From 26e0cef07b04479537c971dec898741df1290fe5 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Mon, 25 Mar 2019 16:19:44 +0000
Subject: upstream: Expand comment to document rationale for default key

sizes. "seems worthwhile" deraadt.

OpenBSD-Commit-ID: 72e5c0983d7da1fb72f191870f36cb58263a2456
---
 ssh-keygen.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

(limited to 'ssh-keygen.c')

diff --git a/ssh-keygen.c b/ssh-keygen.c
index 5d256a159..3898b281e 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.328 2019/03/25 15:49:00 dtucker Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.329 2019/03/25 16:19:44 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -68,8 +68,15 @@
 #endif
 
 /*
- * Default number of bits in the RSA/DSA key.  This value can be overridden
- * on the command line.
+ * Default number of bits in the RSA, DSA and ECDSA keys.  These value can be
+ * overridden on the command line.
+ *
+ * These values, with the exception of DSA, provide security equivalent to at
+ * least 128 bits of security according to NIST Special Publication 800-57:
+ * Recommendation for Key Management Part 1 rev 4 section 5.6.1.
+ * For DSA it (and FIPS-186-4 section 4.2) specifies that the only size for
+ * which a 160bit hash is acceptable is 1kbit, and since ssh-dss specifies only
+ * SHA1 we limit the DSA key size 1k bits.
  */
 #define DEFAULT_BITS		3072
 #define DEFAULT_BITS_DSA	1024
-- 
cgit v1.2.3