From 01178d1eef6618f95e87b5548509cf12c740a9e6 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich
Date: Thu, 2 May 2024 16:16:48 +0200
Subject: [PATCH] Make default key sizes configurable in sshd-keygen

Resolves: RHEL-26454

Signed-off-by: Zoltan Fridrich
---
 openssh.spec | 2 ++
 sshd-keygen  | 12 +++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/openssh.spec b/openssh.spec
index e682f3e..4a8b521 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -804,6 +804,8 @@ test -f %{sysconfig_anaconda} && \
 * Thu May 02 2024 Zoltan Fridrich - 8.7p1-40
 - Correctly audit hostname and IP address
   Resolves: RHEL-22316
+- Make default key sizes configurable in sshd-keygen
+  Resolves: RHEL-26454
 
 * Wed Apr 24 2024 Dmitry Belyavskiy - 8.7p1-39
 - Use FIPS-compatible API for key derivation
diff --git a/sshd-keygen b/sshd-keygen
index 141814c..0fd2a53 100644
--- a/sshd-keygen
+++ b/sshd-keygen
@@ -9,8 +9,14 @@ case $KEYTYPE in
 		if [[ -r "$FIPS" && $(cat $FIPS) == "1" ]]; then
 			exit 0
 		fi ;;
-	"rsa") ;; # always ok
-	"ecdsa") ;;
+	"rsa")
+		if [[ ! -z $SSH_RSA_BITS ]]; then
+			SSH_KEYGEN_OPTIONS="-b $SSH_RSA_BITS"
+		fi ;; # always ok
+	"ecdsa")
+		if [[ ! -z $SSH_ECDSA_BITS ]]; then
+			SSH_KEYGEN_OPTIONS="-b $SSH_ECDSA_BITS"
+		fi ;;
 	*) # wrong argument
 		exit 12 ;;
 esac
@@ -25,7 +31,7 @@ fi
 rm -f $KEY{,.pub}
 
 # create new keys
-if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
+if ! $KEYGEN -q -t $KEYTYPE $SSH_KEYGEN_OPTIONS -f $KEY -C '' -N '' >&/dev/null; then
 	exit 1
 fi
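Review bot: `SSH_KEYGEN_OPTIONS` is only ever assigned inside the `"rsa"` and `"ecdsa"` arms, so for `dsa`, or whenever `SSH_RSA_BITS`/`SSH_ECDSA_BITS` is unset, whatever value the calling environment already holds for `SSH_KEYGEN_OPTIONS` is handed unchanged to ssh-keygen in the later hunk — unless it is initialized above this hunk, which is not visible here; adding `SSH_KEYGEN_OPTIONS=` before the `case` removes that dependence on the caller's environment. The configured bit size is also taken verbatim and later expanded unquoted, so a value containing whitespace becomes several extra ssh-keygen arguments; restricting it to digits, `[[ $SSH_RSA_BITS =~ ^[0-9]+$ ]] || exit 12` (and the same for `SSH_ECDSA_BITS`), keeps `-b` to the single numeric operand ssh-keygen expects and turns a misconfiguration into a clear exit code. Stylistically `[[ ! -z $SSH_RSA_BITS ]]` reads more directly as `[[ -n "$SSH_RSA_BITS" ]]`, and the `# always ok` comment now trails the `fi ;;` rather than the `"rsa")` arm it originally described. The enclosing `case` statement ends at `esac` inside the hunk, but the script continues beyond it.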
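Review bot: With the new `$SSH_KEYGEN_OPTIONS` expansion, a bit size that ssh-keygen rejects (for example an ECDSA size that does not correspond to a curve it supports) now makes the command fail, and the existing `>&/dev/null` discards the only explanation, so the caller sees a bare exit status 1 with nothing in the journal pointing at the configured value. Consider keeping stderr, or printing a diagnostic before `exit 1`, e.g. `echo "sshd-keygen: ssh-keygen failed for $KEYTYPE ${SSH_KEYGEN_OPTIONS}" >&2`. The unquoted expansion is intentional here so that `-b N` splits into two arguments; a comment such as `# unquoted on purpose: holds "-b <bits>" as two words` would stop a later quoting cleanup from breaking it.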