Bugzilla – Attachment 3404 Details for
Bug 3174
Enable OpenSSH to connect older gear having limitations on host RSA key length, implemented, see the pull request.
[patch]
Patch to implement the option
Github-OpenSSH-188.diff (text/plain), 4.61 KB, created by
Antti Louko
on 2020-05-31 06:22:31 AEST
Description:
Patch to implement the option
Filename:
MIME Type:
Creator:
Antti Louko
Created:
2020-05-31 06:22:31 AEST
Size:
4.61 KB
patch
obsolete
>diff --git a/readconf.c b/readconf.c
>index c0595a52b..22d33181b 100644
>--- a/readconf.c
>+++ b/readconf.c
>@@ -173,6 +173,7 @@ typedef enum {
> oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
> oPubkeyAcceptedKeyTypes, oCASignatureAlgorithms, oProxyJump,
> oSecurityKeyProvider,
>+ oRSAMinimumModulusSize,
> oIgnore, oIgnoredUnknownOption, oDeprecated, oUnsupported
> } OpCodes;
> 
>@@ -310,6 +311,7 @@ static struct {
> { "ignoreunknown", oIgnoreUnknown },
> { "proxyjump", oProxyJump },
> { "securitykeyprovider", oSecurityKeyProvider },
>+ { "rsaminimummodulussize", oRSAMinimumModulusSize },
> 
> { NULL, oBadOption }
> };
>@@ -1339,6 +1341,20 @@ process_config_line_depth(Options *options, struct passwd *pw, const char *host,
> *log_level_ptr = (LogLevel) value;
> break;
> 
>+ case oRSAMinimumModulusSize:
>+ intptr = &SSH_RSA_MINIMUM_MODULUS_SIZE;
>+ arg = strdelim(&s);
>+ if ((errstr = atoi_err(arg, &value)) != NULL)
>+ fatal("%s line %d: integer value %s.",
>+ filename, linenum, errstr);
>+ if (value < SSH_RSA_MINIMUM_MODULUS_SIZE_HARD) {
>+ fatal("%s line %d: RSAMinimumModulusSize unacceptably small: %d",
>+ filename, linenum, value);
>+
>+ }
>+ SSH_RSA_MINIMUM_MODULUS_SIZE = value;
>+ break;
>+
> case oLogFacility:
> log_facility_ptr = &options->log_facility;
> arg = strdelim(&s);
>@@ -2770,6 +2786,7 @@ dump_client_config(Options *o, const char *host)
> dump_cfg_int(oNumberOfPasswordPrompts, o->number_of_password_prompts);
> dump_cfg_int(oServerAliveCountMax, o->server_alive_count_max);
> dump_cfg_int(oServerAliveInterval, o->server_alive_interval);
>+ dump_cfg_int(oRSAMinimumModulusSize, SSH_RSA_MINIMUM_MODULUS_SIZE);
> 
> /* String options */
> dump_cfg_string(oBindAddress, o->bind_address);
>diff --git a/ssh-keygen.c b/ssh-keygen.c
>index bdc29e00a..2c2e7500c 100644
>--- a/ssh-keygen.c
>+++ b/ssh-keygen.c
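Review bot: In the new `case oRSAMinimumModulusSize` the global is written unconditionally, `SSH_RSA_MINIMUM_MODULUS_SIZE = value;`, so a setting inside a non-matching `Host`/`Match` block, or in a later-read config file, still lowers the process-wide floor for every host, whereas the neighbouring integer options in this function are only applied through the active flag (only the assignment of the preceding oLogLevel case is visible here, its guard is outside the hunk). Guard the write the same way, e.g. `if (*activep) SSH_RSA_MINIMUM_MODULUS_SIZE = value;`, and decide whether first-obtained-value-wins should hold as it does for the other options, since with the current code the last occurrence wins. `intptr = &SSH_RSA_MINIMUM_MODULUS_SIZE;` is never read afterwards and can be dropped, as can the stray blank line before the closing brace of the fatal() block. process_config_line_depth starts and ends outside the hunk.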
>@@ -210,7 +210,7 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
> fatal("Invalid DSA key length: must be 1024 bits");
> break;
> case KEY_RSA:
>- if (*bitsp < SSH_RSA_MINIMUM_MODULUS_SIZE)
>+ if (*bitsp < (u_int)SSH_RSA_MINIMUM_MODULUS_SIZE)
> fatal("Invalid RSA key length: minimum is %d bits",
> SSH_RSA_MINIMUM_MODULUS_SIZE);
> else if (*bitsp > OPENSSL_RSA_MAX_MODULUS_BITS)
>diff --git a/ssh.1 b/ssh.1
>index dce5f404b..2cbfc5c34 100644
>--- a/ssh.1
>+++ b/ssh.1
>@@ -542,6 +542,7 @@ For full details of the options listed below, and their possible values, see
> .It RemoteCommand
> .It RemoteForward
> .It RequestTTY
>+.It RSAMinimumModulusSize
> .It SendEnv
> .It ServerAliveInterval
> .It ServerAliveCountMax
>diff --git a/ssh_config.5 b/ssh_config.5
>index f9d55f8a2..51baf3bea 100644
>--- a/ssh_config.5
>+++ b/ssh_config.5
>@@ -1486,6 +1486,12 @@ an OpenSSH Key Revocation List (KRL) as generated by
> .Xr ssh-keygen 1 .
> For more information on KRLs, see the KEY REVOCATION LISTS section in
> .Xr ssh-keygen 1 .
>+.It Cm RSAMinimumModulusSize
>+Specifies the minimum accepted RSA modulus size in different
>+contexts. This is only be used with older SSH servers when it is
>+impossible to have or generate longer keys for them. This should not
>+be used in any other purposes except perhaps testing. There is still
>+hard limit, 512. To use shorter RSA keys than that, OpenSSH must be recompiled.
> .It Cm SecurityKeyProvider
> Specifies a path to a library that will be used when loading any
> FIDO authenticator-hosted keys, overriding the default of using
>diff --git a/sshkey.c b/sshkey.c
>index 1571e3d93..c1ffd08da 100644
>--- a/sshkey.c
>+++ b/sshkey.c
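Review bot: The cast in `if (*bitsp < (u_int)SSH_RSA_MINIMUM_MODULUS_SIZE)` only adapts the comparison to the now-signed global; nothing in this patch gives ssh-keygen a way to set that global (the only write is in readconf.c's process_config_line_depth), so unless ssh-keygen parses ssh_config, which I do not believe it does, it keeps rejecting anything below the compiled-in default while the ssh_config.5 hunk talks about being unable to generate longer keys. Either state in that manual text that ssh-keygen still enforces SSH_RSA_MINIMUM_MODULUS_SIZE_DEFAULT, or leave this file untouched until the intended behaviour is settled. The cast also deserves a one-line comment, e.g. `/* global is int; a negative value wraps to a huge u_int and fails closed */`, so the next reader does not have to work out whether a signed/unsigned comparison is hiding a bug. type_bits_valid continues outside the hunk.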
>@@ -93,6 +93,8 @@ int sshkey_private_serialize_opt(struct sshkey *key,
> static int sshkey_from_blob_internal(struct sshbuf *buf,
> struct sshkey **keyp, int allow_cert);
> 
>+int SSH_RSA_MINIMUM_MODULUS_SIZE = SSH_RSA_MINIMUM_MODULUS_SIZE_DEFAULT;
>+
> /* Supported key types */
> struct keytype {
> const char *name;
>@@ -1583,7 +1585,7 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
> 
> if (rsap == NULL)
> return SSH_ERR_INVALID_ARGUMENT;
>- if (bits < (u_int)SSH_RSA_MINIMUM_MODULUS_SIZE ||
>+ if (bits < (u_int)SSH_RSA_MINIMUM_MODULUS_SIZE ||
> bits > SSHBUF_MAX_BIGNUM * 8)
> return SSH_ERR_KEY_LENGTH;
> *rsap = NULL;
>diff --git a/sshkey.h b/sshkey.h
>index 9c1d4f637..aff1d8b21 100644
>--- a/sshkey.h
>+++ b/sshkey.h
>@@ -48,7 +48,10 @@
> # define EC_POINT void
> #endif /* WITH_OPENSSL */
> 
>-#define SSH_RSA_MINIMUM_MODULUS_SIZE 1024
>+extern int SSH_RSA_MINIMUM_MODULUS_SIZE;
>+
>+#define SSH_RSA_MINIMUM_MODULUS_SIZE_DEFAULT 1024
>+#define SSH_RSA_MINIMUM_MODULUS_SIZE_HARD 512 /* This is the hard limit for -o RSAMinimumModulusSize */
> #define SSH_KEY_MAX_SIGN_DATA_SIZE (1 << 20)
> 
> struct sshbuf;
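Review bot: `int SSH_RSA_MINIMUM_MODULUS_SIZE = SSH_RSA_MINIMUM_MODULUS_SIZE_DEFAULT;` turns a compile-time constant into a writable, non-const, process-wide global that keeps its macro-style all-caps name, so readers of the comparison in rsa_generate_private_key (next hunk) and of any other site using the old macro will not realise the floor can now change at runtime; the same applies to the `extern int` in the sshkey.h hunk. Either rename it in lower case (e.g. `ssh_rsa_minimum_modulus_size`) or at least document it where it is declared, with a comment along the lines of `/* Runtime RSA modulus floor in bits; starts at SSH_RSA_MINIMUM_MODULUS_SIZE_DEFAULT, changed only by readconf.c (RSAMinimumModulusSize) and never below SSH_RSA_MINIMUM_MODULUS_SIZE_HARD. */`. Because sshkey.h is shared, every program linking sshkey.o, sshd included, now carries the writable floor even though only the client parser sets it; if the option is meant to be client-only, that comment is the place to say so. The trailing comment on the `_HARD` define pushes the line well past 80 columns; put it on its own line above the define.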