Since the algorithms are in a state of flux, I find that using an ssh-audit tool (available on Github) ( here's a more recent fork) to be extremely useful.Įxample output of a current but secured SSH settings is given below: # general Should I be using RSA or the newest ed25519 algorithm? This article claims that ECDSA is the old elliptic-curve DSA implementation that is known to have severe vulnerabilites
I found from this question here that as a client you are able to specify within ssh_config which one of the public key pairs from the hosts' /etc/ssh/ directory you would like.įrom the ssh_config man page I found that the current defaults are as follows: recently my SSH server has been sending me a ECDSA fingerprint instead of an RSA, but I was wondering which algorithm should I choose if it even matters?
When you first connect to an SSH server that is not contained inside your known_hosts file your SSH client displays the fingerprint of the public key that the server gave.
