# Different SSHd key schemes



## Phishfry (Jul 30, 2018)

I want to make some strong keys for my SSH server. I see the key is this by default:
ecdsa-sha2-nistp256

Can't help but notice ed25519_key in /etc/ssh/sshd_config. What is this, and is it supported?
Just enabling this setting in the SSH server is not enough, is it?
From all my NanoBSD trials I know the first 3 keys are generated by FreeBSD on firstboot.
What's up with *ed25519* ?
https://en.wikipedia.org/wiki/EdDSA

```
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
```


----------



## SirDice (Jul 30, 2018)

It should be generated too:

```
sshd_keygen()
{
        sshd_keygen_alg rsa1
        sshd_keygen_alg rsa
        sshd_keygen_alg dsa
        sshd_keygen_alg ecdsa
        sshd_keygen_alg ed25519
}
```


```
* ssh(1), sshd(8): Add support for Ed25519 as a public key type.
   Ed25519 is a elliptic curve signature scheme that offers
   better security than ECDSA and DSA and good performance. It may be
   used for both user and host keys.
```
https://www.openssh.com/txt/release-6.5


----------



## getopt (Jul 30, 2018)

I'd prefer to comment out all the weak ciphers by editing the section in /etc/rc.d/sshd like this:

```
sshd_keygen()
{
#       sshd_keygen_alg rsa1
        sshd_keygen_alg rsa
#       sshd_keygen_alg dsa
#       sshd_keygen_alg ecdsa
        sshd_keygen_alg ed25519
}
```
Furthermore I'd erase all unused remaining keys in /etc/ssh/.


----------



## ShelLuser (Jul 30, 2018)

Phishfry said:


> I want to make some strong keys for my SSH server. I see the key is this by default:
> ecdsa-sha2-nistp256


Keys for what exactly? Because if we're talking host keys then it uses something else by default, according to sshd_config(5):

```
HostKey
             Specifies a file containing a private host key used by SSH.  The
             defaults are /etc/ssh/ssh_host_dsa_key,
             /etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key and
             /etc/ssh/ssh_host_rsa_key.
```
But here's the thing: this only becomes an issue if you wish to use hostbased authentication, which isn't used by default. Although it can make it more difficult to falsely gain entrance, you could also be adding an extra layer of problems, especially if you need to access a host from a remote location. Instead of one, you'd now need 2 keys (edit: assuming you're also using keybased authentication for your users, which I personally consider a must-have option).

Each to their own of course, obviously, but I usually only rely on keybased authentication for the actual users who need access. So: one key per user.
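The two files discussed in this thread interact: rc.d/sshd's sshd_keygen() decides which host keys get generated on first boot, while sshd_config's HostKey lines (or, when they are all commented out, the sshd_config(5) defaults quoted above) decide which key files sshd tries to load. The audit below is an added example, not code from the thread or from FreeBSD; it parses both snippets, flags the key types getopt comments out as weak, and reports configured HostKey files that will never be generated (sshd logs "Could not load host key" for those and skips them, so the ed25519 key is still offered as long as it exists).

```python
import re

# Defaults quoted from sshd_config(5) above: used when no HostKey line is active.
DEFAULT_HOST_KEYS = [
    "/etc/ssh/ssh_host_dsa_key",
    "/etc/ssh/ssh_host_ecdsa_key",
    "/etc/ssh/ssh_host_ed25519_key",
    "/etc/ssh/ssh_host_rsa_key",
]
WEAK = {"rsa1", "dsa"}  # the types getopt comments out of sshd_keygen()

def active_host_keys(sshd_config: str) -> list:
    """HostKey paths sshd will try to load: uncommented HostKey lines,
    or the documented defaults if there are none ('#HostKey' is ignored)."""
    keys = [m.group(1) for line in sshd_config.splitlines()
            if (m := re.match(r"\s*HostKey\s+(\S+)", line))]
    return keys or list(DEFAULT_HOST_KEYS)

def generated_key_types(rc_sshd: str) -> list:
    """Key types rc.d/sshd's sshd_keygen() will generate on first boot."""
    return re.findall(r"^\s*sshd_keygen_alg\s+(\S+)", rc_sshd, re.M)

def key_type(path: str) -> str:
    m = re.search(r"ssh_host_(\w+)_key$", path)
    return m.group(1) if m else "unknown"

def audit(sshd_config: str, rc_sshd: str) -> dict:
    """Cross-check: which types are offered, which of those are weak, and
    which configured HostKey files will not exist because rc.d never makes them."""
    offered = [key_type(p) for p in active_host_keys(sshd_config)]
    generated = set(generated_key_types(rc_sshd))
    return {
        "offered": offered,
        "weak_offered": [t for t in offered if t in WEAK],
        "not_generated": [t for t in offered if t not in generated],
    }

# Constructed samples: the stock sshd_config excerpt and getopt's edited rc.d/sshd.
SAMPLE_SSHD_CONFIG = "#HostKey /etc/ssh/ssh_host_rsa_key\n#HostKey /etc/ssh/ssh_host_dsa_key\n" \
                     "#HostKey /etc/ssh/ssh_host_ecdsa_key\n#HostKey /etc/ssh/ssh_host_ed25519_key\n"
SAMPLE_RC_SSHD = ("sshd_keygen()\n{\n#       sshd_keygen_alg rsa1\n        sshd_keygen_alg rsa\n"
                  "#       sshd_keygen_alg dsa\n#       sshd_keygen_alg ecdsa\n"
                  "        sshd_keygen_alg ed25519\n}\n")

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD_CONFIG, SAMPLE_RC_SSHD))
```

With the stock all-commented sshd_config, the defaults still list dsa, so the script reports dsa as a weak type that sshd will try to offer; adding an explicit `HostKey /etc/ssh/ssh_host_ed25519_key` line (and any other keys you keep) makes the configuration match what rc.d generates.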


----------



## Phishfry (Jul 30, 2018)

I was just exploring /etc/ssh/sshd_config and the setting piqued my interest.

I just made my first cloud VM with Linode and I want to make sure I am doing all I can.
Followed the handbook and some good threads.
Glad I bought a used copy of "The Book of pf". I now feel confident I have a good basic rule set.

Reading on keys and certs. I have much to learn.


----------

