From 85bd3fb890e1d53919cd64bb3f7c9500e717e6a4 Mon Sep 17 00:00:00 2001
From: Robin Kloppe
Date: Sun, 20 Aug 2023 16:57:27 +0200
Subject: [PATCH] Expanded minimum RSA Keylength to 3072

German Federal Office for Information Security requests in its technical guideline BSI TR-02102-1 RSA Keylength not shorter than 3000bits starting 2024, in the year 2023 3000bits as a recommendation. Gitea should request longer RSA Keys by default in favor of security and drop old clients which do not support shorter keys.
---
 custom/conf/app.example.ini | 2 +-
 docs/content/administration/config-cheat-sheet.en-us.md | 2 +-
 docs/content/administration/config-cheat-sheet.zh-cn.md | 2 +-
 modules/setting/ssh.go | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index cfaf91cddb7f2..f4ae8e75cf782 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -1339,7 +1339,7 @@ LEVEL = Info
 ;; Define allowed algorithms and their minimum key length (use -1 to disable a type)
 ;ED25519 = 256
 ;ECDSA = 256
-;RSA = 2047 ; we allow 2047 here because an otherwise valid 2048 bit RSA key can be reported as having 2047 bit length
+;RSA = 3071 ; we allow 3071 here because an otherwise valid 3072 bit RSA key can be reported as having 3071 bit length
 ;DSA = -1 ; set to 1024 to switch on
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
diff --git a/docs/content/administration/config-cheat-sheet.en-us.md b/docs/content/administration/config-cheat-sheet.en-us.md
index 71ae4f2e30bd2..eaa19d2d397f2 100644
--- a/docs/content/administration/config-cheat-sheet.en-us.md
+++ b/docs/content/administration/config-cheat-sheet.en-us.md
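Review bot: Raising the floor to 3071 means a 2048-bit RSA key a user tries to register after the upgrade is presumably rejected by the minimum-size check, and nothing on the new RSA line tells an administrator how to keep the previous behaviour during a transition. Extend the comment on that line, e.g. `;RSA = 3071 ; we allow 3071 here because an otherwise valid 3072 bit RSA key can be reported as having 3071 bit length; set to 2047 to keep accepting 2048 bit keys`. The off-by-one justification itself carries over correctly from the old 2047 comment, since the same one-bit reporting quirk applies to 3072-bit keys.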
@@ -681,7 +681,7 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type
 
 - `ED25519`: **256**
 - `ECDSA`: **256**
-- `RSA`: **2047**: We set 2047 here because an otherwise valid 2048 RSA key can be reported as 2047 length.
+- `RSA`: **3071**: We set 3071 here because an otherwise valid 3072 RSA key can be reported as 3071 length.
 - `DSA`: **-1**: DSA is now disabled by default. Set to **1024** to re-enable but ensure you may need to reconfigure your SSHD provider
 
 ## Webhook (`webhook`)
diff --git a/docs/content/administration/config-cheat-sheet.zh-cn.md b/docs/content/administration/config-cheat-sheet.zh-cn.md
index 87e45aa6934d0..39121908c21a2 100644
--- a/docs/content/administration/config-cheat-sheet.zh-cn.md
+++ b/docs/content/administration/config-cheat-sheet.zh-cn.md
@@ -648,7 +648,7 @@ Gitea 创建以下非唯一队列:
 
 - `ED25519`:**256**
 - `ECDSA`:**256**
-- `RSA`:**2047**:我们在这里设置为2047,因为一个其他方面有效的2048 RSA密钥可能被报告为2047长度。
+- `RSA`:**3071**:我们在这里设置为2047,因为一个其他方面有效的3072 RSA密钥可能被报告为3071长度。
 - `DSA`:**-1**:默认情况下禁用DSA。设置为**1024**以重新启用,但请注意可能需要重新配置您的SSHD提供者
 
 ## Webhook (`webhook`)
diff --git a/modules/setting/ssh.go b/modules/setting/ssh.go
index bbb7f5ab6cdad..ea387e521fad5 100644
--- a/modules/setting/ssh.go
+++ b/modules/setting/ssh.go
@@ -60,7 +60,7 @@ var SSH = struct {
 ServerMACs: []string{"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"},
 KeygenPath: "",
 MinimumKeySizeCheck: true,
-MinimumKeySizes: map[string]int{"ed25519": 256, "ed25519-sk": 256, "ecdsa": 256, "ecdsa-sk": 256, "rsa": 2047},
+MinimumKeySizes: map[string]int{"ed25519": 256, "ed25519-sk": 256, "ecdsa": 256, "ecdsa-sk": 256, "rsa": 3071},
 ServerHostKeys: []string{"ssh/gitea.rsa", "ssh/gogs.rsa"},
 AuthorizedKeysCommandTemplate: "{{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}",
 PerWriteTimeout: PerWriteTimeout,
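Review bot: The 3071 on the `"rsa"` entry of `MinimumKeySizes` is the value that actually applies at runtime (the matching ini line is commented out), yet the reason for the odd number lives only in that ini comment, so the next reader is likely to "correct" it to 3072; add a comment on the line before `MinimumKeySizes`, e.g. `// rsa: 3071 rather than 3072 because an otherwise valid 3072 bit key can be reported as 3071 bits (BSI TR-02102-1 asks for at least 3000 bits).` The two cheat-sheet hunks in this commit have to stay in step with this map and the zh-cn one does not: its new line still says 设置为2047 while quoting 3071 and 3072 elsewhere. As far as this hunk shows, deployments whose users hold 2048-bit keys will start failing the minimum-size check for new key uploads once `MinimumKeySizeCheck` is true, so the change deserves a breaking-change entry in the release notes and a pointer to the `RSA = 2047` override. The enclosing `var SSH = struct {` literal starts before and ends after the hunk.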