NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

bin/47540: No DSA key files generated when ssh_keygen_flags != "-b 1024" in rc.conf

>Number:         47540
>Category:       bin
>Synopsis:       No DSA key files generated when ssh_keygen_flags != "-b 1024" 
>in rc.conf
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 07 14:10:00 +0000 2013
>Originator:     Felix Deichmann
>Release:        6.0.1
NetBSD bla.invalid 6.0.1 NetBSD 6.0.1 (GENERIC) amd64
When ssh_keygen_flags is set to a value other than "-b 1024" in rc.conf, 
/etc/rc.d/sshd fails to generate the DSA key files.

According to ssh-keygen(1), "DSA keys must be exactly 1024 bits as specified by 
FIPS 186-2". ssh-keygen won't create DSA key files with "-b" values other than 

As another effect, /etc/rc.d/sshd will repeatedly try to recreate all keys when 
not all key files (e. g. the DSA key files) are present, each time started.

DSA key generation should be fixed to 1024 bit keys (-b 1024), as it is already 
done for ECDSA keys (fixed value of 521) in /etc/rc.d/sshd.
Delete all key files in /etc/ssh and set ssh_keygen_flags="-b 4096" in rc.conf. 
When executing "/etc/rc.d/sshd start" to generate new key files, the DSA key 
files will not be created anymore.
In /etc/rc.d/sshd, replace the line containing

/usr/bin/ssh-keygen -t dsa -b ${ssh_keygen_flags} \


/usr/bin/ssh-keygen -t dsa -b 1024 \

Home | Main Index | Thread Index | Old Index