Increasing the minimum key size at runtime

Hi,

I need to implement a company policy of requiring a minimum key size that
is estimated to be secure for the next X years (see keylength.com
estimates). For that we would need to reject authentication with keys that
do not meet the key length size which is necessarily higher than the
minimum hard-coded in the most recent OpenSSH release today.

I have already read the whole thread "Settable minimum RSA key sizes on the
client end for legacy devices." (
https://marc.info/?t=157733023300001&r=1&w=2) so I believe I understand the
arguments made there about *lowering* the minimum. However, I'm talking
about *increasing* the minimum at runtime.

a) Is there an argument to be made against a feature like this?

b) Can this be done today?

I've given some thought to using AuthorizedKeysCommand in combination with
a hard-coded non-existent value for AuthorizedKeysFile. Setting
AuthorizedKeysFile to /dev/null and setting up AuthorizedKeysCommand to
look at the user's actual authorized_keys file, filtering out keys not
fulfilling the policy sounds like it could work?

-- Irfan
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
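One way to implement the AuthorizedKeysFile /dev/null plus AuthorizedKeysCommand idea sketched in the message, as an added example that is not from the original post or from OpenSSH: a Python filter that parses each authorized_keys line, derives the key size from the wire-format blob (RSA modulus length, ECDSA curve, Ed25519), and re-emits only the compliant lines so sshd never sees the rest. The policy sizes in MIN_BITS, the script path, and the constructed_rsa_line helper (which builds syntactically valid dummy keys for testing, not real ones) are assumptions for this example.

```python
import base64, shlex, struct, sys
from pathlib import Path

MIN_BITS = {"ssh-rsa": 3072, "ecdsa": 256, "ssh-ed25519": 256}  # example policy, in bits
CURVE_BITS = {"nistp256": 256, "nistp384": 384, "nistp521": 521}  # implied by the type name

def _ssh_string(b): return struct.pack(">I", len(b)) + b  # RFC 4251 string: uint32 len + bytes

def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_bits(keytype, blob):  # security-relevant size of one decoded public key blob
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != keytype:
        raise ValueError("key type field does not match the blob")
    if keytype == "ssh-rsa":
        _e, off = _read_string(blob, off)  # public exponent (mpint)
        n, _ = _read_string(blob, off)     # modulus (mpint); its bit length is the key size
        return int.from_bytes(n, "big").bit_length()
    if keytype.startswith("ecdsa-sha2-"):
        return CURVE_BITS[keytype.rsplit("-", 1)[1]]
    if keytype == "ssh-ed25519":
        return 256
    raise ValueError(f"unsupported key type {keytype}")

def key_allowed(line):  # True if an authorized_keys line meets MIN_BITS; anything odd fails closed
    try:
        fields = shlex.split(line, comments=True)  # quoted options such as command="..." stay intact
        for i, f in enumerate(fields[:-1]):        # skip the optional leading options field
            if f in ("ssh-rsa", "ssh-ed25519") or f.startswith("ecdsa-sha2-"):
                blob = base64.b64decode(fields[i + 1], validate=True)
                return key_bits(f, blob) >= MIN_BITS["ecdsa" if f.startswith("ecdsa-") else f]
    except (ValueError, KeyError, struct.error):
        pass
    return False

def filter_lines(lines):  # emit compliant lines verbatim so sshd still applies their options
    return [l for l in lines if l.strip() and not l.lstrip().startswith("#") and key_allowed(l)]

def constructed_rsa_line(bits, options=""):
    """Syntactically valid ssh-rsa line with a dummy modulus of `bits` bits (constructed, NOT a real key)."""
    n = ((1 << (bits - 1)) | 1).to_bytes((bits + 7) // 8, "big")
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00" + n)
    return f"{options + ' ' if options else ''}ssh-rsa {base64.b64encode(blob).decode()} constructed"

if __name__ == "__main__":  # sshd runs this as AuthorizedKeysCommand with %u as argv[1]
    import pwd  # Unix-only: resolve the user's home directory
    keyfile = Path(pwd.getpwnam(sys.argv[1]).pw_dir, ".ssh", "authorized_keys")
    print("\n".join(filter_lines(keyfile.read_text().splitlines())))
```

Assumed sshd_config for wiring it in: `AuthorizedKeysFile /dev/null`, `AuthorizedKeysCommand /usr/local/sbin/filter_authorized_keys.py %u`, `AuthorizedKeysCommandUser nobody`; sshd requires the command to be owned by root and not group- or world-writable.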


