From ce321d8a30a81222d11a4c27fd353804a9afecd3 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 3 Oct 2005 18:11:24 +1000 Subject: - djm@cvs.openbsd.org 2005/09/13 23:40:07 [sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c] ensure that stdio fds are attached; ok deraadt@ --- ssh-keygen.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'ssh-keygen.c') diff --git a/ssh-keygen.c b/ssh-keygen.c index b17851946..92803da45 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.128 2005/07/17 07:17:55 djm Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.129 2005/09/13 23:40:07 djm Exp $"); #include #include @@ -1018,6 +1018,9 @@ main(int ac, char **av) extern int optind; extern char *optarg; + /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ + sanitise_stdfd(); + __progname = ssh_get_progname(av[0]); SSLeay_add_all_algorithms(); -- cgit v1.2.3 From 3f54a9f5b7978e8e7085f86722bc2704f7fab2e2 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 5 Nov 2005 14:52:18 +1100 Subject: - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2005/10/07 11:13:57 [ssh-keygen.c] change DSA default back to 1024, as it's defined for 1024 bits only and this causes interop problems with other clients. moreover, in order to improve the security of DSA you need to change more components of DSA key generation (e.g. the internal SHA1 hash); ok deraadt --- ChangeLog | 12 +++++++++++- ssh-keygen.c | 12 +++++++++--- 2 files changed, 20 insertions(+), 4 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index cf8031250..10c031042 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +20051105 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2005/10/07 11:13:57 + [ssh-keygen.c] + change DSA default back to 1024, as it's defined for 1024 bits only + and this causes interop problems with other clients. moreover, + in order to improve the security of DSA you need to change more + components of DSA key generation (e.g. the internal SHA1 hash); + ok deraadt + 20051102 - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup(). Reported by olavi at ipunplugged.com and antoine.brodin at laposte.net @@ -3130,4 +3140,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3926 2005/11/01 22:07:31 dtucker Exp $ +$Id: ChangeLog,v 1.3927 2005/11/05 03:52:18 djm Exp $ diff --git a/ssh-keygen.c b/ssh-keygen.c index 92803da45..89686f5ac 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.129 2005/09/13 23:40:07 djm Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.130 2005/10/07 11:13:57 markus Exp $"); #include #include @@ -35,8 +35,10 @@ RCSID("$OpenBSD: ssh-keygen.c,v 1.129 2005/09/13 23:40:07 djm Exp $"); #endif #include "dns.h" -/* Number of bits in the RSA/DSA key. This value can be changed on the command line. */ -u_int32_t bits = 2048; +/* Number of bits in the RSA/DSA key. This value can be set on the command line. */ +#define DEFAULT_BITS 2048 +#define DEFAULT_BITS_DSA 1024 +u_int32_t bits = 0; /* * Flag indicating that we just want to change the passphrase. This can be @@ -1217,6 +1219,8 @@ main(int ac, char **av) out_file, strerror(errno)); return (1); } + if (bits == 0) + bits = DEFAULT_BITS; if (gen_candidates(out, memory, bits, start) != 0) fatal("modulus candidate generation failed\n"); @@ -1258,6 +1262,8 @@ main(int ac, char **av) } if (!quiet) printf("Generating public/private %s key pair.\n", key_type_name); + if (bits == 0) + bits = (type == KEY_DSA) ? DEFAULT_BITS_DSA : DEFAULT_BITS; private = key_generate(type, bits); if (private == NULL) { fprintf(stderr, "key_generate failed"); -- cgit v1.2.3 From 15d72a00a3cd922f284b8a779a955733f487450f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 5 Nov 2005 15:07:33 +1100 Subject: - stevesk@cvs.openbsd.org 2005/10/14 02:17:59 [ssh-keygen.c ssh.c sshconnect2.c] no trailing "\n" for log functions; ok djm@ --- ChangeLog | 5 ++++- ssh-keygen.c | 6 +++--- ssh.c | 8 ++++---- sshconnect2.c | 4 ++-- 4 files changed, 13 insertions(+), 10 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index 