[Bug 2897] New: Short RSA key in RevokedKeys prevents everyone from logging in

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Tue Aug 21 09:59:49 AEST 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2897

            Bug ID: 2897
           Summary: Short RSA key in RevokedKeys prevents everyone from
                    logging in
           Product: Portable OpenSSH
           Version: 7.6p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: colin at colincoghill.com

We make use of the RevokedKeys feature to list some old keys that we
don't want people able to use any more. Included in this list are some
RSA keys <1024 bits in length. They're insecure, which is why we revoke
them explicitly.

When sshd tries to read the RevokedKeys file it errors on the short key
and as a result refuses to let anyone log in. I presume this is related
to such keys no longer being accepted for authentication.

7.5p1 works fine
7.6p1 errors

logs:

sshd[22012]: error: Error checking authentication key RSA
SHA256:xxxxxxxxxxxxxxxxxxxxxx in revoked keys file
/etc/ssh/revoked_keys: Invalid key length


We have fixed this for our case by removing the revoked short keys, but
since the effect at the time was to lock us out of a server purely as a
result of upgrading openssh-server, I wanted to make a note that it
could be quite a bad situation for some folk.

Ideally having an unacceptable key in RevokedKeys shouldn't prevent all
logins. It's a place where insecure keys *should* be listed.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list