Bug 2897

Summary: Short RSA key in RevokedKeys prevents everyone from logging in
Product: Portable OpenSSH Reporter: Colin Coghill <colin>
Component: sshdAssignee: Damien Miller <djm>
Status: CLOSED FIXED    
Severity: normal CC: djm, dtucker
Priority: P5    
Version: 7.6p1   
Hardware: Other   
OS: Linux   
Bug Depends on:    
Bug Blocks: 2893    
Attachments:
Description Flags
ignore invalid key length errors in sshkey_in_file() dtucker: ok+

Description Colin Coghill 2018-08-21 09:59:49 AEST 
We make use of the RevokedKeys feature to list some old keys that we don't want people able to use any more. Included in this list are some RSA keys <1024 bits in length. They're insecure, which is why we revoke them explicitly.

When sshd tries to read the RevokedKeys file it errors on the short key and as a result refuses to let anyone log in. I presume this is related to such keys no longer being accepted for authentication.

7.5p1 works fine
7.6p1 errors

logs:

sshd[22012]: error: Error checking authentication key RSA SHA256:xxxxxxxxxxxxxxxxxxxxxx in revoked keys file /etc/ssh/revoked_keys: Invalid key length


We have fixed this for our case by removing the revoked short keys, but since the effect at the time was to lock us out of a server purely as a result of upgrading openssh-server, I wanted to make a note that it could be quite a bad situation for some folk.

Ideally having an unacceptable key in RevokedKeys shouldn't prevent all logins. It's a place where insecure keys *should* be listed.
Comment 1 Damien Miller 2018-09-21 13:32:31 AEST 
Created attachment 3178 [details]
ignore invalid key length errors in sshkey_in_file()

This silently ignores SSH_ERR_KEY_LENGTH errors in sshkey_in_file().

This function is currently used in two places: revocation and listing CA keys.

Ignoring SSH_ERR_KEY_LENGTH is safe in the CA path because we'd never accept one of those keys as a CA key.

Ignoring the error in the revocation path is safe because we refuse those keys for authentication too. IMO it's worth allowing revoked keys lists with invalid short keys present as it supports sharing revocation lists between different OpenSSH versions (some of which may not ban short keys).
Comment 2 Damien Miller 2018-09-21 22:20:43 AEST 
Fix committed, this will be in the openssh-7.9 release
Comment 3 Damien Miller 2018-10-19 17:17:23 AEDT 
Close RESOLVED bugs with the release of openssh-8.0