On Sun, Nov 06, 2022 at 04:29:59PM +0100, Solène Rapenne wrote:
> On Sun, 6 Nov 2022 14:29:52 +0000,
> Job Snijders <j...@openbsd.org> wrote:
>
> > Dear all,
> >
> > Support for using Ed25519 for server and user authentication was
> > introduced in 2014. I like the compactness of Ed25519 public keys.
> >
> > Perhaps now is a good time to make Ed25519 the default key type when
> > invoking ssh-keygen(1) without arguments?
> >
> > Kind regards,
> >
> > Job
>
> Does it have other advantages over rsa apart from being more compact?

If server and client are in the same CPU range, the much faster signing
(factor 15) will easily compensate for the slower verification (factor 6)
when compared with 2048-bit RSA. This is why servers generally prefer
ECC, especially with perfect forward security. It doesn't matter as much
in the context of OpenSSH.

For the question at hand: I regularly have to interact with SSH servers
that don't support ECDSA or ED25519. Those are mostly non-OpenSSH
implementations and/or deeply embedded devices.

Joerg