-rw-r--r-- | ssh-keygen.1 | 6 | ||||
-rw-r--r-- | ssh-keygen.c | 6 | ||||
-rw-r--r-- | ssh.h | 4 | ||||
-rw-r--r-- | sshd.8 | 17 | ||||
-rw-r--r-- | sshd.c | 6 | ||||
-rw-r--r-- | sshd_config.5 | 6 |
6 files changed, 21 insertions, 24 deletions
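--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.125 2015/02/24 15:24:05 naddy Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.126 2015/07/03 03:49:45 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: February 24 2015 $
+.Dd $Mdocdate: July 3 2015 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -244,7 +244,7 @@ This option specifies the number of primality tests to perform.
 Show the bubblebabble digest of specified private or public key file.
 .It Fl b Ar bits
 Specifies the number of bits in the key to create.
-For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
+For RSA keys, the minimum size is 1024 bits and the default is 2048 bits.
 Generally, 2048 bits is considered sufficient.
 DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
 For ECDSA keys, the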
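--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.275 2015/07/03 03:43:18 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.276 2015/07/03 03:49:45 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -217,8 +217,8 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
 		fatal("key bits exceeds maximum %d", maxbits);
 	if (type == KEY_DSA && *bitsp != 1024)
 		fatal("DSA keys must be 1024 bits");
-	else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
-		fatal("Key must at least be 768 bits");
+	else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024)
+		fatal("Key must at least be 1024 bits");
 	else if (type == KEY_ECDSA && sshkey_ecdsa_bits_to_nid(*bitsp) == -1)
 		fatal("Invalid ECDSA key length - valid lengths are "
 		    "256, 384 or 521 bits");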
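Review bot: The RSA floor is still a hard-coded literal in the new `*bitsp < 1024` test and in its error message, while this same commit introduces `SSH_RSA_MINIMUM_MODULUS_SIZE` in ssh.h and uses it in sshd.c; the next time the floor moves, what ssh-keygen will generate can drift from what sshd will accept. Replacing the two changed lines with `else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < SSH_RSA_MINIMUM_MODULUS_SIZE)` and `fatal("Key must at least be %d bits", SSH_RSA_MINIMUM_MODULUS_SIZE);` keeps a single source of truth, assuming ssh-keygen.c already includes ssh.h (its includes are outside this hunk). Note that the branch covers every type other than ECDSA and Ed25519, so with DSA pinned to 1024 on the preceding line it is effectively the RSA/RSA1 floor. type_bits_valid begins and ends outside the hunk.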
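--- a/ssh.h
+++ b/ssh.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.h,v 1.79 2010/06/25 07:14:46 djm Exp $ */
+/* $OpenBSD: ssh.h,v 1.80 2015/07/03 03:49:45 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -93,7 +93,7 @@
 #endif
 
 /* Minimum modulus size (n) for RSA keys. */
-#define SSH_RSA_MINIMUM_MODULUS_SIZE 768
+#define SSH_RSA_MINIMUM_MODULUS_SIZE 1024
 
 /* Listen backlog for sshd, ssh-agent and forwarding sockets */
 #define SSH_LISTEN_BACKLOG 128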
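Review bot: The comment above `SSH_RSA_MINIMUM_MODULUS_SIZE` still says nothing about why the floor is being raised or that it is a compatibility cut-off, which is exactly what an operator whose key is newly refused will go looking for. 768-bit RSA has been publicly factored, so this value is a security floor rather than a tuning knob; I would extend the comment to `/* Minimum modulus size (n) for RSA keys. 768-bit RSA has been publicly factored; raising this rejects existing smaller keys, so it is a compatibility break. */`. Whether the macro also gates keys received from peers is not visible in this hunk, so the comment should not claim that until the other use sites are checked.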
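--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.279 2015/05/01 07:11:47 djm Exp $
-.Dd $Mdocdate: May 1 2015 $
+.\" $OpenBSD: sshd.8,v 1.280 2015/07/03 03:49:45 djm Exp $
+.Dd $Mdocdate: July 3 2015 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -184,15 +184,12 @@ Specifies that
 .Nm
 is being run from
 .Xr inetd 8 .
+If SSH protocol 1 is enabled,
 .Nm
-is normally not run
+should not normally be run
 from inetd because it needs to generate the server key before it can
-respond to the client, and this may take tens of seconds.
-Clients would have to wait too long if the key was regenerated every time.
-However, with small key sizes (e.g. 512) using
-.Nm
-from inetd may
-be feasible.
+respond to the client, and this may take some time.
+Clients may have to wait too long if the key was regenerated every time.
 .It Fl k Ar key_gen_time
 Specifies how often the ephemeral protocol version 1 server key is
 regenerated (default 3600 seconds, or one hour).
@@ -287,7 +284,7 @@ used to identify the host.
 .Pp
 Forward security for protocol 1 is provided through
 an additional server key,
-normally 768 bits,
+normally 1024 bits,
 generated when the server starts.
 This key is normally regenerated every hour if it has been used, and
 is never stored on disk.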
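--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.452 2015/07/03 03:47:00 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.453 2015/07/03 03:49:45 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1874,8 +1874,8 @@ main(int ac, char **av)
 #ifdef WITH_SSH1
 	/* Check certain values for sanity. */
 	if (options.protocol & SSH_PROTO_1) {
-		if (options.server_key_bits < 512 ||
-		    options.server_key_bits > 32768) {
+		if (options.server_key_bits < SSH_RSA_MINIMUM_MODULUS_SIZE ||
+		    options.server_key_bits > OPENSSL_RSA_MAX_MODULUS_BITS) {
 			fprintf(stderr, "Bad server key size.\n");
 			exit(1);
 		}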
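Review bot: `fprintf(stderr, "Bad server key size.\n")` now fires for any existing `ServerKeyBits 512` or `768` configuration that started fine before this commit, yet it tells the operator neither the value it rejected nor the new bounds, so the upgrade-time failure is opaque. I would change that line to `fprintf(stderr, "Bad server key size %d: must be between %d and %d bits.\n", options.server_key_bits, SSH_RSA_MINIMUM_MODULUS_SIZE, OPENSSL_RSA_MAX_MODULUS_BITS);`. `OPENSSL_RSA_MAX_MODULUS_BITS` comes from OpenSSL's rsa.h, and the hunk does not show whether sshd.c includes it directly or only reaches it transitively; an explicit include is worth confirming. main() begins and ends outside the hunk.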
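--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.204 2015/06/05 03:44:14 djm Exp $
-.Dd $Mdocdate: June 5 2015 $
+.\" $OpenBSD: sshd_config.5,v 1.205 2015/07/03 03:49:45 djm Exp $
+.Dd $Mdocdate: July 3 2015 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1343,7 +1343,7 @@ The default is
 This option applies to protocol version 1 only.
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
-The minimum value is 512, and the default is 1024.
+The default and minimum value is 1024.
 .It Cm StreamLocalBindMask
 Sets the octal file creation mode mask
 .Pq umask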