[Bug 2897] Short RSA key in RevokedKeys prevents everyone from logging in

bugzilla-daemon at bugzilla.mindrot.org
Fri Sep 21 13:32:31 AEST 2018


Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
             Status|NEW                         |ASSIGNED
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
                 CC|                            |djm at mindrot.org,
                   |                            |dtucker at dtucker.net
   Attachment #3178|                            |ok?(dtucker at dtucker.net)
              Flags|                            |

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 3178
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3178&action=edit
ignore invalid key length errors in sshkey_in_file()

This silently ignores SSH_ERR_KEY_LENGTH errors in sshkey_in_file().

This function is currently used in two places: revocation and listing
CA keys.

Ignoring SSH_ERR_KEY_LENGTH is safe in the CA path because we'd never
accept one of those keys as a CA key.

Ignoring the error in the revocation path is safe because we refuse
those keys for authentication too. IMO it's worth allowing revoked keys
lists with invalid short keys present as it supports sharing revocation
lists between different OpenSSH versions (some of which may not ban
short keys).
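
The behaviour described in the comment above, as an added example that is not part of the original message and is not OpenSSH's code: a simplified C model in which a too-short key in a revocation list either aborts the lookup, so a fail-closed caller denies everyone, or is skipped. The `bits:id` entry format, the 1024-bit minimum, the error constants and all function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model: names, error codes and the "bits:id" entry format are
 * assumptions for illustration, not OpenSSH's code or file format. */
enum { OK = 0, ERR_KEY_NOT_FOUND = -1, ERR_KEY_LENGTH = -2, ERR_INVALID_FORMAT = -3 };
#define MIN_RSA_BITS 1024 /* assumed minimum accepted modulus size */

/* Parse one "bits:id" entry; a too-short key gets its own error code. */
static int parse_key(const char *line, int *bits, char id[64]) {
    if (sscanf(line, "%d:%63s", bits, id) != 2) return ERR_INVALID_FORMAT;
    return *bits < MIN_RSA_BITS ? ERR_KEY_LENGTH : OK;
}

/* Return OK if `want` is listed, ERR_KEY_NOT_FOUND if not, or a parse error.
 * skip_short=0 models the reported behaviour; skip_short=1 models the fix. */
static int key_in_list(const char **list, size_t n, const char *want, int skip_short) {
    for (size_t i = 0; i < n; i++) {
        int bits; char id[64];
        int r = parse_key(list[i], &bits, id);
        if (r == ERR_KEY_LENGTH && skip_short) continue; /* ignore short entry */
        if (r != OK) return r;                            /* other errors stay fatal */
        if (strcmp(id, want) == 0) return OK;
    }
    return ERR_KEY_NOT_FOUND;
}

/* Fail-closed caller: only a clean "not found" lets authentication proceed. */
static int auth_allowed(int bits, const char *id, const char **list, size_t n, int skip_short) {
    if (bits < MIN_RSA_BITS) return 0; /* short keys are refused for auth anyway */
    return key_in_list(list, n, id, skip_short) == ERR_KEY_NOT_FOUND;
}

/* Constructed sample list: one 768-bit entry among valid ones. */
static const char *REVOKED[] = { "2048:alice-old", "768:legacy-host", "4096:bob-lost" };
#define NREVOKED (sizeof REVOKED / sizeof REVOKED[0])

int main(void) {
    /* carol's key is not listed; bob-lost is listed. */
    printf("strict: carol=%d\n", auth_allowed(2048, "carol", REVOKED, NREVOKED, 0));
    printf("skip:   carol=%d\n", auth_allowed(2048, "carol", REVOKED, NREVOKED, 1));
    printf("skip:   bob-lost=%d\n", auth_allowed(4096, "bob-lost", REVOKED, NREVOKED, 1));
    printf("skip:   legacy-host=%d\n", auth_allowed(768, "legacy-host", REVOKED, NREVOKED, 1));
    return 0;
}
```

In this model the skipped 768-bit entry is never matched by the lookup, yet the key it describes is still refused by the size check in `auth_allowed`, which is the safety argument the comment makes for the revocation path.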
