Description of problem:
For security reasons, customer requests a check of SSH key size (i.e. the number of bits used to create the key) when a new public key is added using the "Settings" web page for a user. This should be a configurable parameter that can be set to the customer's requirements for minimum key size.

Version-Release number of selected component (if applicable):
OSE 2.2.x

How reproducible:
100% - no such functionality exists today

Steps to Reproduce:
N/A

Actual results:
Current SSH keys are not being checked for minimum (bit) size

Expected results:
Perform a check of the public key added to ensure it meets minimum size requirements

Additional info:
Patch is already developed and ready. The implementation uses a configurable broker.conf option:
MINIMUM_SSH_KEY_SIZE="ssh-rsa|2048 ssh-dss|1024"
... this format follows existing configuration options and allows for a list of valid values for future additions of other key types as well.
Created a PR for the proposed changes - it can be found here: https://github.com/openshift/origin-server/pull/6078
*** Bug 1194200 has been marked as a duplicate of this bug. ***
I believe this made it into devenv_5471. When I was testing I set this value in /etc/openshift/broker-dev.conf:
MINIMUM_SSH_KEY_SIZE="ssh-rsa|1024 ssh-dss|1024"
Check on puddle [2.2.5/2015-03-17.1]

1. generate different size keys
   #ssh-keygen -b 1024 -f rsa_1024
   #ssh-keygen -b 4096 -f rsa_4096
   #ssh-keygen -f rsa_2048
   #ssh-keygen -f dsa_1024 -t dsa
2. setup with user
   #rhc setup -l xiaom
3. add all keys generated in step 1
   #keys="rsa_1024 rsa_4096 rsa_2048 dsa_1024"
   #for key in $keys;do echo $key; set -x; rhc sshkey add $key $key.pub -l xiaom;done
4. list all keys
   All keys are added successfully
5. delete all keys
   #for key in $(rhc sshkey list -l xiaom|grep type|awk '{print $1}');do rhc sshkey remove $key -l xiaom;done
6. configure the minimum key size, and restart the openshift-broker
   #vim /etc/openshift/broker.conf
   MINIMUM_SSH_KEY_SIZE="ssh-rsa|2048 ssh-dss|1024"
   #service openshift-broker restart
7. add all keys
   #rhc sshkey add $key_name $keyfile
   dsa_1024 pass
   rsa_4096 pass
   rsa_1024 fail (Invalid RSA key size. Must be greater or equal to 2048.)
   rsa_2048 pass
8. delete all keys
9. configure the minimum key size, and restart the openshift-broker
   #vim /etc/openshift/broker.conf
   MINIMUM_SSH_KEY_SIZE="ssh-rsa|4097 ssh-dss|1025"
   #service openshift-broker restart
10. add all keys
   dsa_1024 fail (Invalid DSA key size. Must be greater or equal to 1025.)
   rsa_4096 fail (Invalid RSA key size. Must be greater or equal to 4097.)
   rsa_1024 fail (Invalid RSA key size. Must be greater or equal to 4097.)
   rsa_2048 fail (Invalid RSA key size. Must be greater or equal to 4097.)
11. configure the minimum key size, and restart the openshift-broker
   #vim /etc/openshift/broker.conf
   MINIMUM_SSH_KEY_SIZE="ssh-rsa|4095 ssh-dss|1023"
   #service openshift-broker restart
12. add all keys
   dsa_1024 pass
   rsa_4096 pass
   rsa_1024 fail (Invalid RSA key size. Must be greater or equal to 4095.)
   rsa_2048 fail (Invalid RSA key size. Must be greater or equal to 4095.)
13. delete all keys
14. rhc setup -l xiaom
   fail to add default key
15. configure the minimum key size, and restart the openshift-broker
   #vim /etc/openshift/broker.conf
   MINIMUM_SSH_KEY_SIZE="ssh-dsa|2048"
   #service openshift-broker restart
16. add all keys
   dsa_1024 fail (Invalid DSA key size. Must be greater or equal to 2048.)
   rsa_4096 pass
   rsa_1024 pass
   rsa_2048 pass
17. configure the minimum key size, and restart the openshift-broker
   #vim /etc/openshift/broker.conf
   MINIMUM_SSH_KEY_SIZE="ssh-rsa|1023 ssh-dss|2048"
   #service openshift-broker restart
18. delete all keys
   all keys can be deleted.
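The check that the verification steps above exercise, written out as an added stand-alone Ruby example (this is not code from origin-server or from the pull request, and it only follows the config format and result messages visible in this report): it parses a MINIMUM_SSH_KEY_SIZE-style string, decodes the base64 blob of an OpenSSH public-key line to read the RSA modulus or the DSA prime p, and rejects keys below the configured minimum. The helper names, the constructed sample keys (a real RSA key generated in-process and a hand-built ssh-dss blob that is not a usable DSA key) and the behaviour for key types that have no configured minimum are assumptions of this example.

```ruby
require 'openssl'

# Added example, not origin-server code. Names and messages are this example's own.
KEY_TYPE_NAMES = { 'ssh-rsa' => 'RSA', 'ssh-dss' => 'DSA' }.freeze

# Parse a MINIMUM_SSH_KEY_SIZE-style setting, e.g. "ssh-rsa|2048 ssh-dss|1024",
# into { 'ssh-rsa' => 2048, 'ssh-dss' => 1024 }. Malformed entries raise.
def parse_minimum_sizes(setting)
  setting.split.each_with_object({}) do |entry, sizes|
    type, bits = entry.split('|', 2)
    raise ArgumentError, "malformed entry #{entry.inspect}" unless bits.to_s.match?(/\A\d+\z/)
    sizes[type] = bits.to_i
  end
end

# SSH wire encoding: a string is a uint32 big-endian length followed by the bytes.
def ssh_string(bytes)
  [bytes.bytesize].pack('N') + bytes
end

# An mpint is a two's-complement big-endian integer; a leading 0x00 keeps it positive.
def ssh_mpint(n)
  hex = n.to_s(16)
  hex = '0' + hex if hex.length.odd?
  bytes = [hex].pack('H*')
  bytes = "\x00".b + bytes if bytes.getbyte(0) >= 0x80
  ssh_string(bytes)
end

def read_ssh_string(blob, offset)
  len = blob[offset, 4].unpack1('N')
  [blob[offset + 4, len], offset + 4 + len]
end

# Bit length of an mpint body; the leading 0x00 pad byte does not count.
def mpint_bits(bytes)
  OpenSSL::BN.new(bytes, 2).num_bits
end

# Return [type, bits] for one "type base64 comment" public-key line.
# For RSA the key size is the modulus n; for DSA it is the prime p.
def public_key_bits(line)
  type, b64 = line.strip.split(/\s+/, 3)
  blob = b64.to_s.unpack1('m0')
  blob_type, off = read_ssh_string(blob, 0)
  raise ArgumentError, 'type field does not match blob' unless blob_type == type
  case type
  when 'ssh-rsa'
    _e, off = read_ssh_string(blob, off) # public exponent e
    n, _ = read_ssh_string(blob, off)    # modulus n
    [type, mpint_bits(n)]
  when 'ssh-dss'
    prime_p, _ = read_ssh_string(blob, off) # p is first of p, q, g, y
    [type, mpint_bits(prime_p)]
  else
    raise ArgumentError, "unsupported key type #{type}"
  end
end

# nil means accepted; otherwise the rejection message. A type with no configured
# minimum is accepted (an assumption of this example).
def check_key_size(line, setting)
  type, bits = public_key_bits(line)
  min = parse_minimum_sizes(setting)[type]
  return nil if min.nil? || bits >= min
  "Invalid #{KEY_TYPE_NAMES[type]} key size. Must be greater or equal to #{min}."
end

# Constructed sample keys (not from the report).
def rsa_key_line(bits)
  key = OpenSSL::PKey::RSA.new(bits)
  blob = ssh_string('ssh-rsa') + ssh_mpint(key.e.to_i) + ssh_mpint(key.n.to_i)
  "ssh-rsa #{[blob].pack('m0')} constructed@example"
end

# An ssh-dss blob whose p has exactly p_bits bits; q, g, y are placeholders,
# so this is only good for exercising the size check, not for authentication.
def fake_dsa_key_line(p_bits)
  p_value = 2**(p_bits - 1) + 1
  blob = ssh_string('ssh-dss') + ssh_mpint(p_value) + ssh_mpint(1) + ssh_mpint(2) + ssh_mpint(3)
  "ssh-dss #{[blob].pack('m0')} constructed@example"
end

if __FILE__ == $PROGRAM_NAME
  setting = 'ssh-rsa|2048 ssh-dss|1024'
  [rsa_key_line(1024), rsa_key_line(2048), fake_dsa_key_line(1024)].each do |line|
    type, bits = public_key_bits(line)
    puts "#{type} #{bits} bits: #{check_key_size(line, setting) || 'accepted'}"
  end
end
```

The size comes from the decoded blob, not from the comment or from the length of the base64 text, which is what makes the check robust against a key file that was relabelled or padded. Feeding a real id_rsa.pub or id_dsa.pub line to public_key_bits gives the same figure that ssh-keygen -l reports.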
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0779.html