Revisions to What are ssh-keygen best practices?

Add -o no longer needed 7.8 in 2018-08

edited Apr 21 at 9:29

Most users would simply type ssh-keygen and accept what they're given by default.

But what are the best practices for generating ssh keys with ssh-keygen?

For example:

Use -o for the OpenSSH key format rather than the older PEM format (OpenSSH 6.5 introduced this feature years ago on 2014-01-30) (no longer needed since v7.8 in 2018-08)
How should one calculate how many rounds of KDF to use with -a?
Should -T be used to test the candidate primes for safety? What -a value to use with this?
For the different key types, what are the recommended minimum -b bit sizes?
etc... (there are a mind-boggling set of options in the manual page).

Most users would simply type ssh-keygen and accept what they're given by default.

But what are the best practices for generating ssh keys with ssh-keygen?

For example:

Use -o for the OpenSSH key format rather than the older PEM format (OpenSSH 6.5 introduced this feature years ago on 2014-01-30)
How should one calculate how many rounds of KDF to use with -a?
Should -T be used to test the candidate primes for safety? What -a value to use with this?
For the different key types, what are the recommended minimum -b bit sizes?
etc... (there are a mind-boggling set of options in the manual page).

Most users would simply type ssh-keygen and accept what they're given by default.

But what are the best practices for generating ssh keys with ssh-keygen?

For example:

Use -o for the OpenSSH key format rather than the older PEM format (OpenSSH 6.5 introduced this feature years ago on 2014-01-30) (no longer needed since v7.8 in 2018-08)
How should one calculate how many rounds of KDF to use with -a?
Should -T be used to test the candidate primes for safety? What -a value to use with this?
For the different key types, what are the recommended minimum -b bit sizes?
etc... (there are a mind-boggling set of options in the manual page).

The question is specifically about key generation

deleted 9 characters in body

edited Mar 21, 2021 at 13:11

Most users would simply type ssh-keygen and accept what they're given by default.

But what are the best practices for generating ssh keys with ssh-keygen?

For example:

Use -o for the OpenSSH key format rather than the older PEM format (OpenSSH 6.5 introduced this feature almost 3 years ago on 2014-01-30)
How should one calculate how many rounds of KDF to use with -a?
Should -T be used to test the candidate primes for safety? What -a value to use with this?
For the different key types, what are the recommended minimum -b bit sizes?
etc... (there are a mind-boggling set of options in the manual page).

Most users would simply type ssh-keygen and accept what they're given by default.

But what are the best practices for generating ssh keys with ssh-keygen?

For example:

Use -o for the OpenSSH key format rather than the older PEM format (OpenSSH 6.5 introduced this feature almost 3 years ago on 2014-01-30)
How should one calculate how many rounds of KDF to use with -a?
Should -T be used to test the candidate primes for safety? What -a value to use with this?
For the different key types, what are the recommended minimum -b bit sizes?
etc... (there are a mind-boggling set of options in the manual page).

Most users would simply type ssh-keygen and accept what they're given by default.

But what are the best practices for generating ssh keys with ssh-keygen?

For example:

Use -o for the OpenSSH key format rather than the older PEM format (OpenSSH 6.5 introduced this feature years ago on 2014-01-30)
How should one calculate how many rounds of KDF to use with -a?
Should -T be used to test the candidate primes for safety? What -a value to use with this?
For the different key types, what are the recommended minimum -b bit sizes?
etc... (there are a mind-boggling set of options in the manual page).