SSH protocol has supported both RSA and DSA algorithms since its inception, but their security properties and recommendations have evolved significantly. While both remain technically viable options, modern security standards strongly favor RSA due to several technical advantages.
RSA (Rivest-Shamir-Adleman) has become the de facto standard for SSH key pairs because:
- Supports key lengths up to 16384 bits (though 4096 is typical)
- Not vulnerable to the same mathematical weaknesses as DSA
- More flexible for different use cases
- Better supported across all SSH implementations
The minimum recommended RSA key length is 2048 bits as of 2023. Anything below this is considered insecure:
ssh-keygen -t rsa -b 4096 -C "user@example.com"DSA (Digital Signature Algorithm) has several limitations:
- Fixed at 1024 bits (NIST standard), which is now considered weak
- Requires perfect entropy during generation
- Some modern SSH implementations disable DSA by default
Example of DSA key generation (not recommended for new systems):
ssh-keygen -t dsa -C "legacy-system@example.com"For most modern systems, use RSA with at least 3072 bits:
# Best practice for new deployments
ssh-keygen -t rsa -b 3072 -f ~/.ssh/production_key -N "strong-passphrase"
# For maximum security (slower operations)
ssh-keygen -t rsa -b 4096 -f ~/.ssh/ultra_secure_keyTo check existing key strength:
ssh-keygen -l -f ~/.ssh/id_rsa- New implementations should default to RSA-3072 or RSA-4096
- Existing DSA keys should be phased out
- Consider Ed25519 for systems supporting modern algorithms
- Regularly rotate keys (annually or per security policy)
| Algorithm | Min Bits | Recommended | Legacy Support |
|---|---|---|---|
| RSA | 2048 | 3072-4096 | Universal |
| DSA | 1024 | Not recommended | Limited |
When setting up SSH authentication, you primarily have two cryptographic algorithm choices for key pairs:
RSA (Rivest-Shamir-Adleman): The more versatile and widely supported option. RSA keys can be used for both encryption and digital signatures.
DSA (Digital Signature Algorithm): A US government standard that's limited to digital signatures only. DSA has stricter requirements on key lengths.
Modern security practices strongly favor RSA over DSA for several reasons:
- DSA keys must be exactly 1024 bits (insecure by modern standards) while RSA supports flexible lengths
- OpenSSH 7.0+ disabled DSA by default due to security concerns
- RSA works with all SSH implementations while DSA support is inconsistent
- NIST has deprecated DSA for most applications
The bare minimum RSA key length should be 2048 bits, though 4096 bits is becoming the new standard for critical systems.
Example of generating a secure RSA key:
ssh-keygen -t rsa -b 4096 -C "user@example.com"
This creates a 4096-bit RSA key pair with your email as the comment.
The only legitimate case for DSA is when connecting to legacy systems that:
- Only accept DSA keys
- Cannot be upgraded
- Are in isolated, low-risk environments
Even then, consider setting up a bastion host with RSA instead.
Basic RSA key with default length (3072 bits on recent OpenSSH):
ssh-keygen -t rsa
DSA key (not recommended):
ssh-keygen -t dsa
Ed25519 (modern alternative to both):
ssh-keygen -t ed25519 -a 100
| Algorithm | OpenSSH Support | Minimum Bits |
|---|---|---|
| RSA | All versions | 2048 |
| DSA | Disabled in 7.0+ | 1024 (fixed) |
| ECDSA | 5.7+ | 256 |
| Ed25519 | 6.5+ | 256 |
For maximum compatibility across different SSH clients and servers, RSA remains the safest choice. Modern systems should consider Ed25519 where supported.