groupGenerateEgressKey

Create a new public + private key pair for a group

usage

--osh groupGenerateEgressKey --group GROUP --algo ALGO --size SIZE [--encrypted]

--group GROUP

Group name to generate a new egress key for.

--algo ALGO

Specifies the algo of the key, either rsa, ecdsa or ed25519.

--size SIZE

Specifies the size of the key to be generated.

For RSA, choose between 2048 and 8192 (4096 is good). For ECDSA, choose either 256, 384 or 521. For ED25519, size is always 256.
--encrypted

If specified, a passphrase will be prompted for the new key

Note that the actually available algorithms on a bastion depend on the underlying OS and the configured policy.

A quick overview of the different algorithms:

+---------+------+----------+-------+-----------------------------------------+
| algo    | size | strength | speed | compatibility                           |
+=========+======+==========+=======+=========================================+
| DSA     |  any | 0        | n/a   | obsolete, do not use                    |
| RSA     | 2048 | **       | **    | works everywhere                        |
| RSA     | 4096 | ***      | *     | works almost everywhere                 |
| ECDSA   |  521 | ****     | ***** | OpenSSH 5.7+ (Debian 7+, Ubuntu 12.04+) |
| Ed25519 |  256 | *****    | ***** | OpenSSH 6.5+ (Debian 8+, Ubuntu 14.04+) |
+---------+------+----------+-------+-----------------------------------------+

This table is meant as a quick cheat-sheet, you're warmly advised to do your own research, as other constraints may apply to your environment.