Consider setting ServerKeyBits 768 to 1024

Bug #1244272 reported by ScottMiller
Affects           Status        Importance  Assigned to   Milestone
openssh (Debian)  Fix Released  Unknown
openssh (Ubuntu)  Fix Released  Medium      Colin Watson

Bug Description

Ubuntu 13.10 has the following setting:

/etc/ssh/sshd_config

ServerKeyBits 768

Would it be possible to make the default 1024 to add more security benefit:

ServerKeyBits 1024

1024 is the default in the upstream openssh project and the value used by other mainstream distros.

http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config&sektion=5

"ServerKeyBits
        Defines the number of bits in the ephemeral protocol version 1
        server key. The minimum value is 512, and the default is 1024."

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=13.10
DISTRIB_CODENAME=saucy
DISTRIB_DESCRIPTION="Ubuntu 13.10"

$ dpkg -s openssh-server
Package: openssh-server
Status: install ok installed
Priority: optional
Section: net
Installed-Size: 760
Maintainer: Ubuntu Developers <email address hidden>
Architecture: amd64
Multi-Arch: foreign
Source: openssh
Version: 1:6.2p2-6
Replaces: openssh-client (<< 1:3.8.1p1-11), ssh, ssh-krb5
Provides: ssh-server

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

I've checked and it looks like this also applies to Debian. I have filed a bug there.

Changed in openssh (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in openssh (Debian):
status: Unknown → New
Colin Watson (cjwatson) wrote :

Fixed for my next upload, although note that this setting only applies to SSH protocol version 1, which is disabled by default anyway and is not normally recommended, so the practical effect on the security of most systems is minimal.

Changed in openssh (Ubuntu):
status: Triaged → Fix Committed
assignee: nobody → Colin Watson (cjwatson)
Changed in openssh (Debian):
status: New → Fix Committed
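An added example, not code from the bug report or from the openssh package: a small sshd_config audit that checks the two points raised here, the packaged ServerKeyBits value against the upstream default of 1024 and whether protocol 1 is enabled at all (the caveat in the comment above). The parsing rules are a simplification of sshd's (keywords case-insensitive, first value wins, Match blocks ignored), and the sample config text is constructed from the values quoted in the report.

```python
import re

UPSTREAM_DEFAULT_BITS = 1024  # sshd_config(5): default ServerKeyBits
UPSTREAM_MIN_BITS = 512       # sshd_config(5): minimum ServerKeyBits


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are case-insensitive; blank lines and comments are skipped;
    the first value for a keyword wins (sshd ignores later duplicates for
    most keywords); everything after the first Match block is ignored,
    since those directives apply only conditionally.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_server_key(text):
    """Report whether protocol 1 is enabled and whether ServerKeyBits is weak."""
    cfg = parse_sshd_config(text)
    # Protocol defaults to 2 in this OpenSSH generation, so ServerKeyBits is unused unless 1 is listed.
    protocols = {p.strip() for p in cfg.get("protocol", "2").split(",")}
    bits = int(cfg.get("serverkeybits", UPSTREAM_DEFAULT_BITS))
    findings = []
    if "1" in protocols:
        findings.append("Protocol 1 is enabled; disable it instead of tuning ServerKeyBits")
    if bits < UPSTREAM_DEFAULT_BITS:
        findings.append(f"ServerKeyBits {bits} is below the upstream default of {UPSTREAM_DEFAULT_BITS}")
    return {"protocol1_enabled": "1" in protocols,
            "server_key_bits": bits, "findings": findings}


# Constructed sample: the Ubuntu 13.10 value from the report, Protocol left at its default.
SAUCY_CONFIG = "# Package generated configuration file\nPort 22\nServerKeyBits 768\n"

if __name__ == "__main__":
    print(audit_server_key(SAUCY_CONFIG))
```

Run it against a real file with `audit_server_key(open("/etc/ssh/sshd_config").read())`; an empty findings list with protocol 1 disabled is the expected state after the fix below.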
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:6.4p1-2

---------------
openssh (1:6.4p1-2) unstable; urgency=high

  * Increase ServerKeyBits value in package-generated sshd_config to 1024
    (closes: #727622, LP: #1244272).
  * Restore patch to disable OpenSSL version check (closes: #732940).

 -- Colin Watson <email address hidden> Mon, 23 Dec 2013 10:44:04 +0000

Changed in openssh (Ubuntu):
status: Fix Committed → Fix Released
Changed in openssh (Debian):
status: Fix Committed → Fix Released