Seriously, the default options to ssh-keygen should be all anybody needs. If you need to pass arguments to increase the security of the generated key, then the software has completely failed its purpose. Passing arguments should only be for falling back on less secure options, if there is some limiting factor for a particular deployment.
There is absolutely no reason to pass arguments to ssh-keygen. If it is actually deemed necessary to do so, then that package's installation is inexcusably broken.
Not all systems that you might want to use your keys on support Ed25519, and this was especially true when it was first introduced to OpenSSH. Similarly not everything can handle the new key format. (Interestingly, there's another way to increase the resistance of SSH private keys to password brute-forcing that uses PBKDF2 and is more widely supported, but there's no way to create keys that use it using OpenSSH itself.)
If you want SSH access to Github or Gitlab, you'll need to paste your pubkey there. Leaking your user@host can be a concern if you're trying to maintain anonymity, e.g. Gwern, particularly if your username is your real name. You can strip out the user@host part from the paste, but it's safer to just get rid of it. It's easy to accidentally paste the whole thing into an .ssh/authorized_keys file, for example.
Even if it's not, your default hostname when using a MacBook Pro is typically "<username>s-MacBook-Pro.local" which reveals you're using a MacBook Pro. That info leak probably doesn't matter, but generally you want to reveal as little information as possible.
What kind of person cares enough about anonymity to change the comment in their ssh key, but not change the default hostname of their Mac? That person is very inconsistent.
Because it helps usability when the user is editing ~/.ssh/authorized_keys - if the default is not changed, the key comment has some context, so finding the right key is easier.
I strip comments from my SSH keys too for the same reason you do. But most people don't seem to care and there is a reason for the default.
In my case, I'd actually quite like the comments to be left in, one of those is my personal key, one is for work. Differentiating is useful depending on why I have access.
Certainly, but your user@host will be leaked to the staff of Github / Gitlab and to anyone that compromises your account. The unfortunate thing about anonymity is that a small mistake can be costly. It depends what your threat model is, though.
Comment section is set to what it is because this is easier way to tell where
the public key comes from. It vastly simplifies key management, which is much
more important than the tiny bits of anonymity you get from not setting the
comment.
Anonymity is a different issue from security. You might get a little extra of that by taking user info from keys, but IMO for anonymity you should ensure your user info does not link to the real person.
No, this is a completely unnecessary piece of information that ssh is unnecessarily jamming into the pubkey. What possible use does including the hostname of the generating machine serve for public key authentication?
Today it's my hostname. Tomorrow ssh-keygen (with default arguments) could start including more sensitive information, like the IPv6 address of my machine that's open to the internet and its exact OS version, and leave me open to a lot of attacks. Hence, I'm not going to trust the default arguments for it.
First, this field is important. It's not used for authentication in any way,
as it's just an optional comment, ignored by sshd otherwise. It's not an
information for sshd, though: it's information for human user. Without this
comment you don't have an easy way to tell where the keys come from.
Second, if you don't trust ssh-keygen, why the heck do you use it in the first
place?
Why it would suddenly leak such information? User+host is put in the comment
field for dozen years already, if not longer (and has quite good
explaination why it is there). Where does this distrust of yours come from?
It's completely opaque to me.
Aliases are per shell process. You need to reload your .bashrc (or whatever file you define aliases in) in every shell. Shell scripts are instantly available in all shell instances. Also, shell scripts can be invoked by shell scripts, which aliases can't.
I agree, but for something as simple as that I’d prefer a script to use `ssh-keygen` instead of relying on the presence of a one-line script in the PATH.
Well. OP says
->Generate your new sexy Ed25519 key
I too, say, No f'ing thanks
https://en.wikipedia.org/wiki/Curve25519
In cryptography, Curve25519 is an elliptic curve offering 128 bits of security - The curve is birationally equivalent to Ed25519, a Twisted Edwards curve.
First of all the Ecrypt project is is really outdated. Second you're reading the table wrong. Curve25519 gives you 128 bit of symmetric security, but the curve is 255 bit long. So from your table this compares to 3248 RSA.
Third I'm no fan of such key number tables, it's a bit arbitrary and doesn't really reflect the complexities of modern cryptography.
The paper of the designers of ed25519 specifies the design of the curve: the modulo is 2 to the 255th power - 19 (note that it's how the curve got its name), in the table you quote it's equvalent to (roughly) 3000 RSA bits:
As both rockdoe and hannob have mentioned, ed25519 provides the same attack resistance as a 128-bit symmetric cipher. This is even mentioned in the original DJB ed25519 paper:
> High security level. This system has a 2^128 security target; breaking it has similar difficulty to breaking NIST P-256, RSA with ≈ 3000-bit keys, strong 128-bit block ciphers, etc. (The same techniques would also produce speed improvements at other security levels.) The best attacks known actually cost more than 2^140 bit operations on average, and degrade quadratically in success probability as the number of bit operations drops.
Plus, we KNOW they were routinely breaking 64bit effective strength since the 90s, 30 years on we need a lot lot more than twice the strength, even against half decent hackers - but changing the backbone is considered "too expensive".
So that isn't ME saying the US doesn't have anything valuable enough to protect. Its the US standards agencies.
If it really was equivalent to 816bit rsa, messages encrypted with it would be cracked within hours, and nobody would use ecc... I'd like to see proof that a 256bit Curve25519 is really that weak.
There is absolutely no reason to pass arguments to ssh-keygen. If it is actually deemed necessary to do so, then that package's installation is inexcusably broken.