ssh – Can you make the default client key length larger for ssh-keygen?

openssl, rsa, ssh, ssh-keys

When users employ ssh-keygen to create RSA key pairs, the default key length is 2048 bits.

You can override that on the command line with the -b argument, but few users will bother.

As mentioned in this article, it is recommended to use key lengths of 3072 or greater if you need security beyond 2030. Is there a way to cause 3072 (or 4096) to be the default length for all keys generated? I don't see it in the ssh_config or sshd_config manual pages. Or does it require recompilation of the program?

Best Answer

I don't think there is any way to do this via a configuration file. You could set up an alias and put it in a shell initialisation file. This won't stop the user from deleting the alias and running their own command though.

alias ssh-keygen='ssh-keygen -b 3072'

then

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/iain/.ssh/id_rsa): /tmp/testkey
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/testkey.
Your public key has been saved in /tmp/testkey.pub.
The key fingerprint is:
47:3a:03:c8:ac:63:1c:bf:9d:44:1d:4b:b4:0e:66:04 
$ ssh-keygen -lf /tmp/testkey
3072 47:3a:03:c8:ac:63:1c:bf:9d:44:1d:4b:b4:0e:66:04 /tmp/testkey.pub

You could put it in each (existing) user's ~/.bashrc and in /etc/skel/.bashrc so new users get it too.
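A plain alias has one gap worth knowing about: if a user types `ssh-keygen -t rsa -b 2048`, the alias expands to `ssh-keygen -b 3072 -t rsa -b 2048`, and ssh-keygen keeps the last `-b` it parses, so the smaller size wins. The shell functions below are an added example (not part of the answer above, and not OpenSSH's own code) that instead inspect the arguments and append `-b` after them, so the minimum cannot be undercut; `-b` is only applied to RSA, since ed25519 ignores it and ecdsa sizes are fixed. The names `sshkeygen_min`, `SSH_KEYGEN_MIN_BITS`, `weak_rsa_line` and `audit_ssh_pubkeys` are my own; the assumption that an `ssh-keygen -l` line without a trailing `(TYPE)` (the older output format shown in the answer) is an RSA key is also mine. Drop the file into `/etc/profile.d/` or `~/.bashrc` and alias `ssh-keygen` to the wrapper as the final line does.

```shell
#!/bin/sh
# Minimum RSA size to enforce; the name is an assumption for this example.
SSH_KEYGEN_MIN_BITS="${SSH_KEYGEN_MIN_BITS:-3072}"

# Scan an ssh-keygen argument list and set KTYPE / KBITS (globals, POSIX sh has no
# `local`). Handles both "-t rsa" and "-trsa" spellings. Default type is rsa,
# matching ssh-keygen's own default.
parse_keygen_args() {
    KTYPE=rsa; KBITS=""; prev=""
    for a in "$@"; do
        case "$prev" in
            -t) KTYPE="$a" ;;
            -b) KBITS="$a" ;;
        esac
        case "$a" in
            -t?*) KTYPE="${a#-t}" ;;
            -b?*) KBITS="${a#-b}" ;;
        esac
        prev="$a"
    done
}

# Print the -b value that must be appended, or nothing if no change is needed.
bits_to_append() {
    ktype="$1"; user_bits="$2"; min="$3"
    [ "$ktype" = rsa ] || return 0          # only RSA sizes are adjustable here
    case "$user_bits" in
        '') printf '%s\n' "$min" ;;          # no -b given: supply the minimum
        *[!0-9]*) ;;                         # not a number: let ssh-keygen reject it
        *) [ "$user_bits" -lt "$min" ] && printf '%s\n' "$min" ;;
    esac
    return 0
}

# Build the argument string the real ssh-keygen will receive (used by the
# wrapper and easy to check on its own).
keygen_cmdline() {
    min="$1"; shift
    parse_keygen_args "$@"
    extra=$(bits_to_append "$KTYPE" "$KBITS" "$min")
    # Appended last because ssh-keygen keeps the last -b it parses.
    if [ -n "$extra" ]; then set -- "$@" -b "$extra"; fi
    printf '%s\n' "$*"
}

# The wrapper itself: same argument handling, then runs the real binary.
sshkeygen_min() {
    parse_keygen_args "$@"
    extra=$(bits_to_append "$KTYPE" "$KBITS" "$SSH_KEYGEN_MIN_BITS")
    if [ -n "$extra" ]; then set -- "$@" -b "$extra"; fi
    command ssh-keygen "$@"
}

# Return 0 if one line of `ssh-keygen -l` output describes an RSA key below the
# minimum. Newer ssh-keygen ends the line with "(RSA)", "(ED25519)", ...; a line
# without that suffix (older output, as in the answer) is assumed to be RSA.
weak_rsa_line() {
    line="$1"; min="$2"
    bits=${line%% *}
    case "$line" in
        *\(RSA\)) ;;
        *\(*\)) return 1 ;;                  # another key type: different size rules
    esac
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -lt "$min" ]
}

# Report existing public keys below the minimum (requires ssh-keygen installed).
audit_ssh_pubkeys() {
    for pub in "${1:-$HOME/.ssh}"/*.pub; do
        [ -f "$pub" ] || continue
        info=$(command ssh-keygen -lf "$pub" 2>/dev/null) || continue
        if weak_rsa_line "$info" "$SSH_KEYGEN_MIN_BITS"; then
            printf 'WEAK: %s\n' "$info"
        fi
    done
}

# Shadow the real command for interactive shells; aliases may contain '-'.
alias ssh-keygen='sshkeygen_min'
```

With the minimum at 3072, `ssh-keygen -t rsa -b 2048 -f key` becomes `ssh-keygen -t rsa -b 2048 -f key -b 3072`, while `ssh-keygen -t ed25519` and `ssh-keygen -t rsa -b 4096` are passed through untouched. As the answer notes, a user who controls their own shell startup files can still remove the alias; this only changes the default behaviour, it is not a policy control.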