Unfortunately it appears that 2048 bit RSA keys can occasionally be created in such a way that they appear to have 2047 bit length. This PR simply changes our defaults to allow these. Fix #20249 Signed-off-by: Andrew Thornton <art27@cantab.net>tags/v1.18.0-rc0
@@ -1231,7 +1231,7 @@ PATH = | |||
;; Define allowed algorithms and their minimum key length (use -1 to disable a type) | |||
;ED25519 = 256 | |||
;ECDSA = 256 | |||
;RSA = 2048 | |||
;RSA = 2047 ; we allow 2047 here because an otherwise valid 2048 bit RSA key can be reported as having 2047 bit length | |||
;DSA = -1 ; set to 1024 to switch on | |||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; |
@@ -621,7 +621,7 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type | |||
- `ED25519`: **256** | |||
- `ECDSA`: **256** | |||
- `RSA`: **2048** | |||
- `RSA`: **2047**: We set 2047 here because an otherwise valid 2048 RSA key can be reported as 2047 length. | |||
- `DSA`: **-1**: DSA is now disabled by default. Set to **1024** to re-enable but ensure you may need to reconfigure your SSHD provider | |||
## Webhook (`webhook`) |
@@ -170,7 +170,7 @@ var ( | |||
ServerMACs: []string{"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"}, | |||
KeygenPath: "ssh-keygen", | |||
MinimumKeySizeCheck: true, | |||
MinimumKeySizes: map[string]int{"ed25519": 256, "ed25519-sk": 256, "ecdsa": 256, "ecdsa-sk": 256, "rsa": 2048}, | |||
MinimumKeySizes: map[string]int{"ed25519": 256, "ed25519-sk": 256, "ecdsa": 256, "ecdsa-sk": 256, "rsa": 2047}, | |||
ServerHostKeys: []string{"ssh/gitea.rsa", "ssh/gogs.rsa"}, | |||
AuthorizedKeysCommandTemplate: "{{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}", | |||
PerWriteTimeout: PerWriteTimeout, |