[Bug 2897] New: Short RSA key in RevokedKeys prevents everyone from logging in
bugzilla-daemon at bugzilla.mindrot.org
Tue Aug 21 09:59:49 AEST 2018
https://bugzilla.mindrot.org/show_bug.cgi?id=2897
Bug ID: 2897
Summary: Short RSA key in RevokedKeys prevents everyone from logging in
Product: Portable OpenSSH
Version: 7.6p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: colin at colincoghill.com
We make use of the RevokedKeys feature to list some old keys that we
don't want people able to use any more. Included in this list are some
RSA keys <1024 bits in length. They're insecure, which is why we revoke
them explicitly.
When sshd tries to read the RevokedKeys file it errors on the short key
and as a result refuses to let anyone log in. I presume this is related
to such keys no longer being accepted for authentication.
7.5p1 works fine
7.6p1 errors
logs:
sshd[22012]: error: Error checking authentication key RSA SHA256:xxxxxxxxxxxxxxxxxxxxxx in revoked keys file /etc/ssh/revoked_keys: Invalid key length
We have fixed this for our case by removing the revoked short keys, but
since the effect at the time was to lock us out of a server purely as a
result of upgrading openssh-server, I wanted to make a note that it
could be quite a bad situation for some folk.
Ideally having an unacceptable key in RevokedKeys shouldn't prevent all
logins. It's a place where insecure keys *should* be listed.
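As an added example (not part of the bug report or of OpenSSH itself), a small Python pre-deployment check that parses the ssh-rsa wire format of each RevokedKeys entry and reports any modulus shorter than 1024 bits, the threshold the report's "Invalid key length" error on 7.6p1 implies. The key lines it scans are constructed dummies with a fake modulus, and the 1024-bit threshold is an assumption taken from the report rather than a value the page states.

```python
import base64
import struct

def _ssh_string(data):
    # SSH wire-format string: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value):
    # SSH mpint: big-endian magnitude, 0x00-prefixed when the high bit is set.
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)

def _read_string(blob, offset):
    (length,) = struct.unpack_from(">I", blob, offset)
    return blob[offset + 4:offset + 4 + length], offset + 4 + length

def rsa_modulus_bits(line):
    """Modulus size of an 'ssh-rsa <base64> [comment]' line, or None if not RSA."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        return None
    blob = base64.b64decode(fields[1])
    key_type, pos = _read_string(blob, 0)       # b"ssh-rsa"
    _exponent, pos = _read_string(blob, pos)    # e, not needed for the size check
    modulus, _ = _read_string(blob, pos)        # n
    return int.from_bytes(modulus, "big").bit_length() if key_type == b"ssh-rsa" else None

def find_short_rsa_keys(revoked_text, min_bits=1024):
    """(line number, bits) for each RSA entry below min_bits; 1024 is the
    threshold assumed from the report's "Invalid key length" error on 7.6p1."""
    hits = []
    for lineno, line in enumerate(revoked_text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        bits = rsa_modulus_bits(line)
        if bits is not None and bits < min_bits:
            hits.append((lineno, bits))
    return hits

def make_rsa_pubkey_line(modulus_bits, comment):
    # Constructed ssh-rsa line with a dummy modulus: valid wire format, not a real key.
    modulus = (1 << (modulus_bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(modulus)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

SAMPLE_REVOKED_KEYS = "\n".join([  # constructed RevokedKeys file; line 2 locks everyone out
    "# revoked keys (constructed sample)",
    make_rsa_pubkey_line(512, "old-laptop"),
    make_rsa_pubkey_line(2048, "ex-contractor"),
])
```

Running `find_short_rsa_keys(open("/etc/ssh/revoked_keys").read())` before upgrading openssh-server flags the entries to move out of RevokedKeys; on the constructed sample it returns `[(2, 512)]`.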