[patch] ssh-keygen(1): generate Ed25519 keys when invoked without arguments

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 

Dear all,

Ed25519 public keys being as small as they are is very convenient.
There is an opportunity to nudge the world towards modern algorithms.
I believe choices made in OpenSSH can positively impact the wider
eco-system and industry. I'd like to suggest ssh-keygen to generate an
Ed25519 keypair, if invoked without any arguments.

OpenSSH has supported Ed25519 since version 6.5 (January 2014).
The newly published FIPS 186-5 (February 2023) guidelines approve
the EdDSA algorithms specified in IETF RFC 8032 (January 2017).

At p2k23 Theo de Raadt suggested now (before OpenBSD 7.4 release) is
good timing to consider this change. Is there a reason not to do this?

OK?

Kind regards,

Job

Further reading:
  Original Ed25519 paper: https://ed25519.cr.yp.to/ed25519-20110926.pdf
  IETF RFC 8032: https://datatracker.ietf.org/doc/html/rfc8032
  FIPS 186-5: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf

Index: ssh-keygen.1
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.1,v
retrieving revision 1.229
diff -u -p -r1.229 ssh-keygen.1
--- ssh-keygen.1	23 Jul 2023 20:04:45 -0000	1.229
+++ ssh-keygen.1	3 Sep 2023 21:29:11 -0000
@@ -185,7 +185,7 @@ The type of key to be generated is speci
 option.
 If invoked without any arguments,
 .Nm
-will generate an RSA key.
+will generate an Ed25519 key.
 .Pp
 .Nm
 is also used to generate groups for use in Diffie-Hellman group
Index: ssh-keygen.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v
retrieving revision 1.470
diff -u -p -r1.470 ssh-keygen.c
--- ssh-keygen.c	17 Jul 2023 04:01:10 -0000	1.470
+++ ssh-keygen.c	3 Sep 2023 21:29:12 -0000
@@ -61,11 +61,7 @@
 #include "ssh-pkcs11.h"
 #endif
 
-#ifdef WITH_OPENSSL
-# define DEFAULT_KEY_TYPE_NAME "rsa"
-#else
-# define DEFAULT_KEY_TYPE_NAME "ed25519"
-#endif
+#define DEFAULT_KEY_TYPE_NAME "ed25519"
 
 /*
  * Default number of bits in the RSA, DSA and ECDSA keys.  These value can be
@@ -252,7 +248,7 @@ ask_filename(struct passwd *pw, const ch
 	char *name = NULL;
 
 	if (key_type_name == NULL)
-		name = _PATH_SSH_CLIENT_ID_RSA;
+		name = _PATH_SSH_CLIENT_ID_ED25519;
 	else {
 		switch (sshkey_type_from_name(key_type_name)) {
 		case KEY_DSA_CERT:
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux