From owner-freebsd-questions Sun May 28 8:56:27 2000
To: questions@freebsd.org
Subject: 4.0-STABLE Secure: ssh limited to 1024 bits by RSAREF
From: Chris Shenton
Date: 28 May 2000 11:56:20 -0400

I just did a make world from last night's 4.0 Secure CVSup.

One site I'm trying to "ssh" to a system running F-Secure's SSH daemon
with a host key that's 1152 bits, but /usr/bin/ssh can't connect
because the RSAREF limits me to 1024 bits:

    SSH Version OpenSSH-1.2.2, protocol version 1.5.
    Compiled with SSL.
    debug: Reading configuration data /etc/ssh/ssh_config
    debug: Applying options for *
    debug: ssh_connect: getuid 0 geteuid 0 anon 0
    debug: Connecting to XXX.XXX.com [###.###.###.###] port 22.
    debug: Allocated local port 918.
    debug: Connection established.
    debug: Remote protocol version 1.5, remote software version 1.3.5 F-SECURE SSH
    debug: Waiting for server public key.
    debug: Received server public key (1152 bits) and host key (1024 bits).
    debug: Host 'XXX.XXX.com' is known and matches the host key.
    rsa_private_encrypt() failed: RSAREF cannot handle keys larger than 1024 bits.
    debug: Calling cleanup 0x8052dbc(0x0)

File /usr/src/crypto/openssh/rsa.c contains the bit:

    if (BN_num_bits(key->n) > 1024 && RSA_libversion() == RSALIB_RSAREF)
        fatal("rsa_private_encrypt() failed: RSAREF cannot handle keys larger than 1024 bits.");

but I haven't been able to trace back to find where the function and
constant are defined.

Before doing the "make world", in /etc/defaults/make.conf I set:

    RSAREF= NO
    USA_RESIDENT= NO

hoping to get linkage with a non-crippled RSA implementation. It
appears this hasn't helped.

How can I recompile ssh in the system to get larger key support?

Thanks.