Mailing List Archive

RSA key configuration limitations
Dear colleagues,

There is a need to increase RSA key requirements to make the installations
more secure. Just updating the default compiled-in value isn't an option
because it may significantly break legacy systems compatibility. This PR
[1] introduces a new configuration option MinRSABits to be managed for
security's sake.

If this approach is OK for upstream, please let me know and I will improve
this PR according to the feedback.

[1] https://github.com/openssh/openssh-portable/pull/325

--
Dmitry Belyavskiy
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: RSA key configuration limitations [ In reply to ]
On Fri, Jun 10, 2022 at 10:50 AM Dmitry Belyavskiy <dbelyavs@redhat.com> wrote:
>
> Dear colleagues,
>
> There is a need to increase RSA key requirements to make the installations
> more secure. Just updating the default compiled-in value isn't an option
> because it may significantly break legacy systems compatibility. This PR
> [1] introduces a new configuration option MinRSABits to be managed for
> security's sake.

Document it, in plain language, and make it clear how to revert the
change for specific targets. I went *nuts* recently because the CIS
published release of RHEL 8 does not permit the older protocol
specifically labeled "ssh-rsa" for public authentication, and it
breaks SSH key based access to the Azure DevOps git server.

> If this approach is OK for upstream, please let me know and I will improve
> this PR according to the feedback.
>
> [1] https://github.com/openssh/openssh-portable/pull/325
>
> --
> Dmitry Belyavskiy
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: RSA key configuration limitations [ In reply to ]
On 10.06.22 16:50, Dmitry Belyavskiy wrote:
> There is a need to increase RSA key requirements to make the installations
> more secure. Just updating the default compiled-in value isn't an option
> because it may significantly break legacy systems compatibility. This PR
> [1] introduces a new configuration option MinRSABits to be managed for
> security's sake.
>
> If this approach is OK for upstream, please let me know and I will improve
> this PR according to the feedback.

I realize that with the *current* selection of algorithms available in
OpenSSH, fine-grained control of minimum key size almost(!) is an
RSA-only topic, but nonetheless I wonder whether newly-defined config
syntax thereto should be aimed at extensibility to other cryptalgorithms ...

Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
Re: RSA key configuration limitations [ In reply to ]
On 13/06/2022 09:29, Jochen Bern wrote:
> I realize that with the *current* selection of algorithms available in
> OpenSSH, fine-grained control of minimum key size almost(!) is an
> RSA-only topic, but nonetheless I wonder whether newly-defined config
> syntax thereto should be aimed at extensibility to other
> cryptalgorithms ...

Or in retrospect, would it have been better to define the RSA algorithms
with key size baked in?

rsa1024-sha2-256
rsa1536-sha2-256
rsa2048-sha2-256

etc

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: RSA key configuration limitations [ In reply to ]
On 13.06.22 17:35, Brian Candler wrote:
> Or in retrospect, would it have been better to define the RSA algorithms
> with key size baked in?
>
> rsa1024-sha2-256
> rsa1536-sha2-256
> rsa2048-sha2-256

Have fun writing a config that disables all(!) the keys with less than,
say, 2 kbit ...

https://en.wikipedia.org/wiki/RSA_numbers

... "min=2048" is a tad more concise.

Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
Re: RSA key configuration limitations [ In reply to ]
On Mon, Jun 13, 2022 at 10:32 AM Jochen Bern <Jochen.Bern@binect.de> wrote:

> On 10.06.22 16:50, Dmitry Belyavskiy wrote:
> > There is a need to increase RSA key requirements to make the
> installations
> > more secure. Just updating the default compiled-in value isn't an option
> > because it may significantly break legacy systems compatibility. This PR
> > [1] introduces a new configuration option MinRSABits to be managed for
> > security's sake.
> >
> > If this approach is OK for upstream, please let me know and I will
> improve
> > this PR according to the feedback.
>
> I realize that with the *current* selection of algorithms available in
> OpenSSH, fine-grained control of minimum key size almost(!) is an
> RSA-only topic, but nonetheless I wonder whether newly-defined config
> syntax thereto should be aimed at extensibility to other cryptalgorithms
> ...
>

It's not a problem to implement similar parameters for DH, EC and DSA, but
does it really make sense?