2479962b3..82b793f89 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,9 @@ - stevesk@cvs.openbsd.org 2005/10/13 22:24:31 [auth2-gss.c gss-genr.c gss-serv.c monitor.c] KNF; ok djm@ + - stevesk@cvs.openbsd.org 2005/10/14 02:17:59 + [ssh-keygen.c ssh.c sshconnect2.c] + no trailing "\n" for log functions; ok djm@ 20051102 - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup(). @@ -3166,4 +3169,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3934 2005/11/05 04:07:05 djm Exp $ +$Id: ChangeLog,v 1.3935 2005/11/05 04:07:33 djm Exp $ diff --git a/ssh-keygen.c b/ssh-keygen.c index 89686f5ac..040813c5a 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.130 2005/10/07 11:13:57 markus Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.131 2005/10/14 02:17:59 stevesk Exp $"); #include #include @@ -1222,7 +1222,7 @@ main(int ac, char **av) if (bits == 0) bits = DEFAULT_BITS; if (gen_candidates(out, memory, bits, start) != 0) - fatal("modulus candidate generation failed\n"); + fatal("modulus candidate generation failed"); return (0); } @@ -1245,7 +1245,7 @@ main(int ac, char **av) out_file, strerror(errno)); } if (prime_test(in, out, trials, generator_wanted) != 0) - fatal("modulus screening failed\n"); + fatal("modulus screening failed"); return (0); } diff --git a/ssh.c b/ssh.c index 2c2b680a2..e51ead726 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.251 2005/09/19 15:42:44 jmc Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.252 2005/10/14 02:17:59 stevesk Exp $"); #include #include @@ -1013,7 +1013,7 @@ ssh_control_listener(void) fatal("ControlPath too long"); if ((control_fd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) - fatal("%s socket(): %s\n", __func__, strerror(errno)); + fatal("%s socket(): %s", __func__, strerror(errno)); old_umask = umask(0177); if (bind(control_fd, (struct sockaddr*)&addr, addr_len) == -1) { @@ -1022,12 +1022,12 @@ ssh_control_listener(void) fatal("ControlSocket %s already exists", options.control_path); else - fatal("%s bind(): %s\n", __func__, strerror(errno)); + fatal("%s bind(): %s", __func__, strerror(errno)); } umask(old_umask); if (listen(control_fd, 64) == -1) - fatal("%s listen(): %s\n", __func__, strerror(errno)); + fatal("%s listen(): %s", __func__, strerror(errno)); set_nonblock(control_fd); } diff --git a/sshconnect2.c b/sshconnect2.c index ee7932d68..adf967281 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.142 2005/08/30 22:08:05 djm Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.143 2005/10/14 02:17:59 stevesk Exp $"); #include "openbsd-compat/sys-queue.h" @@ -702,7 +702,7 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) packet_check_eom(); - debug("Server GSSAPI Error:\n%s\n", msg); + debug("Server GSSAPI Error:\n%s", msg); xfree(msg); xfree(lang); } -- cgit v1.2.3 From 788f212aed68781efe7aa80e625c5f8cd4d98100 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 5 Nov 2005 15:14:59 +1100 Subject: - djm@cvs.openbsd.org 2005/10/30 08:52:18 [clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c] [ssh.c sshconnect.c sshconnect1.c sshd.c] no need to escape single quotes in comments, no binary change --- ChangeLog | 6 +++++- clientloop.c | 4 ++-- packet.c | 4 ++-- serverloop.c | 4 ++-- session.c | 6 +++--- ssh-agent.c | 4 ++-- ssh-keygen.c | 4 ++-- ssh.c | 6 +++--- sshconnect.c | 4 ++-- sshconnect1.c | 8 ++++---- sshd.c | 6 +++--- 11 files changed, 30 insertions(+), 26 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index 85a2545cc..9adfbb7b1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -71,6 +71,10 @@ - jmc@cvs.openbsd.org 2005/10/30 08:43:47 [ssh_config.5] remove trailing whitespace; + - djm@cvs.openbsd.org 2005/10/30 08:52:18 + [clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c] + [ssh.c sshconnect.c sshconnect1.c sshd.c] + no need to escape single quotes in comments, no binary change 20051102 - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup(). @@ -3204,4 +3208,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3944 