giving your key a passphrase seems like a good idea, because (if the passphrase is sufficiently strong) it protects the key if it gets stolen.

So even if somebody manages to hack into your client and steal your private ssh key, they won't be able to use it unless they also capture your passphrase.

downside: you can't (easily) automate processes that use ssh, such as an rsync backup of this folder to that server every Monday at 00:00, if a passphrase is in use.

if you have given your private key a passphrase… great, your connections are more secure.

BUT! convenience has just gone down: you need to type your passphrase every time you want to make that ssh connection.

IT security always seems to come down to finding a good balance between convenience and security.

it is convenient to give everybody access to everything… but in the end you will have some evil ransomware asking you for money to restore your files.

you could do it like this: keep your ssh key on a USB stick that you wear like a necklace (TrueCrypt-encrypted? 😀 not 100% plausible deniability, because they can tell there is something on the stick besides music, but at least it is encrypted).
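The other half of that trade-off is knowing which of your private keys are actually unprotected. The script below is an added example, not from the original post: it inspects only the on-disk headers of private key files (the "Proc-Type" line of legacy PEM files, the "BEGIN ENCRYPTED PRIVATE KEY" marker of PKCS#8 files, and the cipher name that follows the "openssh-key-v1" magic in OpenSSH-format files) and reports which keys would be usable as-is if the file were stolen. No ssh-keygen is needed; the sample files it scans are constructed in a temporary directory and contain fake headers only, no real key material.

```shell
#!/bin/sh
# Added example (not part of the original post): find private key files that have no
# passphrase, i.e. keys that are usable as-is by whoever steals the file.
# Only the on-disk format is inspected (an assumption of this example, not an OpenSSH tool):
#   legacy PEM   "-----BEGIN RSA PRIVATE KEY-----": encrypted files carry a
#                "Proc-Type: 4,ENCRYPTED" header line, plain ones do not
#   PKCS#8       "-----BEGIN ENCRYPTED PRIVATE KEY-----" is always passphrase-protected
#   OpenSSH      "-----BEGIN OPENSSH PRIVATE KEY-----": the base64 body starts with the
#                magic "openssh-key-v1\0" and a length-prefixed cipher name;
#                cipher "none" means the key is stored in the clear

# key_protection FILE -> prints "protected", "unprotected" or "unknown" (returns 1 for unknown)
key_protection() {
    f=$1
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$f" || grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo protected; return 0
    fi
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
        # decode the body, keep the first 30 bytes (magic + cipher name), drop the NUL bytes
        hdr=$(grep -v '^-----' "$f" | base64 -d 2>/dev/null | head -c 30 | tr -d '\000')
        case $hdr in
            openssh-key-v1?none*) echo unprotected; return 0 ;;   # the "?" is the length byte 0x04
            openssh-key-v1*)      echo protected;   return 0 ;;
        esac
        echo unknown; return 1
    fi
    if grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f"; then
        echo unprotected; return 0   # legacy PEM without a Proc-Type header
    fi
    echo unknown; return 1
}

# scan_private_keys DIR -> "<verdict> <file>" for every private key file directly in DIR;
# returns the number of unprotected keys (0 means none found)
scan_private_keys() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null || continue
        v=$(key_protection "$f")
        printf '%s %s\n' "$v" "$f"
        [ "$v" = unprotected ] && n=$((n + 1))
    done
    return "$n"
}

# --- constructed sample files (fake headers only, no real key material) ---
write_fake_openssh_key() {   # $1 = file, $2 = plain | encrypted
    {
        printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
        if [ "$2" = plain ]; then
            # magic, cipher "none", kdf "none", empty kdf options
            printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none\000\000\000\000' | base64
        else
            # magic, cipher "aes256-ctr", kdf "bcrypt" (what ssh-keygen writes with a passphrase)
            printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
        fi
        printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'
    } > "$1"
}

make_sample_keys() {   # populate directory $1 with the constructed samples
    write_fake_openssh_key "$1/id_rsa" plain
    write_fake_openssh_key "$1/id_ed25519" encrypted
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' 'DEK-Info: AES-128-CBC,00' '' 'AAAA' '-----END RSA PRIVATE KEY-----' > "$1/legacy_rsa"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' '-----END RSA PRIVATE KEY-----' > "$1/legacy_plain"
    printf '%s\n' 'ssh-rsa AAAA user@host' > "$1/id_rsa.pub"   # public key, must be ignored
}

# On a real client you would run:  scan_private_keys ~/.ssh
d=$(mktemp -d)
make_sample_keys "$d"
scan_private_keys "$d" || echo "$? unprotected key(s) found"
rm -rf "$d"
```

Run it against ~/.ssh on every client that holds keys; every "unprotected" line is a key for which the passphrase protection described above does not apply, and which is therefore only as safe as the file system it sits on.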

is there any key size limit?

2048 bits is the default, 4096 bits is also in use.

8192 bits (8*1024) and 16384 bits (16*1024) have been tested and should work.

uname -a
Linux debian 3.16.0-4-686-pae #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) i686 GNU/Linux
ssh -V
OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016

ssh-keygen -t rsa -b 4096; # generate a 4096Bit long-strong key

# from the manpage:
-b bits
Specifies the number of bits in the key to create. For RSA keys, the minimum size is 768 bits and the default is 2048 bits. Generally, 2048
bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the -b flag determines the key
length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values
for ECDSA keys will fail. ED25519 keys have a fixed length and the -b flag will be ignored.

# what about 1024*8 = 8192 ?

ssh-keygen -t rsa -b 8192 # generate an 8192Bit long-strong key?
# works just the same (takes longer to generate though)

Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:CMaKLUUoJTqQEcc09tTv3N+RlWSX1NZBSiQqB340T30 user@suse
The key's randomart image is:
+---[RSA 8192]----+
|=OB .. . o oooo+=|
|*=.= o o = o..E=|
|+ . = + + . .+.o|
| = o . .= ..|
|o o .oS. o |
| . o . o |
| . . . |
| . . |
| |
+----[SHA256]-----+

wc -l ~/.ssh/id_rsa
99 /home/user/.ssh/id_rsa; # it has 99 lines

# what about 1024*16 = 16384 ? - just in case dwave and the CIA get serious about quantum computing :-p

ssh-keygen -t rsa -b 16384 # generate a 16384Bit long-strong key?
# works just the same (takes waaaaaaay longer to generate though)
# expect one cpu core to go 100% for the next 10 minutes :-D - the RAM usage is only 3.8MBytes

Enter file in which to save the key (/home/user/.ssh/id_rsa):
/home/user/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:mXqdzMlbq+JMZ4ifZF3MIcaatHvRLkIL1w2UHEitqVo user@suse
The key's randomart image is:
+---[RSA 16384]---+
| ..+oo |
| .o+ |
| .o= . |
| .oO B . |
| ..S o * |
| E* X * |
| oo X & o |
| . B.* + . |
| .=.o.. |
+----[SHA256]-----+

wc -l ~/.ssh/id_rsa
195 /home/user/.ssh/id_rsa; # now double the size :-D

scp ~/.ssh/id_rsa.pub 172.20.0.12: # uploading key to test-server running debian8.7
user@172.20.0.12's password:
id_rsa.pub 100% 2783 2.7KB/s 00:00

# switching over to ssh-server
cat id_rsa.pub >> ./.ssh/authorized_keys; # attaching public RSA 16384 key to authorized_keys

# switching over to ssh-client
user@suse:~> ssh user@172.20.0.12
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Fri May 5 12:13:53 2017 from 172.20.0.7
user@debian:~$ # works like a charm :)
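Once keys are appended to authorized_keys like this, it is worth auditing the size of every key the server accepts. The following script is an added example, not from the original post: it reads the "<bits> <fingerprint> <comment> (<TYPE>)" lines that `ssh-keygen -lf ~/.ssh/authorized_keys` prints for each key in the file (`ssh-add -l` prints agent identities in the same format) and flags keys below a policy minimum. The policy is an assumption for this example: RSA under 2048 bits is flagged (the manpage above calls 2048 "generally sufficient"), DSA is flagged because it is fixed at 1024 bits, ECDSA and ED25519 pass. The input lines are constructed, with made-up fingerprints.

```shell
#!/bin/sh
# Added example: audit the key sizes a server accepts (not part of the original post).
# Input format (one key per line), as printed by `ssh-keygen -lf ~/.ssh/authorized_keys`
# and by `ssh-add -l`:   <bits> <fingerprint> <comment> (<TYPE>)
# Policy (an assumption for this example): RSA under MIN_RSA_BITS is WEAK, DSA is WEAK
# (fixed at 1024 bits), ECDSA and ED25519 pass, anything else is UNKNOWN.

MIN_RSA_BITS=2048

# audit_key_line LINE -> prints "VERDICT TYPE BITS COMMENT"; returns 0 = OK, 1 = WEAK, 2 = UNKNOWN
audit_key_line() {
    printf '%s\n' "$1" | awk -v min_rsa="$MIN_RSA_BITS" '
    {
        bits = $1 + 0
        ktype = $NF; sub(/^\(/, "", ktype); sub(/\)$/, "", ktype)   # strip the parentheses
        comment = ""; sep = ""
        for (i = 3; i < NF; i++) { comment = comment sep $i; sep = " " }
        if (ktype == "RSA")                                verdict = (bits >= min_rsa) ? "OK" : "WEAK"
        else if (ktype == "ECDSA" || ktype == "ED25519")   verdict = "OK"
        else if (ktype == "DSA")                           verdict = "WEAK"
        else                                               verdict = "UNKNOWN"
        print verdict, ktype, bits, comment
        code = (verdict == "OK") ? 0 : (verdict == "WEAK" ? 1 : 2)
        exit code
    }'
}

# audit_key_list (reads key lines on stdin) -> one verdict per key;
# returns the number of keys that are not OK, so 0 means the whole list passes
audit_key_list() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        audit_key_line "$line" || bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed sample input (made-up fingerprints, not real keys)
SAMPLE_KEYS='4096 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA user@suse (RSA)
1024 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB old-backup@centos (RSA)
256 SHA256:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC laptop key (ED25519)
1024 SHA256:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD legacy@debian (DSA)'

# On the server you would run:  ssh-keygen -lf ~/.ssh/authorized_keys | audit_key_list
printf '%s\n' "$SAMPLE_KEYS" | audit_key_list || echo "$? key(s) below policy"
```

The return code of audit_key_list is the number of keys that failed, so the script can be dropped into a cron job or a configuration check that fails when an old 1024-bit key is still sitting in authorized_keys.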

speed with larger keys

more CPU is needed, but if you operate over the internet, bandwidth will generally be the limiting factor.

# 4096Bits RSA key
scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 41.0MB/s 00:25
[user@centos ~]$ scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 41.0MB/s 00:25
[user@centos ~]$ scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 41.0MB/s 00:25

user@suse:~> scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 36.6MB/s 00:28
user@suse:~> scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 37.9MB/s 00:27
user@suse:~> scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 37.9MB/s 00:27

manpage: ssh-keygen.man.txt

passphrase session-cache – ssh-agent

„ssh-agent is a program to hold private keys used for public key authentication (RSA, DSA, ECDSA, Ed25519).

ssh-agent is usually started in the beginning of an X-session or a login session, and all other windows or programs are started as clients to the ssh-agent program.

Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using ssh(1).“

src: ssh-agent.man.txt

You can actually cache your passphrase per session with ssh-agent (strictly speaking, the agent holds the unlocked private key, as the manpage quote above says).

it works like this:

ssh-add -l; # list the identities held by the agent (none yet)
The agent has no identities.

eval $(ssh-agent); # starts the agent and sets up the environment variables
Agent pid 2349

ssh-agent; # careful: running ssh-agent again starts a second agent (note the different pid) and prints the variables it would need exported; it does not report on the one already running
SSH_AUTH_SOCK=/tmp/ssh-cvnht9zt5ehE/agent.2359; export SSH_AUTH_SOCK;
SSH_AGENT_PID=2360; export SSH_AGENT_PID;
echo Agent pid 2360;

ssh-add; # add the current user's default key (~/.ssh/id_rsa) to the agent, asking for its passphrase once
Enter passphrase for /home/user/.ssh/id_rsa:

Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)

ssh-add -l; # reports that one identity is now held by the agent
8192 SHA256:5Co8zddjNGPr1dXrdOKR5bRv78KtD/Hnrn8Z9D/ocQk /home/user/.ssh/id_rsa (RSA)

user@suse12:~/.ssh> ssh debian8; # you should now be able to log in automatically, without being asked for the passphrase, for your whole session; this also works in sub-shells, until you completely log off/out of your system

Links:

ssh and security – https://linux-audit.com/audit-and-harden-your-ssh-configuration/

admin