Re: ssh-keygen(1): by default generate ed25519 key (instead of rsa)
On Tue, 8 Nov 2022 at 14:23, Joerg Sonnenberger wrote:
> On Tue, Nov 08, 2022 at 01:23:52PM +1100, Darren Tucker wrote:
[...]
> > Not quite: the default value for IdentityFile has RSA before ED25519.
[...]
> I tried that first and it picked up id_ed25519 from the agent, even if
> both keys are accepted by the server.

It prefers keys present in the agent as those don't require entering a
passphrase. It'll also prefer keys explicitly specified by the user on
the command line since that demonstrates user intent. And the behaviour
is also modified by IdentitiesOnly.

> I guess that makes the answer a case of "it's complicated".

It is. And IdentityFile works differently to most other options (it's
cumulative, not first-match) which was probably a mistake, but we're
kind of stuck with it.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: ssh-keygen(1): by default generate ed25519 key (instead of rsa)
On Tue, Nov 08, 2022 at 01:23:52PM +1100, Darren Tucker wrote:
> On Tue, 8 Nov 2022 at 11:05, Joerg Sonnenberger wrote:
> > On Mon, Nov 07, 2022 at 12:53:43PM +0100, Renaud Allard wrote:
> [...]
> > > Wouldn't it also be a good idea for ssh client to also try the ed25519 key
> > > first if there are multiple keys?
> >
> > That's already happening.
>
> Not quite: the default value for IdentityFile has RSA before ED25519.
> Changing the default order is a potentially disruptive change, though,
> as configs that previously worked may hit MaxAuthTries instead.
>
>      IdentityFile
>              [...] The default is ~/.ssh/id_rsa,
>              ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519,
>              ~/.ssh/id_ed25519_sk and ~/.ssh/id_dsa.
>
> $ SSH_AUTH_SOCK= ssh -F/dev/null localhost
> Enter passphrase for key '/home/dtucker/.ssh/id_rsa':
> Enter passphrase for key '/home/dtucker/.ssh/id_ecdsa':
> Enter passphrase for key '/home/dtucker/.ssh/id_ed25519':

I tried that first and it picked up id_ed25519 from the agent, even if
both keys are accepted by the server. I guess that makes the answer a
case of "it's complicated".

Joerg
Re: ssh-keygen(1): by default generate ed25519 key (instead of rsa)
On Tue, 8 Nov 2022 at 11:05, Joerg Sonnenberger wrote:
> On Mon, Nov 07, 2022 at 12:53:43PM +0100, Renaud Allard wrote:
[...]
> > Wouldn't it also be a good idea for ssh client to also try the ed25519 key
> > first if there are multiple keys?
>
> That's already happening.

Not quite: the default value for IdentityFile has RSA before ED25519.
Changing the default order is a potentially disruptive change, though,
as configs that previously worked may hit MaxAuthTries instead.

     IdentityFile
             [...] The default is ~/.ssh/id_rsa,
             ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519,
             ~/.ssh/id_ed25519_sk and ~/.ssh/id_dsa.

$ SSH_AUTH_SOCK= ssh -F/dev/null localhost
Enter passphrase for key '/home/dtucker/.ssh/id_rsa':
Enter passphrase for key '/home/dtucker/.ssh/id_ecdsa':
Enter passphrase for key '/home/dtucker/.ssh/id_ed25519':

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
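The two messages from Darren Tucker above describe how the client picks the order in which it offers keys (command-line keys and agent keys first, then the IdentityFile list, which accumulates across matching Host blocks instead of taking the first match) and why a long list can run into sshd's MaxAuthTries. The model below is an added example, not OpenSSH code: resolve, offer_order and attempts_to_reach are hypothetical, simplified versions of the client's logic, the default list is the one quoted from ssh_config(5), and CONFIG is a constructed sample.

```python
import fnmatch

# Default IdentityFile order, as quoted from ssh_config(5) in the thread.
DEFAULT_IDENTITIES = [
    "~/.ssh/id_rsa", "~/.ssh/id_ecdsa", "~/.ssh/id_ecdsa_sk",
    "~/.ssh/id_ed25519", "~/.ssh/id_ed25519_sk", "~/.ssh/id_dsa",
]

def resolve(config_text, host):
    """Simplified ssh_config resolver (hypothetical: Host patterns only, no Match,
    Include or '!' negation). Options are first-match-wins; IdentityFile accumulates."""
    opts, identities, active = {}, [], True
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1) + [""]
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif active and key == "identityfile" and value not in identities:
            identities.append(value)  # cumulative across every matching block
        elif active and key and key != "identityfile":
            opts.setdefault(key, value)  # first value seen wins
    return opts, identities or list(DEFAULT_IDENTITIES)

def offer_order(identities, present, agent=(), cmdline=(), identities_only=False):
    """Key order the client offers, per the rules in the thread: command-line keys
    first, then keys already in the agent (no passphrase prompt), then configured
    files that exist on disk. IdentitiesOnly limits agent keys to configured ones
    (matched by path here, a simplification of the real public-key comparison)."""
    order = list(cmdline)
    for k in agent:
        if identities_only and k not in identities and k not in cmdline:
            continue
        if k not in order:
            order.append(k)
    for k in identities:
        if k in present and k not in order:
            order.append(k)
    return order

def attempts_to_reach(order, accepted, max_auth_tries=6):
    """1-based position of the first server-accepted key, or None if it would
    not be offered before sshd's MaxAuthTries (default 6) is exhausted."""
    for n, k in enumerate(order, 1):
        if k in accepted:
            return n if n <= max_auth_tries else None
    return None

# Constructed sample config: both blocks match "bastion", so both IdentityFile
# entries are offered, while ServerAliveInterval keeps only the first value.
CONFIG = """Host bastion
    IdentityFile ~/.ssh/id_rsa
    ServerAliveInterval 30
Host *
    IdentityFile ~/.ssh/id_ed25519
    ServerAliveInterval 60"""
```

With the three key files from Darren's transcript on disk and no agent, the ed25519 key is the third attempt; loading it into the agent moves it to the first.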
Re: ssh-keygen(1): by default generate ed25519 key (instead of rsa)
On Mon, Nov 07, 2022 at 12:53:43PM +0100, Renaud Allard wrote:
>
>
> On 11/6/22 15:29, Job Snijders wrote:
> > Dear all,
> >
> > Support for using Ed25519 for server and user authentication was
> > introduced in 2014. I like the compactness of Ed25519 public keys.
> >
> > Perhaps now is a good time to make Ed25519 the default key type when
> > invoking ssh-keygen(1) without arguments?
> >
> > Kind regards,
> >
> > Job
> >
>
> Hi Job,
>
> Wouldn't it also be a good idea for ssh client to also try the ed25519 key
> first if there are multiple keys?

That's already happening.

Joerg
Re: ssh-keygen(1): by default generate ed25519 key (instead of rsa)
On 11/6/22 15:29, Job Snijders wrote:
> Dear all,
>
> Support for using Ed25519 for server and user authentication was
> introduced in 2014. I like the compactness of Ed25519 public keys.
>
> Perhaps now is a good time to make Ed25519 the default key type when
> invoking ssh-keygen(1) without arguments?
>
> Kind regards,
>
> Job

Hi Job,

Wouldn't it also be a good idea for ssh client to also try the ed25519 key
first if there are multiple keys?

Best Regards
Re: ssh-keygen(1): by default generate ed25519 key (instead of rsa)
On Mon, Nov 07, 2022 at 01:45:28AM -0500, A Tammy wrote:
>
> On 11/6/22 09:29, Job Snijders wrote:
> > Dear all,
> >
> > Support for using Ed25519 for server and user authentication was
> > introduced in 2014. I like the compactness of Ed25519 public keys.
> >
> > Perhaps now is a good time to make Ed25519 the default key type when
> > invoking ssh-keygen(1) without arguments?
>
> I'd love this to happen.
>
> I think there are a few large platforms, e.g. AWS, which aren't
> supporting these keys (at least I couldn't add mine and had to add the
> rsa one). It might be a good push for them to finally add support :D

yeah! AWS is the only reason I have a rsa key now.

>
> aisha
>
> > Kind regards,
> >
> > Job
> >
> > Index: ssh-keygen.1 > > === > > RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v > > retrieving revision 1.226 > > diff -u -p -r1.226 ssh-keygen.1 > > --- ssh-keygen.110 Sep 2022 08:50:53 - 1.226 > > +++ ssh-keygen.16 Nov 2022 13:31:19 - > > @@ -185,7 +185,7 @@ The type of key to be generated is speci > > option. > > If invoked without any arguments, > > .Nm > > -will generate an RSA key. > > +will generate an ed25519 key. > > .Pp > > .Nm > > is also used to generate groups for use in Diffie-Hellman group > > Index: ssh-keygen.c > > === > > RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v > > retrieving revision 1.459 > > diff -u -p -r1.459 ssh-keygen.c > > --- ssh-keygen.c11 Aug 2022 01:56:51 - 1.459 > > +++ ssh-keygen.c6 Nov 2022 13:31:21 - > > @@ -61,12 +61,6 @@ > > #include "ssh-pkcs11.h" > > #endif > > > > -#ifdef WITH_OPENSSL > > -# define DEFAULT_KEY_TYPE_NAME "rsa" > > -#else > > -# define DEFAULT_KEY_TYPE_NAME "ed25519" > > -#endif > > - > > /* > > * Default number of bits in the RSA, DSA and ECDSA keys. These value can > > be > > * overridden on the command line. 
> > @@ -252,7 +246,7 @@ ask_filename(struct passwd *pw, const ch > > char *name = NULL; > > > > if (key_type_name == NULL) > > - name = _PATH_SSH_CLIENT_ID_RSA; > > + name = _PATH_SSH_CLIENT_ID_ED25519; > > else { > > switch (sshkey_type_from_name(key_type_name)) { > > case KEY_DSA_CERT: > > @@ -3748,7 +3742,7 @@ main(int argc, char **argv) > > } > > > > if (key_type_name == NULL) > > - key_type_name = DEFAULT_KEY_TYPE_NAME; > > + key_type_name = "ed25519"; > > > > type = sshkey_type_from_name(key_type_name); > > type_bits_valid(type, key_type_name, ); > >
Re: ssh-keygen(1): by default generate ed25519 key (instead of rsa)
On 2022/11/07 12:02, Solène Rapenne wrote:
> On Sun, 6 Nov 2022 18:41:50 +0400,
> Loganaden Velvindron wrote:
>
> > On Sun, 6 Nov 2022 at 18:31, Job Snijders wrote:
> > >
> > > Dear all,
> > >
> > > Support for using Ed25519 for server and user authentication was
> > > introduced in 2014. I like the compactness of Ed25519 public keys.
> > >
> > > Perhaps now is a good time to make Ed25519 the default key type when
> > > invoking ssh-keygen(1) without arguments?
> > >
> >
> > I agree, but I think we lack data on deployed ssh systems at large.
> >
> > > Kind regards,
> > >
> > > Job
>
> FWIW, Azure doesn't support ed25519 yet
>
> https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/ed25519-ssh-keys
>

This doesn't cause a problem, you can simply generate an RSA key if you
would like to use a key to connect to a system that does not yet support
ed25519 keys.

Using ed25519 by default is also a gentle nudge to vendors (maybe it will
become easier for them to add support than explain to users how to
generate an rsa key).
Re: ssh-keygen(1): by default generate ed25519 key (instead of rsa)
On Sun, 6 Nov 2022 18:41:50 +0400,
Loganaden Velvindron wrote:

> On Sun, 6 Nov 2022 at 18:31, Job Snijders wrote:
> >
> > Dear all,
> >
> > Support for using Ed25519 for server and user authentication was
> > introduced in 2014. I like the compactness of Ed25519 public keys.
> >
> > Perhaps now is a good time to make Ed25519 the default key type when
> > invoking ssh-keygen(1) without arguments?
> >
>
> I agree, but I think we lack data on deployed ssh systems at large.
>
> > Kind regards,
> >
> > Job

FWIW, Azure doesn't support ed25519 yet

https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/ed25519-ssh-keys
Re: ssh-keygen(1): by default generate ed25519 key (instead of rsa)
On 11/6/22 09:29, Job Snijders wrote:
> Dear all,
>
> Support for using Ed25519 for server and user authentication was
> introduced in 2014. I like the compactness of Ed25519 public keys.
>
> Perhaps now is a good time to make Ed25519 the default key type when
> invoking ssh-keygen(1) without arguments?

I'd love this to happen.

I think there are a few large platforms, e.g. AWS, which aren't
supporting these keys (at least I couldn't add mine and had to add the
rsa one). It might be a good push for them to finally add support :D

aisha

> Kind regards,
>
> Job
>
> Index: ssh-keygen.1 > === > RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v > retrieving revision 1.226 > diff -u -p -r1.226 ssh-keygen.1 > --- ssh-keygen.1 10 Sep 2022 08:50:53 - 1.226 > +++ ssh-keygen.1 6 Nov 2022 13:31:19 - > @@ -185,7 +185,7 @@ The type of key to be generated is speci > option. > If invoked without any arguments, > .Nm > -will generate an RSA key. > +will generate an ed25519 key. > .Pp > .Nm > is also used to generate groups for use in Diffie-Hellman group > Index: ssh-keygen.c > === > RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v > retrieving revision 1.459 > diff -u -p -r1.459 ssh-keygen.c > --- ssh-keygen.c 11 Aug 2022 01:56:51 - 1.459 > +++ ssh-keygen.c 6 Nov 2022 13:31:21 - > @@ -61,12 +61,6 @@ > #include "ssh-pkcs11.h" > #endif > > -#ifdef WITH_OPENSSL > -# define DEFAULT_KEY_TYPE_NAME "rsa" > -#else > -# define DEFAULT_KEY_TYPE_NAME "ed25519" > -#endif > - > /* > * Default number of bits in the RSA, DSA and ECDSA keys. These value can be > * overridden on the command line. > @@ -252,7 +246,7 @@ ask_filename(struct passwd *pw, const ch > char *name = NULL; > > if (key_type_name == NULL) > - name = _PATH_SSH_CLIENT_ID_RSA; > + name = _PATH_SSH_CLIENT_ID_ED25519; > else { > switch (sshkey_type_from_name(key_type_name)) { > case KEY_DSA_CERT: 
> @@ -3748,7 +3742,7 @@ main(int argc, char **argv) > } > > if (key_type_name == NULL) > - key_type_name = DEFAULT_KEY_TYPE_NAME; > + key_type_name = "ed25519"; > > type = sshkey_type_from_name(key_type_name); > type_bits_valid(type, key_type_name, ); >
Re: ssh-keygen(1): by default generate ed25519 key (instead of rsa)
Should we have a small window where the key is generated, but not yet the default? Or should we use the snapshot period to create some pain, and see which clouds react (we will allow them to self-publish their hate for the choices of their customers), but then when release time comes, we can make a subtly more conservative decision?
Re: ssh-keygen(1): by default generate ed25519 key (instead of rsa)
I think it's time; RFC 8709 has been a thing for a couple of years now
and a bit of gentle pressure is good.

ok djm, but cc openssh@ so others can chime in

-d

On Sun, 6 Nov 2022, Job Snijders wrote:

> Dear all,
>
> Support for using Ed25519 for server and user authentication was
> introduced in 2014. I like the compactness of Ed25519 public keys.
>
> Perhaps now is a good time to make Ed25519 the default key type when
> invoking ssh-keygen(1) without arguments?
>
> Kind regards,
>
> Job
>
> Index: ssh-keygen.1 > === > RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v > retrieving revision 1.226 > diff -u -p -r1.226 ssh-keygen.1 > --- ssh-keygen.1 10 Sep 2022 08:50:53 - 1.226 > +++ ssh-keygen.1 6 Nov 2022 13:31:19 - > @@ -185,7 +185,7 @@ The type of key to be generated is speci > option. > If invoked without any arguments, > .Nm > -will generate an RSA key. > +will generate an ed25519 key. > .Pp > .Nm > is also used to generate groups for use in Diffie-Hellman group > Index: ssh-keygen.c > === > RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v > retrieving revision 1.459 > diff -u -p -r1.459 ssh-keygen.c > --- ssh-keygen.c 11 Aug 2022 01:56:51 - 1.459 > +++ ssh-keygen.c 6 Nov 2022 13:31:21 - > @@ -61,12 +61,6 @@ > #include "ssh-pkcs11.h" > #endif > > -#ifdef WITH_OPENSSL > -# define DEFAULT_KEY_TYPE_NAME "rsa" > -#else > -# define DEFAULT_KEY_TYPE_NAME "ed25519" > -#endif > - > /* > * Default number of bits in the RSA, DSA and ECDSA keys. These value can be > * overridden on the command line. > @@ -252,7 +246,7 @@ ask_filename(struct passwd *pw, const ch > char *name = NULL; > > if (key_type_name == NULL) > - name = _PATH_SSH_CLIENT_ID_RSA; > + name = _PATH_SSH_CLIENT_ID_ED25519; > else { > switch (sshkey_type_from_name(key_type_name)) { > case KEY_DSA_CERT: 
> @@ -3748,7 +3742,7 @@ main(int argc, char **argv) > } > > if (key_type_name == NULL) > - key_type_name = DEFAULT_KEY_TYPE_NAME; > + key_type_name = "ed25519"; > > type = sshkey_type_from_name(key_type_name); > type_bits_valid(type, key_type_name, ); > >
Re: ssh-keygen(1): by default generate ed25519 key (instead of rsa)
On Sun, Nov 06, 2022 at 04:29:59PM +0100, Solène Rapenne wrote:
> On Sun, 6 Nov 2022 14:29:52 +,
> Job Snijders wrote:
>
> > Dear all,
> >
> > Support for using Ed25519 for server and user authentication was
> > introduced in 2014. I like the compactness of Ed25519 public keys.
> >
> > Perhaps now is a good time to make Ed25519 the default key type when
> > invoking ssh-keygen(1) without arguments?
> >
> > Kind regards,
> >
> > Job
>
> Does it have other advantages over rsa apart from being more compact?

If server and client are in the same CPU range, the much faster signing
(factor 15) will easily compensate for the slower verification (factor 6)
when compared with 2048bit RSA. This is why servers generally prefer ECC,
especially with perfect forward security. It doesn't matter as much in
the context of OpenSSH.

For the question at hand: I regularly have to interact with SSH servers
that don't support ECDSA or ED25519. Those are mostly non-OpenSSH
implementations and/or deeply embedded devices.

Joerg
Re: ssh-keygen(1): by default generate ed25519 key (instead of rsa)
On Sun, 6 Nov 2022 14:29:52 +,
Job Snijders wrote:

> Dear all,
>
> Support for using Ed25519 for server and user authentication was
> introduced in 2014. I like the compactness of Ed25519 public keys.
>
> Perhaps now is a good time to make Ed25519 the default key type when
> invoking ssh-keygen(1) without arguments?
>
> Kind regards,
>
> Job

Does it have other advantages over rsa apart from being more compact?
Re: ssh-keygen(1): by default generate ed25519 key (instead of rsa)
On Sun, 6 Nov 2022 at 18:31, Job Snijders wrote:
>
> Dear all,
>
> Support for using Ed25519 for server and user authentication was
> introduced in 2014. I like the compactness of Ed25519 public keys.
>
> Perhaps now is a good time to make Ed25519 the default key type when
> invoking ssh-keygen(1) without arguments?
>

I agree, but I think we lack data on deployed ssh systems at large.

> Kind regards,
>
> Job
>
> Index: ssh-keygen.1 > === > RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v > retrieving revision 1.226 > diff -u -p -r1.226 ssh-keygen.1 > --- ssh-keygen.110 Sep 2022 08:50:53 - 1.226 > +++ ssh-keygen.16 Nov 2022 13:31:19 - > @@ -185,7 +185,7 @@ The type of key to be generated is speci > option. > If invoked without any arguments, > .Nm > -will generate an RSA key. > +will generate an ed25519 key. > .Pp > .Nm > is also used to generate groups for use in Diffie-Hellman group > Index: ssh-keygen.c > === > RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v > retrieving revision 1.459 > diff -u -p -r1.459 ssh-keygen.c > --- ssh-keygen.c11 Aug 2022 01:56:51 - 1.459 > +++ ssh-keygen.c6 Nov 2022 13:31:21 - > @@ -61,12 +61,6 @@ > #include "ssh-pkcs11.h" > #endif > > -#ifdef WITH_OPENSSL > -# define DEFAULT_KEY_TYPE_NAME "rsa" > -#else > -# define DEFAULT_KEY_TYPE_NAME "ed25519" > -#endif > - > /* > * Default number of bits in the RSA, DSA and ECDSA keys. These value can be > * overridden on the command line. > @@ -252,7 +246,7 @@ ask_filename(struct passwd *pw, const ch > char *name = NULL; > > if (key_type_name == NULL) > - name = _PATH_SSH_CLIENT_ID_RSA; > + name = _PATH_SSH_CLIENT_ID_ED25519; > else { > switch (sshkey_type_from_name(key_type_name)) { > case KEY_DSA_CERT: > @@ -3748,7 +3742,7 @@ main(int argc, char **argv) > } > > if (key_type_name == NULL) > - key_type_name = DEFAULT_KEY_TYPE_NAME; > + key_type_name = "ed25519"; > > type = sshkey_type_from_name(key_type_name); > type_bits_valid(type, key_type_name, ); >
ssh-keygen(1): by default generate ed25519 key (instead of rsa)
Dear all,

Support for using Ed25519 for server and user authentication was
introduced in 2014. I like the compactness of Ed25519 public keys.

Perhaps now is a good time to make Ed25519 the default key type when
invoking ssh-keygen(1) without arguments?

Kind regards,

Job

Index: ssh-keygen.1 === RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v retrieving revision 1.226 diff -u -p -r1.226 ssh-keygen.1 --- ssh-keygen.110 Sep 2022 08:50:53 - 1.226 +++ ssh-keygen.16 Nov 2022 13:31:19 - @@ -185,7 +185,7 @@ The type of key to be generated is speci option. If invoked without any arguments, .Nm -will generate an RSA key. +will generate an ed25519 key. .Pp .Nm is also used to generate groups for use in Diffie-Hellman group Index: ssh-keygen.c === RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v retrieving revision 1.459 diff -u -p -r1.459 ssh-keygen.c --- ssh-keygen.c11 Aug 2022 01:56:51 - 1.459 +++ ssh-keygen.c6 Nov 2022 13:31:21 - @@ -61,12 +61,6 @@ #include "ssh-pkcs11.h" #endif -#ifdef WITH_OPENSSL -# define DEFAULT_KEY_TYPE_NAME "rsa" -#else -# define DEFAULT_KEY_TYPE_NAME "ed25519" -#endif - /* * Default number of bits in the RSA, DSA and ECDSA keys. These value can be * overridden on the command line. @@ -252,7 +246,7 @@ ask_filename(struct passwd *pw, const ch char *name = NULL; if (key_type_name == NULL) - name = _PATH_SSH_CLIENT_ID_RSA; + name = _PATH_SSH_CLIENT_ID_ED25519; else { switch (sshkey_type_from_name(key_type_name)) { case KEY_DSA_CERT: @@ -3748,7 +3742,7 @@ main(int argc, char **argv) } if (key_type_name == NULL) - key_type_name = DEFAULT_KEY_TYPE_NAME; + key_type_name = "ed25519"; type = sshkey_type_from_name(key_type_name); type_bits_valid(type, key_type_name, );
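Review bot: in the @@ -185,7 hunk of ssh-keygen.1 the replacement line spells the type "ed25519" in lower case where the removed line had "RSA"; lower case matches the spelling accepted by -t, but the rest of ssh-keygen.1 should be searched in the same commit for any other wording that still assumes an RSA default, so the manual stays consistent after this change.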
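Review bot: the @@ -61,12 hunk removes the DEFAULT_KEY_TYPE_NAME macro together with its WITH_OPENSSL conditional, and the @@ -3748,7 hunk then hard-codes the literal "ed25519" in main(); keeping a single unconditional `# define DEFAULT_KEY_TYPE_NAME "ed25519"` would leave one named place for the default and keep it next to the `_PATH_SSH_CLIENT_ID_ED25519` choice made in ask_filename(). Since the define goes away, also confirm with a grep that no reference to DEFAULT_KEY_TYPE_NAME remains outside the lines shown.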
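Review bot: the @@ -252,7 hunk changes the file name offered when no -t is given from _PATH_SSH_CLIENT_ID_RSA to _PATH_SSH_CLIENT_ID_ED25519, so a user running a bare ssh-keygen who already has an id_ed25519 file is now asked about that file instead of id_rsa; this is a user-visible behaviour change and belongs in the commit message and release notes alongside the manual page update.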