Re: Settable minimum RSA key sizes on the client end for legacy devices.

You can use openssl to generate a shorter key:

	$ openssl genrsa -out key.pem 768                # 768-bit RSA private key (the subcommand is genrsa)
	$ ssh-keygen -y -f key.pem > key.pub # optional to get public key

This works with a 768-bit RSA key (client: OpenSSH_7.2p2, OpenSSL 1.0.2g; server: OpenSSH_7.2p2, OpenSSL 1.0.2g) but not a 256-bit RSA key: I can generate the shorter key, but the server requires a minimum of 768 bits.

Hope this helps.



-------- Forwarded Message --------
Subject: Settable minimum RSA key sizes on the client end for legacy devices.
Date: 	Wed, 25 Dec 2019 21:02:36 -0600
From: 	Steve Sether <steve@xxxxxxxxxx>
To: 	openssh-unix-dev@xxxxxxxxxxx



Recently I tried to turn on SSH on my 12-year-old APC-UPS.  I soon discovered that I couldn't connect to it because my newer version of openssh doesn't support RSA key sizes below 1024 bits.

I'd rather not dredge up a big fight, but I _would_ like to express a desire for some form of overriding the minimum key size.  Basically I've had to turn on telnet access again, lowering security.  The HTTPS protocol options on the device are old enough that no modern browser will connect to it either.  So essentially I'm left going back to the mid 90s and using telnet or HTTP to connect to this device.

To me, not providing a way to override the minimum key size is just a bit heavy-handed.  The vendor doesn't support this device anymore, and it has failed all attempts at replacing the 768-bit key with a 1024-bit one.  The firmware is upgraded to the last release, from 2010.  I understand that a 768-bit RSA key was factored 10 years ago, though with a very large computing effort, so it's vulnerable to a pretty expensive attack.

I note that other legacy, potentially insecure options are supported via configuration changes (https://www.openssh.com/legacy.html).  Why isn't the same true for a minimum key size?  This device isn't exactly ancient at around 12 years old with 10-year-old firmware.  I'd imagine there's other hardware that has limited support for ssh key sizes that the current openssh won't connect to anymore.
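The thread above turns on a single number: the RSA modulus size OpenSSH is willing to accept (768 bits for the 7.2p2 server in the reply, 1024 bits for the newer client in the forwarded message). The following Python script is an added example, not code from the thread or from the OpenSSH project: it parses OpenSSH-format `ssh-rsa` public key lines (`.pub`, `authorized_keys` and `known_hosts` style, including lines with an options prefix), reads the modulus bit length directly from the wire encoding, and flags any key below a configurable minimum. The sample key lines are constructed inline with placeholder moduli of the right bit lengths (not real RSA moduli) so the script runs offline; the hostnames and comments are made up.

```python
import base64
import struct
from typing import List, Optional, Tuple

# Minimum RSA modulus size (bits) that current OpenSSH accepts, per the
# forwarded message ("doesn't support RSA key sizes below 1024 bits").
OPENSSH_MIN_RSA_BITS = 1024


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (RFC 4251): 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (two's complement)."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # keep the sign bit clear for positive values
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_ssh_rsa(e: int, n: int) -> str:
    """Build the 'ssh-rsa <base64>' token pair OpenSSH uses for a public key."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated SSH string")
    return blob[off:off + length], off + length


def rsa_modulus_bits(line: str) -> Optional[int]:
    """Return the modulus bit length for an 'ssh-rsa' public key line, or
    None if the line is not a parseable ssh-rsa key (other key types,
    comments, corrupt base64)."""
    tokens = line.split()
    if "ssh-rsa" not in tokens:
        return None
    idx = tokens.index("ssh-rsa")       # skips any authorized_keys options prefix
    if idx + 1 >= len(tokens):
        return None
    try:
        blob = base64.b64decode(tokens[idx + 1], validate=True)
        key_type, off = _read_string(blob, 0)
        if key_type != b"ssh-rsa":
            return None
        _e, off = _read_string(blob, off)   # public exponent, not needed here
        n_raw, _ = _read_string(blob, off)
    except (ValueError, struct.error):
        return None
    return int.from_bytes(n_raw, "big").bit_length()


def audit_keys(lines: List[str], min_bits: int = OPENSSH_MIN_RSA_BITS) -> List[Tuple[int, int, bool]]:
    """Return (line_number, modulus_bits, meets_minimum) for every ssh-rsa key."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bits = rsa_modulus_bits(line)
        if bits is None:
            continue
        findings.append((line_no, bits, bits >= min_bits))
    return findings


# Constructed sample file (known_hosts / authorized_keys mix). The moduli are
# placeholders chosen only for their bit length; they are not real RSA keys.
SAMPLE_LINES = [
    "# constructed sample; moduli are placeholders, not real keys",
    "ups-legacy " + encode_ssh_rsa(65537, (1 << 767) | 1),                          # 768-bit, known_hosts style
    'no-pty,command="/bin/true" ' + encode_ssh_rsa(65537, (1 << 1023) | 3) + " ops@example",  # options prefix
    encode_ssh_rsa(65537, (1 << 2047) | 5) + " admin@example",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER eddsa@example",  # skipped
]

if __name__ == "__main__":
    for line_no, bits, ok in audit_keys(SAMPLE_LINES):
        status = "ok" if ok else f"BELOW {OPENSSH_MIN_RSA_BITS}-bit minimum"
        print(f"line {line_no}: ssh-rsa {bits}-bit modulus: {status}")
```

Pass `min_bits=768` to `audit_keys` to reproduce the 7.2p2 server's threshold from the reply. Reading the modulus length from the key blob rather than trusting a filename or comment is the point: it is the same quantity OpenSSH checks when it refuses the connection, so an inventory produced this way tells you in advance which legacy hosts will stop being reachable after an upgrade.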

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev