Giving the key a passphrase is a good idea, because it protects the private key (if the passphrase is sufficiently strong) if the key file gets stolen.

So even if somebody manages to hack into your client and steal your private ssh key, they can't use it unless they also capture your passphrase.

Downside: you can't (easily) automate processes that use ssh, such as "rsync this folder to that server every Monday at 00:00", if a passphrase is in use. For interactive work ssh-agent solves this: it keeps the decrypted key in memory, so the passphrase is typed once per session. For unattended jobs the usual answer is a second, passphrase-less key that the server only accepts from that one client and only for that one command (the from= and command= options in authorized_keys), so the key is useless for anything but the backup push even if it leaks.

Or you can do it like this: keep your ssh key on a USB stick that you wear like a necklace.
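The locked-down automation key described above, as an added example that is not part of the original post. It is Python rather than a shell one-liner because the server-side wrapper has to parse the requested command safely. authorized_keys_line builds the authorized_keys entry for the backup key (the options are spelled out individually because the OpenSSH 6.7 on the page's server predates the single restrict keyword), and is_allowed_rsync is the check the forced command runs on SSH_ORIGINAL_COMMAND before exec'ing rsync. The placeholder key line, the client host 172.20.0.7, the wrapper path /usr/local/bin/rsync-only and the backup directory /srv/backup are assumptions for illustration.

```python
"""Forced-command wrapper for a passphrase-less automation key.

Added example, not code from the original post. The authorized_keys entry pins
the key to one source host and forces this script as the only command; the
script then lets nothing through except an rsync push into one directory.
Key, host and paths below are constructed for illustration.
"""
import os
import shlex
import sys

# Options understood by OpenSSH 6.x (the page's server). OpenSSH 7.2+ has a
# single "restrict" keyword that replaces the four no-* options.
LOCKDOWN_OPTIONS = ("no-pty", "no-port-forwarding",
                    "no-agent-forwarding", "no-X11-forwarding")
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed placeholder: the blob is not a valid key, only the layout matters.
EXAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDEXAMPLE backup@client"


def authorized_keys_line(pubkey_line, from_host, wrapper_path):
    """Prefix a .pub line with options that pin it to one host and one command."""
    parts = pubkey_line.split()
    if len(parts) not in (2, 3) or parts[0] not in KEY_TYPES:
        raise ValueError("not an OpenSSH public key line")
    if '"' in from_host or '"' in wrapper_path:
        raise ValueError("double quotes are not allowed inside authorized_keys options")
    options = list(LOCKDOWN_OPTIONS)
    options.append('from="%s"' % from_host)
    options.append('command="%s"' % wrapper_path)
    return ",".join(options) + " " + " ".join(parts)


def is_allowed_rsync(original_command, backup_dir="/srv/backup"):
    """True only for 'rsync --server <opts> . <absolute path under backup_dir>'.

    That is what the server side sees when a client runs
    'rsync -a folder/ server:/srv/backup/folder/'. A '--sender' server would
    let the client read files instead of writing them, so it is refused.
    """
    try:
        argv = shlex.split(original_command)
    except ValueError:                      # unbalanced quotes etc.
        return False
    if len(argv) < 4 or argv[0] != "rsync" or argv[1] != "--server":
        return False
    forbidden = ("--sender", "--rsh", "--remove-source-files")
    if any(a.startswith(forbidden) for a in argv[2:]):
        return False
    if argv[-2] != ".":                     # rsync's fixed source placeholder
        return False
    dest = argv[-1]
    if not dest.startswith("/"):            # only absolute destinations
        return False
    dest = os.path.normpath(dest)           # collapses /srv/backup/../../etc
    root = backup_dir.rstrip("/")
    return dest == root or dest.startswith(root + "/")


def main():
    # sshd exports the client's requested command here when command= is forced.
    requested = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    if not is_allowed_rsync(requested):
        sys.stderr.write("rejected: %r\n" % requested)
        sys.exit(1)
    argv = shlex.split(requested)
    os.execvp(argv[0], argv)


if __name__ == "__main__":
    main()
```

Install the script as the command= target and keep the backup directory free of symlinks that point outside it: normpath rejects .. traversal but does not resolve links. The client's cron job then needs nothing but the unencrypted key and the fixed destination path.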

Is there any key-size limit?

2048 bits is the default, 4096 bits is in common use.

8192 bits (8*1024) and 16384 bits (16*1024) have both been tested below and work. 16384 is also the practical ceiling: OpenSSH refuses RSA moduli larger than 16384 bits when verifying signatures, so a bigger key would not authenticate. Two caveats before going that large: every login costs one private-key operation, and at these sizes that alone takes noticeable time on small hardware; and a bigger RSA modulus only raises the cost of Shor's algorithm polynomially, so it is not a quantum-resistance measure. The same ssh-keygen also offers ed25519 (see the manpage excerpt below), which has a fixed key size and much cheaper operations.

uname -a
Linux debian 3.16.0-4-686-pae #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) i686 GNU/Linux
ssh -V
OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016

ssh-keygen -t rsa -b 4096; # generate a 4096Bit long-strong key

# from the manpage:
-b bits
Specifies the number of bits in the key to create. For RSA keys, the minimum size is 768 bits and the default is 2048 bits. Generally, 2048
bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the -b flag determines the key
length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values
for ECDSA keys will fail. ED25519 keys have a fixed length and the -b flag will be ignored.

# what about 1024*8 = 8192 ?

ssh-keygen -t rsa -b 8192 # generate a 8192Bit long-strong key?
# works just the same (takes longer to generate though)

Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:CMaKLUUoJTqQEcc09tTv3N+RlWSX1NZBSiQqB340T30 user@suse
The key's randomart image is:
+---[RSA 8192]----+
|=OB .. . o oooo+=|
|*=.=  o o = o..E=|
|+ . =  + + . .+.o|
| = o . .=      ..|
|o o   .oS.     o |
| .      o .   o  |
|           . . . |
|            . .  |
|                 |
+----[SHA256]-----+

wc -l ~/.ssh/id_rsa
99 /home/user/.ssh/id_rsa; # it has 99 lines

# what about 1024*16 = 16384 ? - just in case dwave and the CIA get serious about quantum computing :-p

ssh-keygen -t rsa -b 16384 # generate a 16384Bit long-strong key?
# works just the same (takes waaaaaaay longer to be generate though)
# expect one cpu core to go 100% for the next 10 minutes :-D - the RAM usage is only 3.8MBytes

Enter file in which to save the key (/home/user/.ssh/id_rsa):
/home/user/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:mXqdzMlbq+JMZ4ifZF3MIcaatHvRLkIL1w2UHEitqVo user@suse
The key's randomart image is:
+---[RSA 16384]---+
|       ..+oo     |
|        .o+      |
|        .o= .    |
|       .oO B .   |
|      ..S o *    |
|      E* X *     |
|     oo X & o    |
|    .  B.* + .   |
|       .=.o..    |
+----[SHA256]-----+

wc -l ~/.ssh/id_rsa
195 /home/user/.ssh/id_rsa; # now double the size :-D
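wc -l only counts the PEM lines of the private key, which grow with key size but give no exact number; ssh-keygen -lf ~/.ssh/id_rsa.pub prints the actual bit length next to the fingerprint. As an added example (Python, not from the original post), the block below does that check offline by decoding the ssh-rsa wire format from a .pub or authorized_keys line, and uses it to audit a whole authorized_keys file against the 2048-bit floor the manpage calls sufficient. The sample keys are constructed moduli with the sizes from this post, not real keys, and the encoder exists only to build them.

```python
"""Read the RSA modulus size out of an OpenSSH public key line.

Added example, not code from the original post. Behind the base64 blob of an
ssh-rsa line sits RFC 4253 wire format: string "ssh-rsa", mpint e, mpint n,
each a 4-byte big-endian length followed by the bytes. The bit length of n is
what ssh-keygen -b asked for and what 'ssh-keygen -lf key.pub' reports.
All keys below are constructed for illustration, not real keys.
"""
import base64
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def _read_field(blob, pos):
    """Return (bytes, next_pos) for one length-prefixed field, refusing truncation."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos:pos + length], pos + length

def _split_key_line(line):
    """Return (keytype, base64_blob); leading authorized_keys options are skipped
    by scanning for the key-type token (an option value containing such a
    word would confuse this simple scan)."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return tok, tokens[i + 1]
    raise ValueError("no key type token found")

def rsa_modulus_bits(line):
    """Bit length of the modulus n in an 'ssh-rsa AAAA... comment' line."""
    keytype, blob_b64 = _split_key_line(line)
    if keytype != "ssh-rsa":
        raise ValueError("not an ssh-rsa key: %s" % keytype)
    blob = base64.b64decode(blob_b64, validate=True)
    name, pos = _read_field(blob, 0)
    if name != b"ssh-rsa":
        raise ValueError("blob type %r does not match line type" % name)
    e_raw, pos = _read_field(blob, pos)
    n_raw, pos = _read_field(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after modulus")
    # mpints are two's complement; a public modulus is positive, so a negative
    # value means a malformed blob, not a huge key.
    e = int.from_bytes(e_raw, "big", signed=True)
    n = int.from_bytes(n_raw, "big", signed=True)
    if e <= 0 or n <= 0:
        raise ValueError("RSA parameters must be positive")
    return n.bit_length()

def encode_ssh_rsa(e, n, comment="constructed"):
    """Inverse of the parser; used here only to build sample keys without ssh-keygen."""
    def mpint(v):
        # bit_length//8 + 1 bytes: a leading zero byte appears exactly when the
        # top bit of the minimal encoding would be set, keeping the value positive
        return v.to_bytes(v.bit_length() // 8 + 1, "big")

    def field(b):
        return struct.pack(">I", len(b)) + b

    blob = field(b"ssh-rsa") + field(mpint(e)) + field(mpint(n))
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)

def audit_authorized_keys(text, minimum_bits=2048):
    """Return (line_no, keytype, bits, verdict) per key; RSA under minimum_bits is flagged."""
    report = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            keytype, _ = _split_key_line(line)
        except ValueError as exc:
            report.append((number, None, None, "unparseable: %s" % exc))
            continue
        if keytype != "ssh-rsa":
            report.append((number, keytype, None, "not RSA, size fixed by type"))
            continue
        try:
            bits = rsa_modulus_bits(line)
        except ValueError as exc:
            report.append((number, keytype, None, "invalid: %s" % exc))
            continue
        verdict = "ok" if bits >= minimum_bits else "weak (<%d bits)" % minimum_bits
        report.append((number, keytype, bits, verdict))
    return report

# Constructed moduli with the sizes from the post (not real keys) plus one
# ed25519 placeholder line, arranged as an authorized_keys file for the audit.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    encode_ssh_rsa(65537, (1 << 4095) | 1, "user@centos"),
    'from="172.20.0.7" ' + encode_ssh_rsa(65537, (1 << 1023) | 1, "old@client"),
    encode_ssh_rsa(65537, (1 << 16383) | 1, "user@suse"),
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholder ed@client",
])
```

Run audit_authorized_keys over the text of a real ~/.ssh/authorized_keys to list every RSA key below 2048 bits; the parser is strict on purpose (length checks, matching type string, positive mpints, no trailing bytes), since a tool that reads untrusted key material should reject anything it cannot fully account for.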

scp ~/.ssh/id_rsa.pub  172.20.0.12: # uploading key to test-server running debian8.7
user@172.20.0.12's password:
id_rsa.pub                                                                                                                       100% 2783     2.7KB/s   00:00

# switching over to ssh-server
cat id_rsa.pub >> ./.ssh/authorized_keys; # attaching public RSA 16384 key to authorized_keys (the file must be mode 600 and ~/.ssh mode 700, otherwise sshd with StrictModes ignores it)

# switching over to ssh-client
user@suse:~> ssh user@172.20.0.12
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Fri May  5 12:13:53 2017 from 172.20.0.7
user@debian:~$ # works like a charm :)

speed with larger keys

More CPU is needed, but only during the authentication handshake: the RSA key signs once per login, and after that the session data is encrypted with a symmetric cipher negotiated at key exchange, so the key size has no effect on scp throughput. What limits the transfer is the cipher, the CPU and the network, and over the internet it is usually bandwidth.

# 4096 bit RSA key
scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 41.0MB/s 00:25
[user@centos ~]$ scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 41.0MB/s 00:25
[user@centos ~]$ scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 41.0MB/s 00:25

user@suse:~> scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 36.6MB/s 00:28
user@suse:~> scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 37.9MB/s 00:27
user@suse:~> scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 37.9MB/s 00:27

manpage: ssh-keygen.man.txt

admin