From d23ed3303114ffaf4a1c1425a29722a33497ea00 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich
Date: Thu, 9 May 2024 17:08:11 +0200
Subject: [PATCH] Make default key sizes configurable in sshd-keygen

Signed-off-by: Zoltan Fridrich
---
 openssh.spec | 1 +
 sshd-keygen | 12 +++++++++---
 sshd.sysconfig | 3 +++
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/openssh.spec b/openssh.spec
index f59b803..38863a1 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -744,6 +744,7 @@ test -f %{sysconfig_anaconda} && \
 %changelog
 * Thu May 09 2024 Zoltan Fridrich - 9.6p1-1.3
 - Correctly audit hostname and IP address (RHEL-22316)
+- Make default key sizes configurable in sshd-keygen (RHEL-26454)
 * Thu Jan 25 2024 Fedora Release Engineering - 9.6p1-1.2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 
diff --git a/sshd-keygen b/sshd-keygen
index 170ada0..b15fc8c 100644
--- a/sshd-keygen
+++ b/sshd-keygen
@@ -9,8 +9,14 @@ case $KEYTYPE in
 if [[ -r "$FIPS" && $(cat $FIPS) == "1" ]]; then
 exit 0
 fi ;;
-"rsa") ;; # always ok
-"ecdsa") ;;
+"rsa")
+if [[ ! -z $SSH_RSA_BITS ]]; then
+SSH_KEYGEN_OPTIONS="-b $SSH_RSA_BITS"
+fi ;; # always ok
+"ecdsa")
+if [[ ! -z $SSH_ECDSA_BITS ]]; then
+SSH_KEYGEN_OPTIONS="-b $SSH_ECDSA_BITS"
+fi ;;
 *) # wrong argument
 exit 12 ;;
 esac
@@ -25,7 +31,7 @@ fi
 rm -f $KEY{,.pub}
 
 # create new keys
-if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
+if ! $KEYGEN -q -t $KEYTYPE $SSH_KEYGEN_OPTIONS -f $KEY -C '' -N '' >&/dev/null; then
 exit 1
 fi
 
diff --git a/sshd.sysconfig b/sshd.sysconfig
index a217ce7..ee44ae6 100644
--- a/sshd.sysconfig
+++ b/sshd.sysconfig
@@ -5,3 +5,6 @@
 # example using systemctl enable sshd-keygen@dsa.service to allow creation
 # of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
 # creation.
+
+#SSH_RSA_BITS=3072
+#SSH_ECDSA_BITS=256
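Review bot: The new `"rsa"` and `"ecdsa"` arms build the `-b` option from SSH_RSA_BITS / SSH_ECDSA_BITS without checking that the value is a number, so a typo in the sysconfig file makes ssh-keygen fail, the script exits 1 with the message hidden by the existing `>&/dev/null`, and the host is left without that key and without a diagnostic. A one-line guard per arm keeps the failure visible, e.g. `[[ $SSH_RSA_BITS =~ ^[0-9]+$ ]] || { echo "sshd-keygen: SSH_RSA_BITS must be a number" >&2; exit 12; }` (same for SSH_ECDSA_BITS; whether to reuse the "wrong argument" code 12 or pick a dedicated one is a maintainer choice), and `[[ -n $SSH_RSA_BITS ]]` is the idiomatic form of `! -z`. SSH_KEYGEN_OPTIONS is not initialised anywhere in the hunk; if it is not cleared earlier in the script, a value inherited from the environment would be passed to ssh-keygen for every key type, so an explicit `SSH_KEYGEN_OPTIONS=` before the case is worth adding. The enclosing `case $KEYTYPE in` starts before the hunk.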
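Review bot: `$SSH_KEYGEN_OPTIONS` on the ssh-keygen line is deliberately unquoted so that `-b N` splits into two arguments, but that relies on word-splitting of a string and is what ShellCheck flags as SC2086; a bash array does the same job with every expansion quoted. Declaring `SSH_KEYGEN_OPTIONS=()` before the case, assigning `SSH_KEYGEN_OPTIONS=(-b "$SSH_RSA_BITS")` in the arms of the first hunk, and expanding `"${SSH_KEYGEN_OPTIONS[@]}"` here preserves the behaviour. `$KEYGEN`, `$KEYTYPE` and `$KEY` were already unquoted on this line before the change, so this is a style point rather than a regression introduced by the commit.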
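Review bot: The two new commented settings in sshd.sysconfig say nothing about what they control or which values ssh-keygen will accept, so a reader has to open sshd-keygen to find out. A short comment above them would close that gap, e.g. `# Key sizes in bits passed to ssh-keygen -b when sshd-keygen creates the RSA and ECDSA host keys; ECDSA accepts only 256, 384 or 521. Leave unset to use ssh-keygen's built-in defaults.`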