https://bugzilla.mindrot.org/show_bug.cgi?id=2897
Bug ID: 2897
Summary: Short RSA key in RevokedKeys prevents everyone from logging in
Product: Portable OpenSSH
Version: 7.6p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: sshd
Assignee: [email protected]
Reporter: [email protected]
We make use of the RevokedKeys feature to list some old keys that we
don't want people to be able to use any more. Included in this list are some
RSA keys <1024 bits in length. They're insecure, which is why we revoke
them explicitly.
When sshd tries to read the RevokedKeys file it errors on the short key
and as a result refuses to let anyone log in. I presume this is related
to such keys no longer being accepted for authentication.
7.5p1 works fine
7.6p1 errors
logs:
sshd[22012]: error: Error checking authentication key RSA
SHA256:xxxxxxxxxxxxxxxxxxxxxx in revoked keys file
/etc/ssh/revoked_keys: Invalid key length
We have fixed this for our case by removing the revoked short keys, but
since the effect at the time was to lock us out of a server purely as a
result of upgrading openssh-server, I wanted to make a note that it
could be quite a bad situation for some folk.
Ideally having an unacceptable key in RevokedKeys shouldn't prevent all
logins. It's a place where insecure keys *should* be listed.
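A pre-upgrade check for the situation described in this report, added here as an example (it is not OpenSSH code or the reporter's own tooling): it parses a text-format RevokedKeys file, decodes each ssh-rsa blob to read the modulus size, and lists the entries a 7.6 sshd would refuse, so they can be dealt with before the upgrade instead of being discovered as a lockout. The 1024-bit threshold follows the report; the file contents and key material are constructed, and the helper names are this example's own.

```python
import base64
import struct

MIN_RSA_BITS = 1024  # smallest RSA modulus sshd 7.6 accepts; the reporter's were shorter

def _string(data):  # SSH wire-format string: uint32 big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data

def _mpint(value):  # SSH mpint: big-endian, with a leading zero byte when the top bit is set
    return _string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _read_string(blob, offset):
    # Parse one wire-format string at offset, returning (bytes, next_offset)
    end = offset + 4 + struct.unpack_from(">I", blob, offset)[0]  # struct.error if cut off
    if end > len(blob):
        raise ValueError("truncated string body")
    return blob[offset + 4:end], end

def rsa_bits_from_blob(blob):
    # ssh-rsa blob layout: string "ssh-rsa", mpint e, mpint n; None when not an RSA key
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        return None
    n = _read_string(blob, _read_string(blob, off)[1])[0]  # skip e, read modulus n
    return int.from_bytes(n, "big").bit_length()

def find_short_rsa_keys(revoked_keys_text, min_bits=MIN_RSA_BITS):
    # List every RevokedKeys entry a 7.6 sshd would refuse; one bad line does not stop the scan
    findings = []
    for line_no, raw in enumerate(revoked_keys_text.splitlines(), start=1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        try:
            bits = rsa_bits_from_blob(base64.b64decode(fields[1], validate=True))
        except (IndexError, ValueError, struct.error) as exc:  # binascii.Error is a ValueError
            findings.append((line_no, f"unparseable: {exc}"))
            continue
        if bits is not None and bits < min_bits:
            findings.append((line_no, f"rsa {bits} bits < {min_bits}"))
    return findings

def make_rsa_line(modulus_bits, comment):
    # Constructed ssh-rsa entry for the sample file: the modulus is just an odd number of that size
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (modulus_bits - 1)) | 1)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

# Constructed sample: a comment, a 512-bit key like the reporter's, a 2048-bit key, a garbage line
SAMPLE_REVOKED_KEYS = "\n".join(["# revoked keys (constructed sample)", make_rsa_line(512, "old-laptop-2009"),
                                 make_rsa_line(2048, "contractor-2016"), "not a key at all"])
```

Running `find_short_rsa_keys(SAMPLE_REVOKED_KEYS)` flags line 2 as a 512-bit RSA key and line 4 as unparseable while leaving the 2048-bit entry alone.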