--
Dmitry Belyavskiy
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: RSA key configuration limitations [ In reply to ]
On 14.06.22 22:25, Dmitry Belyavskiy wrote:
> On Mon, Jun 13, 2022 at 10:32 AM Jochen Bern <Jochen.Bern@binect.de> wrote:
>> I realize that with the *current* selection of algorithms available in
>> OpenSSH, fine-grained control of minimum key size almost(!) is an
>> RSA-only topic, but nonetheless I wonder whether newly-defined config
>> syntax thereto should be aimed at extensibility to other cryptalgorithms
>> ...
>
> It's not a problem to implement similar parameters for DH, EC and DSA, but
> does it really make sense?

Does that imply that it will still not make sense for the Next Evolution
Encryption/Decryption Algorithm of Novel Keylengths Erratic (NEE/DANKE)?

Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
Re: RSA key configuration limitations [ In reply to ]
On Mon, Jun 13, 2022 at 4:34 AM Jochen Bern <Jochen.Bern@binect.de> wrote:

> On 10.06.22 16:50, Dmitry Belyavskiy wrote:
>
> > There is a need to increase RSA key requirements to make the
> > installations more secure. Just updating the default compiled-in
> > value isn't an option because it may significantly break legacy
> > systems compatibility. This PR [1] introduces a new configuration
> > option MinRSABits to be managed for security's sake.
> >
> > If this approach is OK for upstream, please let me know and I will
> > improve this PR according to the feedback.
>
> I realize that with the *current* selection of algorithms available
> in OpenSSH, fine-grained control of minimum key size almost(!) is an
> RSA-only topic, but nonetheless I wonder whether newly-defined
> config syntax thereto should be aimed at extensibility to other
> cryptalgorithms ...

That ship sailed long ago:

$ grep SSH_RSA_MINIMUM_MODULUS_SIZE sshkey.h
#define SSH_RSA_MINIMUM_MODULUS_SIZE 1024

It’s not worth it to attempt to refactor this approach, as with both
the ecdsa family and ed25519, the cipher name specifies the security
strength.

Dmitry’s merge request both defaults MinRSABits to
SSH_RSA_MINIMUM_MODULUS_SIZE, and prohibits setting MinRSABits to
anything less than SSH_RSA_MINIMUM_MODULUS_SIZE. So unless the
administrator specifically sets MinRSABits to something greater than
1024, it will not change the behavior of OpenSSH. It also documents
MinRSABits in the man pages, and includes MinRSABits in “ssh -G”
output. All of this seems perfectly reasonable.

NIST Special Publication 800-131A (1) prohibits the use of RSA keys
with len(n) < 2048 for all uses but legacy digital signature
verification, and an increasing number of sites (including ours) must
comply with NIST SP 800-131A. Having the MinRSABits option would make
our lives easier with respect to compliance.

(1) https://doi.org/10.6028/NIST.SP.800-131Ar2
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: RSA key configuration limitations [ In reply to ]
On Wed, Jun 15, 2022 at 5:33 AM James Ralston <ralston@pobox.com> wrote:

> On Mon, Jun 13, 2022 at 4:34 AM Jochen Bern <Jochen.Bern@binect.de> wrote:
>
> > On 10.06.22 16:50, Dmitry Belyavskiy wrote:
> >
> > > There is a need to increase RSA key requirements to make the
> > > installations more secure. Just updating the default compiled-in
> > > value isn't an option because it may significantly break legacy
> > > systems compatibility. This PR [1] introduces a new configuration
> > > option MinRSABits to be managed for security's sake.
> > >
> > > If this approach is OK for upstream, please let me know and I will
> > > improve this PR according to the feedback.
> >
> > I realize that with the *current* selection of algorithms available
> > in OpenSSH, fine-grained control of minimum key size almost(!) is an
> > RSA-only topic, but nonetheless I wonder whether newly-defined
> > config syntax thereto should be aimed at extensibility to other
> > cryptalgorithms ...
>
> That ship sailed long ago:
>
> $ grep SSH_RSA_MINIMUM_MODULUS_SIZE sshkey.h
> #define SSH_RSA_MINIMUM_MODULUS_SIZE 1024
>
> It’s not worth it to attempt to refactor this approach, as with both
> the ecdsa family and ed25519, the cipher name specifies the security
> strength.
>
> Dmitry’s merge request both defaults MinRSABits to
> SSH_RSA_MINIMUM_MODULUS_SIZE, and prohibits setting MinRSABits to
> anything less than SSH_RSA_MINIMUM_MODULUS_SIZE. So unless the
> administrator specifically sets MinRSABits to something greater than
> 1024, it will not change the behavior of OpenSSH. It also documents
> MinRSABits in the man pages, and includes MinRSABits in “ssh -G”
> output. All of this seems perfectly reasonable.
>

I also need to adjust tests.


> NIST Special Publication 800-131A (1) prohibits the use of RSA keys
> with len(n) < 2048 for all uses but legacy digital signature
> verification, and an increasing number of sites (including ours) must
> comply with NIST SP 800-131A. Having the MinRSABits option would make
> our lives easier with respect to compliance.
>
> (1) https://doi.org/10.6028/NIST.SP.800-131Ar2


Yes, and this was a part of my (unwritten) rationale :)

--
Dmitry Belyavskiy
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: RSA key configuration limitations [ In reply to ]
I've fixed the known failure and kindly ask to rerun the GitHub CI for
https://github.com/openssh/openssh-portable/pull/325 and approve the PR in
general.

On Thu, Jun 16, 2022 at 9:31 AM Dmitry Belyavskiy <dbelyavs@redhat.com>
wrote:

>
>
> On Wed, Jun 15, 2022 at 5:33 AM James Ralston <ralston@pobox.com> wrote:
>
>> On Mon, Jun 13, 2022 at 4:34 AM Jochen Bern <Jochen.Bern@binect.de>
>> wrote:
>>
>> > On 10.06.22 16:50, Dmitry Belyavskiy wrote:
>> >
>> > > There is a need to increase RSA key requirements to make the
>> > > installations more secure. Just updating the default compiled-in
>> > > value isn't an option because it may significantly break legacy
>> > > systems compatibility. This PR [1] introduces a new configuration
>> > > option MinRSABits to be managed for security's sake.
>> > >
>> > > If this approach is OK for upstream, please let me know and I will
>> > > improve this PR according to the feedback.
>> >
>> > I realize that with the *current* selection of algorithms available
>> > in OpenSSH, fine-grained control of minimum key size almost(!) is an
>> > RSA-only topic, but nonetheless I wonder whether newly-defined
>> > config syntax thereto should be aimed at extensibility to other
>> > cryptalgorithms ...
>>
>> That ship sailed long ago:
>>
>> $ grep SSH_RSA_MINIMUM_MODULUS_SIZE sshkey.h
>> #define SSH_RSA_MINIMUM_MODULUS_SIZE 1024
>>
>> It’s not worth it to attempt to refactor this approach, as with both
>> the ecdsa family and ed25519, the cipher name specifies the security
>> strength.
>>
>> Dmitry’s merge request both defaults MinRSABits to
>> SSH_RSA_MINIMUM_MODULUS_SIZE, and prohibits setting MinRSABits to
>> anything less than SSH_RSA_MINIMUM_MODULUS_SIZE. So unless the
>> administrator specifically sets MinRSABits to something greater than
>> 1024, it will not change the behavior of OpenSSH. It also documents
>> MinRSABits in the man pages, and includes MinRSABits in “ssh -G”
>> output. All of this seems perfectly reasonable.
>>
>
> I also need to adjust tests.
>
>
>> NIST Special Publication 800-131A (1) prohibits the use of RSA keys
>> with len(n) < 2048 for all uses but legacy digital signature
>> verification, and an increasing number of sites (including ours) must
>> comply with NIST SP 800-131A. Having the MinRSABits option would make
>> our lives easier with respect to compliance.
>>
>> (1) https://doi.org/10.6028/NIST.SP.800-131Ar2
>
>
> Yes, and this was a part of my (unwritten) rationale :)
>
> --
> Dmitry Belyavskiy
>


--
Dmitry Belyavskiy
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: RSA key configuration limitations [ In reply to ]
Any feedback please? The CI failures on Github seem irrelevant.

