ssh-keygen DSA keylength limit
Darren Tucker
dtucker at zip.com.au
Tue Nov 5 22:23:39 EST 2013
On Tue, Nov 05, 2013 at 11:57:04AM +0100, Aaron Zauner wrote:
> I am wondering as to why there is a 1024 bit limitation in the
> `ssh-keygen` tool up until the current CVS version.
[...]
It's deliberate. RFC4253 requires the use of SHA1 for DSA keys and
FIPS-186-3 requires the use of a longer hash than SHA1 for keys larger
than 1024 bits. The only way to comply with both is to allow only
keys that are 1024 bits.
See https://bugzilla.mindrot.org/show_bug.cgi?id=1647 for further info.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
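
The constraint described in the reply above, as an added example (not part of the original post and not OpenSSH code): it parses an `ssh-dss` public key line in the RFC 4253 wire format and reports whether its (L, N) sizes fit both documents. It assumes the FIPS 186-3 hash rule can be modelled as "N must not exceed the 160-bit SHA-1 output"; all function names and the sample keys are constructed for illustration.

```python
import base64
import struct

# (L, N) pairs FIPS 186-3 permits; RFC 4253 ssh-dss fixes SHA-1 as the hash.
FIPS_186_3_PAIRS = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}
SHA1_BITS = 160


def _read_string(buf, off):
    """Read one RFC 4251 'string': uint32 length followed by that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end


def dsa_params(pubkey_line):
    """Return (L, N): bit lengths of p and q in an 'ssh-dss AAAA...' line."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-dss":
        raise ValueError("not an ssh-dss public key line")
    blob = base64.b64decode(fields[1], validate=True)
    name, off = _read_string(blob, 0)
    if name != b"ssh-dss":
        raise ValueError("key type inside blob does not match")
    p, off = _read_string(blob, off)   # mpint p (may carry a leading 0x00)
    q, off = _read_string(blob, off)   # mpint q
    return (int.from_bytes(p, "big").bit_length(),
            int.from_bytes(q, "big").bit_length())


def satisfies_both(pubkey_line):
    """Assumed model: a FIPS 186-3 pair whose N fits the SHA-1 output size."""
    L, N = dsa_params(pubkey_line)
    return (L, N) in FIPS_186_3_PAIRS and N <= SHA1_BITS


def make_line(L, N):
    """Constructed sample: right-sized integers, not a usable DSA key."""
    def mpint(v):
        raw = v.to_bytes(v.bit_length() // 8 + 1, "big")  # keeps a leading 0x00
        return struct.pack(">I", len(raw)) + raw
    p, q = (1 << (L - 1)) | 1, (1 << (N - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-dss" + mpint(p) + mpint(q) + mpint(2) + mpint(3)
    return "ssh-dss " + base64.b64encode(blob).decode() + " constructed@example"
```

Running `satisfies_both` over each `ssh-dss` line of an `authorized_keys` file flags any DSA key whose sizes fall outside the single combination both documents allow.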