diff options
author | Darren Tucker <dtucker@cvs.openbsd.org> | 2005-11-28 05:16:54 +0000 |
---|---|---|
committer | Darren Tucker <dtucker@cvs.openbsd.org> | 2005-11-28 05:16:54 +0000 |
commit | 7582675987160293966e1d800da2d51a9a5379ad (patch) | |
tree | b6e040050e215df73ca693cb79a97e650125995f | |
parent | 88b37724a86db20d598121aaa25be3b8a3675efa (diff) |
Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2,
increase minumum RSA key size to 768 bits and update man page to reflect
these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com),
ok djm@, grudging ok deraadt@.
-rw-r--r-- | usr.bin/ssh/ssh-keygen.1 | 6 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-keygen.c | 6 |
2 files changed, 7 insertions, 5 deletions
diff --git a/usr.bin/ssh/ssh-keygen.1 b/usr.bin/ssh/ssh-keygen.1 index 348a49ce278..ab16bcd7773 100644 --- a/usr.bin/ssh/ssh-keygen.1 +++ b/usr.bin/ssh/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.71 2005/10/31 19:55:25 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.72 2005/11/28 05:16:53 dtucker Exp $ .\" .\" -*- nroff -*- .\" @@ -190,9 +190,9 @@ command. Show the bubblebabble digest of specified private or public key file. .It Fl b Ar bits Specifies the number of bits in the key to create. -Minimum is 512 bits. +For RSA keys, the minimum size is 768 bits and the default is 2048 bits. Generally, 2048 bits is considered sufficient. -The default is 2048 bits. +DSA keys must be exactly 1024 bits as specified by FIPS 186-2. .It Fl C Ar comment Provides a new comment. .It Fl c diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c index a830f54ce11..89c0cf079b1 100644 --- a/usr.bin/ssh/ssh-keygen.c +++ b/usr.bin/ssh/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.133 2005/10/31 11:12:49 djm Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.134 2005/11/28 05:16:53 dtucker Exp $"); #include <openssl/evp.h> #include <openssl/pem.h> @@ -1041,7 +1041,7 @@ main(int ac, char **av) "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) { switch (opt) { case 'b': - bits = strtonum(optarg, 512, 32768, &errstr); + bits = strtonum(optarg, 768, 32768, &errstr); if (errstr) fatal("Bits has bad value %s (%s)", optarg, errstr); @@ -1254,6 +1254,8 @@ main(int ac, char **av) fprintf(stderr, "unknown key type %s\n", key_type_name); exit(1); } + if (type == KEY_DSA && bits != 1024) + fatal("DSA keys must be 1024 bits"); if (!quiet) printf("Generating public/private %s key pair.\n", key_type_name); if (bits == 0) |