SSH Encryption – Why GitHub Recommends ed25519 but Uses ECDSA

encryptiongithubssh

GitHub's guide Generating a new SSH key and adding it to the ssh-agent recommends using ed25519 when configuring SSH keys for connecting to GitHub, but if you SSH to github.com, you see the host key is of ECDSA type (see below). Why don't they use the same type of encryption for server cert as they recommend for client cert?

user@computer:/$ ssh -T [email protected]
The authenticity of host 'github.com (140.82.114.3)' can't be established.
ECDSA key fingerprint is SHA256:p2QAMXNIC1TJYWeIOttrVc98/R1BUFWu3/LiyKgUfQM.

Best Answer

First, neither ECDSA nor Ed25519 (EdDSA) is an encryption scheme or algorithm; they are both signature algorithms (or schemes) used in SSH as host authentication (aka host-key) algorithms or methods, as well as 'user' authentication.

github.com has all three currently-accepted types of host key, presumably for maximum interoperability (especially since it costs them nothing to do so):

$ for t in ed25519 ecdsa rsa; do ssh-keyscan -t $t 2>/dev/null github.com; done
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==

Which one is used for a given connection depends on the capabilities and preferences of the client, namely your ssh program. If you are using OpenSSH (which is not the only implementation of SSH and not the only program named ssh, though I'd expect the most common among githubians who are almost by definition FOSSites) versions 6.5 to 8.1 prefer ecdsa then ed25519 (unless using an OpenSSL version that doesn't support ECC, or not using OpenSSL at all); only 8.2 up prefer ed25519 first. You can override this with e.g. ssh -oHostKeyAlgorithms=ssh-ed25519 ... or an equivalent config setting, see the man page.

Setup

Install putty.zip which is available at the PuTTY Download Page or you can download individually.
- PuTTY: putty.exe (or by FTP)
  
  The SSH and Telnet client itself.
- Plink: plink.exe (or by FTP)
  
  A command-line interface to the PuTTY back ends.
- Pageant: pageant.exe (or by FTP)
  
  An SSH authentication agent for PuTTY, PSCP, PSFTP, and Plink.
- PuTTYgen: puttygen.exe (or by FTP)
  
  An RSA and DSA key generation utility.
Generate RSA and PPK Keys
1. Using the Git Bash, use ssh-keygen to generate a pair of RSA public/private keys. More information on how to do this can be found on the official Generating SSH keys article.
2. In PuTTYgen, import your existing ~/.ssh/id_rsa (private) key, via Conversions → Import key.
3. Save the imported key via the Save private key button as ~/.ssh/id_rsa.ppk.
4. You should now have the following keys in your ~/.ssh directory:
  - id_rsa: Private (OpenSSH) RSA key
  - id_rsa.pub: Public (OpenSSH) RSA key
  - id_rsa.ppk: Private (PuTTY) key
Install Git for Windows.

Make sure that you choose to use Plink.

Note: If you have already installed Git, you can just run the installer again and set Plink to be your default SSH application.
Set your Environment paths.
1. In Control Panel, navigate to the System view.
2. Choose Advanced system settings.
3. In the System Properties window, click the Advanced tab.
4. Click Environment variables….
5. Add the following System variables (if not already set):
  - GIT_HOME: C:\Program Files\Git
  - GIT_SSH: C:\Program Files (x86)\PuTTY\plink.exe
6. Append the Git binary directory to the system path.
  - Path: %Path%;%GIT_HOME%\bin
Open Pageant and load the ppk key located at ~/.ssh/id_rsa.ppk.

Note: Once Pageant has started, you can click on its icon in the system tray located in the taskbar, next to the time, on the right.
Open Putty and connect to test your connection via SSH and add the server's key as a known host.

Examples hostnames:
- GitHub: git@github.com:22 (or via ssh-agent ssh -Tv git@github.com)
- BitBucket: git@bitbucket.org:22 (or via ssh-agent ssh -Tv git@bitbucket.org)
Start Git Bash.

You should be able to push and pull from your remote host without entering a password each time.

Shortcut

You can place a shortcut in your startup directory to auto-load your key each time you log into your Windows account.

Via Batch Script

This idea was inspired by an answer to this question:

Super User: How to make a shortcut from CMD?.

