10

I'm using PuTTY on Windows with key-based authentication to access some of my servers.

It works totally fine with ~3700-bit key, but with ~17000-bit key it thinks for like 20 seconds on client-side and then just says "Access denied" and asks for a password.

Is there any key length limit or timeout in OpenSSH for key-based authentication?

I understand that using such large keys has not much practical sense, especially when looking at these 20 seconds of calculation; I'm just trying to solve any problems I face :-)...

BarsMonster
  • I have seen similar problems happen on some OpenSSH versions, which I worked around by using a key length which was a power of two. – kasperd Mar 24 '15 at 19:02

4 Answers

10

At one point I looked into the source of OpenSSL for Diffie-Hellman keys, and found there was an "arbitrary" 10K limit on the size of DH keys. I changed the source for a test, and found that worked. I wrote a bug to the authors, and they replied back that it was design intent to prevent DoS by using massive keys.

Wouldn't surprise me to see something similar in OpenSSH.

Paul Holder
6

There is no maximum key size or timeout defined in the protocol (or at least none that you'd be hitting), but an implementation might not support such long keys. A 20-second processing time with the private key doesn't sound high for a 17kbit RSA key. Then the server might not want to spend too much computing power on an unauthenticated user: refusing very large keys is a protection against DoS attacks.

Currently 2048 bits is considered reasonable for an RSA key; 4096 bits is higher than necessary but usually supported; beyond this you shouldn't be surprised if some programs reject the key.

  • This protection looks reasonable. Is it tunable or hardcoded in the sourcecode? – BarsMonster Jul 14 '10 at 11:40
  • There's no option for this in the manual, so any limit must be in the source code. That said, I don't know if there actually is a protection, I just meant that it would be reasonable to have one. I suspect that AndreasM's answer is closer to the mark. – Gilles 'SO- stop being evil' Jul 14 '10 at 16:17
4

Were you able to generate that size of key on the intended target system? You may be running into a limit to what is supported. A rather current CentOS system of mine supports a 16k maximum, which seems sufficient for massive keys. You should see the maximum if you try to go above it with ssh-keygen as shown below.

[nathan@omni ~]# ssh-keygen -t rsa -b 32768
key bits exceeds maximum 16384
zaznet
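The 16384-bit maximum above is enforced by ssh-keygen at generation time, but a key that was generated elsewhere (as in the question, where the client generated the key) only fails at login. The following is an added example, not code from the answer or from OpenSSH: it parses the OpenSSH "ssh-rsa AAAA..." public-key line format (type string, then the mpint exponent and modulus, RFC 4253 section 6.6) to read the modulus bit length, and audits an authorized_keys-style text against a configurable maximum. The 16384 default is taken from the ssh-keygen output above; the sample keys are constructed from made-up moduli and are not real keys.

```python
import base64
import struct

# Limit reported by ssh-keygen in the answer above; make it a parameter so the
# audit can be run against whatever the target sshd actually accepts.
MAX_KEY_BITS = 16384


def _read_string(buf: bytes, off: int):
    """Read one SSH 'string' (uint32 length prefix + bytes) at offset off."""
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + length], off + length


def _write_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251): big-endian,
    minimal length, with a leading zero byte when the top bit is set."""
    if n == 0:
        return _write_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _write_string(raw)


def make_rsa_pubkey_line(e: int, n: int, comment: str = "constructed") -> str:
    """Build an OpenSSH public-key line from (e, n); used here only to
    construct sample input, the moduli are not real keys."""
    blob = _write_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def rsa_modulus_bits(pubkey_line: str) -> int:
    """Return the modulus bit length of an 'ssh-rsa AAAA...' line, which is
    the number ssh-keygen reports as the key size."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1])
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("key blob type does not match 'ssh-rsa'")
    _exponent, off = _read_string(blob, off)
    modulus_bytes, _ = _read_string(blob, off)
    # int.from_bytes ignores the mpint's optional leading zero byte.
    return int.from_bytes(modulus_bytes, "big").bit_length()


def audit_authorized_keys(text: str, max_bits: int = MAX_KEY_BITS):
    """Return (line_no, bits, verdict) for every non-comment line; keys of
    other types are reported as skipped rather than silently ignored."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith("ssh-rsa "):
            results.append((line_no, None, "skipped (not ssh-rsa)"))
            continue
        bits = rsa_modulus_bits(line)
        results.append((line_no, bits, "ok" if bits <= max_bits else "too large"))
    return results


# Constructed sample: one 2048-bit modulus, one 17000-bit modulus (the size
# that failed in the question), and a non-RSA line that is merely skipped.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample; these moduli are not real keys",
    make_rsa_pubkey_line(65537, 2 ** 2047 + 12345, "user@2048bit"),
    make_rsa_pubkey_line(65537, 2 ** 16999 + 1, "user@17000bit"),
    "ssh-ed25519 <placeholder-blob> user@ed25519",
])

if __name__ == "__main__":
    for line_no, bits, verdict in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {line_no}: {bits} bits -> {verdict}")
```

Run against a real authorized_keys file with `audit_authorized_keys(open(path).read(), max_bits=...)`; a key flagged "too large" is a candidate for the RSA_public_decrypt failure discussed in the other answer's comments, and can be replaced before users hit a 20-second delay followed by "Access denied".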
2

The openssh Server has a LoginGraceTime setting. From the man page:

The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds.

This could be a limit that you are hitting if it is set to 20 seconds.

Wild guess: it could also be that PuTTY itself has this limit, thinking that if the client-side processing of the public key authentication takes that long, something is wrong.

AndreasM
  • I've thought the same, and set LoginGraceTime 1200. Well, the error message is in the console, so I doubt it's something in PuTTY... – BarsMonster Jul 14 '10 at 12:41
  • Check the server logs. With a key size like this I get: RSA_public_decrypt failed: error:04067069:lib(4):func(103):reason(105) (because of the key size, apparently). I'll try a 2^n key. – AndreasM Jul 14 '10 at 14:12
  • 16384 bits seems to work. For results with 32 kbits see http://www.hermann-uwe.de/blog/creating-32768-bit-rsa-keys-for-fun-and-profit :) – AndreasM Jul 14 '10 at 14:22
  • You're dead right. Found this: sshd[1014]: error: RSA_public_decrypt failed: error:04067069:lib(4):func(103):reason(105) So this must be a bug in sshd/OpenSSL :-) – BarsMonster Jul 15 '10 at 12:55