Why are only ed25519 and 4096-bit rsa keys recommended?

Why Are These Good Keys

ed25519 keys are fast, considered secure at the present time (new research could of course change this, like all cryptographic methods), and small. But not all clients support ed25519 keys yet. So, we recommend 4096-bit rsa keys as a fallback. They are universally supported and considered safe at the present time (this size is thought to be safe for quite a while). Their big downsides are that they are slower, the keys are larger, and implementations have to work hard to avoid certain implementation difficulties. See Generating SSH Keys for information on generating SSH keys.

The problems with other key types and smaller sizes of rsa keys are described in the sections below.

Problems with dsa Keys

They have been considered no longer secure for a long time. So much so in fact that OpenSSH deprecated them in 2015.

Problems with with ecdsa Keys

While the login nodes still support ECDSA (ecdsa) keys for those who have already made them, we cannot recommend generating new ones. They are harder to implement without bugs than the better ed25519 keys and the providence of their special parameters is under question (unverified claims of the use of a hardware random number generator vs. the “nothing up my sleeve” parameters of ed25519). New login nodes will not have ecdsa host keys and the existing ecdsa host keys on the login nodes will be phased out.

Problems with rsa Keys Smaller than 4096 Bits

rsa keys smaller than 2048 bits are no longer considered safe. 2048 are considered safe for some years still and 3072 for longer yet, but who will REALLY remember to rotate their rsa keys to a larger size in a few years? Therefore, we recommend 4096 bits for new RSA keys. That size means they will be safe for quite a while.

Problems with ed25519-sk and ecdsa-sk Keys

The ed25519-sk and ecdsa-sk keys are special ed25519 and ecdsa keys that use a compatible FIDO2 security key as 2FA (Second Factor Authentication). 2FA like this is a very powerful security feature to protect against the SSH key being stolen (login requires something you know and something you have).

Unfortunately, most of the login nodes do not support it yet. So, if you use one, only a few login nodes will be usable.

Support for them on all HPC login nodes is coming soon. However, when it is fully supported, we will only recommend using the ed25519-sk kind when possible due to the issues with ecdsa discussed above, though sadly some older security keys only support ecdsa-sk.

We strongly recommend the non-resident/non-discoverable variants of the keys (default for ssh-keygen). Resident/discoverable variants are a bit less supported and require different care to secure.