- Use Ed25519 keys. They are now supported in pretty much every server out there (all recent OpenSSH versions, GitHub, GitLab, etc). RSA 2048 keys are unbreakable for the foreseeable future, and using 4096 bit keys are just being paranoid with no gain. You can fit 4x Ed25519 keys in a tweet.
- Setup and use ssh-agent. They make the life so easy.
- You can use Yubikey and pretty much every other solution out there with with OpenSSH now.
> You can use Yubikey and pretty much every other solution out there with with OpenSSH now.
Unfortunately, you can't use Ed25519 keys unless you have the latest/newest model(s) of Yubikey and that Yubikey came with at least a specific firmware version (5.2.3, IIRC). Even if that weren't so, there's still loads of popular / widely-used software that isn't even close to supporting Ed25519 (yet) but has supported RSA for years and years (and will continue to for the foreseeable future).
I'd like to be able to "upgrade" to an Ed25519 key but I can't come up with any real reason to expand my collection of Yubikeys any further (I think I'm up to nine, at last count, and the three newest ones haven't even been opened!). I don't plan on purchasing another Yubikey until four or five of the ones I already have decide to call it quits, so I won't be using an Ed25519 key anytime in the next couple of years, at least.
Even if I could start using an Ed25519 key with my Yubikeys today, I'd likely still have to keep an RSA key around for the "legacy" stuff, in which case I might as well just save myself the trouble and stick with RSA for a while longer.
A private RSA (2048+) key on a Yubikey is still much "better", IMO, than a private Ed25519 key sitting on one's hard drive.
In an ideal world we could all just switch everything over to Ed25519 at about the same time and then retire RSA shortly afterwards. It's gonna be a long time before everyone has ditched RSA keys and moved to Ed25519, though -- RSA isn't going anywhere anytime soon!
I love my YubiKey but it is severely underused but that's me not them. I've had 3 over the past 4 years with 1 older basic model in my desk as a backup then 1 NFC enabled key on my keyring or person. The original NFC key died and has been replaced with a more recent model but I couldn't tell you what components it supports.
I should look into setting it up with more things at home.
> I think I'm up to nine, at last count, and the three newest ones haven't even been opened!
I am a bit confused. Aren't yubikeys able to store multiple keys on them? Why do you have to use so many? Why not instead e.g. a LUKS encrypted usb flashdrive?
Well, I started out with a Symantec VIP Yubikey many, many years ago. Then, MtGox sent me one for 2FA after some compromise there. Later, I bought a "full-featured" Yubikey for use with GPG and SSH on my desktop / workstation. After that, I got two Nanos so that I could leave one, permanently, in each of a pair of laptops. Shortly after that, I decided I should have a spare -- you know, just in case.
At some point, I received another pair of Nanos as free replacements due to one of the issues that Yubico had (weak RNG or something, I think?). Those two and the "spare" are the ones that are still unopened in the package.
Finally, (I'm not really sure why but) I bought a pair of the "GitHub" U2F-only Yubikeys when there was some special deal going on. Now that I think about it, I don't think I've ever even used them either.
The only ones that I really use are the ones that I leave in my workstation and my primary laptop (primarily used for SSH but, to a lesser extent, for signing git commits and unlocking KeePassXC databases as well).
> Why not instead e.g. a LUKS encrypted usb flashdrive?
Oh, I've got probably a dozen or so of those also!
My recommendation anymore is keepassxc for movable ssh keys. It can put them into the agent and remove them automatically when screen locks or other events happen. Combined with a yubikey for 2fa on the database the security is pretty decent. A flash drive with a portable copy of keepassxc should work nicely.
If you're using OpenSSH >= 8.2, Ed25519 support isn't really much of a concern. The vast majority of ("enterprise") Linux systems -- and, likewise, much of the "legacy" software in use today -- likely won't be running >= 8.2 for at least a few more years.
