Legacy option for key length?

All,

I occasionally manage some APC PDU devices. I manage them via a VPN, which enforces super-heavy crypto, and their access is restricted to only jumphosts and the VPN. Basically, the only time you need to log into these is when you go to reboot something that's down.

Their web UI with SSL doesn't work with modern browsers.
Their CPU is...tiny, and their SSHd implementation is...old (and, I believe, proprietary).

I think it defaults to RSA768, and even then, takes a good 15 seconds to let you log in.

When trying to SSH to them most recently from a recent copy of macOS, I got the "Invalid Key Length" error.

I googled around for the release note and the source code commit that had produced this, and then tried looking for workarounds here: https://www.openssh.com/legacy.html

After all, since the OpenSSH devs think carefully enough to have a page that documents legacy options, for sure they thought of one for this case too, right? It doesn't seem so.

My workaround was, insanely, to fire up a VM with an older version of an OS with an older OpenSSH client.

So...

Why not make minimum key length a tunable, just as the other options are?

In this way, sites with a more strict policy could actually specify it (i.e. RSA2048 or better).

Perhaps if you're dead-set on this being so dangerous, you could make it so that you could specify a command-line option to accept a lower value one time, but you're perhaps not able to override it via the config.

Thanks,

-Dan

--

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


