Bye bye RSA keys?

Posted Feb 15, 2020 13:00 UTC (Sat) by cjwatson (subscriber, #7322)
In reply to: Bye bye RSA keys? by tlamp
Parent article: OpenSSH 8.2 released

While it is true that rsa-sha2-{256,512} will work fine, this advice to check ssh-keygen output is misleading and incorrect. The hash algorithm used to display the key fingerprint is unrelated to the public key algorithm used for client authentication.

Bye bye RSA keys?

Posted Feb 15, 2020 16:46 UTC (Sat) by tlamp (subscriber, #108540) [Link] (2 responses)

Hmm, true, the SHA256 is just for the fingerprint.

But doesn't relates the keysize to rsa-sha2-{256,512}?
I.e.:

2048 -> 256
4096 -> 512

Else, do you or anybody else knows a quick and general available method to get the used type from a public key?

Bye bye RSA keys?

Posted Feb 16, 2020 6:22 UTC (Sun) by djm (subscriber, #11651) [Link]

The signature algorithm doesn't relate to the key size, though OpenSSH will refuse RSA keys <1024 bits. Practically, you should use at least 2048 bit keys (this is the default for ssh0-keygen).

All existing ssh-rsa keys can be used with the newer rsa-sha2-256/512 signature types. Whether these are supported though is down to the ssh client and server in question, and the easiest way to find out whether both offer those algorithms is to try the recipe in the release notes ("ssh -oHostkeyAlgorithms=-ssh-rsa")

Bye bye RSA keys?

Posted Feb 16, 2020 9:59 UTC (Sun) by cjwatson (subscriber, #7322) [Link]

djm answered before I did and with more authority. But to explain in a bit more detail: authenticating yourself using an RSA key involves signing a message with that key to prove that you own it. RSA signatures normally work by first hashing the plaintext message with some hash function and then applying the RSA algorithm to the result. The hash function can be basically anything reasonable, but it needs to be agreed by both parties. From this you can see that there doesn't need to be any particular link between hash function and key size.

Part of the SSH authentication protocol involves agreeing on mutually-acceptable parameters, such as the key signature algorithm; as a result you may well find different algorithms being used depending on the client/server combination.