-rw-r--r-- | ChangeLog | 9 | ||||
-rw-r--r-- | ssh-keygen.1 | 6 | ||||
-rw-r--r-- | ssh-keygen.c | 6 |
3 files changed, 15 insertions, 6 deletions
@@ -1,6 +1,13 @@ | |||
1 | 20051128 | 1 | 20051128 |
2 | - (dtucker) [regress/yes-head.sh] Work around breakage caused by some | 2 | - (dtucker) [regress/yes-head.sh] Work around breakage caused by some |
3 | versions of GNU head. Based on patch from zappaman at buraphalinux.org | 3 | versions of GNU head. Based on patch from zappaman at buraphalinux.org |
4 | - (dtucker) OpenBSD CVS Sync | ||
5 | - dtucker@cvs.openbsd.org 2005/11/28 05:16:53 | ||
6 | [ssh-keygen.1 ssh-keygen.c] | ||
7 | Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2, | ||
8 | increase minumum RSA key size to 768 bits and update man page to reflect | ||
9 | these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com), | ||
10 | ok djm@, grudging ok deraadt@. | ||
4 | 11 | ||
5 | 20051126 | 12 | 20051126 |
6 | - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer, | 13 | - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer, |
@@ -3362,4 +3369,4 @@ | |||
3362 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 3369 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
3363 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 3370 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
3364 | 3371 | ||
3365 | $Id: ChangeLog,v 1.4009 2005/11/28 05:41:03 dtucker Exp $ | 3372 | $Id: ChangeLog,v 1.4010 2005/11/28 05:41:46 dtucker Exp $ |
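--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.71 2005/10/31 19:55:25 jmc Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.72 2005/11/28 05:16:53 dtucker Exp $
 .\"
 .\" -*- nroff -*-
 .\"
@@ -190,9 +190,9 @@ command.
 Show the bubblebabble digest of specified private or public key file.
 .It Fl b Ar bits
 Specifies the number of bits in the key to create.
-Minimum is 512 bits.
+For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
 Generally, 2048 bits is considered sufficient.
-The default is 2048 bits.
+DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
 .It Fl C Ar comment
 Provides a new comment.
 .It Fl c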
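--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -12,7 +12,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.133 2005/10/31 11:12:49 djm Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.134 2005/11/28 05:16:53 dtucker Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -1046,7 +1046,7 @@ main(int ac, char **av)
 "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
 switch (opt) {
 case 'b':
-bits = strtonum(optarg, 512, 32768, &errstr);
+bits = strtonum(optarg, 768, 32768, &errstr);
 if (errstr)
 fatal("Bits has bad value %s (%s)",
 optarg, errstr);
@@ -1259,6 +1259,8 @@ main(int ac, char **av)
 fprintf(stderr, "unknown key type %s\n", key_type_name);
 exit(1);
 }
+if (type == KEY_DSA && bits != 1024)
+fatal("DSA keys must be 1024 bits");
 if (!quiet)
 printf("Generating public/private %s key pair.\n", key_type_name);
 if (bits == 0)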
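Review bot: The new `if (type == KEY_DSA && bits != 1024)` check is placed before the `if (bits == 0)` default that closes this hunk, so a plain `ssh-keygen -t dsa` with no `-b` — where `bits` presumably still holds its unset value of 0, as that fall-through implies — would die with `fatal("DSA keys must be 1024 bits")` instead of receiving the 1024-bit default. Move the two added lines below the default assignment: keep the existing `if (bits == 0) bits = ...;` first, then `if (type == KEY_DSA && bits != 1024) fatal("DSA keys must be 1024 bits");`. The declaration and initial value of `bits` and the right-hand side of the default lie outside this hunk, so confirm there that 0 is the unset marker before relying on this ordering. Separately, the 768 in `strtonum(optarg, 768, 32768, &errstr)` and the 1024 here are the same policy numbers the man page now states, so a named constant for each (e.g. `#define MIN_BITS_RSA 768`) would keep code and documentation from drifting. main() begins and ends outside this hunk.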