Setting minimum size of accepted RSA key
In modern sshd versions (newer than when the question was asked), you can use an AuthorizedKeysCommand to fetch the user's public keys. The usual reason to use this is to fetch keys from some central storage (LDAP, MySQL...). But you can also use this to filter the user's keys. You should also set AuthorizedKeysFile to none to avoid a fallback to the unfiltered keys.
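The filtering approach this answer describes, as an added example (not code from the answer or from OpenSSH): a Python script for use as AuthorizedKeysCommand that parses each ssh-rsa blob and prints only keys whose modulus meets the minimum. The script path, the keyfilter account, the 8192-bit threshold, read access to the user's authorized_keys, and the policy of dropping non-RSA keys and option-prefixed lines are assumptions.

```python
#!/usr/bin/env python3
# Added example: AuthorizedKeysCommand filter that prints only large RSA keys.
# Assumed sshd_config (script path and account are hypothetical):
#   AuthorizedKeysCommand /usr/local/sbin/filter-rsa-keys %h
#   AuthorizedKeysCommandUser keyfilter
#   AuthorizedKeysFile none
import base64, os, struct, sys

MIN_RSA_BITS = 8192  # assumed policy value

def rsa_bits(blob_b64):
    """Modulus size in bits of an ssh-rsa public key blob, or None if malformed."""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
        fields = []
        while blob:  # blob is a sequence of uint32-length-prefixed strings
            (length,) = struct.unpack(">I", blob[:4])
            if length > len(blob) - 4:
                return None
            fields.append(blob[4:4 + length])
            blob = blob[4 + length:]
    except (ValueError, struct.error):
        return None
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        return None
    return int.from_bytes(fields[2], "big").bit_length()  # fields: type, e, n

def filter_keys(lines, min_bits=MIN_RSA_BITS):
    """Return normalized 'ssh-rsa <blob>' lines for keys of at least min_bits.

    Fails closed: other key types, lines with an options prefix, comments and
    unparsable blobs are all dropped rather than passed through to sshd.
    """
    kept = []
    for line in lines:
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "ssh-rsa":
            bits = rsa_bits(tokens[1])
            if bits is not None and bits >= min_bits:
                kept.append("ssh-rsa " + tokens[1])
    return kept

def sample_key(bits):
    """Constructed test input: a syntactically valid blob, not a real key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    parts = [b"ssh-rsa", (65537).to_bytes(3, "big"), n]
    return base64.b64encode(b"".join(struct.pack(">I", len(p)) + p for p in parts)).decode()

if __name__ == "__main__" and len(sys.argv) == 2:  # argv[1] is %h, the home dir
    with open(os.path.join(sys.argv[1], ".ssh", "authorized_keys")) as fh:
        print("\n".join(filter_keys(fh)))
```

sshd requires the AuthorizedKeysCommand program to be given by absolute path, owned by root and not writable by group or others.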
Author by
Admin
Updated on September 17, 2022
Comments
-
Admin over 1 year
Is there a way to set the minimum size accepted by sshd as an RSA public key?
I want to restrict users to using RSA keys that are generated with ssh-keygen -b 8196 or greater.
I didn't see any option in sshd_config. There is a ServerKeyBits option, but that seems to apply only for SSHv1.
-
Admin over 13 years
8000 bit minimum? Aren't you slightly overdoing it? If you're using 2000 bits or more it's very unlikely that the keylength is the critical part of your security. Implementation faults are much more dangerous.
-
Admin over 13 years
Yes - and don't forget - this is only the number of bits for the public/private keypair. The actual data stream is only encrypted with something like AES-128 or AES-256, maximum.
-
Gilles 'SO- stop being evil' over 13 years
@Ichimonji10: Is there really a way to do this through PAM? As far as I can tell, no PAM module has access to the key used for authentication (auth modules aren't used for public key authentication, and account modules don't know about authentication anyway).