Monday, November 17, 2025

SSH Keys on FreeBSD

SSH on my macOS Tahoe 26.1 uses cryptographic algorithm ssh-ed25519. SSH on my FreeBSD 14.3 uses cryptographic algorithm ssh-rsa

Why?

The difference between ssh-rsa and ssh-ed25519 SSH keys comes down to cryptographic algorithm, security level, performance, and future-proofing.  

Let's deep dive into details ... 

Cryptographic Algorithms 

ssh-rsa

  • Uses RSA, an older public-key algorithm (based on large prime factorization).
  • Security depends on key length (2048-bit, 3072-bit, 4096-bit, etc.).
  • Considered aging; standard RSA sha1 signatures are no longer accepted by modern OpenSSH unless explicitly re-enabled.

ssh-ed25519

  • Uses Ed25519, based on modern elliptic-curve cryptography.
  • Fixed key size: 256 bits.
  • Designed to be secure, fast, and resistant to side-channel attacks. 

Security Strength

ssh-rsa

  • RSA 2048-bit is okay, but not recommended for new deployments.
  • RSA 4096-bit is stronger but slower.
  • Vulnerable to misconfigurations (e.g., SHA-1 fallback).
  • Larger attack surface.

ssh-ed25519

  • Stronger modern cryptography.
  • Small, efficient keys without sacrificing security.
  • Resistant to quantum attacks to a similar degree as RSA (neither is truly quantum-safe, but RSA is more at risk).

And the winner is ssh-ed25519. 

Performance

ssh-rsa

  • Slower to generate.
  • Slower for the server to verify.
  • Uses more CPU on embedded/low-power boards (e.g., Raspberry Pi, routers).

ssh-ed25519

  • Extremely fast to generate and verify.
  • Ideal for servers, IoT, and low-power devices.

 And the winner is ssh-ed25519. 

Key Size

  • ssh-rsa 2048-bit key size: ~600–700 bytes
  • ssh-ed25519 key size: ~68 bytes

And the winner is ssh-ed25519, because smaller keys are faster to transfer and store.

SSHD Compatibility

ssh-rsa

  • Fully supported, but SHA1-based RSA signatures are disabled by default since OpenSSH 8.8+.
  • Must use ssh-rsa-sha2-256 or ssh-rsa-sha2-512, but many old clients don’t support these.

ssh-ed25519

  • Supported in all modern OpenSSH versions (7.4+ continues strong support).
  • Not supported on very old systems (e.g., older enterprise appliances, ancient macOS, or old network gear).

Which one should you use?

ssh-ed25519 is recommended, because it is more Secure, Faster, Smaller, and more future-proof.

Choose ssh-rsa only if you must support legacy devices that do not understand Ed25519 and/or you need compatibility with old enterprise/OpenSSH clients.

Although FreeBSD ships with RSA support, OpenSSH on FreeBSD does not enable weak SHA-1 RSA signatures by default. OpenSSH 8.8 and later (which FreeBSD 14.x uses) disabled SHA-1 RSA.

So when you see “ssh-rsa” in FreeBSD:

  • It does not mean SHA-1 is being used.
  • It does not mean weak RSA is allowed.
  • It only means FreeBSD supports RSA keys signed with SHA-2, which are still considered secure. 

Why not switch the default to Ed25519 only?

There are several practical reasons:

  1. Backward compatibility
    • Not all SSH clients support Ed25519. For example some older
      • Linux distros
      • Network switches
      • Firewalls
      • RSA-only enterprise gear
    • FreeBSD aims to be a stable server OS that “just works” everywhere.
  2. OpenSSH upstream philosophy
    • OpenSSH has not removed RSA. It only removed weak SHA1 signatures.
    • As long as RSA+SHA2 remains secure, OpenSSH continues to include it.
  3. Enterprise environments move slowly
    • RSA keys (especially 4096-bit) are still widely deployed.
  4. Some compliance policies require RSA
    • Certain old corporate PKI systems still issue RSA certificates only. 

What FreeBSD 14.3 actually defaults to?

For host keys, FreeBSD still generates both:

  • ssh-ed25519
  • ssh-rsa (SHA-2 signatures)


For client keys:

  • You are free to choose ssh-ed25519, and it’s the recommended one. 

What could you do on FreeBSD?

If you want to modernize:

  • Prefer Ed25519 for user keys
    • ssh-keygen -t ed25519
  • You can disable RSA in sshd_config
    • PubkeyAcceptedAlgorithms=ssh-ed25519
    • HostKeyAlgorithms=ssh-ed25519 

But only do this if you’re sure nothing legacy needs to connect.

Conclusion

FreeBSD 14.3 still includes ssh-rsa because many systems still need it, but it uses secure SHA-2 RSA, not the old weak SHA-1 version. FreeBSD prioritizes compatibility and stability, leaving it to the admin to tighten security if desired.

To be honest, I will use FreeBSD default settings as long as it works. Do not get me wrong. I like modernization, but I change FreeBSD default settings only when it makes sense and there are some significant benefits.

 

on

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)