What sort of SSH keys our users use or have listed in their authorized keys files
Yesterday I wrote about the surprisingly persistence of RSA keys in SSH in general terms. Today I'm going to make that concrete, by looking at what sorts of SSH keys our users have in their authorized_keys files and have used for authenticating to our systems in 2020. Unsurprisingly, these turn out to be not quite the same.
Based on some fairly brute force grep'ing of authorized_keys files, we have 729 people with authorized keys files that have (theoretically) live keys, and the key types break down like this:
1790 ssh-rsa 380 ssh-dss 52 ecdsa-sha2-nistp256 23 ssh-ed25519 2 email@example.com 1 firstname.lastname@example.org 1 ecdsa-sha2-nistp521 1 ecdsa-sha2-nistp384
My first surprise is that we have so many DSA keys listed, since they're no longer supported (and those 380 ssh-dss keys are across 203 different people). People clearly don't clean out their authorized keys files very often. 670 people have RSA keys, 13 have Ed25519 keys, and 15 have some form of ECDSA keys (which implies that a few people list a bunch of ECDSA keys).
However, that's just what people have sitting around in their authorized keys files, not what actually gets used. What actually gets used is a somewhat different picture. Here are the numbers for how many different keys of each type have been used over the course of 2020 so far:
387 RSA 27 ECDSA 15 ED25519
RSA still dominates, but not as much as before. In terms of the number of people using various sorts of keys, 240 people have used RSA keys, 10 people have used Ed25519 keys, and 8 people have used ECDSA keys. Clearly RSA keys remain quite important to our users; most of our public key SSH authentication happens with them.
(At the same time, OpenSSH's good logging means that we could actually find all of these people if we needed to and tell them that their keys needed to change. Hopefully this isn't going to be necessary, at least not in volume.)
Another nice thing to see is that a significant number of people don't just use one key for everything. Both in their authorized keys files and in actual usage, we clearly have a certain number of people who routinely use several keys even for keys of the same type.
(I haven't attempted to use our logs to see how many people use two or three different types of keys.)