
List:       openssh-bugs
Subject:    [Bug 2897] New: Short RSA key in RevokedKeys prevents everyone from logging in
From:       bugzilla-daemon@bugzilla.mindrot.org
Date:       2018-08-20 23:59:49
Message-ID: bug-2897-705@https.bugzilla.mindrot.org/

https://bugzilla.mindrot.org/show_bug.cgi?id=2897

            Bug ID: 2897
           Summary: Short RSA key in RevokedKeys prevents everyone from
                    logging in
           Product: Portable OpenSSH
           Version: 7.6p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs@mindrot.org
          Reporter: colin@colincoghill.com

We make use of the RevokedKeys feature to list some old keys that we
don't want people able to use any more. Included in this list are some
RSA keys <1024 bits in length. They're insecure, which is why we revoke
them explicitly.

When sshd tries to read the RevokedKeys file it errors on the short key
and as a result refuses to let anyone log in. I presume this is related
to such keys no longer being accepted for authentication.

7.5p1 works fine
7.6p1 errors

logs:

sshd[22012]: error: Error checking authentication key RSA SHA256:xxxxxxxxxxxxxxxxxxxxxx in revoked keys file /etc/ssh/revoked_keys: Invalid key length


We have fixed this for our case by removing the revoked short keys, but
since the effect at the time was to lock us out of a server purely as a
result of upgrading openssh-server, I wanted to make a note that it
could be quite a bad situation for some folk.

Ideally having an unacceptable key in RevokedKeys shouldn't prevent all
logins. It's a place where insecure keys *should* be listed.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
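A pre-flight check for the failure mode described in the report above, added here as an example; it is not code from the bug reporter or from OpenSSH. It parses a plain-text RevokedKeys list (the "one public key per line" form, not a binary KRL), decodes each ssh-rsa blob down to its modulus and flags entries shorter than 1024 bits, the minimum that OpenSSH 7.6 accepts (that threshold is an assumption taken from the 7.6 release notes; adjust MIN_RSA_BITS for the sshd you run). Undecodable entries are reported too, since any load error in that file also refuses all logins. The sample file, including the RSA moduli, is constructed for the example and contains no real keys.

```python
"""Pre-flight check for an OpenSSH RevokedKeys list: flag RSA entries whose
modulus is shorter than the minimum sshd 7.6 will load (1024 bits).

Added example, not code from OpenSSH or from the bug reporter.
Assumptions: the file is the plain-text "one public key per line" form
(not a binary KRL), and the 1024-bit threshold matches the sshd in use."""

import base64
import struct

MIN_RSA_BITS = 1024  # assumption: minimum RSA size OpenSSH 7.6 sshd accepts

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix followed by bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: minimal big-endian bytes,
    with a leading 0x00 if the top bit would otherwise read as a sign bit."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def read_string(buf: bytes, off: int):
    """Parse one RFC 4251 string at buf[off]; return (bytes, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


def rsa_modulus_bits(blob: bytes):
    """Return the RSA modulus length in bits, or None for non-RSA blobs."""
    key_type, off = read_string(blob, 0)
    if key_type != b"ssh-rsa":
        return None
    _e, off = read_string(blob, off)   # public exponent, not needed here
    n, _off = read_string(blob, off)   # modulus
    return int.from_bytes(n, "big").bit_length()


def check_revoked_keys(text: str):
    """Return [(line_number, reason)] for every entry sshd would refuse to load."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # The key type may be preceded by options, so locate it by name.
        idx = next((i for i, tok in enumerate(fields)
                    if tok in KEY_TYPES and i + 1 < len(fields)), None)
        if idx is None:
            problems.append((lineno, "no recognised key type"))
            continue
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
            bits = rsa_modulus_bits(blob)
        except (ValueError, struct.error) as exc:  # binascii.Error is a ValueError
            problems.append((lineno, f"undecodable key: {exc}"))
            continue
        if bits is not None and bits < MIN_RSA_BITS:
            problems.append((lineno, f"RSA key is {bits} bits (< {MIN_RSA_BITS})"))
    return problems


def synthetic_rsa_line(bits: int, comment: str) -> str:
    """Build an ssh-rsa line whose modulus is exactly `bits` bits long.
    Constructed for the example only: the modulus is not a real RSA key."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << (bits - 1)) | 1)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Constructed sample RevokedKeys file: one acceptable RSA key, one that 7.6
# rejects, one non-RSA key, and one corrupt line.
SAMPLE_REVOKED_KEYS = "\n".join([
    "# keys we no longer want to accept",
    synthetic_rsa_line(2048, "old-laptop"),
    synthetic_rsa_line(512, "ancient-backup-host"),
    "ssh-ed25519 "
    + base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()
    + " test-ed25519",
    "ssh-rsa not*base64* garbage",
])

if __name__ == "__main__":
    for lineno, reason in check_revoked_keys(SAMPLE_REVOKED_KEYS):
        print(f"line {lineno}: {reason}")
```

Run it against /etc/ssh/revoked_keys before upgrading openssh-server; any line it reports should be converted to a KRL entry with ssh-keygen -k (revocation by key ID or serial does not require loading the key) or dropped, so that a key sshd will no longer authenticate cannot also stop it from reading the file.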
