[devsda]

> This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword.

So does it send these phantom keystrokes only when there are real keystrokes?

On first reading I thought it sends periodic+random keystrokes and so {Client,Server}AliveInterval option(s) may not be required to keep the connection alive. Need to try and confirm the behaviour.

This version also changes ssh-keygen to generate ed25519 keys by default. Time to update scripts that generate keys without a '-t' arg.

[acquacow]

It's 2023, you shouldn't be using the old rsa keys anyway.

[tialaramex]

Meh. RSA is only used to sign things in SSH and the keys used are generated in a conventional way and with the parameters you'd be told to pick (e.g. exponent 65537)

I'd say at this point the risk of silly goofs in the curve code is similar to the risk from RSA given how well understood it is.