Make default key sizes configurable in sshd-keygen

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
2024-05-09 17:08:11 +02:00 · 2024-05-09 17:08:11 +02:00 · d23ed33031
commit d23ed33031
parent 2e80dd6896
3 changed files with 13 additions and 3 deletions
--- a/openssh.spec
+++ b/openssh.spec
@ -744,6 +744,7 @@ test -f %{sysconfig_anaconda} && \
 %changelog
 * Thu May 09 2024 Zoltan Fridrich <zfridric@redhat.com> - 9.6p1-1.3
 - Correctly audit hostname and IP address (RHEL-22316)
 - Make default key sizes configurable in sshd-keygen (RHEL-26454)
 * Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.6p1-1.2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
--- a/12
+++ b/12
@ -9,8 +9,14 @@ case $KEYTYPE in
 		if [[ -r "$FIPS" && $(cat $FIPS) == "1" ]]; then
 			exit 0
 		fi ;;
-	"rsa") ;; # always ok
+	"rsa")
-	"ecdsa") ;;
+		if [[ ! -z $SSH_RSA_BITS  ]]; then
 			SSH_KEYGEN_OPTIONS="-b $SSH_RSA_BITS"
 		fi ;; # always ok
 	"ecdsa") 
 		if [[ ! -z $SSH_ECDSA_BITS  ]]; then
 			SSH_KEYGEN_OPTIONS="-b $SSH_ECDSA_BITS"
 		fi ;;
 	*) # wrong argument
 		exit 12 ;;
 esac
@ -25,7 +31,7 @@ fi
 rm -f $KEY{,.pub}
 # create new keys
-if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then
+if ! $KEYGEN -q -t $KEYTYPE $SSH_KEYGEN_OPTIONS -f $KEY -C '' -N '' >&/dev/null; then
 	exit 1
 fi
--- a/sshd.sysconfig
+++ b/sshd.sysconfig
@ -5,3 +5,6 @@
 # example using  systemctl enable sshd-keygen@dsa.service  to allow creation
 # of DSA key or  systemctl mask sshd-keygen@rsa.service  to disable RSA key
 # creation.
 #SSH_RSA_BITS=3072
 #SSH_ECDSA_BITS=256