ssh-keygen -t dsa limited to 1024?

Kyle J. McKay mackyle at gmail.com
Tue Sep 10 18:29:22 EST 2013


Looking at ssh-keygen.c from openssh-6.2p2.tar.gz lines 186-187:

         if (type == KEY_DSA && *bitsp != 1024)
                 fatal("DSA keys must be 1024 bits");

It appears to me that ssh-keygen will only generate 1024 bit DSA keys.

Is that still current?

FIPS 186-3 (2009-06) section 4.2 and FIPS 186-4 [1] (2013-07) section 4.2 state:

4.2 Selection of Parameter Sizes and Hash Functions for DSA
This Standard specifies the following choices for the pair L and N (the bit lengths of p and q, respectively):
      L = 1024, N = 160
      L = 2048, N = 224
      L = 2048, N = 256
      L = 3072, N = 256
Federal Government entities shall generate digital signatures using one or more of these choices.

I see there is bug 1647 [2] about this.

However, RFC 6668 [3] (2012-07) added SHA-256 to the recommended list of data integrity functions for SSH, making the L=2048, N=256 and L=3072, N=256 DSA choices from FIPS 186-3/186-4 standards-compliant. It also appears that OpenSSH added support for both SHA-256 and SHA-512 in version 5.9p1 (2011-09).

I have updated bug 1647 with the additional information.

Are there any plans to add support for generating DSA 2048, 3072 keys?

[1] http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=1647
[3] http://tools.ietf.org/html/rfc6668

--Kyle

P.S. What, by the way, does OpenSSH do if you have an existing DSA 2048 or 3072 key? (OpenSSL will generate them just fine.)
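The question above (how ssh-keygen's `*bitsp != 1024` check relates to the FIPS 186-4 (L, N) pairs, and what to make of an existing DSA key of another size) can be answered for keys you already hold by reading the (L, N) sizes straight out of the public key. The following is an added example, not code from OpenSSH or from the post: it parses the RFC 4253 "ssh-dss" public-key blob (string "ssh-dss", then mpint p, q, g, y as defined in RFC 4251), reports L = bits(p) and N = bits(q), and checks them against the FIPS 186-4 section 4.2 pairs and against the quoted ssh-keygen condition. The sample keys it builds are constructed placeholders of the right bit lengths (not prime, not real DSA parameters); only the encoding and the size check are exercised. Function and constant names are mine.

```python
"""Audit ssh-dss public keys for their DSA (L, N) parameter sizes.

Added example, not part of OpenSSH. Parses the RFC 4253 "ssh-dss" blob
(string "ssh-dss", mpint p, mpint q, mpint g, mpint y) and classifies
L = bits(p), N = bits(q) against FIPS 186-4 section 4.2 and against the
`*bitsp != 1024` check quoted from ssh-keygen.c in openssh-6.2p2.
"""
import base64
import struct

# FIPS 186-4 section 4.2: the permitted (L, N) pairs.
FIPS_186_4_PAIRS = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}


def _read_string(buf, off):
    """RFC 4251 'string': uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def _read_mpint(buf, off):
    """RFC 4251 'mpint': two's-complement big-endian. A positive value whose
    top bit is set carries a leading 0x00, so byte length is not bits/8;
    measure bit_length() on the decoded integer, never on the raw bytes."""
    raw, off = _read_string(buf, off)
    return int.from_bytes(raw, "big", signed=True), off


def _put_string(b):
    return struct.pack(">I", len(b)) + b


def _put_mpint(n):
    """Encode a non-negative integer as an ssh mpint."""
    if n < 0:
        raise ValueError("negative mpint not supported here")
    if n == 0:
        return _put_string(b"")
    # bit_length()//8 + 1 bytes adds the leading 0x00 exactly when the
    # minimal encoding would have its top bit set (bit_length % 8 == 0).
    return _put_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def encode_ssh_dss(p, q, g, y):
    """Build a raw ssh-dss public-key blob (the base64 part of a key line)."""
    return _put_string(b"ssh-dss") + b"".join(_put_mpint(v) for v in (p, q, g, y))


def parse_ssh_dss(blob):
    """Return (p, q, g, y) from a raw ssh-dss blob; reject malformed input."""
    kind, off = _read_string(blob, 0)
    if kind != b"ssh-dss":
        raise ValueError("not an ssh-dss key: %r" % kind)
    vals = []
    for _ in range(4):
        v, off = _read_mpint(blob, off)
        if v <= 0:
            raise ValueError("DSA parameters must be positive")
        vals.append(v)
    if off != len(blob):
        raise ValueError("trailing bytes after y")
    return tuple(vals)


def dsa_sizes(blob):
    """(L, N): bit lengths of p and q, using the FIPS 186-4 names."""
    p, q, _g, _y = parse_ssh_dss(blob)
    return p.bit_length(), q.bit_length()


def ssh_keygen_6_2_would_generate(L):
    """Mirror of the quoted ssh-keygen.c check: fatal() unless L == 1024."""
    return L == 1024


def classify(L, N):
    return {"L": L, "N": N,
            "fips_186_4": (L, N) in FIPS_186_4_PAIRS,
            "ssh_keygen_6_2": ssh_keygen_6_2_would_generate(L)}


def audit_authorized_keys_line(line):
    """'ssh-dss <base64> [comment]' -> classification; None for other types."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-dss":
        return None
    return classify(*dsa_sizes(base64.b64decode(parts[1])))


def constructed_blob(L, N):
    """CONSTRUCTED placeholder key of the requested sizes: p, q, g, y are
    not prime and not a real DSA group. They only exercise the encoding
    and the size measurement above."""
    p = (1 << (L - 1)) | 0x2B
    q = (1 << (N - 1)) | 0x0D
    g = 1 << (L - 2)
    y = 1 << (L - 3)
    return encode_ssh_dss(p, q, g, y)


def constructed_authorized_keys_line(L, N, comment="constructed@example"):
    return "ssh-dss %s %s" % (base64.b64encode(constructed_blob(L, N)).decode(), comment)


if __name__ == "__main__":
    for L, N in [(1024, 160), (2048, 256), (3072, 256), (2048, 160)]:
        print(audit_authorized_keys_line(constructed_authorized_keys_line(L, N)))
```

Run against a real authorized_keys or known_hosts file, the `ssh-dss` lines whose (L, N) is a FIPS 186-4 pair other than (1024, 160) are exactly the keys that ssh-keygen 6.2 would refuse to create itself. Note that later OpenSSH releases disabled ssh-dss by default (7.0, 2015), so on current hosts an audit like this mostly surfaces legacy keys.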

