NetBSD Problem Report #47540

From www@NetBSD.org  Thu Feb  7 14:06:40 2013
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	by www.NetBSD.org (Postfix) with ESMTP id 6DCA763EF79
	for <gnats-bugs@gnats.NetBSD.org>; Thu,  7 Feb 2013 14:06:40 +0000 (UTC)
Message-Id: <20130207140639.B4B1C63EF79@www.NetBSD.org>
Date: Thu,  7 Feb 2013 14:06:39 +0000 (UTC)
From: m4j0rd0m0@gmail.com
Reply-To: m4j0rd0m0@gmail.com
To: gnats-bugs@NetBSD.org
Subject: No DSA key files generated when ssh_keygen_flags != "-b 1024" in rc.conf
X-Send-Pr-Version: www-1.0

>Number:         47540
>Category:       bin
>Synopsis:       No DSA key files generated when ssh_keygen_flags != "-b 1024" in rc.conf
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          closed
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 07 14:10:00 +0000 2013
>Closed-Date:    Thu Feb 07 21:24:53 +0000 2013
>Last-Modified:  Tue Aug 15 05:40:02 +0000 2017
>Originator:     Felix Deichmann
>Release:        6.0.1
>Organization:
>Environment:
NetBSD bla.invalid 6.0.1 NetBSD 6.0.1 (GENERIC) amd64
>Description:
When ssh_keygen_flags is set to a value other than "-b 1024" in rc.conf, /etc/rc.d/sshd fails to generate the DSA key files.

According to ssh-keygen(1), "DSA keys must be exactly 1024 bits as specified by FIPS 186-2". ssh-keygen won't create DSA key files with "-b" values other than 1024.

As another effect, /etc/rc.d/sshd will repeatedly try to recreate all keys each time it is started when not all key files (e.g. the DSA key files) are present.

DSA key generation should be fixed to 1024 bit keys (-b 1024), as it is already done for ECDSA keys (fixed value of 521) in /etc/rc.d/sshd.
>How-To-Repeat:
Delete all key files in /etc/ssh and set ssh_keygen_flags="-b 4096" in rc.conf. When executing "/etc/rc.d/sshd start" to generate new key files, the DSA key files will not be created anymore.
>Fix:
In /etc/rc.d/sshd, replace the line containing

/usr/bin/ssh-keygen -t dsa -b ${ssh_keygen_flags} \

with

/usr/bin/ssh-keygen -t dsa -b 1024 \

>Release-Note:

>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/47540 CVS commit: src/etc/rc.d
Date: Thu, 7 Feb 2013 14:32:20 -0500

 Module Name:	src
 Committed By:	christos
 Date:		Thu Feb  7 19:32:19 UTC 2013

 Modified Files:
 	src/etc/rc.d: sshd

 Log Message:
 PR/47540: Felix Deichmann: DSA keys can only be 1024 bits.


 To generate a diff of this commit:
 cvs rdiff -u -r1.21 -r1.22 src/etc/rc.d/sshd

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Thu, 07 Feb 2013 21:24:53 +0000
State-Changed-Why:
christos fixed it, thanks!


From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/47540 CVS commit: [netbsd-6] src/etc/rc.d
Date: Tue, 15 Aug 2017 05:35:01 +0000

 Module Name:	src
 Committed By:	snj
 Date:		Tue Aug 15 05:35:01 UTC 2017

 Modified Files:
 	src/etc/rc.d [netbsd-6]: sshd

 Log Message:
 Pull up following revision(s) (requested by mrg in ticket #1468):
 	etc/rc.d/sshd: revision 1.22-1.23
 PR/47540: Felix Deichmann: DSA keys can only be 1024 bits.
 --
 Add new keytype, replace duplicated code with loop


 To generate a diff of this commit:
 cvs rdiff -u -r1.21 -r1.21.4.1 src/etc/rc.d/sshd

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/47540 CVS commit: [netbsd-6-1] src/etc/rc.d
Date: Tue, 15 Aug 2017 05:36:09 +0000

 Module Name:	src
 Committed By:	snj
 Date:		Tue Aug 15 05:36:08 UTC 2017

 Modified Files:
 	src/etc/rc.d [netbsd-6-1]: sshd

 Log Message:
 Pull up following revision(s) (requested by mrg in ticket #1468):
 	etc/rc.d/sshd: revision 1.22
 	etc/rc.d/sshd: revision 1.23
 PR/47540: Felix Deichmann: DSA keys can only be 1024 bits.
 --
 Add new keytype, replace duplicated code with loop


 To generate a diff of this commit:
 cvs rdiff -u -r1.21 -r1.21.12.1 src/etc/rc.d/sshd

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/47540 CVS commit: [netbsd-6-0] src/etc/rc.d
Date: Tue, 15 Aug 2017 05:38:29 +0000

 Module Name:	src
 Committed By:	snj
 Date:		Tue Aug 15 05:38:29 UTC 2017

 Modified Files:
 	src/etc/rc.d [netbsd-6-0]: sshd

 Log Message:
 Pull up following revision(s) (requested by mrg in ticket #1468):
 	etc/rc.d/sshd: revision 1.22
 	etc/rc.d/sshd: revision 1.23
 PR/47540: Felix Deichmann: DSA keys can only be 1024 bits.
 --
 Add new keytype, replace duplicated code with loop


 To generate a diff of this commit:
 cvs rdiff -u -r1.21 -r1.21.10.1 src/etc/rc.d/sshd

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

>Unformatted:
