ssh-keygen DSA keys longer than 1024 bit

Darren Tucker dtucker at zip.com.au
Fri Oct 4 00:59:03 EST 2013


On Thu, Oct 03, 2013 at 01:53:37PM +0300, Silviu Vlasceanu wrote:
> Hi,
> 
> Why is there still a limit on the length of a DSA key generated by
> ssh-keygen? I mean that ssh-keygen only expects 1024 as key length, or
> fails. Here is the code excerpt that enforces the limitation:
> 
> if (type == KEY_DSA && *bitsp != 1024)
>     fatal("DSA keys must be 1024 bits");
> 
> Commenting these two lines allows the generation of, say, 2048 bit DSA keys
> that work just fine with sshd.
> 
> The only reason that I could previously find is that 1024 is imposed by
> FIPS 186-2, but the current FIPS 186-3 allows for larger DSA keys.

FIPS 186-3 also specifies which hash algorithms are permitted for those
larger DSA key lengths (section 4.2).  You might want to compare those
with the hash (note: singular) specified by RFC 4253.

> In light of the NIST SP800-131A guide that recommends 2048 as a minimum for
> DSA key length, can anyone please explain to me why the limitation still
> exists in current openssh (6.3p1)? Is there a legal constraint?

It's a specification constraint.  The intersection of what's permitted by
FIPS 186-3 and RFC 4253 is DSA keys of exactly 1024 bits (which is
coincidentally what ssh-keygen currently does).

For further information see https://bugzilla.mindrot.org/show_bug.cgi?id=1647

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
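The intersection Darren describes can be checked mechanically. The following is an added example, not code from the post or from OpenSSH: it implements the ssh-dss signature encoding that RFC 4253 section 6.6 fixes (the blob is r followed by s as two 160-bit unsigned integers, 40 bytes, signed with SHA-1) and walks the (L, N) pairs that FIPS 186-3 section 4.2 permits. The (L, N) table, the per-pair security strengths and the 80-bit figure for SHA-1 are my reading of FIPS 186-3 and SP 800-57, not something the post quotes; the r and s values are constructed, not a real signature.

```python
"""
Added example (not from the openssh-unix-dev post or from OpenSSH).
Shows why RFC 4253 ssh-dss and FIPS 186-3 only overlap at (L, N) = (1024, 160).
"""
import hashlib
import struct

# FIPS 186-3 section 4.2 (L, N) pairs and, per SP 800-57, the security
# strength in bits each pair provides. Assumed values for this example.
FIPS_186_3_PAIRS = {
    (1024, 160): 80,
    (2048, 224): 112,
    (2048, 256): 112,
    (3072, 256): 128,
}

# RFC 4253 section 6.6: ssh-dss signs with SHA-1 and the dss_signature_blob
# is r || s as two 160-bit unsigned big-endian integers, no lengths, no padding.
SSH_DSS_N_BITS = 160
SSH_DSS_INT_LEN = SSH_DSS_N_BITS // 8          # 20 bytes each
SSH_DSS_BLOB_LEN = 2 * SSH_DSS_INT_LEN          # 40 bytes total
SSH_DSS_HASH = hashlib.sha1
SSH_DSS_HASH_STRENGTH = 80                      # bits, assumed from SP 800-57


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def encode_ssh_dss_signature(r: int, s: int) -> bytes:
    """Encode (r, s) exactly as RFC 4253 6.6 requires; reject values that don't fit."""
    limit = 1 << SSH_DSS_N_BITS
    if not (0 <= r < limit and 0 <= s < limit):
        raise ValueError("r and s must be 160-bit integers for ssh-dss")
    blob = r.to_bytes(SSH_DSS_INT_LEN, "big") + s.to_bytes(SSH_DSS_INT_LEN, "big")
    return ssh_string(b"ssh-dss") + ssh_string(blob)


def decode_ssh_dss_signature(sig: bytes) -> tuple:
    """Parse the wire form back into (r, s), checking every length field."""
    def take_string(buf: bytes, off: int):
        if off + 4 > len(buf):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", buf[off:off + 4])
        off += 4
        if off + n > len(buf):
            raise ValueError("truncated string")
        return buf[off:off + n], off + n

    name, off = take_string(sig, 0)
    if name != b"ssh-dss":
        raise ValueError("not an ssh-dss signature")
    blob, off = take_string(sig, off)
    if off != len(sig):
        raise ValueError("trailing bytes after signature")
    if len(blob) != SSH_DSS_BLOB_LEN:
        raise ValueError(f"dss_signature_blob must be {SSH_DSS_BLOB_LEN} bytes, got {len(blob)}")
    return (int.from_bytes(blob[:SSH_DSS_INT_LEN], "big"),
            int.from_bytes(blob[SSH_DSS_INT_LEN:], "big"))


def is_valid_ssh_dss_signature(sig: bytes) -> bool:
    """True if the bytes are a well-formed RFC 4253 ssh-dss signature."""
    try:
        decode_ssh_dss_signature(sig)
        return True
    except ValueError:
        return False


def ssh_dss_compatible_pairs() -> list:
    """
    FIPS 186-3 (L, N) pairs an RFC 4253 ssh-dss implementation can use:
    N must be 160 so r and s fit the fixed 40-byte blob, and SHA-1's
    strength must reach the strength of the pair (my reading of 186-3 4.2).
    """
    usable = []
    for (L, N), strength in sorted(FIPS_186_3_PAIRS.items()):
        if N == SSH_DSS_N_BITS and SSH_DSS_HASH_STRENGTH >= strength:
            usable.append((L, N))
    return usable


# Constructed: what a 256-bit-q signature (2048/3072-bit key) would look like
# if someone padded r || s into the blob anyway; 64 bytes instead of 40.
OVERSIZED_SIG = ssh_string(b"ssh-dss") + ssh_string(bytes(64))


if __name__ == "__main__":
    # Constructed sample r, s; a real pair comes from signing with a 160-bit q.
    r = 0x0123456789ABCDEF0123456789ABCDEF01234567
    s = 0x76543210FEDCBA9876543210FEDCBA9876543210
    sig = encode_ssh_dss_signature(r, s)
    print("wire length:", len(sig), "bytes; round trip ok:",
          decode_ssh_dss_signature(sig) == (r, s))
    print("usable FIPS 186-3 pairs:", ssh_dss_compatible_pairs())
    print("64-byte blob accepted:", is_valid_ssh_dss_signature(OVERSIZED_SIG))
```

The wire format has no room for a length on r or s, so a verifier that follows RFC 4253 must treat any blob that is not exactly 40 bytes as malformed; that, together with the RFC naming SHA-1 alone, is what pins the usable pair to (1024, 160) regardless of what the ssh-keygen check allows.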

