From 3ddb700f9083d818d226e0b4684242772afd6d4f Mon Sep 17 00:00:00 2001 From: moltenbit Date: Thu, 5 Mar 2026 08:28:05 +0100 Subject: [PATCH] Make RSA key size requirement optional Make RSA key size requirement optional and add an explanation. --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 41956dc..d33897e 100644 --- a/README.md +++ b/README.md @@ -518,6 +518,8 @@ SSH is a door into your server. This is especially true if you are opening ports **Note**: SSH does not like duplicate contradicting settings. For example, if you have `ChallengeResponseAuthentication no` and then `ChallengeResponseAuthentication yes`, SSH will respect the first one and ignore the second. Your `/etc/ssh/sshd_config` file may already have some of the settings/lines below. To avoid issues you will need to manually go through your `/etc/ssh/sshd_config` file and address any duplicate contradicting settings. + **Note:** If you are running OpenSSH 9.1 or later, uncomment the `RequiredRSASize 3072` line in the configuration below. This enforces a minimum RSA key size of 3072 bits and will reject smaller RSA keys during authentication. This only affects RSA keys. If you use ED25519 or ECDSA keys, you are not affected. You can check your key type and size with `ssh-keygen -l -f ~/.ssh/id_rsa`. On older OpenSSH versions, leave the line commented out as it will prevent sshd from starting. + ``` ######################################################################################################## # start settings from https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67 as of 2019-01-01
@@ -585,7 +587,7 @@ SSH is a door into your server. This is especially true if you are opening ports # OpenSSH 9.1 and later # Enforce a minimum RSA key size of 3072 bits # https://www.keylength.com/en/compare/ - RequiredRSASize 3072 + # RequiredRSASize 3072 # https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/115 HashKnownHosts yes
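Review bot: The verification command in the added README note (first hunk) checks the wrong side of the connection: `ssh-keygen -l -f ~/.ssh/id_rsa` inspects one client private key, but `RequiredRSASize` in `sshd_config` is enforced by sshd against the keys presented to the server, so the keys that matter are those in the server's `authorized_keys` files. Suggest pointing readers there instead, e.g. `ssh-keygen -l -f ~/.ssh/authorized_keys`, which prints the type and bit length of every key in the file, so any RSA key under 3072 bits can be found and replaced before the directive is enabled and someone is locked out. Two smaller points on the same paragraph: state how to find the installed version (`ssh -V`), since the whole instruction hinges on "9.1 or later", and recommend `sshd -t` after editing, which reports an unrecognised option on older versions without taking the running daemon down. The existing note is formatted `**Note**:` and the new one `**Note:**`; pick one.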
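Review bot: In the second hunk the directive is commented out but the two comment lines above it (`# OpenSSH 9.1 and later`, `# Enforce a minimum RSA key size of 3072 bits`) still read as if the setting were active, so anyone copying this block gets no 3072-bit floor unless they also remember the note some seventy lines earlier. Suggest documenting the trade-off at the point of use, e.g. `# Disabled by default: older sshd rejects unknown options. Uncomment on OpenSSH 9.1+ to enforce a 3072-bit RSA minimum.` It is also worth stating, here or in the note, that leaving the line commented means a 9.1+ sshd falls back to OpenSSH's own lower built-in minimum, so the block is weaker than the keylength.com reference it still cites until the line is enabled.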