OpenStack Compute (Nova)

Generated SSH key length is only 1024 bits

Reported by Zane Bitter on 2013-01-22
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Undecided
Zane Bitter

Bug Description

Nova currently generates 1024 bit RSA key pairs when generating SSH keys. According to NIST, key lengths shorter than 2048 bits have been regarded as deprecated since 2011, and will be disallowed after 2013:

http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf

Indeed, the ssh-keygen utility in recent versions of both Ubuntu and Fedora already generates 2048-bit keys by default.

Rather than force a particular key length, Nova should defer to the distro's default RSA key length in ssh-keygen, since this is more likely to be updated in accordance with the latest appropriate security advice.

Fix proposed to branch: master
Review: https://review.openstack.org/20266

Changed in nova:
assignee: nobody → Zane Bitter (zaneb)
status: New → In Progress

Reviewed: https://review.openstack.org/20266
Committed: http://github.com/openstack/nova/commit/aa3686a86f903c3b87ea73f1784117c36b2ed6fa
Submitter: Jenkins
Branch: master

commit aa3686a86f903c3b87ea73f1784117c36b2ed6fa
Author: Zane Bitter <email address hidden>
Date: Tue Jan 22 19:20:45 2013 +0100

    Don't limit SSH keys generation to 1024 bits

    Use the default bit length of the underlying ssh-keygen command
    (currently 2048) if no bit length is supplied, rather than defaulting to
    1024 bits.

    bug 1103130

    Change-Id: Iba9d378d5bf9e28663e52180ed04c31c16d08aad
    Signed-off-by: Zane Bitter <email address hidden>

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-01-23
tags: added: security
Thierry Carrez (ttx) on 2013-02-21
Changed in nova:
milestone: none → grizzly-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-04-04
Changed in nova:
milestone: grizzly-3 → 2013.1
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers