Codeberg/Community

ssh: 2048-bit RSA key rejected #1990

Closed
opened 2025-06-17 00:06:39 +02:00 by jch · 5 comments

Comment

Hi,

I just tried to send a patch to a project on Codeberg. Apparently I need to do a pull request, the process is a little more involved than I'd like (why can't I just use git send-email), but fine, I forked the project, and pointed a git remote at the fork.

I then tried to authorise my ssh key. Codeberg replied:

> Cannot verify your SSH key: key length is not enough: got 2048, needs 3071

I'm just as paranoid as the next guy, but, as far as I know, cracking a 2048-bit key is not feasible with current technology. So now I'm back to using passwords (over HTTPS), which is a less secure alternative.

Please allow 2048-bit ssh RSA keys.



It's not that easy to revert this change, the reasoning for it is given at https://codeberg.org/forgejo/forgejo/issues/4586#issuecomment-2107226.

My private SSH key is also stored on a hardware device. This is the only thing that keeps me from migrating to Codeberg. When I was just about to start the migration again today, I remembered that I tried this a few weeks ago and failed at exactly this point.

One commit in the Forgejo ticket says it is just a setting for the server: forgejo/forgejo#4586 (comment)


I am also of the opinion that this is rather annoying, and it keeps me from migrating.
My SSH key is on a hardware device and I can not easily get the key size bigger.

I do not think that this has a meaningful security benefit, as this will just cause me to use HTTP-auth when needing to use Codeberg and will otherwise just keep me on GitHub, where they accept my SSH-key.

According to https://forgejo.org/docs/latest/admin/config-cheat-sheet/#ssh-minimum-key-sizes-sshminimum_key_sizes this seems to be a configuration option

Author

> I do not think that this has a meaningful security benefit,

Oh, it's definitely security theatre. The NSA agent who asks his boss for 68 billion years of CPU time so he can crack my RSA-2048 key is most probably going to end up with a compulsory psychiatric evaluation.


Hi, we briefly discussed this again internally and 2048-bit RSA keys are no longer rejected.
