What are ssh-keygen best practices?
I recommend the Secure Secure Shell article, which suggests:
ssh-keygen -t ed25519 -a 100
Ed25519 is an EdDSA scheme with very small (fixed size) keys, introduced in OpenSSH 6.5 (2014-01-30). These have complexity akin to RSA at 4096 bits thanks to elliptic curve cryptography (ECC). The -a 100 option specifies 100 rounds of key derivations, making your key's password harder to brute-force.
However, Ed25519 is a rather new key algorithm (Curve25519's popularity spiked only when it was surmised that other standards had been diluted) and its adoption is not yet universal. Large steps were made in 2018, so we're nearly there, but on older systems or for older servers, you can generate a similarly-complex RSA key with 4096 bytes:
ssh-keygen -t rsa -b 4096 -o -a 100
(The -o option also requires OpenSSH 6.5 and is the default starting in v7.8, so it is no longer present in the ssh-keygen man page. This dictates usage of a new OpenSSH format to store the key rather than the previous default, PEM. Ed25519 requires this new format, so we don't need to explicitly state it given -t ed25519. A previous man page stated that “the new format has increased resistance to brute-force password cracking.” See this answer for more detail.)
Do not consider the other new ECC algorithm called ECDSA. It is considered suspect (it has known weaknesses and since the US government has been involved in its development, it may be compromised beyond that). Ed25519 was developed without any known government involvement.
Stay well away from DSA (“ssh-dss”) keys: they're not just suspect, DSA is insecure.
Most users would simply type
ssh-keygenand accept what they're given by default.
Yes. To do a security for people, it needs to be simple. Therefore the default option should be safe, compatible and fast. You can provide alternatives, but default should be "good enough" for these who don't care. Therefore RSA (2048) in the old PEM format is the default at the moment.
- Use
-ofor the OpenSSH key format rather than the older PEM format (OpenSSH 6.5 introduced this feature almost 3 years ago on 2014-01-30)
Three years is nothing. A lot of containers managed to evolve during these years, but SSH is here more than 20 years and still needs to deal with older clients. The new OpenSSH format is not widely adopted and supported yet.
- How should one calculate how many rounds of KDF to use with
-a?
Depends on the use case. Creating your key for your "stuff" repo on Github will be different than creating a keys in your favorite national agency as a certification authority or to access super-secret documents on dedicated server.
As pointed out, this is only for the new format, which is not yet widely used and it increases the time to decrypt key. The default number of rounds is 16 (would be nice to see it documented somewhere). More in the Cryptography question.
- Should
-Tbe used to test the candidate primes for safety? What-avalue to use with this?
No. It is used for generating primes (/etc/ssh/moduli) for DH key exchange. It is not used in any way for generating SSH keys. How to generate and test the moduli file is explained in separate chapter MODULI GENERATION of manual page for ssh-keygen.
- For the different key types, what are the recommended minimum
-b bitsizes?
This is not SSH specific, but generally key sizes are recommended by NIST in this document, page 12 (per 2015):
RSA (2048 bits)
ECDSA (Curve P-256)
The Ed25519 does have fixed size so the -b parameter is ignored.
Here's a one liner for Ed25519 based on recommended values: (without passphrase)
ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519 -q -N ""
Another one for RSA:
ssh-keygen -t rsa -b 4096 -o -a 100 -f ~/.ssh/id_rsa -q -N ""
-N: New passphrase-q: Silencessh-keygen