SSH Key Types and Cryptography: The Short Notes

On nearly all current (< 3 years old) operating systems there are 4 different types of SSH key types available - both as a client’s key and the host key:

  • DSA (No longer allowed by default in OpenSSH 7.0+)
  • RSA
  • ECDSA (OpenSSH 5.7+)
  • ed25519 (OpenSSH 6.5+)

So which one to use?

In general, the best practice preference is to use ed25519 if possible, otherwise use RSA (4096 bits) due to mistrust of NIST’s curve for ECDSA. Which key is chosen/created is managed by HostKeyAlgorithms in sshd.conf, and when you create a client key by running ssh-keygen. So what about the other parts of an SSH connection, and can I use an ed25519 key anywhere?

The key types are just one portion of an SSH connection; authentication. SSH connections have three major cryptographic phases, the key exchange, the authentication, followed by the negotiated symmetric encryption used by the rest of the connection. (If you want more detail, check out Digital Ocean or Cisco’s explanations.)

Unlike the SSH key type, the ciphers and key exchange are decided on between sshd and ssh depending on their feature set and what is defined in their config files.

If you’re running OpenSSH 6.3 or newer you can see what algorithms are supported by running one of the three commands: ssh -Q [cipher|mac|kex], or read man ssh_config.

Key Exchange

A glossed over version of the key exchange, has the client and the server share some information (eg. public keys) and use the Diffie-Hellman algorithm with a decided curve to set up the cipher (symmetric key) and the MAC (message authentication code to confirm validity) to be used for the rest of the connection.

Mozilla’s recomended list of kex choices to use (specify in sshdconfig) per their [wiki](https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern.28OpenSSH_6.7.2B.29) is a great starting point. The summary being anything at least with a sha256 confirmation helps.

Encryption

The symmetric key created during the key exchange step is now used to encrypt and decrypt the rest of the connection.

Mozilla’s wiki again lists the most recommended ciphers and MACs with the new chacha20-poly1305 being the first on the list.

Key Type Reference

OS OpenSSH Type
Ubuntu 12.04 5.9 dsa,rsa,ecdsa
Ubuntu 14.04 6.6 dsa,rsa,ecdsa,ed25519
Ubuntu 16.04 7.2 dsa*,rsa,ecdsa,ed25519
Fedora 23 7.1 dsa*,rsa,ecdsa,ed25519
CentOS 7 6.4 dsa,rsa,ecdsa
Mac OS X 10.11 (El Capitan) 6.9 dsa,rsa,ecdsa,ed25519
macOS 10.12 (Sierra DP) 7.2 dsa*,rsa,ecdsa,ed25519
Cmder 7.1 dsa*,rca,edsa,ed25519
Window 10 (14342) 6.6.1 dsa,rsa,ecdsa,ed25519
PuTTY N/A dsa,rsa,ecdsa[1],ed25519[1]

* - disabled by default for sshd
1 - PuTTY stable only supports dsa and rsa but the latest development snapshots support ecdsa and ed25519.

TL;DR

Unless you’re using CentOS 6 or Ubuntu 12.04, use ed25519 keys and Mozilla’s config files to limit the preferred connection ciphers.

http://www.openssh.com/legacy.html