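Anyone who has used SSH knows that there are quite a few types of SSH key, such as dsa, rsa, ecdsa and ed25519. With so many types, how should we choose?
Today I came across a related article that is well written, so I am sharing it here.
Before looking at the article in detail, let's state the conclusion first:
To summarize once more:
If possible, prefer ed25519; otherwise choose rsa.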
$ ssh-keygen -t ed25519
The original text follows:
OpenSSH supports several signing algorithms (for authentication keys) which can be divided in two groups depending on the mathematical properties they exploit:

DSA and RSA, which rely on the practical difficulty of factoring the product of two large prime numbers,
ECDSA and Ed25519, which rely on the elliptic curve discrete logarithm problem.

Elliptic curve cryptography (ECC) algorithms are a more recent addition to public key cryptosystems. One of their main advantages is their ability to provide the same level of security with smaller keys, which makes for less computationally intensive operations (i.e. faster key creation, encryption and decryption) and reduced storage and transmission requirements.

OpenSSH 7.0 deprecated and disabled support for DSA keys due to discovered vulnerabilities, therefore the choice of cryptosystem lies within RSA or one of the two types of ECC.

RSA keys will give you the greatest portability, while Ed25519 will give you the best security but requires recent versions of client & server[2]. ECDSA is likely more compatible than Ed25519 (though still less than RSA), but suspicions exist about its security (see below).
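
The following is an added example, not part of the original post or of the quoted article: a Python audit of authorized_keys lines against the advice above, which also goes a step further by checking that the type label matches the type stored inside the key blob and by reporting the RSA modulus size. The function names and advice labels are hypothetical, and the sample lines are constructed in code and are not usable keys.

```python
import base64
import struct

# Advice per key type as stated on this page (labels are this example's own).
ADVICE = {"ssh-ed25519": "preferred", "ssh-rsa": "fallback", "ssh-dss": "replace",
          "ecdsa-sha2-nistp256": "suspect", "ecdsa-sha2-nistp384": "suspect",
          "ecdsa-sha2-nistp521": "suspect"}

def read_string(blob, off):
    """Read one length-prefixed SSH wire string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n

def audit_line(line):
    """Classify one authorized_keys line as (key type, advice, RSA bits or None)."""
    fields = line.split()
    # Options may precede the key type, so find the first known type token.
    idx = next((i for i, f in enumerate(fields) if f in ADVICE), None)
    if idx is None or idx + 1 >= len(fields):
        return (None, "unrecognized", None)
    ktype, bits = fields[idx], None
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
        inner, off = read_string(blob, 0)
        if inner != ktype.encode():
            return (ktype, "type-mismatch", None)  # label and blob disagree
        if ktype == "ssh-rsa":
            _e, off = read_string(blob, off)       # public exponent
            n, off = read_string(blob, off)        # modulus
            bits = int.from_bytes(n, "big").bit_length()
    except (ValueError, struct.error):
        return (ktype, "malformed", None)
    return (ktype, ADVICE[ktype], bits)

def make_line(label, *parts):
    """Build a constructed (non-functional) authorized_keys line for the demo."""
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return f"{label} {base64.b64encode(blob).decode()} constructed@example"

SAMPLES = [  # constructed lines, not real keys
    make_line("ssh-ed25519", b"ssh-ed25519", bytes(32)),
    make_line("ssh-rsa", b"ssh-rsa", b"\x01\x00\x01", ((1 << 2047) | 1).to_bytes(257, "big")),
    make_line("ssh-dss", b"ssh-dss", b"\x01", b"\x01", b"\x01", b"\x01"),
    make_line("ssh-ed25519", b"ssh-dss", b"\x01"),  # mislabelled blob
]

if __name__ == "__main__":
    print(*map(audit_line, SAMPLES), sep="\n")
```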