And Azure doesn't support it while instantiating a VM. Which boggles my mind since AFAICT all they have to do with the key material I hand them is to copy it into authorized_keys, not inspect it and tell me my valid key is invalid.
>Setup and use ssh-agent. They make the life so easy.
My #1 ssh usability tip: put this into ~/.ssh/config:
AddKeysToAgent yes
It'll automatically add keys to your agent the first time you use them during a session, so you don't need a separate step for adding keys every time you log in.
> It'll automatically add keys to your agent the first time you use them during a session
If you have more than one private key in your agent, then SSH will try each one sequentially. That can lead to mistakenly getting banned by monitoring software for what can appear indistinguishable to be an authentication attack. Not to mention the wrongness of presenting "any and all keys" to any host you connect to.
If you have multiple keys in your agent, you _really_ should manually configure what key to present using `-i` or `IdentityFile`. But you should also use `IdentitiesOnly` too.
> If you have multiple keys in your agent, you _really_ should manually configure what key to present using `-i` or `IdentityFile`.
If you specify -i or IdentityFile, the agent isn't used at all. You will have to type the keyfile password even if the key is in the agent, therefore making the agent useless.
This "feature" has been a big annoyance for me, since I like to use different keys per machine.
There's no way that's true. I just checked and I have that option set on many of my ssh aliases, and ssh-agent functions exactly as expected.
Maybe it depends on version or something? I've had the same config for years though over several very different OSes and presumably versions of everything.
Wow, you're right. I tried again just now and it worked fine. In the past I tried for some time to get this setup working and was never able to do it. I don't know what I was doing wrong.
> If you specify -i or IdentityFile, the agent isn't used at all. You will have to type the keyfile password even if the key is in the agent, therefore making the agent useless.
I thought so as well, so the reply to this message surprised. I looked into it, and the following is the case on my Debian 18.04 machine running KDE:
With specifying the key through `IdentityFile` I can happily connect without a running ssh-agent. So it's true, that it can do without using the ssh-agent. But if the key has a password, it will prompt for it everytime it's used. I wouldn't phrase it "the agent isn't used at all", though, because for when ssh-agent is running, and it contains the key+password, it seems to happily use that agent, as it doesn't prompt for the password anymore.
Side note: If my understanding is correct, `IdentifyFile` lessens the need for consulting the ssh-agent as stated above, but, except from consulting it for the key password, the agent might be consulted for one more reason as well: Iterating over keys if using the specified one proved unfruitful. For this to stop, you'd have to specify `IdentitiesOnly yes` as well. But this I didn't test, so it's based on theoretical understanding only.
Edit: Oh, the last part was already explained in some other thread which branched of from this. So this post didn't actually provide some new insights, it seems.
I don't understand what `IdentitiesOnly` does. If I have `IdentityFile`s defined for hosts in ssh_config, doesn't that already accomplish what this does? Can you explain what situation `IdentitiesOnly` covers that is different from `IdentityFile`?
Author here. If you specify an IdentityFile then that’ll be tried first (as an explicit identity) but if that doesn’t work then by default, ssh-agent identities will be tried sequentially afterwards. IdentitiesOnly suppresses that behaviour.
I'd recommend you try "AddKeysToAgent confirm", then you'll get a prompt to approve the key usage each time its used. (Can be annoying for usage with automation like ansible).
Having a forwarded agent was how matrix recently got hacked, confirmation is a decent work around if you need to forward your agent.
It's still good info, I don't think it's obvious to most people. I was doing a pentest for a Fortune 500 company, and a key component of us compromising their entire network was a bastion host that controlled access to sensitive parts of their network. Turns out whoever controlled the machine made the rookie mistake of running a cron job as root that ran a non root-owned script, which enabled us to elevate and copy the ssh keys of a lot of IT staff.
Yes, be careful when using ForwardAgent and, more importantly, avoid using it altogether unless you absolutely need to!
