Signatures in ssh-keygen
The default option rsa for the -t argument explains that the chosen option is using the SHA1 signature, so one should choose rsa-sha2-256 for example.
This applies when using certificates, but is irrelevant to plain keys.
Each certificate is signed by the parent CA at the time it is issued. This long-term signature is stored in the certificate itself (and it's very important to realize that this is a completely different thing from the short-term signatures that are made during each connection and then thrown away). That's why many HTTPS (X.509) certificates had to be replaced – the issuing CA had stamped them with RSA/SHA-1 signatures.
OpenSSH has also created its own certificate format, which is what the manual page is referring to. These so-called "SSH certificates" are not just regular SSH keys – they're additionally signed by e.g. your workplace CA. So if you have files whose names end with *-cert.pub, you might need to have those re-issued. (Use ssh-keygen -Lf <file> to check whether they were signed using RSA/SHA-1 or RSA/SHA-256.)
But plain SSH keys do not hold any long-term signature inside – they're only used to make temporary signatures during each connection. So there is nothing that needs replacement in the key itself.
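As an added example (not code from the answer above or from OpenSSH itself), here is a small Python parser that reads the one field ssh-keygen -Lf reports as "Signing CA: ... (using ...)": the signature algorithm string stored at the end of an OpenSSH certificate, where "ssh-rsa" means RSA/SHA-1 and "rsa-sha2-256" / "rsa-sha2-512" mean SHA-2. The field layout follows OpenSSH's PROTOCOL.certkeys; the certificate it inspects is constructed inline with dummy key material and a zero-filled signature blob, so it can be parsed but not verified.

```python
import base64
import struct

# Public-key strings after the nonce, per cert type (RSA: e, n; Ed25519: key; ECDSA: curve, point).
PUBKEY_STRINGS = {
    "ssh-rsa-cert-v01@openssh.com": 2,
    "ssh-ed25519-cert-v01@openssh.com": 1,
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,
}

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

class Reader:
    """Sequential reader over an SSH wire-format buffer."""
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def string(self):
        (n,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4 + n
        return self.buf[self.pos - n:self.pos]

def cert_signature_algorithm(cert_line: str) -> str:
    """Algorithm the CA used to sign a '*-cert.pub' line ('ssh-rsa' = RSA/SHA-1)."""
    cert_type, b64 = cert_line.split()[:2]
    r = Reader(base64.b64decode(b64))
    assert r.string().decode() == cert_type          # leading type string
    r.string()                                       # nonce
    for _ in range(PUBKEY_STRINGS[cert_type]):       # certified public key
        r.string()
    r.pos += 8 + 4                                   # serial (uint64), type (uint32)
    r.string(); r.string()                           # key id, valid principals
    r.pos += 8 + 8                                   # valid after, valid before
    for _ in range(4):                               # critical options, extensions,
        r.string()                                   # reserved, signature (CA) key
    sig = Reader(r.string())                         # signature = string alg, string blob
    return sig.string().decode()

def make_test_cert(sig_alg: str) -> str:
    """Constructed ssh-rsa cert: dummy key material, all-zero (meaningless) signature blob."""
    t = b"ssh-rsa-cert-v01@openssh.com"
    ca_key = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xaa" * 8)
    body = (ssh_string(t) + ssh_string(b"nonce")
            + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xbb" * 8)  # e, n
            + struct.pack(">QI", 1, 1)                                    # serial, user cert
            + ssh_string(b"alice") + ssh_string(ssh_string(b"alice"))     # key id, principals
            + struct.pack(">QQ", 0, 2**64 - 1)                            # validity window
            + ssh_string(b"") * 3 + ssh_string(ca_key)                    # crit, ext, reserved, CA
            + ssh_string(ssh_string(sig_alg.encode()) + ssh_string(b"\x00" * 32)))
    return f"{t.decode()} {base64.b64encode(body).decode()} alice@example"
```

On a real file, pass the single line of a *-cert.pub to cert_signature_algorithm; a result of "ssh-rsa" is the RSA/SHA-1 case the answer says needs re-issuing.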
The -l option
I tried checking the type of the key with ssh-keygen -l -f key and it shows me that it is indeed SHA256 type.
Other key types