Looking at ssh-keygen.c from openssh-6.2p2.tar.gz lines 186-187:
    if (type == KEY_DSA && *bitsp != 1024)
        fatal("DSA keys must be 1024 bits");
It appears to me that ssh-keygen will only generate 1024 bit DSA keys.
Is that still current?
FIPS 186-3 (2009-06) section 4.2 and FIPS 186-4 [1] (2013-07) section
4.2 state:
    4.2 Selection of Parameter Sizes and Hash Functions for DSA

    This Standard specifies the following choices for the pair L and N
    (the bit lengths of p and q, respectively):

        L = 1024, N = 160
        L = 2048, N = 224
        L = 2048, N = 256
        L = 3072, N = 256

    Federal Government entities shall generate digital signatures using
    one or more of these choices.
I see there is bug 1647 [2] about this.
However, RFC 6668 [3] (2012-07) added SHA-256 to the recommended list
of data integrity functions for SSH, making the L=2048,N=256 and
L=3072,N=256 DSA choices from FIPS 186-3/186-4 standards-compliant.
It also appears that OpenSSH added support for both SHA-256 and
SHA-512 in version 5.9p1 (2011-09).
I have updated bug 1647 with the additional information.
Are there any plans to add support for generating DSA 2048, 3072 keys?
[1] http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=1647
[3] http://tools.ietf.org/html/rfc6668
--Kyle
P.S. What, by the way, does OpenSSH do if you have an existing DSA
2048 or 3072 key? (OpenSSL will generate them just fine.)
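A small inspector for the situation raised in the post and its P.S.: given an existing `ssh-dss` public key line (as found in `id_dsa.pub` or `authorized_keys`), it decodes the RFC 4253 wire format, reports the bit lengths L (of p) and N (of q), and says whether the pair is one of the four FIPS 186-4 section 4.2 choices and whether it would pass the `*bitsp != 1024` check quoted from ssh-keygen. This is an added example, not code from OpenSSH or from the post; the sample keys it builds use placeholder integers of the right bit lengths (not prime, not real DSA parameters) purely to exercise the parser, and the function and constant names are the example's own.

```python
"""Report the (L, N) parameter sizes of ssh-dss public keys and check them
against the FIPS 186-4 section 4.2 pairs quoted in the post.

Added example; not code from OpenSSH or from the post. The sample keys are
constructed with placeholder integers of the right bit lengths and are NOT
real DSA parameters (p and q are not prime).
"""
import base64
import struct

# (L, N) pairs permitted by FIPS 186-4 section 4.2: L = bits of p, N = bits of q.
FIPS_186_4_PAIRS = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}

# The only p size the openssh-6.2p2 ssh-keygen check quoted in the post accepts.
SSH_KEYGEN_62_DSA_BITS = 1024


def _read_string(buf, off):
    """Read one RFC 4251 'string': uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def _mpint_bits(raw):
    """Bit length of an RFC 4251 mpint (big-endian two's complement)."""
    return int.from_bytes(raw, "big", signed=True).bit_length()


def parse_ssh_dss(line):
    """Parse an 'ssh-dss AAAA... [comment]' line and return (L, N)."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-dss":
        raise ValueError("not an ssh-dss public key line")
    blob = base64.b64decode(fields[1])
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-dss":
        raise ValueError("key type inside blob is not ssh-dss")
    # Wire layout (RFC 4253 section 6.6): string "ssh-dss", mpint p, q, g, y.
    p, off = _read_string(blob, off)
    q, off = _read_string(blob, off)
    _g, off = _read_string(blob, off)
    _y, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after ssh-dss key blob")
    return _mpint_bits(p), _mpint_bits(q)


def classify(L, N):
    """One-line verdict: FIPS 186-4 pair or not, and the ssh-keygen 6.2p2 size check."""
    fips = "FIPS 186-4 pair" if (L, N) in FIPS_186_4_PAIRS else "not a FIPS 186-4 pair"
    if L == SSH_KEYGEN_62_DSA_BITS:
        gen = "passes the 1024-bit check in ssh-keygen 6.2p2"
    else:
        gen = "rejected by the 1024-bit check in ssh-keygen 6.2p2"
    return f"L={L} N={N}: {fips}; {gen}"


# --- constructed sample input (encoder side) ---------------------------------

def _mpint(n):
    """Encode a non-negative int as an RFC 4251 mpint."""
    if n == 0:
        body = b""
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        if body[0] & 0x80:          # keep the sign bit clear for positive values
            body = b"\x00" + body
    return struct.pack(">I", len(body)) + body


def make_sample_key(L, N, comment="constructed-sample"):
    """Build an ssh-dss line whose p has L bits and q has N bits.

    Placeholder values only: p = 2^(L-1) + 1 and q = 2^(N-1) + 1 are not prime,
    so this is a parser fixture, not a usable key.
    """
    p = (1 << (L - 1)) | 1
    q = (1 << (N - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-dss" + _mpint(p) + _mpint(q) + _mpint(2) + _mpint(3)
    return f"ssh-dss {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    for size in [(1024, 160), (2048, 256), (3072, 256), (2048, 160)]:
        L, N = parse_ssh_dss(make_sample_key(*size))
        print(classify(L, N))
```

To check a real key, pass a line from an `authorized_keys` file to `parse_ssh_dss` and feed the result to `classify`; the parser only needs the public blob, so it never touches private material, and it reads the sizes straight from the encoded p and q rather than trusting the key's comment or filename.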