# SSH Key Generation Standards
## Rule
All SSH keys MUST use Ed25519 algorithm, include passphrases, follow one-key-per-device policy, and use descriptive filenames with correct permissions.
## Format
```bash
# Required key generation command
ssh-keygen -t ed25519 -C "user@device-YYYY" -f ~/.ssh/purpose_ed25519
```
## Requirements
### Algorithm
```bash
# Good: Ed25519 (modern, secure, fast; OpenSSH's default type since 9.5)
ssh-keygen -t ed25519
# Acceptable: RSA 4096 (legacy compatibility only)
ssh-keygen -t rsa -b 4096
# Bad: RSA 2048, DSA, ECDSA
ssh-keygen -t rsa -b 2048 # Too short for new keys
ssh-keygen -t dsa         # Deprecated; disabled by default since OpenSSH 9.8
ssh-keygen -t ecdsa       # NIST curves; a repeated or biased nonce leaks the private key
```
### Passphrase
- Every private key MUST have a passphrase
- Use ssh-agent or Keychain for caching
- Never generate keys with empty passphrase
### Naming Convention
```bash
~/.ssh/github_ed25519 # Service-specific
~/.ssh/work_ed25519 # Organization-specific
~/.ssh/personal_ed25519 # Personal servers
~/.ssh/deploy_ed25519 # CI/CD automation (the only permitted passphrase exception; protect it with the secret store and authorized_keys restrictions instead)
```
### File Permissions
```bash
chmod 700 ~/.ssh
chmod 600 ~/.ssh/*_ed25519 # Private keys
chmod 644 ~/.ssh/*.pub # Public keys
chmod 600 ~/.ssh/config # SSH config
chmod 600 ~/.ssh/authorized_keys # If present
```
### Key Comment
```bash
# Good: identifies owner and device
ssh-keygen -t ed25519 -C "alice@macbook-2026"
ssh-keygen -t ed25519 -C "alice@work-desktop"
# Bad: default comment or empty
ssh-keygen -t ed25519 # Default comment is user@hostname; hostnames change and keys get copied, so it stops identifying the device
```
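The requirements above are easy to state and easy to drift from. The following POSIX sh script is an added example (not part of this standard and not any project's tooling) that audits a directory laid out like `~/.ssh` against them: key type from the first field of each `.pub` file, the `user@device` comment shape, directory and file modes, and whether each private key has a passphrase. The passphrase check needs no `ssh-keygen`: an OpenSSH-format private key body is base64 of `openssh-key-v1\0` followed by the cipher and KDF names, so an unencrypted key always starts with the base64 of `none`/`none` (`b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ`), while a passphrase-protected one with default settings starts with `aes256-ctr`/`bcrypt`. Keys named `deploy_*` are exempted from the passphrase check, mirroring the naming convention above. The fixture directories it builds are constructed; their key bodies are placeholders that reproduce only the format prefix and are not real keys.

```shell
#!/bin/sh
# Added example: audit an ~/.ssh-style directory against the key standard
# using only text tools (no ssh-keygen needed). Fixtures are constructed.

# base64 of "openssh-key-v1\0" + cipher "none" + kdf "none": an unencrypted key.
PLAIN_PREFIX='b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ'
# Same header + cipher "aes256-ctr" + kdf "bcrypt": ssh-keygen's default when a passphrase is set.
ENC_PREFIX='b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0'

# Symbolic mode string of a path, e.g. "-rw-------" or "drwx------".
mode_of() { ls -ld "$1" | cut -c1-10; }

# Exit 0 if the private key at $1 is passphrase-protected.
key_is_encrypted() {
    if head -n 1 "$1" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
        ! sed -n '2p' "$1" | grep -q "^$PLAIN_PREFIX"
    else
        grep -q 'ENCRYPTED' "$1"   # legacy PEM keys carry "Proc-Type: 4,ENCRYPTED" only when encrypted
    fi
}

finding() { echo "$1"; n=$((n + 1)); }

# Audit DIR: print one line per finding, return the finding count (0 = compliant).
audit_ssh_dir() {
    dir=$1; n=0
    [ "$(mode_of "$dir")" = "drwx------" ] || finding "$dir: mode must be 700"
    for pub in "$dir"/*.pub; do
        [ -e "$pub" ] || continue
        priv=${pub%.pub}
        type=$(cut -d' ' -f1 "$pub")
        comment=$(cut -d' ' -f3- "$pub")
        case $type in
            ssh-ed25519|sk-ssh-ed25519@openssh.com) ;;   # FIDO-backed Ed25519 is Ed25519 too
            ssh-rsa) finding "$pub: RSA is legacy-only, migrate to Ed25519" ;;
            *) finding "$pub: disallowed key type $type" ;;
        esac
        case $comment in
            ?*@?*) ;;
            *) finding "$pub: comment must be user@device, got '$comment'" ;;
        esac
        [ "$(mode_of "$pub")" = "-rw-r--r--" ] || finding "$pub: mode must be 644"
        [ -f "$priv" ] || continue           # public half only; nothing more to check
        [ "$(mode_of "$priv")" = "-rw-------" ] || finding "$priv: mode must be 600"
        case ${priv##*/} in
            deploy_*) ;;                     # CI/CD exception from the naming convention
            *) key_is_encrypted "$priv" || finding "$priv: no passphrase" ;;
        esac
    done
    for f in "$dir"/config "$dir"/authorized_keys; do
        [ -e "$f" ] || continue
        [ "$(mode_of "$f")" = "-rw-------" ] || finding "$f: mode must be 600"
    done
    return "$n"
}

# write_key PATH PUBLINE BODY_PREFIX PRIVMODE PUBMODE: constructed placeholder key pair.
write_key() {
    printf '%s\n' "$2" > "$1.pub"
    printf '%s\n%s\n%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' "$3" \
        '-----END OPENSSH PRIVATE KEY-----' > "$1"
    chmod "$4" "$1"; chmod "$5" "$1.pub"
}

# make_fixture DIR KIND: "ok" is compliant (including the permitted unencrypted deploy
# key); "broken" has a 755 dir and an unencrypted, world-readable RSA key with a bare comment.
make_fixture() {
    mkdir -p "$1"
    if [ "$2" = ok ]; then
        chmod 700 "$1"
        write_key "$1/github_ed25519" 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@macbook-2026' "$ENC_PREFIX" 600 644
        write_key "$1/deploy_ed25519" 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER deploy@ci-runner' "$PLAIN_PREFIX" 600 644
    else
        chmod 755 "$1"
        write_key "$1/legacy_rsa" 'ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER bob' "$PLAIN_PREFIX" 644 644
    fi
}

demo() {
    base=$(mktemp -d)
    make_fixture "$base/good" ok; make_fixture "$base/bad" broken
    echo "== good =="; audit_ssh_dir "$base/good" && echo "compliant"
    echo "== bad ==";  audit_ssh_dir "$base/bad" || echo "$? finding(s)"
    rm -rf "$base"
}
# Run the fixture demo only when asked (SSH_AUDIT_DEMO=1 sh audit.sh); otherwise source
# the file and call: audit_ssh_dir ~/.ssh
if [ "${SSH_AUDIT_DEMO:-0}" = 1 ]; then demo; fi
```

Against the broken fixture the audit reports five findings (directory mode, RSA type, bad comment, private key mode, missing passphrase); against the compliant one it reports none, and the `deploy_ed25519` key passes only because of its name, so keep that prefix reserved for automation keys that live in a secret store.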
## Good
```bash
ssh-keygen -t ed25519 -C "alice@macbook-2026" -f ~/.ssh/github_ed25519
# Prompted for passphrase → enters strong passphrase
chmod 600 ~/.ssh/github_ed25519
```
## Bad
```bash
ssh-keygen # Default type (RSA before OpenSSH 9.5), default filename id_*, default comment user@hostname
# Passphrase: (empty) → NO!
```