1024-bit RSA keys in danger of compromise

[Kevin Steves]

On Thu, 28 Mar 2002, Lucky Green wrote:
:Which brings me to an issue that I hope may be on-topic to this mailing
:list: I would like to be able to enforce that the keys my users can use
:to authenticate themselves to my sshd to be of a minimum size. Is there
:a config option to sshd that will reject user keys below a minimum size?
:I didn't see anything in the man pages or my first go through the code.

no config option, but this change will be in the next release:

RCS file: /usr/OpenBSD/cvs/src/usr.bin/ssh/auth-rsa.c,v
retrieving revision 1.53
retrieving revision 1.54
diff -u -r1.53 -r1.54
--- src/usr.bin/ssh/auth-rsa.c	2002/03/25 09:21:13	1.53
+++ src/usr.bin/ssh/auth-rsa.c	2002/03/26 23:13:03	1.54
@@ -14,7 +14,7 @@
  */

 #include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.53 2002/03/25 09:21:13 markus Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.54 2002/03/26 23:13:03 markus Exp $");

 #include <openssl/rsa.h>
 #include <openssl/md5.h>
@@ -77,6 +77,13 @@
 	u_char buf[32], mdbuf[16];
 	MD5_CTX md;
 	int len;
+
+	/* don't allow short keys */
+	if (BN_num_bits(key->rsa->n) < 768) {
+		error("auth_rsa_verify_response: n too small: %d bits",
+		    BN_num_bits(key->rsa->n));
+		return (0);
+	}

 	/* The response is MD5 of decrypted challenge plus session id. */
 	len = BN_num_bytes(challenge);