Bug 3127 - Show a meaningful error message when key size is less than 1024 bits
Summary: Show a meaningful error message when key size is less than 1024 bits
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keygen
Version: 7.6p1
Hardware: All All
Importance: P5 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-29 22:56 AEDT by Petr Bodnar
Modified: 2020-02-29 23:09 AEDT
0 users

See Also:


Description Petr Bodnar 2020-02-29 22:56:59 AEDT
This relates to bug 2666. As written in the release notes of OpenSSH, this changed and is hard-coded in version 7.6:

  Refuse RSA keys <1024 bits in length and improve reporting for keys that do not meet this requirement.

Still, even in the latest version 8.2p1, all that is returned from the `ssh-keygen -lf id_rsa.pub` command when a key size is less than 1024 bits is this:

  id_rsa.pub is not a public key file

In order not to mislead / confuse users, please show a message like this instead:

  id_rsa.pub is not a supported public key file because its size is less than 1024 bits

BTW, it is also not clear what the reason is for not showing the hash of the key by the `ssh-keygen` command - isn't the command able to calculate hashes of any RSA key? Shouldn't the key refusal happen only at commands where it really matters?

Environment: Tested with OpenSSH in Cygwin, Windows as well as in Git.
Comment 1 Petr Bodnar 2020-02-29 23:09:38 AEDT
Note: By hash, I mean fingerprint.

Also note that the limit doesn't seem to be documented, or at least I can't find a note on it at the official https://man.openbsd.org/ssh-keygen, other than at the "-b" switch, which only describes key creation though.
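The following is an added illustration of the two points raised in this report, written for this page and not part of OpenSSH or of the reporter's text. It parses an OpenSSH `ssh-rsa` public key line (the wire format is the key type string, then the mpints `e` and `n`), reads the modulus bit length, computes the `SHA256:` fingerprint the same way `ssh-keygen -l` does (SHA-256 over the decoded blob, base64 without `=` padding), and then prints either an `ssh-keygen -lf`-style line or a refusal message that states the 1024-bit reason. The sample keys are constructed in the code (the moduli are chosen for their bit length and are not real RSA moduli); the 1024-bit threshold is taken from the report, and the message wording is an assumption modelled on the reporter's suggestion.

```python
import base64
import binascii
import hashlib
import struct

MIN_RSA_BITS = 1024  # limit the report says is hard-coded since OpenSSH 7.6


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (big-endian two's complement)."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # prepend 0x00 so a positive number is not read as negative
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_pubkey_line(e: int, n: int, comment: str = "constructed@example") -> str:
    """Produce an OpenSSH public key line 'ssh-rsa <base64 blob> <comment>' (constructed input)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _read_string(buf: bytes, off: int):
    """Decode one wire-format string at offset off; return (bytes, new_offset)."""
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated string in key blob")
    return buf[off:off + length], off + length


def parse_rsa_pubkey_line(line: str):
    """Return (e, n, blob, comment) from an OpenSSH ssh-rsa public key line, or raise ValueError."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    comment = parts[2] if len(parts) == 3 else ""
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("key type inside blob does not match ssh-rsa")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after RSA public key")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big"), blob, comment


def sha256_fingerprint(blob: bytes) -> str:
    """ssh-keygen style fingerprint: SHA-256 of the raw blob, base64 with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def describe_key(line: str, path: str = "id_rsa.pub") -> str:
    """Mimic 'ssh-keygen -lf <path>' output, but explain the refusal of small RSA keys."""
    try:
        e, n, blob, comment = parse_rsa_pubkey_line(line)
    except (ValueError, struct.error, binascii.Error):
        return f"{path} is not a public key file"  # message the report complains about
    bits = n.bit_length()
    fp = sha256_fingerprint(blob)  # the fingerprint is computable regardless of key size
    if bits < MIN_RSA_BITS:
        return (f"{path} is not a supported public key file because its size is "
                f"less than {MIN_RSA_BITS} bits (RSA modulus is {bits} bits, fingerprint {fp})")
    return f"{bits} {fp} {comment} (RSA)"


if __name__ == "__main__":
    # Constructed keys: the moduli only have the wanted bit length and are not real RSA moduli.
    small = build_rsa_pubkey_line(65537, (1 << 511) | 1, "small-key")
    ok = build_rsa_pubkey_line(65537, (1 << 1023) | 1, "minimum-size-key")
    print(describe_key(small))
    print(describe_key(ok))
    print(describe_key("this is not a key"))
```

Running the block prints the refusal line with the 512-bit modulus and its fingerprint, a normal `1024 SHA256:... minimum-size-key (RSA)` line for the 1024-bit key, and the generic "is not a public key file" message only for input that does not parse at all.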