NetBSD Problem Report #47540
From www@NetBSD.org Thu Feb 7 14:06:40 2013
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
by www.NetBSD.org (Postfix) with ESMTP id 6DCA763EF79
for <gnats-bugs@gnats.NetBSD.org>; Thu, 7 Feb 2013 14:06:40 +0000 (UTC)
Message-Id: <20130207140639.B4B1C63EF79@www.NetBSD.org>
Date: Thu, 7 Feb 2013 14:06:39 +0000 (UTC)
From: m4j0rd0m0@gmail.com
Reply-To: m4j0rd0m0@gmail.com
To: gnats-bugs@NetBSD.org
Subject: No DSA key files generated when ssh_keygen_flags != "-b 1024" in rc.conf
X-Send-Pr-Version: www-1.0
>Number: 47540
>Category: bin
>Synopsis: No DSA key files generated when ssh_keygen_flags != "-b 1024" in rc.conf
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: closed
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Thu Feb 07 14:10:00 +0000 2013
>Closed-Date: Thu Feb 07 21:24:53 +0000 2013
>Last-Modified: Tue Aug 15 05:40:02 +0000 2017
>Originator: Felix Deichmann
>Release: 6.0.1
>Organization:
>Environment:
NetBSD bla.invalid 6.0.1 NetBSD 6.0.1 (GENERIC) amd64
>Description:
When ssh_keygen_flags is set to a value other than "-b 1024" in rc.conf, /etc/rc.d/sshd fails to generate the DSA key files.
According to ssh-keygen(1), "DSA keys must be exactly 1024 bits as specified by FIPS 186-2". ssh-keygen won't create DSA key files with "-b" values other than 1024.
As another effect, /etc/rc.d/sshd will repeatedly try to recreate all keys when not all key files (e.g. the DSA key files) are present, each time it is started.
DSA key generation should be fixed to 1024 bit keys (-b 1024), as it is already done for ECDSA keys (fixed value of 521) in /etc/rc.d/sshd.
>How-To-Repeat:
Delete all key files in /etc/ssh and set ssh_keygen_flags="-b 4096" in rc.conf. When executing "/etc/rc.d/sshd start" to generate new key files, the DSA key files will not be created anymore.
>Fix:
In /etc/rc.d/sshd, replace the line containing
/usr/bin/ssh-keygen -t dsa -b ${ssh_keygen_flags} \
with
/usr/bin/ssh-keygen -t dsa -b 1024 \
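The proposed fix, written out as a small sh script that picks per-type flags and only generates keys that are missing. This is an added illustration, not the NetBSD /etc/rc.d/sshd script or its revision 1.22/1.23; the function names, the key list and the sample ssh_keygen_flags value are assumptions.

```sh
#!/bin/sh
# Added example, not the NetBSD /etc/rc.d/sshd script: choose ssh-keygen flags
# per key type so that types whose size is fixed by the algorithm (DSA, ECDSA)
# ignore the administrator's ssh_keygen_flags instead of failing to generate.

# Constructed sample value, as if set in rc.conf; this is the case from the PR.
ssh_keygen_flags="-b 4096"

# The line quoted in the report hands the rc.conf flags to ssh-keygen for DSA
# as well; with a size other than 1024 ssh-keygen refuses, so no DSA key is
# ever written:
#   /usr/bin/ssh-keygen -t dsa -b ${ssh_keygen_flags} \

# keygen_args TYPE: print the flags to pass to ssh-keygen for TYPE.
keygen_args() {
    case "$1" in
    dsa)   echo "-t dsa -b 1024" ;;            # FIPS 186-2: exactly 1024 bits
    ecdsa) echo "-t ecdsa -b 521" ;;           # fixed, as the script already did
    *)     echo "-t $1 $ssh_keygen_flags" ;;   # rsa honours rc.conf
    esac
}

# host_key_path TYPE [DIR]: path of the host key for TYPE (default /etc/ssh).
host_key_path() {
    echo "${2:-/etc/ssh}/ssh_host_$1_key"
}

# generate_missing_keys [DIR]: create only the keys that are absent. Because
# every type can now succeed, the "not all key files present -> regenerate"
# behaviour the PR describes no longer repeats on each start.
generate_missing_keys() {
    for t in rsa dsa ecdsa; do
        f=$(host_key_path "$t" "$1")
        if [ ! -f "$f" ]; then
            echo "Generating $t host key in $f"
            # word-splitting of the flag string is intended here
            ssh-keygen $(keygen_args "$t") -N '' -f "$f"
        fi
    done
}
```

Run `generate_missing_keys /some/empty/dir` with ssh-keygen installed to see all three keys created in one pass; the old line would leave the DSA key absent every time.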
>Release-Note:
>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47540 CVS commit: src/etc/rc.d
Date: Thu, 7 Feb 2013 14:32:20 -0500
Module Name: src
Committed By: christos
Date: Thu Feb 7 19:32:19 UTC 2013
Modified Files:
src/etc/rc.d: sshd
Log Message:
PR/47540: Felix Deichmann: DSA keys can only be 1024 bits.
To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/etc/rc.d/sshd
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Thu, 07 Feb 2013 21:24:53 +0000
State-Changed-Why:
christos fixed it, thanks!
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47540 CVS commit: [netbsd-6] src/etc/rc.d
Date: Tue, 15 Aug 2017 05:35:01 +0000
Module Name: src
Committed By: snj
Date: Tue Aug 15 05:35:01 UTC 2017
Modified Files:
src/etc/rc.d [netbsd-6]: sshd
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1468):
etc/rc.d/sshd: revision 1.22-1.23
PR/47540: Felix Deichmann: DSA keys can only be 1024 bits.
--
Add new keytype, replace duplicated code with loop
To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.21.4.1 src/etc/rc.d/sshd
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47540 CVS commit: [netbsd-6-1] src/etc/rc.d
Date: Tue, 15 Aug 2017 05:36:09 +0000
Module Name: src
Committed By: snj
Date: Tue Aug 15 05:36:08 UTC 2017
Modified Files:
src/etc/rc.d [netbsd-6-1]: sshd
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1468):
etc/rc.d/sshd: revision 1.22
etc/rc.d/sshd: revision 1.23
PR/47540: Felix Deichmann: DSA keys can only be 1024 bits.
--
Add new keytype, replace duplicated code with loop
To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.21.12.1 src/etc/rc.d/sshd
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/47540 CVS commit: [netbsd-6-0] src/etc/rc.d
Date: Tue, 15 Aug 2017 05:38:29 +0000
Module Name: src
Committed By: snj
Date: Tue Aug 15 05:38:29 UTC 2017
Modified Files:
src/etc/rc.d [netbsd-6-0]: sshd
Log Message:
Pull up following revision(s) (requested by mrg in ticket #1468):
etc/rc.d/sshd: revision 1.22
etc/rc.d/sshd: revision 1.23
PR/47540: Felix Deichmann: DSA keys can only be 1024 bits.
--
Add new keytype, replace duplicated code with loop
To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.21.10.1 src/etc/rc.d/sshd
>Unformatted: