By default ssh-keygen uses an insecure password encryption method on the ssh key.
This change will add options to better protect the key.
See this page for more detail: https://latacora.singles/2018/08/03/the-default-openssh.html

Even if the user does not set a password, using the `-o` option needs to become
the new standard way to run `ssh-keygen`, since the default behavior is insecure.
Your help in establishing this option will be greatly appreciated and will help
improve overall security for your users and ssh users in general.

Originally submitted at
https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/6796.
Signed-off-by: Rémy Coutable <remy@rymai.me>