All,
I occasionally manage some APC PDU devices. I manage them via a VPN,
which enforces super-heavy crypto, and their access is restricted to only
jumphosts and the VPN. Basically, the only time you need to log into
these is when you go to reboot something that's down.
Their web UI with SSL doesn't work with modern browsers.
Their CPU is...tiny, and their SSHd implementation is...old (and, I
believe, proprietary).
I think it defaults to RSA768, and even then, takes a good 15 seconds to
let you log in.
When trying to SSH to them most recently from a recent copy of MacOS, I
got the "Invalid Key Length" error.
I googled around for the release note and the source code commit that had
produced this, and then tried looking for workarounds here:
https://www.openssh.com/legacy.html
After all, since the OpenSSH devs think carefully enough to have a page
that documents legacy options, for sure they thought of one for this case
too, right? It doesn't seem so.
My workaround was, insanely, to fire up a VM with an older version of an
OS with an older openSSH client.
So...
Why not make minimum key length a tunable, just as the other options are?
In this way, sites with a more strict policy could actually specify it
(i.e. RSA2048 or better)
Perhaps if you're dead-set on this being so dangerous, you could make it
so that you could specify a command-line option to accept a lower value
one time, but you're perhaps not able to override it via the config.
Thanks,
-Dan
--
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev