OpenSSH: how to disallow weak (<2048 bits) RSA keys
Are there any configs for OpenSSH server to disallow weak (e.g. <2048 bits) RSA keys? I'm aware of PubkeyAcceptedKeyTypes, which can disallow specific key types, incl. ssh-rsa, as a whole.

Tags: ssh, security, configuration, openssh
asked Feb 25 at 14:30 by nodakai
This is an interesting question. – Pedro, Mar 1 at 21:37
1 Answer
I can't see it would be run-time configurable, but you could change the compile-time definition of SSH_RSA_MINIMUM_MODULUS_SIZE in sshkey.h and recompile:

#define SSH_RSA_MINIMUM_MODULUS_SIZE 1024

to

#define SSH_RSA_MINIMUM_MODULUS_SIZE 2048

Either that, or just don't install keys that are shorter. It might be possible to scan the users' authorized_keys files for keys that are shorter than that, at least if we accept the length of the encoded key as an indicator of the length of the actual key. The encoding for a 2048 bit RSA key seems to be 372 characters long, so something like this might match shorter keys:

grep -E 'ssh-rsa [a-zA-Z0-9+/=]{,371}( |$)' file...
answered Feb 25 at 14:51 by ilkkachu
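The grep in the answer above uses the length of the base64 text as a proxy for the modulus size. The following is an added example, not code from the answerer or from OpenSSH: it decodes each ssh-rsa blob in an authorized_keys file according to the SSH wire format (RFC 4251 `string` and `mpint`), reads the actual modulus and reports every RSA entry below a chosen bit length, so a larger public exponent, an options prefix such as `command="..."` or a long key comment cannot skew the result. The authorized_keys content and the key blobs are constructed inline (placeholder moduli, not real key material); the function and file names are the example's own.

```python
import base64
import binascii
import struct
from typing import List, Optional, Tuple

# --- Builders for the constructed sample keys (synthetic, NOT real key material) ---

def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, a leading 0x00 if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def build_rsa_blob(bits: int, e: int = 65537) -> str:
    """Base64 ssh-rsa blob whose modulus is exactly `bits` long.
    The modulus is a placeholder number, not a product of two primes."""
    n = (1 << (bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return base64.b64encode(blob).decode("ascii")

def build_ed25519_blob() -> str:
    """Base64 ssh-ed25519 blob with an all-zero 32-byte point (placeholder)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x00" * 32)
    return base64.b64encode(blob).decode("ascii")

# --- Parser: recover the real modulus size from an encoded key ---

def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + length], off + length

def rsa_modulus_bits(b64: str) -> Optional[int]:
    """Modulus bit length of an ssh-rsa blob, or None for another key type.
    Raises ValueError / struct.error on malformed input."""
    blob = base64.b64decode(b64, validate=True)
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        return None
    _e, off = _read_string(blob, off)        # public exponent, not needed here
    n_bytes, _ = _read_string(blob, off)     # modulus as mpint
    return int.from_bytes(n_bytes, "big").bit_length()

def audit_rsa_keys(authorized_keys_text: str, min_bits: int = 2048) -> List[Tuple[int, Optional[int], str]]:
    """Return (line number, modulus bits or None if unparseable, comment) for every
    ssh-rsa entry shorter than `min_bits`. Non-RSA entries and comments are skipped."""
    findings = []
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        idx = line.find("ssh-rsa ")
        if idx < 0:
            continue                         # not an RSA key
        fields = line[idx:].split()          # ['ssh-rsa', '<base64>', '<comment>', ...]
        comment = " ".join(fields[2:])
        try:
            bits = rsa_modulus_bits(fields[1])
        except (ValueError, binascii.Error, struct.error, IndexError):
            findings.append((lineno, None, comment))   # corrupt entry: flag it too
            continue
        if bits is not None and bits < min_bits:
            findings.append((lineno, bits, comment))
    return findings

# Constructed authorized_keys content: a weak key, acceptable keys (one with an
# options prefix), a non-RSA key and a corrupt entry.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    "ssh-rsa " + build_rsa_blob(1024) + " legacy@host",
    "ssh-rsa " + build_rsa_blob(2048) + " ok@host",
    'command="/usr/bin/backup",no-pty ssh-rsa ' + build_rsa_blob(4096) + " backup@host",
    "ssh-ed25519 " + build_ed25519_blob() + " ed@host",
    "ssh-rsa not-base64!!! broken@host",
])

if __name__ == "__main__":
    for lineno, bits, comment in audit_rsa_keys(SAMPLE_AUTHORIZED_KEYS):
        status = "unparseable" if bits is None else f"{bits} bits"
        print(f"line {lineno}: {status}  {comment}")
```

Run against a real file with `audit_rsa_keys(open(path).read())`. The constructed 2048-bit blob with e=65537 encodes to exactly 372 base64 characters, which is the figure the answer quotes; the parser does not depend on that, so it stays correct for keys with unusual exponents, where the encoded length shifts.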