On Thu, Jun 23, 2022 at 2:12 PM Dmitry Belyavskiy <dbelyavs@redhat.com>
wrote:

> I've fixed the known failure and kindly ask to rerun the GitHub CI for
> https://github.com/openssh/openssh-portable/pull/325 and approve the PR
> in general.
>
> On Thu, Jun 16, 2022 at 9:31 AM Dmitry Belyavskiy <dbelyavs@redhat.com>
> wrote:
>
>>
>>
>> On Wed, Jun 15, 2022 at 5:33 AM James Ralston <ralston@pobox.com> wrote:
>>
>>> On Mon, Jun 13, 2022 at 4:34 AM Jochen Bern <Jochen.Bern@binect.de>
>>> wrote:
>>>
>>> > On 10.06.22 16:50, Dmitry Belyavskiy wrote:
>>> >
>>> > > There is a need to increase RSA key requirements to make the
>>> > > installations more secure. Just updating the default compiled-in
>>> > > value isn't an option because it may significantly break legacy
>>> > > systems compatibility. This PR [1] introduces a new configuration
>>> > > option MinRSABits to be managed for security's sake.
>>> > >
>>> > > If this approach is OK for upstream, please let me know and I will
>>> > > improve this PR according to the feedback.
>>> >
>>> > I realize that with the *current* selection of algorithms available
>>> > in OpenSSH, fine-grained control of minimum key size almost(!) is an
>>> > RSA-only topic, but nonetheless I wonder whether newly-defined
>>> > config syntax thereto should be aimed at extensibility to other
>>> > cryptalgorithms ...
>>>
>>> That ship sailed long ago:
>>>
>>> $ grep SSH_RSA_MINIMUM_MODULUS_SIZE sshkey.h
>>> #define SSH_RSA_MINIMUM_MODULUS_SIZE 1024
>>>
>>> It’s not worth it to attempt to refactor this approach, as with both
>>> the ecdsa family and ed25519, the cipher name specifies the security
>>> strength.
>>>
>>> Dmitry’s merge request both defaults MinRSABits to
>>> SSH_RSA_MINIMUM_MODULUS_SIZE, and prohibits setting MinRSABits to
>>> anything less than SSH_RSA_MINIMUM_MODULUS_SIZE. So unless the
>>> administrator specifically sets MinRSABits to something greater than
>>> 1024, it will not change the behavior of OpenSSH. It also documents
>>> MinRSABits in the man pages, and includes MinRSABits in “ssh -G”
>>> output. All of this seems perfectly reasonable.
>>>
>>
>> I also need to adjust tests.
>>
>>
>>> NIST Special Publication 800-131A (1) prohibits the use of RSA keys
>>> with len(n) < 2048 for all uses but legacy digital signature
>>> verification, and an increasing number of sites (including ours) must
>>> comply with NIST SP 800-131A. Having the MinRSABits option would make
>>> our lives easier with respect to compliance.
>>>
>>> (1) https://doi.org/10.6028/NIST.SP.800-131Ar2
>>
>>
>> Yes, and this was a part of my (unwritten) rationale :)
>>
>> --
>> Dmitry Belyavskiy
>>
>
>
> --
> Dmitry Belyavskiy
>


--
Dmitry Belyavskiy
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: RSA key configuration limitations [ In reply to ]
On Tue, 28 Jun 2022, Dmitry Belyavskiy wrote:

> Any feedback please? The CI failures on Github seem irrelevant.

We'll get to it - please be patient
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev