sshd doesn't seem to be able to auth a user using an rsa key of 20000 bit.

1. I generated an ssh rsa key like this: ssh-keygen -t rsa -b 20000
2. I placed the public key into another user's authorized_keys file
3. I tried to ssh that user.

What happens:
4. "Feb 4 23:35:50 ABOX sshd[17138]: error: RSA_public_decrypt failed: error:04067069:lib(4):func(103):reason(105)"

What should happen:
4. Accepted publickey for ....

------
Use cases:
1. having an ssh key over 9000.

"00:18 < Kenny> Yes, so will I, for security-measures based on DragonBall Z memes. ;)"
This is not blocked in ssh but in OpenSSL. RSA keys larger than 16384 bits are disallowed in it because of potential CPU resource overusage (effective DoS) on servers.
(In reply to comment #1)
> This is not blocked in ssh but in OpenSSL. RSA keys larger than 16384
> bits are disallowed in it because of potential CPU resource overusage
> (effective DoS) on servers.

Oh ok that's interesting. I didn't know that. I couldn't find a size limitation anywhere (other than ssh-keygen when generating a cert).
The limitation is in OpenSSL's rsa.h (probably /usr/include/openssl/rsa.h or similar):

$ grep "define.*RSA_MAX" /usr/include/openssl/rsa.h
# define OPENSSL_RSA_MAX_MODULUS_BITS 16384
# define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */

If you want bigger keys, you'll need to change that and recompile OpenSSL then rebuild OpenSSH against it.
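Added example, not part of the original thread and not OpenSSH or OpenSSL code: a Python check that reads the modulus size out of each ssh-rsa line of an authorized_keys file and reports keys above the 16384-bit limit quoted above, so such a key is found before a login fails with the RSA_public_decrypt error. The function names and the sample lines are assumptions made for this sketch; the sample keys are constructed numbers of the right size, not usable keys.

```python
import base64
import struct

# Limit quoted in the thread from OpenSSL's rsa.h.
OPENSSL_RSA_MAX_MODULUS_BITS = 16384

def _read_string(blob, off):
    """Read one length-prefixed field (uint32 big-endian length, then bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:end], end

def rsa_modulus_bits(line):
    """Modulus size in bits of an ssh-rsa authorized_keys line, else None."""
    fields = line.split()
    if line.lstrip().startswith("#") or "ssh-rsa" not in fields[:-1]:
        return None  # blank line, comment, or another key type
    blob = base64.b64decode(fields[fields.index("ssh-rsa") + 1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside blob is not ssh-rsa")
    _exponent, off = _read_string(blob, off)   # public exponent e
    modulus, _ = _read_string(blob, off)       # modulus n
    return int.from_bytes(modulus, "big").bit_length()

def oversized_keys(lines, limit=OPENSSL_RSA_MAX_MODULUS_BITS):
    """Return (line_number, bits) for every RSA key above the limit."""
    found = []
    for number, line in enumerate(lines, 1):
        bits = rsa_modulus_bits(line)
        if bits is not None and bits > limit:
            found.append((number, bits))
    return found

def _mpint(value):
    # One spare byte keeps the top bit clear, so the number reads as positive.
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

def make_line(bits, comment):
    """Constructed sample: a number of the right size, not a usable key."""
    n = (1 << (bits - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

SAMPLE = [make_line(4096, "a@constructed"), make_line(16384, "b@constructed"),
          make_line(20000, "c@constructed"), "# note"]

if __name__ == "__main__":
    print(oversized_keys(SAMPLE))
```

A key of exactly 16384 bits is not reported, since the thread states that only keys larger than the limit are disallowed.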
close resolved bugs now that openssh-5.9 has been released