SSH Changes

SSH-keygen changed default algorithm and fixed security issues.


SSH is the go-to tool for admins and DevOps all over the planet and beyond. Recently the key-generation part, ssh-keygen, was finally upgraded from RSA to Ed25519 as the default key type. What does it mean for us? Nothing, or a lot.

Version 9.5/9.5p1 (2023-10-04)

Ed25519 is now the default key type.

  • ssh-keygen: generate Ed25519 keys by default. Ed25519 public keys are very convenient due to their small size. Ed25519 keys are specified in RFC 8709 and OpenSSH has supported them since version 6.5 (January 2014).

Version 9.6/9.6p1 (2023-12-18)

This release contains fixes for a newly-discovered weakness in the SSH transport protocol, a logic error relating to constrained PKCS#11 keys in ssh-agent(1) and countermeasures for programs that invoke ssh(1) with user or hostnames containing invalid characters.

  • ssh, sshd, ssh-add, ssh-keygen: add support for reading ED25519 private keys in PEM PKCS8 format. Previously, only the OpenSSH private key format was supported.

Users of Ed25519

Notable uses of Ed25519 include OpenSSH, GnuPG and various alternatives, and the signify tool by OpenBSD. Usage of Ed25519 (and Ed448) in the SSH protocol has been standardized. In 2023 the final version of the FIPS 186-5 standard included deterministic Ed25519 as an approved signature scheme.

Use of RSA

If you still need a key with the outdated RSA algorithm, you now have to request it explicitly with the -t option of ssh-keygen.

How to check my version?

Check the client with ssh -V and the server with sshd -V. On Debian or Ubuntu you can check both installed packages at once with dpkg-query --showformat='${Version}\n' --show openssh-server openssh-client
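As an added example (not from the original post), the following POSIX shell script turns these checks into reusable functions: it parses the version number out of the output of ssh -V (which is written to stderr, so capture it with 2>&1), decides whether that version generates Ed25519 keys by default (9.5 and later), and reports the key type of a public-key line so that remaining RSA keys can be found. The version strings and key lines in it are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSH.
set -f   # no globbing while we split key lines into words

# Extract "major.minor" from a string such as
# "OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024"
# (that is what `ssh -V 2>&1` or `sshd -V 2>&1` prints).
ssh_version_number() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Prints "ed25519" when this OpenSSH version makes ssh-keygen generate
# Ed25519 keys by default (9.5 and later), "rsa" for older releases.
default_keytype() {
    ver=$(ssh_version_number "$1")
    [ -n "$ver" ] || { echo unknown; return 1; }
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 5 ]; }; then
        echo ed25519
    else
        echo rsa
    fi
}

# Prints the key type of one public-key line (id_*.pub or authorized_keys).
# The type is the first word starting with ssh-, ecdsa- or sk-, so an
# authorized_keys options prefix such as no-pty,command="..." is skipped.
pubkey_type() {
    for word in $1; do
        case $word in
            ssh-*|ecdsa-*|sk-*) echo "$word"; return 0 ;;
        esac
    done
    echo unknown
    return 1
}

# Constructed sample data for a stand-alone run; replace with real output,
# e.g. default_keytype "$(ssh -V 2>&1)" and pubkey_type "$(cat ~/.ssh/id_rsa.pub)".
SAMPLE_VERSION='OpenSSH_9.6p1 Ubuntu-3ubuntu13.5, OpenSSL 3.0.13 30 Jan 2024'
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC...constructed... user@host'

echo "OpenSSH $(ssh_version_number "$SAMPLE_VERSION"): default key type $(default_keytype "$SAMPLE_VERSION")"
echo "sample key uses $(pubkey_type "$SAMPLE_KEY")"
```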


References

OpenSSH [1] ed25519 [2] PGP [3] GnuPG [4]


  1. The official documentation for OpenSSH is the set of man pages for each tool: ssh, sshd, ssh-keygen, ssh-agent, scp, sftp, ssh-keyscan, sftp-server, and others.

  2. Ed25519 theory (Wikipedia)

  3. Pretty Good Privacy and OpenPGP (Wikipedia)

  4. GNU Privacy Guard (Wikipedia)