ojarva / python-sshpubkeys

OpenSSH public key parser for Python
BSD 3-Clause "New" or "Revised" License
101 stars, 42 forks

FIPS 186-3 DSA parameters #9

Closed FirefighterBlu3 closed 8 years ago

FirefighterBlu3 commented 9 years ago

Our current FIPS standard for DSA keys allows for (p, q) pairs of:

- L = 1024, N = 160
- L = 2048, N = 224
- L = 2048, N = 256
- L = 3072, N = 256

SSHKeys currently enforces 1024 bits, which isn't accurate. The vast majority of SSH keys are created with ssh-keygen, which enforces 1024 bits for DSA keys; however, keys are easily made with other software, and as long as the math is correct, the key will work with SSH.
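The check the issue asks for, written out as an added example that is not part of python-sshpubkeys: parse the `ssh-dss` wire blob (four length-prefixed mpints, p, q, g, y, after the key-type string), take L and N from the bit lengths of p and q, and compare them with the FIPS 186-3 (L, N) table above. The sample key line is constructed with placeholder integers of the right sizes, not real DSA parameters, so it exercises only the size validation; `build_ssh_dss_line`, `parse_ssh_dss` and `classify_dsa` are names chosen for this example.

```python
import base64
import struct

# (L, N) pairs listed in the issue, from FIPS 186-3.
FIPS_186_3_DSA_SIZES = {(1024, 160), (2048, 224), (2048, 256), (3072, 256)}


def _mpint(value):
    """Encode a non-negative int as an SSH mpint (RFC 4251 string of big-endian bytes)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the sign bit clear for positive values
    return struct.pack(">I", len(raw)) + raw


def _read_string(blob, offset):
    """Read one length-prefixed SSH string, rejecting truncated blobs."""
    if offset + 4 > len(blob):
        raise ValueError("truncated ssh-dss key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    data = blob[offset:offset + length]
    if len(data) != length:
        raise ValueError("truncated ssh-dss key blob")
    return data, offset + length


def build_ssh_dss_line(L, N):
    """Constructed sample: an ssh-dss line whose p has L bits and q has N bits.

    The integers are placeholders with the requested bit lengths, NOT valid DSA
    domain parameters; they exist only to drive the size check below.
    """
    p = (1 << (L - 1)) | 1
    q = (1 << (N - 1)) | 1
    g = 2
    y = (1 << (L - 2)) | 3
    blob = struct.pack(">I", 7) + b"ssh-dss" + b"".join(_mpint(v) for v in (p, q, g, y))
    return "ssh-dss " + base64.b64encode(blob).decode("ascii") + " constructed@example"


def parse_ssh_dss(line):
    """Return the bit lengths of p, q, g and y from an authorized_keys-style line."""
    fields = line.strip().split()
    if len(fields) < 2 or fields[0] != "ssh-dss":
        raise ValueError("not an ssh-dss public key line")
    blob = base64.b64decode(fields[1])
    keytype, offset = _read_string(blob, 0)
    if keytype != b"ssh-dss":
        raise ValueError("key type inside blob does not match ssh-dss")
    bits = {}
    for name in ("p", "q", "g", "y"):
        data, offset = _read_string(blob, offset)
        bits[name] = int.from_bytes(data, "big").bit_length()
    if offset != len(blob):
        raise ValueError("trailing data after DSA parameters")
    return bits


def classify_dsa(line):
    """Report L and N and whether the pair is in the FIPS 186-3 table.

    'openssh_n160' records the N == 160 restriction discussed later in this
    thread; it is a separate question from FIPS conformance.
    """
    bits = parse_ssh_dss(line)
    L, N = bits["p"], bits["q"]
    return {
        "L": L,
        "N": N,
        "fips_186_3": (L, N) in FIPS_186_3_DSA_SIZES,
        "openssh_n160": N == 160,
    }


if __name__ == "__main__":
    for L, N in ((1024, 160), (2048, 256), (3072, 256), (512, 160)):
        print(L, N, classify_dsa(build_ssh_dss_line(L, N)))
```

Keeping the FIPS table and the N == 160 flag separate is deliberate: a validator that only knows ssh-keygen's 1024/160 default rejects conformant 2048- and 3072-bit keys, while one that accepts every FIPS pair still has to know what the target SSH implementation will actually load.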

ojarva commented 8 years ago

@FirefighterBlu3 you're right about this. Can you provide DSA public keys generated with these parameters, and I'll add tests and proper validation for those?

ojarva commented 8 years ago

Actually, it seems OpenSSH only allows N=160, so I'm going with that. If you can provide a different DSA key that OpenSSH accepts, I'll add it to the tests and fix the code as well.

2048 and 3072 keys should work now, though.

ojarva commented 8 years ago

Even more curiously, DSA keys from 512 to 16383 bits work just fine with the latest OpenSSH, as long as N=160. Obviously that doesn't mean using a 512-bit DSA key is a good idea.