bugzilla-daemon at bugzilla.mindrot.org
2017-Jan-21 07:10 UTC
[Bug 2666] New: Ability to specify minimum RSA key size for user keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2666
Bug ID: 2666
Summary: Ability to specify minimum RSA key size for user keys
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: aaronmdjones at gmail.com
The `PubkeyAcceptedKeyTypes' sshd_config(5) option allows a system
administrator to restrict the kinds of keys that can be used by users
to log in to the system; and they can disable e.g.
`ecdsa-sha2-nistp256' and `ecdsa-sha2-nistp384' while still allowing
`ecdsa-sha2-nistp521', but they cannot restrict the RSA key size if
they allow `ssh-rsa'.
This bug is a feature request for a `PubkeyAcceptedRSAMinKeySize'
option (or similar naming).
If a user attempts to log in with e.g. a 2048-bit RSA key, and this is
set to something higher than 2048, the user should be denied access.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Feb-15 02:31 UTC
[Bug 2666] Ability to specify minimum RSA key size for user keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2666
Sam Hoffman <samuelhoffman2 at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |samuelhoffman2 at gmail.com
--- Comment #1 from Sam Hoffman <samuelhoffman2 at gmail.com> ---
+1
bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-10 08:32 UTC
[Bug 2666] Ability to specify minimum RSA key size for user keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2666
stefan.ss at gmx.de changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |stefan.ss at gmx.de
--- Comment #2 from stefan.ss at gmx.de ---
Need this option also to allow again the previous RSA minimum size default
of 768.
I know 768 is too small for security,
_but_ old puttygen versions create RSA keys with 1023 bits in ~50% of cases
when used with the default requested size of 1024.
SSH_RSA_MINIMUM_MODULUS_SIZE was increased to 1024, so public key login
no longer works with old public keys.
So we are forced to stay on the old OpenSSH server version (7.4).
Cannot distribute new keys for these accounts.
bugzilla-daemon at bugzilla.mindrot.org
2020-Feb-29 12:23 UTC
[Bug 2666] Ability to specify minimum RSA key size for user keys
https://bugzilla.mindrot.org/show_bug.cgi?id=2666
Petr Bodnar <p.bodnar at centrum.cz> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |p.bodnar at centrum.cz
--- Comment #3 from Petr Bodnar <p.bodnar at centrum.cz> ---
(In reply to stefan.ss from comment #2)
> need this option also to allow again previous RSA minimum size
> default 768.
>
> I know 768 is too small for security,
> _but_ old puttygen version creates in ~50% RSA keys with 1023 bits,
> when using with the default of requested size 1024.
>
> SSH_RSA_MINIMUM_MODULUS_SIZE was increased to 1024, so public key
> login no longer works with old public keys.
>
> so enforced to stay on old openssh server version (7.4).
> Cannot distribute new keys for this accounts.
100% agreed and voting for this issue resolution.
It is also questionable and maybe for a separate bug (?) why the
hard-coded limit was not set to 1023 when it is known that PuTTYgen
randomly generates(-ed) shorter keys when 1024 is (was) requested. See
this quote regarding 1023 key size from its old, but most probably
still valid
[documentation](https://the.earth.li/~sgtatham/putty/0.61/htmldoc/Chapter8.html):
> This is perfectly normal, and you do not need to worry. The lengths should
> only ever differ by one, and there is no perceptible drop in security as a
> result.
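As an added, defender-side illustration of the check this thread asks for (not code from OpenSSH or from anyone on this thread): the script below decodes the `ssh-rsa` blob of each authorized_keys line, reads the modulus bit length, and flags keys below a configurable minimum. That is the size test the original report wants in sshd, and it is also how an administrator can find the 1023-bit PuTTYgen keys from comments #2 and #3 before an upgrade to a server built with SSH_RSA_MINIMUM_MODULUS_SIZE 1024 locks those accounts out. The sample keys are constructed: their moduli are plain integers of the wanted bit length, not real RSA moduli, and the function names are my own.

```python
import base64
import struct

# Encoding/decoding helpers for the SSH wire format (RFC 4251 "string" and "mpint").
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    if n == 0:
        return _ssh_string(b"")
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:          # keep the value positive in two's complement
        body = b"\x00" + body
    return _ssh_string(body)

def _read_ssh_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + length], off + length

def encode_rsa_pubkey(e: int, n: int) -> str:
    """Build an OpenSSH 'ssh-rsa <base64>' line; the blob is string "ssh-rsa", mpint e, mpint n."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")

def parse_pubkey_line(line: str):
    """Return (key_type, modulus_bits) for one authorized_keys line, with
    modulus_bits None for non-RSA keys, or None for blank/comment lines.
    Leading authorized_keys options are skipped by looking for the key-type
    token; a quoted option value containing a key-type token would confuse
    this simple whitespace tokenizer."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, tok in enumerate(fields[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            key_type, b64 = tok, fields[i + 1]
            break
    else:
        raise ValueError("no key type token found")
    blob = base64.b64decode(b64)
    blob_type, off = _read_ssh_string(blob, 0)
    if blob_type.decode("ascii") != key_type:
        raise ValueError("key type mismatch between text and blob")
    if key_type != "ssh-rsa":
        return key_type, None
    _e, off = _read_ssh_string(blob, off)       # public exponent, not needed here
    n_bytes, _ = _read_ssh_string(blob, off)    # modulus; leading 0x00 pad does not change the value
    return key_type, int.from_bytes(n_bytes, "big").bit_length()

def audit_authorized_keys(text: str, min_rsa_bits: int):
    """Return [(line_no, key_type, bits, accepted)] for every key in the file.
    Non-RSA keys are always accepted by this check (bits is None)."""
    report = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parsed = parse_pubkey_line(line)
        if parsed is None:
            continue
        key_type, bits = parsed
        accepted = bits is None or bits >= min_rsa_bits
        report.append((line_no, key_type, bits, accepted))
    return report

# Constructed sample keys: the moduli are NOT real RSA moduli (not products of
# two primes); they are integers of the right bit length so the wire format and
# the size check can be exercised offline.
KEY_RSA_1023 = encode_rsa_pubkey(65537, (1 << 1022) | 1) + " old-puttygen-style"
KEY_RSA_2048 = encode_rsa_pubkey(65537, (1 << 2047) | 1) + " modern"
KEY_ED25519 = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x00" * 32)).decode("ascii") + " not-rsa"

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys sample",
    KEY_RSA_1023,
    'no-pty,command="/bin/true" ' + KEY_RSA_2048,
    KEY_ED25519,
])

if __name__ == "__main__":
    # With a 1024-bit minimum (the current sshd build-time floor) the 1023-bit key is rejected.
    for line_no, key_type, bits, ok in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, 1024):
        size = f"{bits}-bit" if bits is not None else "n/a"
        print(f"line {line_no}: {key_type:12s} {size:>9s} {'ok' if ok else 'REJECTED'}")
```

Run it against a real authorized_keys file by reading the file into `audit_authorized_keys` with the minimum you intend to enforce; the same `min_rsa_bits` knob is what the requested `PubkeyAcceptedRSAMinKeySize` option would set server-side, and lowering it to 768 reproduces the pre-1024 behaviour comment #2 is asking to restore.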