bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-04 13:28 UTC
[Bug 1853] New: sshd doesn't seem to be able to auth a user using an rsa key of 20000 bit
https://bugzilla.mindrot.org/show_bug.cgi?id=1853

Summary: sshd doesn't seem to be able to auth a user using an rsa key of 20000 bit
Product: Portable OpenSSH
Version: 5.7p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: db.pub.mail at gmail.com

sshd doesn't seem to be able to auth a user using an rsa key of 20000 bit.

1. I generated an ssh rsa key like this: ssh-keygen -t rsa -b 20000
2. I placed the public key into another user's authorized_keys file
3. I tried to ssh that user.

What happens:
4. "Feb 4 23:35:50 ABOX sshd[17138]: error: RSA_public_decrypt failed: error:04067069:lib(4):func(103):reason(105)"

What should happen:
4. Accepted publickey for ....

------
Use cases:
1. having an ssh key over 9000.

"00:18 < Kenny> Yes, so will I, for security-measures based on DragonBall Z memes. ;)"

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-04 17:38 UTC
[Bug 1853] sshd doesn't seem to be able to auth a user using an rsa key of 20000 bit
https://bugzilla.mindrot.org/show_bug.cgi?id=1853

Tomas Mraz <t8m at centrum.cz> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |t8m at centrum.cz

--- Comment #1 from Tomas Mraz <t8m at centrum.cz> 2011-02-05 04:38:37 EST ---
This is not blocked in ssh but in OpenSSL. RSA keys larger than 16384 bits are disallowed in it because of potential CPU resource overusage (effective DoS) on servers.
bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-05 00:44 UTC
[Bug 1853] sshd doesn't seem to be able to auth a user using an rsa key of 20000 bit
https://bugzilla.mindrot.org/show_bug.cgi?id=1853

--- Comment #2 from daveb <db.pub.mail at gmail.com> 2011-02-05 11:44:44 EST ---
(In reply to comment #1)
> This is not blocked in ssh but in OpenSSL. RSA keys larger than 16384
> bits are disallowed in it because of potential CPU resource overusage
> (effective DoS) on servers.

Oh ok that's interesting. I didn't know that. I couldn't find a size limitation anywhere (other than ssh-keygen when generating a cert).
bugzilla-daemon at bugzilla.mindrot.org
2011-Feb-06 02:50 UTC
[Bug 1853] sshd doesn't seem to be able to auth a user using an rsa key of 20000 bit
https://bugzilla.mindrot.org/show_bug.cgi?id=1853

Darren Tucker <dtucker at zip.com.au> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
Status|NEW |RESOLVED
Resolution| |INVALID

--- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2011-02-06 13:50:53 EST ---
The limitation is in OpenSSL's rsa.h (probably /usr/include/openssl/rsa.h or similar):

$ grep "define.*RSA_MAX" /usr/include/openssl/rsa.h
# define OPENSSL_RSA_MAX_MODULUS_BITS 16384
# define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */

If you want bigger keys, you'll need to change that and recompile OpenSSL then rebuild OpenSSH against it.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 05:32 UTC
[Bug 1853] sshd doesn't seem to be able to auth a user using an rsa key of 20000 bit
https://bugzilla.mindrot.org/show_bug.cgi?id=1853

Damien Miller <djm at mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> 2011-09-06 15:32:46 EST ---
close resolved bugs now that openssh-5.9 has been released