search for: ssh_rsa_minimum_modulus_size

Hi, is there any chance to make SSH_RSA_MINIMUM_MODULUS_SIZE configurable? I keep receiving these messages: ssh_rsa_verify: RSA modulus too small: 512 < minimum 768 bits key_verify failed for server_host_key And it's quite a hassle to recompile each time I need to use it (there are still devices where you can't fix it easily). Thanks Mich...

...auth(struct ssh_sandbox *, pid_t); +#define setrlimit(x,y) (0) diff --git a/sshkey.c b/sshkey.c index e91c54f..cfdd437 100644 --- a/sshkey.c +++ b/sshkey.c @@ -1394,8 +1394,11 @@ rsa_generate_private_key(u_int bits, RSA **rsap) if (rsap == NULL) return SSH_ERR_INVALID_ARGUMENT; if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE || - bits > SSHBUF_MAX_BIGNUM * 8) + bits > SSHBUF_MAX_BIGNUM * 8) { + fprintf(stderr, "%s bits %d min %d max %d\n", __func__, bits, + SSH_RSA_MINIMUM_MODULUS_SIZE, SSHBUF_MAX_BIGNUM); return SSH_ERR_KEY_LENGTH; + } *rsap = NULL; if ((private = RSA_new()) == NUL...

Hi, OpenSSH 7.6p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a bugfix release. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available via git using the instructions at

...tor that is easily reachable by a medium botnet or cloud service. Adding a switch to turn these back on would be IMO irresponsible. If you think this is overly parentalistic and that an experienced admin is the one best equipped to assess risk, then I'd direct said experienced admin to the the SSH_RSA_MINIMUM_MODULUS_SIZE definition in sshkey.h that they can adjust themselves. -d

https://bugzilla.mindrot.org/show_bug.cgi?id=2666 Bug ID: 2666 Summary: Ability to specify minimum RSA key size for user keys Product: Portable OpenSSH Version: -current Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee:

Functionality request for supporting Digital Signatures for RSA and DSS Public Key Algorithms in alignment with NIST SP800-131A. I assume this has been asked before, but I could not find in the archives. Support of "ssh-rsa-sha256" and "ssh-dss-sha256" public key algorithms for OpenSSH? I know Suite B Algorithms and x509 SSH Extension Algorithms are supported, but not a

...network gear, where either it is not possible because of the lack of new FW or lack of permit to upgrade. If you think that having this option needs more safeguards, please give ideas on what kind of extra checks or options or anything. So I implemented the option to lower the (now) hard limit of SSH_RSA_MINIMUM_MODULUS_SIZE. There is still real hard limit defined in the source code. My rationale for this option is that it is better to be able to use the same OpenSSH program to connect to older gear as well instead of having to compile a separate binary now and then to be able to connect. This way, one automatically...

...- fixed overflow in Kerberos client code - sshd no longer auto-enables Kerberos/AFS - experimental support for privilege separation, see UsePrivilegeSeparation in sshd(8) and http://www.citi.umich.edu/u/provos/ssh/privsep.html for more information. - only accept RSA keys of size SSH_RSA_MINIMUM_MODULUS_SIZE (768) or larger Other Changes: ============== - improved smartcard support (including support for OpenSC, see www.opensc.org) - improved Kerberos support (including support for MIT-Kerberos V) - fixed stderr handling in protocol v2 - client reports failure if -R style TCP forw...

Hi eveyone, Is there a way to set the minimum size accepted by sshd as an RSA public key? I want to restrict users to using RSA keys that are generated with ssh-keygen -b 2048 or greater. I didn't see any option in sshd_config. There is a ServerKeyBits option, but that seems to apply only for SSHv1. Please help me and provide your response.Thanks in advance. Regards Ravi Pratap

All, I occasionally manage some APC PDU devices. I manage them via a VPN, which enforces super-heavy crypto, and their access is restricted to only jumphosts and the VPN. Basically, the only time you need to log into these is when you go to reboot something that's down. Their web UI with SSL doesn't work with modern browsers. Their CPU is...tiny, and their SSHd implementation

...oken passing - fixed overflow in Kerberos client code - sshd no longer auto-enables Kerberos/AFS - experimental support for privilege separation, see UsePrivilegeSeparation in sshd(8) and http://www.citi.umich.edu/u/provos/ssh/privsep.html for more information. - only accept RSA keys of size SSH_RSA_MINIMUM_MODULUS_SIZE (768) or larger Other Changes: ============== - improved smartcard support (including support for OpenSC, see www.opensc.org) - improved Kerberos support (including support for MIT-Kerberos V) - fixed stderr handling in protocol v2 - client reports failure if -R style TCP forwarding fails in prot...