REM |==================================================================|
REM | Pageant Autoload.bat                                             |
REM |                                                                  |
REM | This script creates a shortcut for auto-loading a PPK (key) in   |
REM | Pageant by writing a temporary VB script and executing it. The   |
REM | following information below is added to the shortcut.            |
REM |                                                                  |
REM | Filename  : Pageant Autoload                                     |
REM | Target    : pageant.exe                                          |
REM | Arguments : id_rsa.ppk                                           |
REM | Start in  : ~/.ssh                                               |
REM |==================================================================|
@echo off

REM |==================================================================|
REM | Global Values - Do not touch these!                              |
REM |==================================================================|
SET VBSCRIPT="%TEMP%\%RANDOM%-%RANDOM%-%RANDOM%-%RANDOM%.vbs"
SET STARTUP_DIR=Microsoft\Windows\Start Menu\Programs\Startup
SET STARTUP_USER_DIR=%APPDATA%\%STARTUP_DIR%
SET STARTUP_ALL_USERS_DIR=%PROGRAMDATA%\%STARTUP_DIR% REM Alternative

REM |==================================================================|
REM | Shortcut Values - You can change these to whatever you want.     |
REM |==================================================================|
SET FILENAME=Pageant Autoload.lnk
SET TARGET=%PROGRAMFILES(x86)%\PuTTY\pageant.exe
SET ARGUMENTS=id_rsa.ppk
SET START_IN=%%USERPROFILE%%\.ssh
SET DESCRIPTION=Autoload PuTTY key with Pageant on startup (Ctrl+Alt+S)
SET HOTKEY=CTRL+ALT+S

REM |==================================================================|
REM | Write a new VB script, on the fly; execute and delete it.        |
REM |==================================================================|
ECHO Set oWS = WScript.CreateObject("WScript.Shell") >> %VBSCRIPT%
ECHO sLinkFile = "%STARTUP_USER_DIR%\%FILENAME%" >> %VBSCRIPT%
ECHO Set oLink = oWS.CreateShortcut(sLinkFile) >> %VBSCRIPT%
ECHO oLink.TargetPath = "%TARGET%" >> %VBSCRIPT%
ECHO oLink.Arguments = "%ARGUMENTS%" >> %VBSCRIPT%
ECHO oLink.WorkingDirectory = "%START_IN%" >> %VBSCRIPT%
ECHO oLink.Description = "%DESCRIPTION%"  >> %VBSCRIPT%
ECHO oLink.HotKey = "%HOTKEY%" >> %VBSCRIPT%
ECHO oLink.Save >> %VBSCRIPT%
CScript //Nologo %VBSCRIPT%
DEL %VBSCRIPT% /f /q

Via Windows Explorer

Navigate to the startup directory in Windows Explorer.
- User Startup/ directory (preferred) is located at:
```
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup
```
- All Users Startup/ directory is located at:
```
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup
```
Right-click inside the folder and select New → Shortcut
In the Create Shortcut dialog, enter the following information.
- Location: "C:\Program Files (x86)\PuTTY\pageant.exe"
- Name: Pageant Autoload
Right-click the new shortcut and choose Properties from the context menu.
Modify the following fields under the Shortcut tab:
- Target: "%PROGRAMFILES(x86)%\PuTTY\pageant.exe" id_rsa.ppk
- Start in: %USERPROFILE%\.ssh
Notes:
1. If you are using a 32-bit Windows OS, you should use the %PROGRAMFILES% environment variable instead of %PROGRAMFILES(x86)%.
2. If you placed your shortcut in the All Users startup directory, make sure that the current user has an id_rsa.ppk key in their ~/.ssh directory or the key will not auto-load.

Closing Remarks

There you have it. Next time you log into your Windows profile, you will be greeted with a Pageant prompt to enter the password for your key. If you did not set a password on your key, then your key should be loaded automatically without a prompt.

If you are not sure if your key loaded view the current keys in Pageant by selecting View Keys from the context menu for Pageant in the system tray.

Cygwin cannot create .ssh

This worked for me!
http://ekawas.blogspot.co.uk/2007/03/solving-pesky-ssh-issues-in-cygwin.html

First, locate the file called 'passwd' in your C:\path\to\cygwin\etc directory and open it with wordpad.

Second, replace the text
/home/YOUR_NAME
with
/cygdrive/c/Documents and Settings/YOUR_NAME