Legacy option for key length?

Damien Miller djm at mindrot.org
Tue Jan 2 12:08:41 AEDT 2018


On Fri, 29 Dec 2017, Daniel Kahn Gillmor wrote:

> On Thu 2017-12-28 21:31:28 -0800, Dan Mahoney (Gushi) wrote:
> > Why not make minimum key length a tunable, just as the other options are?
> 
> Because the goal of building secure software is to make it easy to
> answer the question "are you using it securely?"

This is a nice summation of our approach. It's the same reason we've
never implemented the null cipher and also one of the reasons we removed
SSHv1.

We try to balance compatibility with avoiding danger. This is why it's
still possible to explicitly enable (weak, but AFAIK not broken) DSA
keys if you need them, but RSA768 has actually been demonstrated to be
broken with an academic team factoring a key back in 2009 at a work
factor that is easily reachable by a medium botnet or cloud service.
Adding a switch to turn these back on would be IMO irresponsible.

If you think this is overly parentalistic and that an experienced
admin is the one best equipped to assess risk, then I'd direct said
experienced admin to the SSH_RSA_MINIMUM_MODULUS_SIZE definition in
sshkey.h that they can adjust themselves.

-d
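
An added example, not part of the original message or of OpenSSH: a small audit that reads authorized_keys-style lines and reports RSA keys whose modulus is below a chosen floor. The 1024-bit default, the function names and the sample lines are assumptions made for illustration; options containing quoted spaces are not handled.

```python
import base64
import struct

DEFAULT_MIN_BITS = 1024  # assumption: set to your build's SSH_RSA_MINIMUM_MODULUS_SIZE


def _read_string(blob, off):
    """Read one length-prefixed SSH string (RFC 4251) starting at off."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (size,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + size
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:end], end


def rsa_modulus_bits(b64_blob):
    """Modulus size in bits of an ssh-rsa key blob; None if not ssh-rsa."""
    blob = base64.b64decode(b64_blob, validate=True)
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        return None
    _exponent, off = _read_string(blob, off)
    modulus, _ = _read_string(blob, off)
    return int.from_bytes(modulus, "big").bit_length()


def audit(lines, min_bits=DEFAULT_MIN_BITS):
    """Return (line number, bits or None, comment) for RSA keys to review."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if line.lstrip().startswith("#") or "ssh-rsa" not in fields[:-1]:
            continue  # comment, other key type, or no blob after the type
        i = fields.index("ssh-rsa")  # options may precede the key type
        try:
            bits = rsa_modulus_bits(fields[i + 1])
        except ValueError:
            bits = None  # unparseable blob: flag for manual review
        if bits is None or bits < min_bits:
            findings.append((lineno, bits, " ".join(fields[i + 2:])))
    return findings


def make_sample_line(bits, comment):
    """Constructed sample: a number of the given bit length, not a real key."""
    def mpint(v):
        raw = v.to_bytes(v.bit_length() // 8 + 1, "big")
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment
```

Calling `audit(open(path))` on an authorized_keys or known_hosts-style file before upgrading shows which entries a build with that floor would refuse.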

