Re: keys longer than 1024 bits



Ian Becker wrote:
On Wed, Sep 13, 2006 at 02:09:38PM +0000, edbch wrote:
Hello to all.
First they pardon my bad English.
I am attempted to generate keys longer than 1024 bits, but I am not obtaining. I perceived that in some machines this is possible and in others not.
It is some problem because of the operational system and some rule or because of the version of ssh? In the machines that I cannot generate these keys I use Gentoo Linux and OpenSSH_4.3p2, OpenSSL 0.9.7j. In that I can I use OpenBSD and OpenSSH_4.1, OpenSSL 0.9.7d. The command to generate the keys that I used is: ssh-keygen - t dsa - b the 2048 and message of error that I received is: DSA keys must be 1024 bits.
Somebody knows to explain me because? Debtor since now.

Eduardo

The ssh-keygen manpage says:

-b bits
Specifies the number of bits in the key to create. For RSA
keys, the minimum size is 768 bits and the default is 2048
bits.
Generally, 2048 bits is considered sufficient. DSA keys
must be
exactly 1024 bits as specified by FIPS 186-2.

DSA keys must be exactly 1024 bits, according to the standard. If you
want larger keys, you'll need to make RSA keys instead of DSA keys.


-Ian


Tanks.
The fact of the version that run in OpenBSDs to allow bigger keys would be one bug? How this would place at risk my system?

Eduardo



Relevant Pages

  • SSH RSA DSA KEYS
    ... RSA Keys are used for encryption and signing, but DSA keys are used ...
    (comp.os.linux.security)
  • Re: setting up ssh keys to copy between desktop to freenas
    ... So login as root and generate the keys as root. ... NIST suggest that RSA and DSA keys of comparable ... This assumes correct implementation, of course, which isn't a given; ...
    (uk.comp.os.linux)
  • Re: how to make the following steps into one single unix command ?
    ... because older versions of FIPS 186 didn't allow longer DSA keys. ... Specifies the number of bits in the key to create. ...
    (comp.unix.shell)
  • Re: keys longer than 1024 bits
    ... I am attempted to generate keys longer than 1024 bits, ... I perceived that in some machines this is possible and in others ... DSA keys must be 1024 bits. ... you'll need to make RSA keys instead of DSA keys. ...
    (SSH)
  • Re: SSH - securing the port
    ... > Dave Saville wrote: ... >> Turn off password checking so you have to have a known rsa key. ... > be using dsa keys. ... Why do you reccommend DSA keys? ...
    (comp.unix.solaris)