Upping Your SSH Game

Here is how I create my SSH keys, and why I do it the way I do. For a much more in-depth explanation, see https://infosec.mozilla.org/guidelines/openssh.

Initial config

If you don’t already have a .ssh directory in your home directory, run these commands:

mkdir ~/.ssh
chmod 700 ~/.ssh

This creates a new directory called .ssh that is readable, writable and executable by its owner (you), with no permissions for the group owner or anyone else on the system. All of your SSH-related files go in here: public keys, private keys, the known_hosts file, the authorized_keys file and the ssh config file.

Key Generation

Firstly, don’t use DSA keys. They are old and much less secure, and there is no valid reason to use them these days. So just don’t.

I prefer ED25519 keys over RSA. RSA is the most commonly used algorithm, but you need a large key (3072-4096 bits) to make it secure. ED25519 is an elliptic-curve algorithm that is much faster and produces far more compact keys. The only downside is that it has only been supported since OpenSSH 6.5, so it is not compatible with older clients and servers. TL;DR – use ED25519 with newer (modern) OpenSSH versions, and RSA 3072 or RSA 4096 with older ones.

Here’s how to generate the keys in both cases:

# ED25519 - OpenSSH 6.5+
$ ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_$(whoami)_$(date +%Y-%m-%d) -C "SSH Key for AWS servers"

# RSA 4096 - OpenSSH <=6.4
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_$(whoami)_$(date +%Y-%m-%d) -C "SSH Key for AWS servers"

These commands create two files each. The first command, for example, creates id_ed25519_jdoe_2020-12-30 and id_ed25519_jdoe_2020-12-30.pub. The public key is the one you put on a server, on GitHub, and so on. The private key should stay right where it is and never be shared, moved, looked at or otherwise disturbed. No, you don’t need to put it on a USB drive and copy it to all of your other computers. No, you don’t need to upload it to Dropbox. The private key should be chmod 600, end of story. You can put your public key on a blimp if you want. You do you.
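The steps above (create ~/.ssh with mode 700, pick ED25519 or RSA 4096 depending on the OpenSSH version, keep the private key at 600) fit in one small script. The one below is an added example written for this page, not code from the original post or from the Mozilla guidelines. It goes a little beyond the text: it parses the `ssh -V` banner to choose the key type automatically, and it audits the finished directory for the loose permissions the post warns about. The function names (`ensure_ssh_dir`, `recommended_key_type`, `gen_key`, `audit_ssh_dir`, `file_mode`) are my own, and the script assumes GNU or BSD `stat` and, for `gen_key` only, `ssh-keygen` on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): set up ~/.ssh the way the post
# describes, choose the key type for the installed OpenSSH, and audit the result.
# Assumes GNU `stat -c` or BSD `stat -f`; ssh-keygen is needed only by gen_key.

# Print a file's mode as octal digits, e.g. "700". GNU stat first, then BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# mkdir + chmod 700 as in the post, but idempotent so re-running does not fail.
ensure_ssh_dir() {
    mkdir -p "$1" && chmod 700 "$1"
}

# Decide between ED25519 and RSA 4096 from an `ssh -V` banner such as
# "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022".
# Prints "ed25519" for OpenSSH 6.5 and newer, "rsa" for anything older or
# for a banner that cannot be parsed (RSA is the widely supported fallback).
recommended_key_type() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || { echo "rsa"; return; }
    major=${ver% *}; minor=${ver#* }
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 5 ]; }; then
        echo "ed25519"
    else
        echo "rsa"
    fi
}

# Run the ssh-keygen invocation from the post for the chosen type.
# $1 = .ssh directory, $2 = "ed25519" or "rsa", $3 = key comment.
# The file name follows the post's pattern id_<type>_<user>_<date>;
# ssh-keygen prompts for a passphrase interactively.
gen_key() {
    kdir=$1; ktype=$2; comment=$3
    file="$kdir/id_${ktype}_$(whoami)_$(date +%Y-%m-%d)"
    if [ "$ktype" = rsa ]; then
        ssh-keygen -t rsa -b 4096 -f "$file" -C "$comment"
    else
        ssh-keygen -t ed25519 -f "$file" -C "$comment"
    fi
}

# Audit a .ssh directory: the directory itself must be 700, private keys
# (id_* files that are not .pub) must be 600, and nothing in the directory
# may be group- or world-writable. Prints each problem; returns 1 if any.
audit_ssh_dir() {
    adir=$1; bad=0
    [ "$(file_mode "$adir")" = 700 ] || { echo "$adir: mode $(file_mode "$adir"), want 700"; bad=1; }
    for f in "$adir"/*; do
        [ -f "$f" ] || continue
        mode=$(file_mode "$f")
        case "$f" in
            *.pub)  ;;   # public keys may be world-readable, as the post says
            */id_*) [ "$mode" = 600 ] || { echo "$f: mode $mode, want 600"; bad=1; } ;;
        esac
        # A write bit for group or other on anything in here is always a problem.
        case "$mode" in
            *[2367]?|*[2367]) echo "$f: group/other writable ($mode)"; bad=1 ;;
        esac
    done
    return $bad
}

# Typical run (uncomment to execute; ssh -V prints its banner on stderr):
# ensure_ssh_dir ~/.ssh
# gen_key ~/.ssh "$(recommended_key_type "$(ssh -V 2>&1)")" "SSH Key for AWS servers"
# audit_ssh_dir ~/.ssh
```

The audit deliberately treats config, known_hosts and authorized_keys more leniently than private keys: it only objects when they are writable by the group or by others, which is the condition that makes sshd and ssh refuse to trust them.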