2005/11/05 04:13:49 djm Exp $ +$Id: ChangeLog,v 1.3945 2005/11/05 04:14:59 djm Exp $ diff --git a/clientloop.c b/clientloop.c index b267fa142..001c8f119 100644 --- a/clientloop.c +++ b/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.144 2005/10/14 02:29:37 stevesk Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.145 2005/10/30 08:52:17 djm Exp $"); #include "ssh.h" #include "ssh1.h" @@ -113,7 +113,7 @@ extern char *host; static volatile sig_atomic_t received_window_change_signal = 0; static volatile sig_atomic_t received_signal = 0; -/* Flag indicating whether the user\'s terminal is in non-blocking mode. */ +/* Flag indicating whether the user's terminal is in non-blocking mode. */ static int in_non_blocking_mode = 0; /* Common data for the client loop code. */ diff --git a/packet.c b/packet.c index 70e0110cb..db2aa2411 100644 --- a/packet.c +++ b/packet.c @@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: packet.c,v 1.119 2005/07/28 17:36:22 markus Exp $"); +RCSID("$OpenBSD: packet.c,v 1.120 2005/10/30 08:52:17 djm Exp $"); #include "openbsd-compat/sys-queue.h" @@ -572,7 +572,7 @@ packet_send1(void) buffer_clear(&outgoing_packet); /* - * Note that the packet is now only buffered in output. It won\'t be + * Note that the packet is now only buffered in output. It won't be * actually sent until packet_write_wait or packet_write_poll is * called. */ diff --git a/serverloop.c b/serverloop.c index 17608c238..208f7e1e9 100644 --- a/serverloop.c +++ b/serverloop.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: serverloop.c,v 1.119 2005/10/10 10:23:08 djm Exp $"); +RCSID("$OpenBSD: serverloop.c,v 1.120 2005/10/30 08:52:17 djm Exp $"); #include "xmalloc.h" #include "packet.h" @@ -548,7 +548,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) * If we have no separate fderr (which is the case when we have a pty * - there we cannot make difference between data sent to stdout and * stderr), indicate that we have seen an EOF from stderr. This way - * we don\'t need to check the descriptor everywhere. + * we don't need to check the descriptor everywhere. */ if (fderr == -1) fderr_eof = 1; diff --git a/session.c b/session.c index 5e6627cb0..7863aa15f 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.187 2005/10/10 10:23:08 djm Exp $"); +RCSID("$OpenBSD: session.c,v 1.188 2005/10/30 08:52:17 djm Exp $"); #include "ssh.h" #include "ssh1.h" @@ -1419,7 +1419,7 @@ child_close_fds(void) endpwent(); /* - * Close any extra open file descriptors so that we don\'t have them + * Close any extra open file descriptors so that we don't have them * hanging around in clients. Note that we want to do this after * initgroups, because at least on Solaris 2.3 it leaves file * descriptors open. @@ -1554,7 +1554,7 @@ do_child(Session *s, const char *command) } #endif - /* Change current directory to the user\'s home directory. */ + /* Change current directory to the user's home directory. */ if (chdir(pw->pw_dir) < 0) { fprintf(stderr, "Could not chdir to home directory %s: %s\n", pw->pw_dir, strerror(errno)); diff --git a/ssh-agent.c b/ssh-agent.c index 6f0ba130d..a69c25eec 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -35,7 +35,7 @@ #include "includes.h" #include "openbsd-compat/sys-queue.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.123 2005/09/13 23:40:07 djm Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.124 2005/10/30 08:52:18 djm Exp $"); #include #include @@ -355,7 +355,7 @@ process_remove_identity(SocketEntry *e, int version) if (id != NULL) { /* * We have this key. Free the old key. Since we - * don\'t want to leave empty slots in the middle of + * don't want to leave empty slots in the middle of * the array, we actually free the key there and move * all the entries between the empty slot and the end * of the array. diff --git a/ssh-keygen.c b/ssh-keygen.c index 040813c5a..915d5580b 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.131 2005/10/14 02:17:59 stevesk Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.132 