Set minimal value of RSA key length via configuration option

Related: rhbz#2066882
2022-08-16 19:33:50 +02:00 · 2022-08-16 19:33:50 +02:00 · d925600c40
commit d925600c40
parent a0db6b2b7f
2 changed files with 15 additions and 0 deletions
--- a/openssh-8.7p1-minrsabits.patch
+++ b/openssh-8.7p1-minrsabits.patch
@ -262,6 +262,19 @@ index 67f8e0309..d050c1656 100644
 	if (verify_host_key(xxx_host, xxx_hostaddr, hostkey,
 	    xxx_conn_info) == -1)
 		fatal("Host key verification failed.");
+@@ -1762,6 +1762,12 @@ load_identity_file(Identity *id)
+ 			private = NULL;
+ 			quit = 1;
+ 		}
+		if (r = sshkey_check_rsa_length(private, options.rsa_min_size) != 0) {
+			debug_fr(r, "Skipping key %s", id->filename);
+			sshkey_free(private);
+			private = NULL;
+			quit = 1;
+		}
+ 		if (!quit && private != NULL && id->agent_fd == -1 &&
+ 		    !(id->key && id->isprivate))
+ 			maybe_add_key_to_agent(id->filename, private, comment,
@@ -1747,6 +1751,12 @@ pubkey_prepare(struct ssh *ssh, Authctxt *authctxt)
 		close(agent_fd);
 	} else {
--- a/openssh.spec
+++ b/openssh.spec
@ -737,6 +737,8 @@ test -f %{sysconfig_anaconda} && \
 * Tue Aug 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-22
 - Avoid spirous message on connecting to the machine with ssh-rsa keys
  Related: rhbz#2115246
+- Set minimal value of RSA key length via configuration option
+  Related: rhbz#2066882

 * Thu Aug 04 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-21
 - IBMCA workaround