Re: Question about ssh-keygen -a rounds


 



raf wrote:

> Hi,
> 
> man ssh-keygen says:
> 
>   -a rounds
>      When saving a private key, this option specifies
>      the number of KDF (key derivation function) rounds used.
>      Higher numbers result in slower passphrase verification
>      and increased resistance to brute-force password cracking
>      (should the keys be stolen).
> 
> What constitutes "Higher" here? Is 100 high or is 100000 high?
> 
> What's the default number of rounds in the absence of the -a option?
> Could the default value be added to the manpage?
> 
> cheers,
> raf

I've just checked the source, and the default is 16.
The algorithm is bcrypt. So 16 is probably perfect.
It would be nice for this information to be in the
manpage. Here's a potential patch.

cheers,
raf

--- ssh-keygen.1.orig   2020-07-15 11:42:34.000000000 +1000
+++ ssh-keygen.1        2020-07-15 11:48:28.000000000 +1000
@@ -270,6 +270,7 @@ When saving a private key, this option s
 (key derivation function) rounds used.
 Higher numbers result in slower passphrase verification and increased
 resistance to brute-force password cracking (should the keys be stolen).
+The KDF algorithm is bcrypt. The default number of rounds is 16.
 .It Fl B
 Show the bubblebabble digest of specified private or public key file.
 .It Fl b Ar bits
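
Review bot: the added line after "(should the keys be stolen)." puts two sentences on one source line; mdoc sources conventionally start each new sentence on its own line so the formatter handles sentence spacing, so split it into two lines. The default is also written as a literal 16, which will need updating whenever the default in the source changes. Since the question in the thread was whether 100 or 100000 counts as "Higher", a short statement of how the cost scales with the rounds value would answer it more directly than naming the algorithm alone.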

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


