Twisted Edwards Curve SSH Keys
If you use SSH keys and haven't migrated to Ed25519 (Twisted Edwards curve) key pairs, you should. It is currently the most widely recommended key type: signing and verification are fast, a public key is only 32 bytes, the algorithm was designed to be implemented in constant time, and there is no key size to choose (and get wrong) as there is with RSA. Even though OpenSSH has supported this type since version 6.5 (early 2014), there are still some tricks worth having up your sleeve.
Create a new SSH Key:
$ ssh-keygen -a 100 -t ed25519 -f ~/.ssh/key-file -C "[email protected]"
The -a 100 sets the number of KDF rounds used when encrypting the private key with its passphrase (the default is 16); it only matters if you set a passphrase, which you should. The -C value is a free-form comment stored in the .pub file; it is what the client's debug output quotes when it offers the key.
Don’t forget to add the key to your SSH Agent.
$ ssh-add ~/.ssh/key-file
This should also have created a key-file.pub file; that is your public key. Upload it to whatever configuration management tool populates the authorized_keys file on your remote targets, just like with any other key type. You should now be able to SSH to the remote targets with the new key. Validate with:
$ ssh -v user@target
In the debug output, look for the client offering the new key and for "Authentication succeeded (publickey)" before the session opens.
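Once the public key is in authorized_keys it is worth checking what actually landed there. The following is an added example (not code from the original post) that parses authorized_keys lines, decodes the base64 blob into its length-prefixed wire-format strings, and flags keys whose text prefix does not match the blob, ed25519 blobs that are not exactly one 32-byte string, and key types outside an allow list. The sample file content, the dummy key bytes, the `audit_authorized_keys` function and the allow list are all constructed for this example; the blobs are not usable keys.

```python
import base64
import shlex
import struct

# Key-type tokens as they appear in authorized_keys; used to locate the key
# type field when an options field (e.g. restrict,from="...") precedes it.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def encode_blob(key_type: bytes, *fields: bytes) -> str:
    """Build the base64 wire-format blob: a sequence of length-prefixed strings."""
    raw = b"".join(struct.pack(">I", len(f)) + f for f in (key_type, *fields))
    return base64.b64encode(raw).decode()


def decode_blob(b64: str) -> list:
    """Split a base64 blob back into its length-prefixed strings."""
    raw = base64.b64decode(b64, validate=True)
    strings, off = [], 0
    while off < len(raw):
        if off + 4 > len(raw):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", raw[off:off + 4])
        off += 4
        if off + n > len(raw):
            raise ValueError("truncated string")
        strings.append(raw[off:off + n])
        off += n
    return strings


def parse_line(line: str):
    """Return (key_type, blob) for a key line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = shlex.split(line)  # tolerates quoted spaces inside the options field
    idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError(f"no key type / blob found in: {line!r}")
    return fields[idx], fields[idx + 1]


def audit_authorized_keys(text: str, allowed=("ssh-ed25519",)) -> list:
    """Return [(line_no, verdict)] where verdict is 'ok' or the reason the line failed."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        key_type, blob = parsed
        try:
            strings = decode_blob(blob)
        except ValueError as e:  # binascii.Error is a ValueError subclass
            findings.append((n, f"undecodable blob: {e}"))
            continue
        blob_type = strings[0].decode("ascii", errors="replace") if strings else ""
        if blob_type != key_type:
            findings.append((n, f"type mismatch: field says {key_type}, blob says {blob_type}"))
        elif key_type == "ssh-ed25519" and (len(strings) != 2 or len(strings[1]) != 32):
            findings.append((n, "malformed ed25519 key: expected exactly one 32-byte string"))
        elif key_type not in allowed:
            findings.append((n, f"disallowed key type {key_type}"))
        else:
            findings.append((n, "ok"))
    return findings


# Constructed sample authorized_keys content. The blobs are built from dummy
# bytes so the script runs offline; they are not usable keys.
DUMMY_ED25519_BLOB = encode_blob(b"ssh-ed25519", bytes(range(32)))
DUMMY_RSA_BLOB = encode_blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00\xc0\xff\xee")
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    f"ssh-ed25519 {DUMMY_ED25519_BLOB} me@example",
    f'restrict,from="10.0.0.0/8" ssh-ed25519 {DUMMY_ED25519_BLOB} deploy@example',
    f"ssh-rsa {DUMMY_RSA_BLOB} legacy@example",
    f"ssh-ed25519 {DUMMY_RSA_BLOB} mislabeled@example",  # prefix lies about the blob
    f"ssh-ed25519 {encode_blob(b'ssh-ed25519', b'short')} truncated@example",
    "",
])

if __name__ == "__main__":
    for line_no, verdict in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {line_no}: {verdict}")
```

Run it against a real file with `audit_authorized_keys(open(path).read())`; the type check is the useful part, because sshd trusts the blob, not the text prefix, so a line that says ssh-ed25519 but carries an RSA blob is still an RSA key.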
Sometimes I want to make sure only one specific SSH key is used with a special host. This can be done with the following block in ~/.ssh/config for that host. Without IdentitiesOnly, ssh offers every key loaded in the agent in addition to the IdentityFile, which reveals the fingerprints of your other keys to that server and can trip "Too many authentication failures" on servers with a low MaxAuthTries.
Host super-secure
HostName <IP Address>
User me
IdentityFile ~/.ssh/key-file
IdentitiesOnly yes
Or, for targets that should never be offered an SSH key at all (password or keyboard-interactive only):
Host super-secure-version-2
HostName <IP Address>
User me
PreferredAuthentications keyboard-interactive,password
I've found that on some more locked-down clients I would get the following message when connecting with -v, before my authentication was refused. The message comes from the client, not the server: a PubkeyAcceptedKeyTypes setting in effect (often in a hardened system-wide /etc/ssh/ssh_config) does not list ssh-ed25519, so the client never offers the key.
debug1: Skipping ssh-ed25519 key [email protected] - not in PubkeyAcceptedKeyTypes.
In this case, the SSH client needs to be told not to skip the Ed25519 key type. Simple enough with this configuration:
Host *
PubkeyAcceptedKeyTypes +ssh-ed25519
The leading "+" appends ssh-ed25519 to the default set rather than replacing it. Two caveats: ssh uses the first value it finds for each option, so keep the Host * block at the end of ~/.ssh/config or it will override the host-specific blocks above it; and since OpenSSH 8.5 the option is named PubkeyAcceptedAlgorithms, with PubkeyAcceptedKeyTypes kept as an alias.
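The two config pitfalls above (an IdentityFile without IdentitiesOnly, and a PubkeyAcceptedKeyTypes list that replaces the defaults and drops ssh-ed25519) plus the first-value-wins ordering rule are easy to lint for. The following is an added example, not code from the original post: a small ssh_config parser and `lint_ssh_config` checker. The sample configs, hostnames, paths and the `ACCUMULATING` set of multi-valued options are constructed for this example.

```python
import re

# Options that accumulate across blocks instead of taking the first value seen,
# so a later block setting them is not shadowed by an earlier 'Host *'.
ACCUMULATING = {"identityfile", "certificatefile", "localforward",
                "remoteforward", "dynamicforward", "sendenv", "setenv"}
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*?)\s*$")


def parse_ssh_config(text: str) -> list:
    """Return [(patterns, [(keyword_lower, value), ...])] blocks in file order.
    Directives before the first Host line are treated as a leading 'Host *' block."""
    blocks, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _DIRECTIVE.match(raw)
        if not m:
            raise ValueError(f"cannot parse directive: {raw!r}")
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "host":
            current = (value.split(), [])
            blocks.append(current)
            continue
        if current is None:
            current = (["*"], [])
            blocks.append(current)
        current[1].append((keyword, value))
    return blocks


def lint_ssh_config(text: str) -> list:
    """Return [(host_pattern, finding)] for the pitfalls discussed in the post."""
    findings = []
    wildcard_keys = set()  # options already fixed by an earlier 'Host *' block
    for patterns, opts in parse_ssh_config(text):
        name = " ".join(patterns)
        first = {}
        for k, v in opts:
            first.setdefault(k, v)  # first occurrence wins, as in ssh itself
        is_wildcard = patterns == ["*"]
        shadowed = sorted((set(first) - ACCUMULATING) & wildcard_keys)
        if shadowed and not is_wildcard:
            findings.append((name, "declared after 'Host *': ssh keeps the first value it sees, "
                                   f"so these settings are ignored: {', '.join(shadowed)}"))
        if "identityfile" in first and first.get("identitiesonly", "no").lower() != "yes":
            findings.append((name, "IdentityFile set without 'IdentitiesOnly yes'; "
                                   "ssh will also offer every key loaded in the agent"))
        for key in ("pubkeyacceptedkeytypes", "pubkeyacceptedalgorithms"):
            if key in first:
                value = first[key].strip()
                replaces = value[:1] not in ("+", "-", "^")  # no modifier: list replaces defaults
                if replaces and "ssh-ed25519" not in [a.strip() for a in value.split(",")]:
                    findings.append((name, f"{key} replaces the default list and omits ssh-ed25519"))
        if is_wildcard:
            wildcard_keys |= set(first) - ACCUMULATING
    return findings


# Constructed sample configs; hostnames and paths are placeholders.
SAMPLE_SSH_CONFIG = """\
Host super-secure
    HostName 192.0.2.10
    User me
    IdentityFile ~/.ssh/key-file
    IdentitiesOnly yes

Host leaky
    HostName 192.0.2.12
    IdentityFile ~/.ssh/other-key

Host *
    PubkeyAcceptedKeyTypes ssh-rsa,ecdsa-sha2-nistp256
"""

SAMPLE_BAD_ORDER = """\
Host *
    User me
    PreferredAuthentications publickey

Host super-secure-version-2
    HostName 192.0.2.11
    PreferredAuthentications keyboard-interactive,password
"""

if __name__ == "__main__":
    for host, finding in lint_ssh_config(SAMPLE_SSH_CONFIG) + lint_ssh_config(SAMPLE_BAD_ORDER):
        print(f"{host}: {finding}")
```

The authoritative check is still `ssh -G host`, which prints the options ssh would actually apply after merging ~/.ssh/config and /etc/ssh/ssh_config; this linter just points at the lines that explain why -G says what it says.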