Most "use cases" I've come across could have been solved "better" by simply using ProxyCommand instead. That was apparently too hard, though, so use of agent forwarding continued.
Since the introduction of ProxyJump a while back, however, it's now even easier to avoid using agent forwarding in most -- but not all -- cases.
So yes, be careful when using agent forwarding but, more importantly, as much as possible, just avoid using it entirely unless you absolutely must!
Sometimes I log into a machine and would like to ssh-clone a git repository there using the private key I've got on my local machine. Is there a way around forwarding my ssh-agent in this case?
> 2. Don't use agent forwarding unless you know you can trust the machine on the other end.
This gets said a lot, but doesn't forcing a prompt every time the forwarded key gets used mitigate this? SSH is not like surfing on the web with traffic flowing everywhere all the time. If you did not just now run any commands that are expected to invoke SSH, you probably don't want to answer yes to that prompt.
> Don't use agent forwarding unless you know you can trust the machine on the other end.
On both ends. Agent hijacking can happen on client or server, with an attacker present. And is there any machine you can 'trust' ? That's a big ask, and I think the modern 'zero trust' is fundamentally averse to the concept.
I've not noticed this option before, so will this replace keychain? I install this on every new laptop I use so I essentially only have to enter my ssh-agent password for the key once per reboot, and every bash shell hooks into it automatically.
> RSA 2048 keys are unbreakable for the foreseeable future, and using 4096 bit keys are just being paranoid with no gain
This is only true if you consider pure brute force as the only way to "break" RSA 2048. While as of right now there is no hard evidence there has been plenty of hearsay that some of the 5 Eyes have had tools for years that can drastically reduce the brute force complexity needed for RSA 2048 keys.
There is also really no such thing as being "paranoid with no gain" when it comes to computational security, since digital assets can be stored indefinitely and compromised in the future with more advanced computational power or techniques. On the contrary, given the computational power of your average laptop/server these days there's really no reason to _not_ use 4096 keys, unless you are operating on FAANG scale.
Sure, use Ed25519 keys, but their cryptographic strength and convenience are only some of the reasons: they also enforce the new style OpenSSH key format (which should be the default in current releases of OpenSSH, after we released that ranty blog post that one time :-))
> They are now supported in pretty much every server out there
Sadly whatever library Spring Integration uses does not support them yet, as I found out the hard way. I just tried to search for it and couldn't find the reference but just dealt with it a month or two ago.
I've been looking at MFT solutions recently (think fancy SFTP servers for file exchange) and the level of support is just plain bad. Out of roughly 20 products, I think there are maybe 2 that had ed25519 support.
Similarly with Java products that need to use SFTP to transfer files (think SuccessFactors, Dell Boomi etc.) These typically use JSCH which has not been updated for years.
It isn't practical on low end IoT devices which are now more than ever having to move toward encrypted communications. I work on a ~160Mhz product that typically takes 5+ minutes to generate a 2048-bit RSA key but can craft a 256-bit ECC key in 1 sec. There are no hardware resources that can speed this up. Stronger RSA is a dead end. It also chews up a non-trivial fraction of available RAM.
If I may ask, what SSH implementation are you using? One of the libssh's? It's always a pain when one has to forego OpenSSH because it just won't run on the low-end devices...
> I think op is saying, at the cost of an undetectable fraction of a second rounding error when you SSH somewhere, so what?
I tried switching from a 2048-bit to a 4096-bit key to control a modestly sized VPS (~4GB RAM, 2CPU) and scp file transfer speeds plummeted.
I have a symmetric 1GB FTTH connection and I'm used to everything being pretty quick. Using a longer key was like a return to dial-up speed. If you don't plan to transfer large files or directories you can safely ignore it, but I bet your patience will run out pretty quickly if you do.
- Setup and use ssh-agent. They make the life so easy.
- You can use Yubikey and pretty much every other solution out there with with OpenSSH now.