Bump minimal RSA key size to 1024

Fixes: #326 Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2026-02-04 12:20:42 +09:00 · 2025-11-06 10:18:28 +01:00
parent cefc4f8c97
commit ee6e2c69e1
3 changed files with 6 additions and 6 deletions
--- a/include/libssh/pki.h
+++ b/include/libssh/pki.h
@@ -46,7 +46,7 @@
 #define MAX_PUBKEY_SIZE 0x100000 /* 1M */
 #define MAX_PRIVKEY_SIZE 0x400000 /* 4M */

-#define RSA_MIN_KEY_SIZE 768
+#define RSA_MIN_KEY_SIZE     1024
 #define RSA_DEFAULT_KEY_SIZE 3072

 #define SSH_KEY_FLAG_EMPTY   0x0
--- a/src/options.c
+++ b/src/options.c
@@ -593,10 +593,10 @@ int ssh_options_set_algo(ssh_session session,
 *              - SSH_OPTIONS_RSA_MIN_SIZE
 *                Set the minimum RSA key size in bits to be accepted by the
 *                client for both authentication and hostkey verification.
- *                The values under 768 bits are not accepted even with this
+ *                The values under 1024 bits are not accepted even with this
 *                configuration option as they are considered completely broken.
 *                Setting 0 will revert the value to defaults.
- *                Default is 1024 bits or 2048 bits in FIPS mode.
+ *                Default is 3072 bits or 2048 bits in FIPS mode.
 *                (int)

 *              - SSH_OPTIONS_IDENTITY_AGENT
@@ -2201,11 +2201,11 @@ static int ssh_bind_set_algo(ssh_bind sshbind,
 *                      - SSH_BIND_OPTIONS_RSA_MIN_SIZE
 *                        Set the minimum RSA key size in bits to be accepted by
 *                        the server for both authentication and hostkey
- *                        operations. The values under 768 bits are not accepted
+ *                        operations. The values under 1024 bits are not accepted
 *                        even with this configuration option as they are
 *                        considered completely broken. Setting 0 will revert
 *                        the value to defaults.
- *                        Default is 1024 bits or 2048 bits in FIPS mode.
+ *                        Default is 3072 bits or 2048 bits in FIPS mode.
 *                        (int)
 *
 *
--- a/src/pki.c
+++ b/src/pki.c
@@ -451,7 +451,7 @@ bool ssh_key_size_allowed_rsa(int min_size, ssh_key key)
        if (ssh_fips_mode()) {
            min_size = 2048;
        } else {
-            min_size = 1024;
+            min_size = RSA_MIN_KEY_SIZE;
        }
    }
    return (key_size >= min_size);