I think it's time; RFC 8709 has been a thing for a couple of years
now and a bit of gentle pressure is good.

ok djm, but cc openssh@ so others can chime in

-d

On Sun, 6 Nov 2022, Job Snijders wrote:

> Dear all,
> 
> Support for using Ed25519 for server and user authentication was
> introduced in 2014. I like the compactness of Ed25519 public keys.
> 
> Perhaps now is a good time to make Ed25519 the default key type when
> invoking ssh-keygen(1) without arguments?
> 
> Kind regards,
> 
> Job
> 
> Index: ssh-keygen.1
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v
> retrieving revision 1.226
> diff -u -p -r1.226 ssh-keygen.1
> --- ssh-keygen.1      10 Sep 2022 08:50:53 -0000      1.226
> +++ ssh-keygen.1      6 Nov 2022 13:31:19 -0000
> @@ -185,7 +185,7 @@ The type of key to be generated is speci
>  option.
>  If invoked without any arguments,
>  .Nm
> -will generate an RSA key.
> +will generate an ed25519 key.
>  .Pp
>  .Nm
>  is also used to generate groups for use in Diffie-Hellman group
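Review bot: the replacement sentence spells the algorithm "ed25519" in running prose, while the covering message and RFC 8709 write "Ed25519"; lowercase is the spelling of the -t argument value, so for "will generate an ed25519 key." consider "will generate an Ed25519 key." and reserve the lowercase form for places that name the option value. Cosmetic only; the behavioural statement agrees with the code change.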
> Index: ssh-keygen.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v
> retrieving revision 1.459
> diff -u -p -r1.459 ssh-keygen.c
> --- ssh-keygen.c      11 Aug 2022 01:56:51 -0000      1.459
> +++ ssh-keygen.c      6 Nov 2022 13:31:21 -0000
> @@ -61,12 +61,6 @@
>  #include "ssh-pkcs11.h"
>  #endif
>  
> -#ifdef WITH_OPENSSL
> -# define DEFAULT_KEY_TYPE_NAME "rsa"
> -#else
> -# define DEFAULT_KEY_TYPE_NAME "ed25519"
> -#endif
> -
>  /*
>   * Default number of bits in the RSA, DSA and ECDSA keys.  These value can be
>   * overridden on the command line.
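Review bot: removing the DEFAULT_KEY_TYPE_NAME define altogether forces the new default to be spelled out as a string literal at its use site in main() and leaves the matching default file name in ask_filename() as a second, independent hard-coded choice. Keeping the single define, reduced to `# define DEFAULT_KEY_TYPE_NAME "ed25519"`, leaves one place to change and keeps the two in step. Dropping the WITH_OPENSSL conditional itself is fine, since the non-OpenSSL branch already selected ed25519, but grep for any remaining users of DEFAULT_KEY_TYPE_NAME before deleting it, or the build breaks.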
> @@ -252,7 +246,7 @@ ask_filename(struct passwd *pw, const ch
>       char *name = NULL;
>  
>       if (key_type_name == NULL)
> -             name = _PATH_SSH_CLIENT_ID_RSA;
> +             name = _PATH_SSH_CLIENT_ID_ED25519;
>       else {
>               switch (sshkey_type_from_name(key_type_name)) {
>               case KEY_DSA_CERT:
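Review bot: the default file name (this hunk) and the default key type (the main() hunk) are now chosen in two unrelated functions with no shared constant; if one is later changed without the other, an argument-less ssh-keygen run writes a key of one type to a file named for another. Consider deriving the NULL-case file name from the same default used in main(), or at least a comment in each spot pointing at the other. If key_type_name were given its default before ask_filename() is reached, the NULL branch here could go away and the existing switch over sshkey_type_from_name() would cover both the explicit and the default case.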
> @@ -3748,7 +3742,7 @@ main(int argc, char **argv)
>       }
>  
>       if (key_type_name == NULL)
> -             key_type_name = DEFAULT_KEY_TYPE_NAME;
> +             key_type_name = "ed25519";
>  
>       type = sshkey_type_from_name(key_type_name);
>       type_bits_valid(type, key_type_name, &bits);
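Review bot: with the default now ed25519, a `-b 4096` given without `-t` (a habit carried over from the RSA default) reaches `type_bits_valid(type, key_type_name, &bits)` with an Ed25519 type; confirm that this path either rejects the bit count or clearly reports that -b does not apply to this key type rather than silently ignoring it, and consider noting in the man page's -b description that the default key type has a fixed size.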
> 
> 
