id_rsa.pub and id_dsa.pub are the public keys for id_rsa and id_dsa.
If you are asking in relation to SSH, id_rsa is an RSA key and can be used with the SSH protocol 1 or 2, whereas id_dsa is a DSA key and can only be used with SSH protocol 2. Both are very secure, but DSA does seem to be the standard these days (assuming all your clients/servers support SSH 2).
Update: Since this was written DSA has been shown to be insecure. More information available in Adam Katz's answer.
SSH uses public/private key pairs, so id_rsa is your RSA private key (based on prime numbers), which is more secure than your id_dsaDSA private key (based on exponents). Keep your private keys safe and share your id_rsa.pub and id_dsa.pub public keys broadly.
Ed25519 was introduced in OpenSSH 6.5 (2014-01-30) and GnuPG 2.1 (2014-11-06) and became the default ("first-preference") in OpenSSH 8.5 (2021-03-03). It has universal support nowadays.
Use RSA with 4096 bits when Ed25519 is unavailable
RSA key sizes of 4096 bits using the signature variant of rsa-sha2-512 (added in OpenSSH 7.2, 2016-02-29, default in OpenSSH 8.2, 2020-02-14) should have comparable complexity to Ed25519.
Ed25519 is still preferred to RSA due to a worry that RSA may be vulnerable to the same strength concerns as DSA, though applying that exploit to RSA is expected to be considerably harder.
It is now possible1 to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm that depends on SHA-1 by default in a near-future release.
This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs.
The better alternatives include:
The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These algorithms have the advantage of using the same key type as "ssh-rsa", but use the safe SHA-2 hash algorithms. These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them.
The ssh-ed25519 signature algorithm. It has been supported in OpenSSH since release 6.5.
The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These have been supported by OpenSSH since release 5.7.
To check whether a server is using the weak ssh-rsa public key algorithm for host authentication, try to connect to it after removing the ssh-rsa algorithm from ssh(1)'s allowed list:
ssh -oHostKeyAlgorithms=-ssh-rsa user@host
If the host key verification fails and no other supported host key types are available, the server software on that host should be upgraded.
A future release of OpenSSH will enable UpdateHostKeys by default to allow the client to automatically migrate to better algorithms. Users may consider enabling this option manually.
As you noted, the default RSA signature variant has been rsa-sha2-512 since OpenSSH 7.2 (2016). This addresses the SHA-1 weakness and serves as a reminder that RSA itself is still considered secure. UpdateHostKeys has been enabled by default since OpenSSH 8.2 (Feb 2020). Any form of RSA is more secure than any form of DSA, though nowadays you should prefer ed25519 as explained in my answer.
So to be clear, DSA is not really a "better alternative".
Adam adds:
[This] could be read as suggesting DSA is more secure than RSA and that RSA should not be used.
Neither of those are true, though RSA keys generated before 2016 and deployed on systems running OpenSSH < 8.2 should be updated manually.
In October 2014, OpenSSH 7 (the default with Ubuntu 16.04LTS) has disabled default support for DSA. Take this as a strong sign that DSA is not a recommended method anymore.
发布评论
评论(4)
id_rsa.pub和id_dsa.pub是id_rsa和id_dsa的公钥。如果您询问与
SSH相关的问题,id_rsa是一个 RSA 密钥,可与 SSH 协议 1 或 2 一起使用,而id_dsa是 DSA 密钥,只能与 SSH 协议 2 一起使用。两者都非常安全,但 DSA 似乎现在已成为标准(假设您的所有客户端/servers 支持 SSH 2)。更新: 自从本文编写以来,DSA 已被证明是不安全的。更多信息请参见 Adam Katz 的回答。
id_rsa.pubandid_dsa.pubare the public keys forid_rsaandid_dsa.If you are asking in relation to
SSH,id_rsais an RSA key and can be used with the SSH protocol 1 or 2, whereasid_dsais a DSA key and can only be used with SSH protocol 2.Both are very secure, but DSA does seem to be the standard these days (assuming all your clients/servers support SSH 2).Update: Since this was written DSA has been shown to be insecure. More information available in Adam Katz's answer.
SSH 使用公钥/私钥对,所以
id_rsa是您的 RSA 私钥(基于素数),比您的id_dsa更安全DSA 私钥(基于指数)。确保您的私钥安全并广泛共享您的id_rsa.pub和id_dsa.pub公钥。DSA 不安全
DSA 有一个 可猜测参数(如果您计算机的随机数生成器低于标准),这将泄露您的密钥。 ECDSA(DSA的椭圆曲线升级)同样容易受到攻击。即使有好的随机数,DSA 也有 其他强度问题
< /a>/
SSH uses public/private key pairs, so
id_rsais your RSA private key (based on prime numbers), which is more secure than yourid_dsaDSA private key (based on exponents). Keep your private keys safe and share yourid_rsa.pubandid_dsa.pubpublic keys broadly.DSA is insecure
DSA has a guessable parameter if your computer's random number generator is sub par, which will reveal your secret key. ECDSA (DSA's elliptical curve upgrade) is similarly vulnerable. Even with good random numbers, DSA has other strength concerns
/???? (these are also found in Diffie-Hellman).
OpenSSH disabled DSA by default in 7.0 (2015-08-11) and disabled DSA support at compile time in 9.8 (2024-07-01). They intend to remove support entirely in 9.9 (early 2025).
Prefer Ed25519
Elliptic curve cryptography offers increased complexity with smaller key sizes. Ed25519 (based on the complexity of plane-modeled elliptical curves) is the preferred implementation due to its assumed lack of meddling (leaked documents show that the US NSA weakens crypto standards).
Ed25519 was introduced in OpenSSH 6.5 (2014-01-30) and GnuPG 2.1 (2014-11-06) and became the default ("first-preference") in OpenSSH 8.5 (2021-03-03). It has universal support nowadays.
Use RSA with 4096 bits when Ed25519 is unavailable
RSA key sizes of 4096 bits using the signature variant of rsa-sha2-512 (added in OpenSSH 7.2, 2016-02-29, default in OpenSSH 8.2, 2020-02-14) should have comparable complexity to Ed25519.
Ed25519 is still preferred to RSA due to a worry that RSA may be vulnerable to the same strength concerns as DSA, though applying that exploit to RSA is expected to be considerably harder.
不再(2020 年 5 月,十年后),有了 OpenSSH 8.2,如 由报道 ">胡里奥
(参见“SHA-1 是一个混乱:SHA-1 上的首次选择前缀冲突及其应用PGP 信任网络”Leurent, G 和 Peyrin, T (2020))
Adam Katz 在 评论:
因此需要明确的是,DSA 并不是真正的“更好的选择”。
亚当补充道:
Not anymore (May 2020, ten years later), with OpenSSH 8.2, as reported by Julio
(See "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust" Leurent, G and Peyrin, T (2020))
Adam Katz clarifies in the comments:
So to be clear, DSA is not really a "better alternative".
Adam adds:
是的,rsa 被认为更安全。
2014 年 10 月,OpenSSH 7(Ubuntu 16.04LTS 的默认设置)禁用了对 DSA 的默认支持。以此作为一个强有力的信号,表明 DSA 不再是推荐的方法。
https://www.gentoo.org /support/news-items/2015-08-13-openssh-weak-keys.html
Yes, rsa is considered more secure.
In October 2014, OpenSSH 7 (the default with Ubuntu 16.04LTS) has disabled default support for DSA. Take this as a strong sign that DSA is not a recommended method anymore.
https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html