Home / server / Questions / 277198
Accepted
user67327
Asked: 2011-06-06 10:13:06 +0800 CST

Can you make default client key length larger for ssh-keygen?

  • 772

When users employ ssh-keygen to create RSA key pairs, the default key length is 2048 bits.

You can override that on the command line with the -b argument, but few users will bother.

As mentioned in this article, it is recommended to use key lengths of 3072 or greater if you need security beyond 2030. Is there a way to cause 3072 (or 4096) to be the default length for all keys generated? I don't see it in the ssh_config or sshd_config manual pages. Or does it require recompilation of the program?

ssh rsa openssl ssh-keys

1 Answers

  1. Best Answer

    I don't think there is any way to do this via a configuration file. You could set up an alias and put it in a shell initialisation file. This won't stop the user from deleting the alias and running their own command though.

    alias ssh-keygen='ssh-keygen -b 3072'

    then

    $ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/iain/.ssh/id_rsa): /tmp/testkey
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /tmp/testkey.
Your public key has been saved in /tmp/testkey.pub.
The key fingerprint is:
47:3a:03:c8:ac:63:1c:bf:9d:44:1d:4b:b4:0e:66:04 
$ ssh-keygen -lf /tmp/testkey
3072 47:3a:03:c8:ac:63:1c:bf:9d:44:1d:4b:b4:0e:66:04 /tmp/testkey.pub

    You could put it in each (existing) user's ~/.bashrc and in /etc/skel/.bashrc so new user's get it too.

    • 2