2005/10/30 08:52:18 djm Exp $"); #include #include @@ -1274,7 +1274,7 @@ main(int ac, char **av) if (!have_identity) ask_filename(pw, "Enter file in which to save the key"); - /* Create ~/.ssh directory if it doesn\'t already exist. */ + /* Create ~/.ssh directory if it doesn't already exist. */ snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, _PATH_SSH_USER_DIR); if (strstr(identity_file, dotsshdir) != NULL && stat(dotsshdir, &st) < 0) { diff --git a/ssh.c b/ssh.c index 7e8bc1f24..2227755cd 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.253 2005/10/30 04:03:24 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.254 2005/10/30 08:52:18 djm Exp $"); #include #include @@ -698,7 +698,7 @@ again: /* * Now that we are back to our own permissions, create ~/.ssh - * directory if it doesn\'t already exist. + * directory if it doesn't already exist. */ snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir, strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR); if (stat(buf, &st) < 0) @@ -810,7 +810,7 @@ static void check_agent_present(void) { if (options.forward_agent) { - /* Clear agent forwarding if we don\'t have an agent. */ + /* Clear agent forwarding if we don't have an agent. */ if (!ssh_agent_present()) options.forward_agent = 0; } diff --git a/sshconnect.c b/sshconnect.c index d8cfd35b3..2245a8af6 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.169 2005/10/15 15:28:12 stevesk Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.170 2005/10/30 08:52:18 djm Exp $"); #include @@ -603,7 +603,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, file_key = key_new(host_key->type); /* - * Check if the host key is present in the user\'s list of known + * Check if the host key is present in the user's list of known * hosts or in the systemwide list. */ host_file = user_hostfile; diff --git a/sshconnect1.c b/sshconnect1.c index bd05723c7..440d7c5bd 100644 --- a/sshconnect1.c +++ b/sshconnect1.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect1.c,v 1.61 2005/06/17 02:44:33 djm Exp $"); +RCSID("$OpenBSD: sshconnect1.c,v 1.62 2005/10/30 08:52:18 djm Exp $"); #include #include @@ -84,7 +84,7 @@ try_agent_authentication(void) /* Wait for server's response. */ type = packet_read(); - /* The server sends failure if it doesn\'t like our key or + /* The server sends failure if it doesn't like our key or does not support RSA authentication. */ if (type == SSH_SMSG_FAILURE) { debug("Server refused our key."); @@ -215,8 +215,8 @@ try_rsa_authentication(int idx) type = packet_read(); /* - * The server responds with failure if it doesn\'t like our key or - * doesn\'t support RSA authentication. + * The server responds with failure if it doesn't like our key or + * doesn't support RSA authentication. */ if (type == SSH_SMSG_FAILURE) { debug("Server refused our key."); diff --git a/sshd.c b/sshd.c index 4b5f89e2a..f0fdf5a83 100644 --- a/sshd.c +++ b/sshd.c @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.316 2005/10/30 08:29:29 dtucker Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.317 2005/10/30 08:52:18 djm Exp $"); #include #include @@ -1682,10 +1682,10 @@ main(int ac, char **av) verbose("Connection from %.500s port %d", remote_ip, remote_port); /* - * We don\'t want to listen forever unless the other side + * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is * cleared after successful authentication. A limit of zero - * indicates no limit. Note that we don\'t set the alarm in debugging + * indicates no limit. Note that we don't set the alarm in debugging * mode; it is just annoying to have the server exit just when you * are about to discover the bug. */ -- cgit v1.2.3 From f14be5ce03b0a40857f381819436602fa67c4d75 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 5 Nov 2005 15:15:49 +1100 Subject: - djm@cvs.openbsd.org 2005/10/31 11:12:49 [ssh-keygen.1 ssh-keygen.c] generate a protocol 2 RSA key by default --- ChangeLog | 5 ++++- ssh-keygen.1 | 5 ++++- ssh-keygen.c | 9 ++++----- 3 