit scalar from your seed (SHA-512 + clamp).
2. Sign with a deterministic nonce (no RNG headaches).
3. Verify with a single point‑mul and addition.

Security & Performance:

- ~128 bits classical security
- Constant‑time ladder → side‑channel resistance
- 32 byte keys, 64 byte signatures

TL;DR & Next Steps

- Most users: Go with Ed25519—easy, fast, and future‑proof (until quantum arrives).
- Legacy: RSA 4096 bits if you need compatibility; avoid DSA altogether.
- Compliance: ECDSA (P‑256/P‑384) in FIPS environments.

Action Item:

    rm ~/.ssh/id_{rsa,ecdsa}*
    ssh-keygen -t ed25519 -a 100 -C "new-key@$(hostname)"

For more detailed SSH notes, visit my GitHub.
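The TL;DR recommendations above, applied as a check over authorized_keys or .pub lines so you can see which keys are DSA or undersized RSA before rotating them. This is an added example, not code from the original post; the verdict strings and helper names are this example's own, and the sample keys it builds are constructed placeholders that only have the right wire format and size.

```python
# Added example: sample keys below are constructed placeholders, not real keys.
import base64
import struct

ECDSA = ("ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
VERDICT = {"ssh-dss": "avoid: DSA", "ssh-ed25519": "preferred: Ed25519",
           **{t: "ok: ECDSA (FIPS environments)" for t in ECDSA}}
KNOWN = set(VERDICT) | {"ssh-rsa"}

def read_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack_from(">I", blob, pos)  # struct.error if < 4 bytes left
        field = blob[pos + 4:pos + 4 + length]
        if len(field) != length:
            raise ValueError("truncated field")
        fields.append(field)
        pos += 4 + length
    return fields

def audit_line(line):
    """Return (key type, verdict) for one authorized_keys or .pub line."""
    tokens = line.split()
    start = next((i for i, t in enumerate(tokens) if t in KNOWN), None)
    if start is None or start + 1 >= len(tokens):
        return ("unknown", "review manually")
    key_type = tokens[start]
    try:
        fields = read_fields(base64.b64decode(tokens[start + 1], validate=True))
    except (ValueError, struct.error):  # bad base64 or truncated wire data
        fields = []
    if not fields or fields[0] != key_type.encode():
        return (key_type, "malformed blob")  # declared type must match the blob
    if key_type != "ssh-rsa":
        return (key_type, VERDICT[key_type])
    if len(fields) != 3:  # ssh-rsa blob is: type, exponent e, modulus n
        return (key_type, "malformed blob")
    bits = int.from_bytes(fields[2], "big").bit_length()
    return (key_type, f"ok: RSA {bits}" if bits >= 3072 else f"weak: RSA {bits}")

def sample(key_type, *fields):
    """Build a constructed, non-functional public-key line for the demo."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(), *fields))
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"

def rsa_sample(bits):
    n = (1 << (bits - 1)) | 1  # placeholder modulus of the requested size
    return sample("ssh-rsa", b"\x01\x00\x01", b"\x00" + n.to_bytes(bits // 8, "big"))
```

The RSA size is read from the modulus inside the key blob rather than from the comment field, so a relabelled key is still graded by its real length.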