On Thu 2015-01-08 09:15:20 -0500, Fedor Brunner wrote:
> ssh-keygen.c contains condition
>
> 	else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
> 		fatal("Key must at least be 768 bits");
>
> Please increase the minimal RSA key length.
>
>
> https://eprint.iacr.org/2010/006
> This paper reports on the factorization of the 768-bit number RSA-768 by
> the number field sieve factoring method

This seems to still be the case:

https://anongit.mindrot.org/openssh.git/tree/ssh-keygen.c#n216

a minimum of 1024 bits would still be low, but it would be better than 768.

Arguably, modern SSH clients and servers shouldn't even accept 768-bit keys, let alone generate them.

Is there interest upstream in raising this floor?

--dkg
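An audit check for the concern raised in this message, as an added example that is not part of the original email or of OpenSSH: it decodes `ssh-rsa` lines from an `authorized_keys`-style file and reports RSA moduli below a floor. The 2048-bit default floor, the function names and the sample lines (constructed blobs, not real keys) are assumptions of the example.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumed policy floor; the thread only argues that 768 is too low

def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end

def rsa_modulus_bits(pubkey_line):
    """Modulus size in bits of an ssh-rsa public key line; None if not RSA or malformed."""
    fields = pubkey_line.split()
    try:
        idx = fields.index("ssh-rsa")  # key options may precede the key type
        blob = base64.b64decode(fields[idx + 1], validate=True)
        key_type, off = _read_string(blob, 0)
        if key_type != b"ssh-rsa":
            return None
        _e, off = _read_string(blob, off)  # public exponent
        n, _ = _read_string(blob, off)     # modulus, encoded as an mpint
    except (ValueError, IndexError):
        return None
    return int.from_bytes(n, "big").bit_length()

def weak_rsa_keys(lines, floor=MIN_RSA_BITS):
    """Return (line_number, bits) for every ssh-rsa key whose modulus is below floor."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        bits = rsa_modulus_bits(line)
        if bits is not None and bits < floor:
            findings.append((lineno, bits))
    return findings

def _make_line(bits, comment):
    """Constructed input: a well-formed blob with a `bits`-bit modulus (not a real key)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    n_bytes = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 per mpint
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(n_bytes)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

SAMPLE = ["# constructed sample", _make_line(768, "old@example"),
          _make_line(1024, "legacy@example"), _make_line(3072, "new@example")]
```

Calling `weak_rsa_keys(open(path))` on a real `authorized_keys` file works the same way; malformed lines are skipped rather than reported.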