files changed, 12 insertions(+), 7 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index d6c114c74..e16e8c753 100644 --- a/ChangeLog +++ b/ChangeLog @@ -78,6 +78,9 @@ - dtucker@cvs.openbsd.org 2005/10/31 06:15:04 [sftp.c] Fix sorting with "ls -1" command. From Robert Tsai, "looks right" deraadt@ + - djm@cvs.openbsd.org 2005/10/31 11:12:49 + [ssh-keygen.1 ssh-keygen.c] + generate a protocol 2 RSA key by default 20051102 - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup(). @@ -3211,4 +3214,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.3946 2005/11/05 04:15:23 djm Exp $ +$Id: ChangeLog,v 1.3947 2005/11/05 04:15:49 djm Exp $ diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 5454d00ce..2c952ba71 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.69 2005/06/08 03:50:00 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.70 2005/10/31 11:12:49 djm Exp $ .\" .\" -*- nroff -*- .\" @@ -118,6 +118,9 @@ keys for use by SSH protocol version 2. The type of key to be generated is specified with the .Fl t option. +If invoked without any arguments, +.Nm +will generate a RSA key for use in SSH protocol 2 connections. .Pp .Nm is also used to generate groups for use in Diffie-Hellman group diff --git a/ssh-keygen.c b/ssh-keygen.c index 915d5580b..7f9c7fd1a 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.132 2005/10/30 08:52:18 djm Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.133 2005/10/31 11:12:49 djm Exp $"); #include #include @@ -1251,10 +1251,9 @@ main(int ac, char **av) arc4random_stir(); - if (key_type_name == NULL) { - printf("You must specify a key type (-t).\n"); - usage(); - } + if (key_type_name == NULL) + key_type_name = "rsa"; + type = key_type_from_name(key_type_name); if (type == KEY_UNSPEC) { fprintf(stderr, "unknown key type %s\n", key_type_name); -- cgit v1.2.3 From 9f647335d21daf0bf23257e47be98b3e18219b63 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 28 Nov 2005 16:41:46 +1100 Subject: [ssh-keygen.1 ssh-keygen.c] Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2, increase minumum RSA key size to 768 bits and update man page to reflect these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com), ok djm@, grudging ok deraadt@. --- ChangeLog | 9 ++++++++- ssh-keygen.1 | 6 +++--- ssh-keygen.c | 6 ++++-- 3 files changed, 15 insertions(+), 6 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index fb7004a94..97be30611 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,13 @@ 20051128 - (dtucker) [regress/yes-head.sh] Work around breakage caused by some versions of GNU head. Based on patch from zappaman at buraphalinux.org + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2005/11/28 05:16:53 + [ssh-keygen.1 ssh-keygen.c] + Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2, + increase minumum RSA key size to 768 bits and update man page to reflect + these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com), + ok djm@, grudging ok deraadt@. 20051126 - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer, @@ -3362,4 +3369,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4009 2005/11/28 05:41:03 dtucker Exp $ +$Id: ChangeLog,v 1.4010 2005/11/28 05:41:46 dtucker Exp $ diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 348a49ce2..ab16bcd77 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.71 2005/10/31 19:55:25 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.72 2005/11/28 05:16:53 dtucker Exp $ .\" .\" -*- nroff -*- .