Do you support RSA 2048 Bits key in SFTP ?

+1 vote
asked Oct 31, 2016 by Nayan (200 points)

Hi,

Do you guys support RSA 2048 keys for SFTP connections? Looks like there is no place to set the key bitness, so just wondering if it's auto-detected or only RSA 1024-bit keys are supported? Many times we have a requirement to encrypt sensitive data using a 2048-bit key.

Applies to: Rebex SFTP

1 Answer

0 votes
answered Oct 31, 2016 by Lukas Pokorny (94,710 points)
edited Dec 20, 2016 by Lukas Pokorny

We support ssh-rsa and ssh-rsa-sha256@ssh.com host key ciphers, and both of these support RSA keys of any size - it's up to the server maintainers which key size they choose when generating the key (most servers are kept with default settings, which are usually reasonable unless the server software is outdated).

Since Rebex SFTP 2016 R3, you can easily specify minimum allowed RSA key size. To only allow 2048-bit RSA keys, do this:

client.Settings.SshParameters.MinimumRsaHostKeySize = 2048;

Alternatively, check the key size yourself after Sftp object's Connect method has succeeded, but before calling the Login method:

int keySize = client.ServerKey.KeySize;

However, I have to stress that checking the key size alone is useless - anyone can generate a 2048-bit RSA key (or longer). SFTP/SSH clients must always make sure to check the actual server key as well. (Checking its fingerprint at first connect and keeping the key at the client for subsequent connections is sufficient in most scenarios).


Note: RFC 4432 defined rsa1024-sha1 and rsa2048-sha256 ciphers, which define slightly modified RSA host key ciphers with a minimum key size of 1024 or 2048 bits. However, most SSH servers either don't support these at all, or don't enable them by default. If your SFTP/SSH server supports rsa2048-sha256 and you would like to add support for it, please let us know - we would gladly add it.
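The answer's two points combined (a minimum RSA size plus pinning the actual server key on first connect, both checked between Connect and Login), as an added example that is not part of the original answer or Rebex's own samples. It assumes client.ServerKey.Fingerprint exists and that its ToString() gives a stable text form; the one-line-per-host known_hosts.txt format and the host name are constructed for this example.

```csharp
using System;
using System.IO;
using System.Linq;
using Rebex.Net;

static class PinnedSftp
{
    // Accept the server key only if (a) it is at least minBits long and
    // (b) its fingerprint matches the one pinned for this host, or no entry
    // exists yet and the key is pinned now (trust on first use).
    // Pure logic, so it can be unit-tested without a server.
    public static bool VerifyServerKey(string host, string fingerprint, int keySize,
                                       string knownHostsPath, int minBits)
    {
        if (keySize < minBits) return false;           // size alone is never enough...
        string[] lines = File.Exists(knownHostsPath)
            ? File.ReadAllLines(knownHostsPath) : new string[0];
        string[] entry = lines.Select(l => l.Split(' '))
                              .FirstOrDefault(p => p.Length == 2 && p[0] == host);
        if (entry == null)
        {
            // First connect: record "host fingerprint" (constructed file format).
            File.AppendAllText(knownHostsPath, host + " " + fingerprint + Environment.NewLine);
            return true;
        }
        return entry[1] == fingerprint;                // ...the key itself must match
    }

    static void Main()
    {
        const string host = "sftp.example.com";        // placeholder host
        var client = new Sftp();
        client.Settings.SshParameters.MinimumRsaHostKeySize = 2048; // setting from the answer
        client.Connect(host);                          // key exchange only, no credentials yet
        string fp = client.ServerKey.Fingerprint.ToString(); // assumed property/format
        if (!VerifyServerKey(host, fp, client.ServerKey.KeySize, "known_hosts.txt", 2048))
        {
            client.Disconnect();                       // never send a password to an unverified host
            throw new InvalidOperationException("Server key rejected: " + fp);
        }
        client.Login("user", "password");              // placeholder credentials
        client.Disconnect();
    }
}
```

A changed fingerprint for a host that is already pinned makes VerifyServerKey return false, so the client disconnects before Login rather than silently re-pinning.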

...