Make default key sizes configurable in sshd-keygen

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
This commit is contained in:
Zoltan Fridrich 2024-05-09 17:08:11 +02:00
parent 2e80dd6896
commit d23ed33031
3 changed files with 13 additions and 3 deletions

View File

@ -744,6 +744,7 @@ test -f %{sysconfig_anaconda} && \
%changelog %changelog
* Thu May 09 2024 Zoltan Fridrich <zfridric@redhat.com> - 9.6p1-1.3 * Thu May 09 2024 Zoltan Fridrich <zfridric@redhat.com> - 9.6p1-1.3
- Correctly audit hostname and IP address (RHEL-22316) - Correctly audit hostname and IP address (RHEL-22316)
- Make default key sizes configurable in sshd-keygen (RHEL-26454)
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.6p1-1.2 * Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 9.6p1-1.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild

View File

@ -9,8 +9,14 @@ case $KEYTYPE in
if [[ -r "$FIPS" && $(cat $FIPS) == "1" ]]; then if [[ -r "$FIPS" && $(cat $FIPS) == "1" ]]; then
exit 0 exit 0
fi ;; fi ;;
"rsa") ;; # always ok "rsa")
"ecdsa") ;; if [[ ! -z $SSH_RSA_BITS ]]; then
SSH_KEYGEN_OPTIONS="-b $SSH_RSA_BITS"
fi ;; # always ok
"ecdsa")
if [[ ! -z $SSH_ECDSA_BITS ]]; then
SSH_KEYGEN_OPTIONS="-b $SSH_ECDSA_BITS"
fi ;;
*) # wrong argument *) # wrong argument
exit 12 ;; exit 12 ;;
esac esac
@ -25,7 +31,7 @@ fi
rm -f $KEY{,.pub} rm -f $KEY{,.pub}
# create new keys # create new keys
if ! $KEYGEN -q -t $KEYTYPE -f $KEY -C '' -N '' >&/dev/null; then if ! $KEYGEN -q -t $KEYTYPE $SSH_KEYGEN_OPTIONS -f $KEY -C '' -N '' >&/dev/null; then
exit 1 exit 1
fi fi

View File

@ -5,3 +5,6 @@
# example using systemctl enable sshd-keygen@dsa.service to allow creation # example using systemctl enable sshd-keygen@dsa.service to allow creation
# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key # of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
# creation. # creation.
#SSH_RSA_BITS=3072
#SSH_ECDSA_BITS=256