\" @@ -190,9 +190,9 @@ command. Show the bubblebabble digest of specified private or public key file. .It Fl b Ar bits Specifies the number of bits in the key to create. -Minimum is 512 bits. +For RSA keys, the minimum size is 768 bits and the default is 2048 bits. Generally, 2048 bits is considered sufficient. -The default is 2048 bits. +DSA keys must be exactly 1024 bits as specified by FIPS 186-2. .It Fl C Ar comment Provides a new comment. .It Fl c diff --git a/ssh-keygen.c b/ssh-keygen.c index 7f9c7fd1a..b4c651d22 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.133 2005/10/31 11:12:49 djm Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.134 2005/11/28 05:16:53 dtucker Exp $"); #include #include @@ -1046,7 +1046,7 @@ main(int ac, char **av) "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) { switch (opt) { case 'b': - bits = strtonum(optarg, 512, 32768, &errstr); + bits = strtonum(optarg, 768, 32768, &errstr); if (errstr) fatal("Bits has bad value %s (%s)", optarg, errstr); @@ -1259,6 +1259,8 @@ main(int ac, char **av) fprintf(stderr, "unknown key type %s\n", key_type_name); exit(1); } + if (type == KEY_DSA && bits != 1024) + fatal("DSA keys must be 1024 bits"); if (!quiet) printf("Generating public/private %s key pair.\n", key_type_name); if (bits == 0) -- cgit v1.2.3 From 660c3405f95fa3f1169cbeaba2bc74a37bcbea9e Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Mon, 28 Nov 2005 17:45:32 -0800 Subject: - (tim) [ssh-keygen.c] Move DSA length test after setting default when bits == 0. --- ChangeLog | 6 +++++- ssh-keygen.c | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index c8c053f6d..1be6498d9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20051129 + - (tim) [ssh-keygen.c] Move DSA length test after setting default when + bits == 0. + 20051128 - (dtucker) [regress/yes-head.sh] Work around breakage caused by some versions of GNU head. Based on patch from zappaman at buraphalinux.org @@ -3375,4 +3379,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4012 2005/11/28 11:28:59 dtucker Exp $ +$Id: ChangeLog,v 1.4013 2005/11/29 01:45:32 tim Exp $ diff --git a/ssh-keygen.c b/ssh-keygen.c index b4c651d22..3a6174ac1 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1259,12 +1259,12 @@ main(int ac, char **av) fprintf(stderr, "unknown key type %s\n", key_type_name); exit(1); } - if (type == KEY_DSA && bits != 1024) - fatal("DSA keys must be 1024 bits"); if (!quiet) printf("Generating public/private %s key pair.\n", key_type_name); if (bits == 0) bits = (type == KEY_DSA) ? DEFAULT_BITS_DSA : DEFAULT_BITS; + if (type == KEY_DSA && bits != 1024) + fatal("DSA keys must be 1024 bits"); private = key_generate(type, bits); if (private == NULL) { fprintf(stderr, "key_generate failed"); -- cgit v1.2.3 From 3af2ac56a28dd49226388505b5ebbfc778335f9c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 29 Nov 2005 13:10:24 +1100 Subject: - dtucker@cvs.openbsd.org 2005/11/29 02:04:55 [ssh-keygen.c] Populate default key sizes before checking them; from & ok tim@ --- ChangeLog | 6 +++++- ssh-keygen.c | 6 +++--- 2 files changed, 8 insertions(+), 4 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index 1be6498d9..3ce14070f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,10 @@ 20051129 - (tim) [ssh-keygen.c] Move DSA length test after setting default when bits == 0. + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2005/11/29 02:04:55 + [ssh-keygen.c] + Populate default key sizes before checking them; from & ok tim@ 20051128 - (dtucker) [regress/yes-head.sh] Work around breakage caused by some @@ -3379,4 +3383,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4013 2005/11/29 01:45:32 tim Exp $ +$Id: ChangeLog,v 1.4014 2005/11/29 02:10:24 dtucker Exp $ diff --git a/ssh-keygen.c b/ssh-keygen.c index 3a6174ac1..64fadc7a1 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.134 2005/11/28 05:16:53 dtucker Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.135 2005/11/29 02:04:55 dtucker Exp $"); #include #include @@ -1259,12 +1259,12 @@ main(int ac, char **av) fprintf(stderr, "unknown key type %s\n", key_type_name); exit(1); } - if (!quiet) - printf("Generating public/private %s key pair.\n", key_type_name); if (bits == 0) bits = (type == KEY_DSA) ? DEFAULT_BITS_DSA : DEFAULT_BITS; if (type == KEY_DSA && bits != 1024) fatal("DSA keys must be 1024 bits"); + if (!quiet) + printf("Generating public/private %s key pair.\n", key_type_name); private = key_generate(type, bits); if (private == NULL) { fprintf(stderr, "key_generate failed"); -- cgit v1.2.3