Most users would simply type ssh-keygen and accept what they're given by default.

But what are the best practices for generating ssh keys with ssh-keygen?

For example:

• Use -o for the OpenSSH key format rather than the older PEM format (OpenSSH 6.5 introduced this feature years ago on 2014-01-30)

• How should one calculate how many rounds of KDF to use with -a?

• Should -T be used to test the candidate primes for safety? What -a value to use with this?

• For the different key types, what are the recommended minimum -b bit sizes?

• etc... (there are a mind-boggling set of options in the manual page).