
Generated keys are considered "weak" by github.com #127

Closed
doherty opened this issue Oct 16, 2017 · 3 comments
Comments

doherty commented Oct 16, 2017

I generated an RSA 2048 key following the instructions at Using PIV for SSH through PKCS11, e.g.

```shell
yubico-piv-tool -s 9a -a generate -k$key --pin-policy=once --touch-policy=always --algorithm=RSA2048 -o public.pem
yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S "/[email protected]/" -i public.pem -o cert.pem
yubico-piv-tool -a import-certificate -s 9a -i cert.pem -k$key
ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -e
```

When adding this key to GitHub, it is rejected:

> Key is weak. GitHub recommends using ssh-keygen to generate a RSA key of at least 2048 bits.

The same is true if using the GUI wrapper YubiKey PIV Manager.

However, generating and importing my own, the key is accepted:

```shell
ssh-keygen -t rsa -b 2048 -C "[email protected]"
openssl rsa -in id_rsa_2 -out id_rsa_2.pem -outform pem
yubico-piv-tool -s 9a -a import-key -k$key --pin-policy=once --touch-policy=always -i id_rsa_2.pem
yubico-piv-tool -a verify-pin -a selfsign-certificate -s 9a -S '/[email protected]/' -i id_rsa_2.pub.pkcs8 -o cert.pem
yubico-piv-tool -a import-certificate -s 9a -i cert.pem -k$key
ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -e
```
doherty commented Oct 16, 2017

Is GitHub detecting keys affected by YSA-2017-01? (As a side note, how does one subscribe to Yubico's security advisory notifications, like [email protected]?)

klali commented Oct 17, 2017

Yes, blocking generation of weak keys is happening, see cd11196; thanks for reminding us about PKCS#11 though.

For notifications there is https://www.yubico.com/support/security-advisories/ but we plan to do better shortly.

klali commented Oct 17, 2017

Version 1.4.4, which blocks key generation for these keys, has been released.
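Added example, not code from this issue, from GitHub, or from yubico-piv-tool. YSA-2017-01 is Yubico's advisory for the Infineon RSA key-generation weakness (ROCA), and moduli from that generator carry a public fingerprint: for every odd prime p up to 167, N mod p lies in the subgroup generated by 65537 mod p. The script below implements that check over a one-line OpenSSH `ssh-rsa` public key, which is the format `ssh-keygen -D <pkcs11.so>` prints when `-e` is omitted (an assumption about the reader's workflow, not something the issue shows). The function names, the constructed sample modulus and the tiny textbook modulus 3233 are all made up for the example; the constructed modulus is built to satisfy the fingerprint and is not a real key.

```python
"""Flag OpenSSH ssh-rsa public keys that bear the ROCA fingerprint (YSA-2017-01)."""
import base64
import struct

GENERATOR = 65537
# Odd primes up to 167: the prime set the published ROCA fingerprint check uses.
ROCA_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
               71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
               149, 151, 157, 163, 167]


def _residue_set(p):
    """All values 65537**i mod p, i.e. the cyclic subgroup 65537 generates mod p."""
    seen = set()
    x = 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % p
    return seen


RESIDUE_SETS = {p: _residue_set(p) for p in ROCA_PRIMES}


def has_roca_fingerprint(n):
    """True when N mod p is in the 65537-subgroup for every prime in the list.

    A modulus from an unaffected generator fails this for at least one prime
    with overwhelming probability, so a positive result is a strong signal.
    """
    return all(n % p in RESIDUE_SETS[p] for p in ROCA_PRIMES)


# OpenSSH public key wire format: string "ssh-rsa", mpint e, mpint n (RFC 4253 types).
def _string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    # One extra byte when the top bit is set keeps the two's-complement value positive.
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _string(raw)


def _read_string(blob, offset):
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def encode_ssh_rsa(e, n, comment="constructed"):
    """Build a one-line 'ssh-rsa <base64> <comment>' entry (used to make test input)."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def parse_ssh_rsa(line):
    """Return (e, n) from a one-line OpenSSH ssh-rsa public key."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an OpenSSH 'ssh-rsa <base64> [comment]' line")
    blob = base64.b64decode(parts[1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob is not ssh-rsa")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    return int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")


def classify_ssh_key_line(line):
    """Report modulus size and whether the key should be treated as weak (ROCA)."""
    _e, n = parse_ssh_rsa(line)
    return {"bits": n.bit_length(), "roca_fingerprint": has_roca_fingerprint(n)}


M = 1
for _p in ROCA_PRIMES:
    M *= _p


def constructed_roca_like_modulus(bits=2048):
    """Constructed sample, not a real key: N = 65537**a mod M plus a multiple of M,
    so N mod p is a power of 65537 for every prime p dividing M."""
    residue = pow(GENERATOR, 12345, M)
    return residue + M * (1 << (bits - M.bit_length()))


if __name__ == "__main__":
    for label, n in (("constructed ROCA-like modulus", constructed_roca_like_modulus()),
                     ("textbook modulus 61*53", 3233)):
        print(label, classify_ssh_key_line(encode_ssh_rsa(GENERATOR, n)))
```

Run it against real keys by feeding each line of `ssh-keygen -D <pkcs11.so>` output to `classify_ssh_key_line`; a `roca_fingerprint` of `True` is the condition a key generated on affected firmware would trigger, and the fix is to regenerate the key off-device (as the issue's second command sequence does) or on updated firmware.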

klali closed this as completed Oct 17, 2017