NIST-Compliant SSH Key Generation with Ed25519
Introduction
Secure Shell (SSH) is an essential tool for secure remote access, automation, and key-based authentication. Following the National Institute of Standards and Technology (NIST) recommendations, this guide outlines the best practices for generating secure SSH key pairs, particularly for Ansible automation and system administration.
NIST now recognizes Ed25519 as a preferred algorithm due to its superior security, efficiency, and resistance to side-channel attacks compared to ECDSA and RSA. This guide provides automation scripts to streamline key generation and deployment using Ed25519.
Naming Convention
For consistency and security, use the following format:
<role>-<host>-<key_type>
Examples:
ansible-controller-prod-ed25519backup-server-ed25519
Generating a Secure Ed25519 SSH Key
To generate a passphrase-protected SSH key for production use:
ssh-keygen -t ed25519 -C "prod-server" -f ~/.ssh/prod-server-ed25519
During the process, enter a strong passphrase.
Secure Key Management
-
Use a Strong Passphrase – At least five to seven words with mixed complexity.
-
Store Private Keys Securely – Restrict access:
chmod 600 ~/.ssh/prod-server-*
- Use
ssh-agentfor Convenience:
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/prod-server-ed25519
- Rotate Keys Periodically – Ensure security over time.
Why Ed25519 Over ECDSA and RSA?
| Algorithm | Security Level | Key Size | Performance | Side-Channel Resistance | Deterministic |
|---|---|---|---|---|---|
| Ed25519 | 128-bit | 32 bytes | Fastest | Yes | Yes |
| ECDSA-384 | 128-bit | 48 bytes | Slower | No | No |
| RSA-4096 | 112-bit | 512 bytes | Slowest | No | Yes |
- Ed25519 is significantly faster and more secure than ECDSA and RSA, making it the best choice for modern SSH authentication.
- It is resistant to side-channel attacks, which can compromise private keys in other algorithms.
- Deterministic signing eliminates nonce-related vulnerabilities, improving cryptographic safety.
Automating SSH Key Generation and Deployment
Below is a script to generate and deploy Ed25519 SSH keys for an Ansible controller.
Script: generate_ansible_ssh_key.sh
#!/bin/bash
# Default settings
KEY_TYPE="ed25519"
KEY_NAME="ansible-controller-${KEY_TYPE}"
SSH_DIR="$HOME/.ssh"
KEY_PATH="$SSH_DIR/$KEY_NAME"
ANSIBLE_USER="ansible"
MANAGED_NODES=()
# Function to display usage
usage() {
echo "Usage: $0 [-u ansible_user] [-n managed_nodes]"
exit 1
}
# Parse command-line options
while getopts "u:n:" opt; do
case ${opt} in
u) ANSIBLE_USER="$OPTARG" ;;
n) IFS=',' read -r -a MANAGED_NODES <<< "$OPTARG" ;;
*) usage ;;
esac
done
# Generate SSH key
mkdir -p "$SSH_DIR"
ssh-keygen -t "$KEY_TYPE" -C "$KEY_NAME" -f "$KEY_PATH" -N ""
chmod 600 "$KEY_PATH"
# Deploy key to managed nodes
if [[ ${#MANAGED_NODES[@]} -gt 0 ]]; then
for NODE in "${MANAGED_NODES[@]}"; do
ssh-copy-id -i "${KEY_PATH}.pub" "$ANSIBLE_USER@$NODE"
done
fi
echo "SSH Key Setup Complete!"
Conclusion
Using Ed25519 for SSH keys ensures strong security, high performance, and resistance to cryptographic vulnerabilities. Implementing automated key generation and deployment simplifies system administration while adhering to NIST recommendations.
Books
- Garfinkel, S. (2005). SSH, The Secure Shell: The Definitive Guide. O'Reilly Media.
Web Articles
- Checketts, B. (2023, September 15). It's 2023. You Should Be Using an Ed25519 SSH Key (And Other Current Best Practices). Brandon Checketts' Blog. Retrieved from https://www.brandonchecketts.com/archives/its-2023-you-should-be-using-an-ed25519-ssh-key-and-other-current-best-practices
- Burns, A. (2023, March). How to Generate the Best SSH Keys. Keystash. Retrieved from https://www.keystash.io/guides/how-to-generate-the-best-ssh-keys.html
Research Papers
- Barker, E. (2020). Recommendation for Key Management: Part 1. NIST Special Publication 800-57. https://doi.org/10.6028/NIST.SP.800-57pt1r5
- Barker, E., & Roginsky, A. (2019). Transitioning the Use of Cryptographic Algorithms and Key Lengths. NIST Special Publication 800-131A. https://doi.org/10.6028/NIST.SP.800-131Ar2