Settable minimum RSA key sizes on the client end for legacy devices.
Stuart Henderson
stu at spacehopper.org
Thu Dec 26 23:35:21 AEDT 2019
On 2019/12/25 21:02, Steve Sether wrote:
> Basically I've had to turn on telnet access again, lowering security.
Does it really lower security? The very old embedded OS is not going to
be secure anyway, this type of device should only be used on a trusted
private network. (New embedded OS are often not much better so I'd take
the same view there).
The RNG used to generate the key is probably rubbish too - I don't expect
there to be all that much entropy in those 768 bits..
Not being able to use ssh is an annoyance but there are trade-offs to be
made when using old hardware. The way I deal with these is to use telnet
from a console server / "jump box" which itself runs modern sshd.
> To me, not providing a way to over-ride the minimum key size is just a bit
> heavy-handed. The vendor doesn't support this device anymore, and it's
> failed all attempts at replacing the 768 bit key with a 1024 bit one.
The APC devices I used struggled with even a 768-bit key, I suspect
handling numbers 2^256 times larger will be too hard on the CPU.
> I note that other legacy, potentially insecure options are supported via
> configuration changes. https://www.openssh.com/legacy.html
Most of these (though not ssh-dss) relate to per-session keying.
I think you can get away with a bit more weakness there (which would
have to be attacked while the session is active and before rekeying)
whereas short host keys are more of a long term risk.
Note that other things were removed with no fallback available (also
with good reason) - SSH1 for example.
> Why isn't the
> same true for a minimum key size? This device isn't exactly ancient at
> around 12 years old and a 10 year old firmware. I'd imagine there's other
> hardware that has limited support for ssh key sizes that the current
> openssh won't connect to anymore.
The other place I've seen it is on old switches but there is usually
less reason to keep them than old power control hardware.
> I'd rather not dredge up a big fight, but I _would_ like to express a
> desire for some form of overriding the minimum key size.
This can be done by recompiling if necessary. This restriction has been
a pain for me at times but honestly I think it's for the best that it's
been done.
More information about the openssh-unix-dev
mailing list