At Nicira, we are experimenting with the idea of converting XAPI SSL keys to SSH keys. In some cases this might be convenient for giving XenServers access to remote resources without distributing a second set of keys.
OpenSSH, however, refuses to accept RSA keys shorter than 768 bits for use in authentication. So this change is necessary, to make XAPI generate keys longer than the current default of 512 bits.
Additionally, RSA says "512-bit keys no longer provide sufficient security for anything more than very short-term security needs"
(http://www.rsa.com/rsalabs/node.asp?id=2218), so this change seems like a good idea in any case.
Increasing the key length makes generating the key at installation time take a bit longer, but the difference is not significant:
on my desktop, "openssl genrsa 512" takes about 10 ms and "openssl genrsa 1024" takes about 100 ms.
Signed-off-by: Ben Pfaff <blp@nicira.com>
CN = ${CN}
@eof
-openssl genrsa > privkey.rsa
+openssl genrsa 1024 > privkey.rsa
openssl req -batch -new -x509 -key privkey.rsa -days 3650 -config config -out cert.csr
openssl dhparam 512 > dh.pem
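Review bot: The unchanged context line `openssl dhparam 512 > dh.pem` still generates 512-bit DH parameters, so after this change the RSA key is 1024 bits while the DH group stays at the size the commit message argues is too short for RSA keys. Raise it in the same patch (for example `openssl dhparam 1024 > dh.pem`) or note in the commit message why it is left alone. Separately, the `openssl req` line issues the certificate with `-days 3650`, and 1024 bits only just clears the 768-bit OpenSSH minimum cited in the message, so a larger size such as `openssl genrsa 2048` is worth considering for a key that is expected to live ten years.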