Issue #4222 open

No support for ECDSA keys (BB-12110)

Kent Fredric
created an issue

My current version of OpenSSH: OpenSSH_6.0p1-hpn13v11, OpenSSL 1.0.1c 10 May 2012

And generating a key with

{{{ ssh-keygen -t ecdsa -b 521 }}}

Generates a public key with the following leading:

{{{ ecdsa-sha2-nistp521 }}}

However, the site's public key submission field rejects my public key regardless of what I do.
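As an added example (not Bitbucket's code and not part of the original report): a structural check that a key submission form could apply to an `ecdsa-sha2-*` public key line, following the RFC 5656 blob layout of key type, curve identifier and public point. The function names and the sample key are constructed for illustration; the check covers encoding only and does not verify that the point lies on the curve.

```python
import base64
import struct

# Curve identifier -> length of an uncompressed point (0x04 || X || Y), per RFC 5656.
ECDSA_CURVES = {"nistp256": 65, "nistp384": 97, "nistp521": 133}

def _read_string(blob, offset):
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[start:end], end

def check_ecdsa_pubkey(line):
    """Return the curve name if `line` is a structurally valid ECDSA key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, prefix = parts[0], "ecdsa-sha2-"
    curve = key_type[len(prefix):]
    if not key_type.startswith(prefix) or curve not in ECDSA_CURVES:
        raise ValueError("unsupported key type: " + key_type)
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    inner_type, off = _read_string(blob, 0)
    inner_curve, off = _read_string(blob, off)
    point, off = _read_string(blob, off)
    # The text prefix is attacker-supplied; the blob must agree with it.
    if inner_type != key_type.encode() or inner_curve != curve.encode():
        raise ValueError("blob does not match the declared key type")
    if off != len(blob):
        raise ValueError("trailing bytes after public point")
    # Encoding check only: this does not prove the point is on the curve.
    if len(point) != ECDSA_CURVES[curve] or point[0] != 0x04:
        raise ValueError("malformed uncompressed point")
    return curve

def make_sample_line(curve="nistp521"):
    """Constructed sample: correct layout, filler coordinates (not a real key)."""
    pack = lambda b: struct.pack(">I", len(b)) + b
    name = b"ecdsa-sha2-" + curve.encode()
    point = b"\x04" + bytes(range(1, ECDSA_CURVES[curve]))
    blob = pack(name) + pack(curve.encode()) + pack(point)
    return name.decode() + " " + base64.b64encode(blob).decode() + " sample@example"
```
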

Comments (27)

  1. Kent Fredric reporter

    Could it be a feature request for some future time?

    I understand it's probably not viable, nor a priority to support "right now", but assuming one day you upgrade your toolchain to an openssl/ssh system that does support ecdsa, it seems relatively straightforward to drop in support for it, and it would be a "nice to have" imo.

    Granted, I haven't looked at the code, and the inverse-Occam's razor always applies to IT in that it's always more complicated than you think. =).

  2. Winston Weinert

    This would be nice. I was also disappointed to see the web interface rejected my ECDSA key.

    Fwiw BB's sshd (OpenSSH 5.3) doesn't support ECDSA. I'm at a loss as to why this is a "wontfix" issue.

  3. Berk Demir

    Maybe mark this as a feature request?

    ECDSA SSH keys are defined by RFC 5656 and since OpenSSH 5.7, it is the default key type for ssh-keygen.

    ECDSA keys are shorter than RSA and DSA keys, offering the same level of strength. A 256-bit ECDSA key is more or less equal to a 3072-bit RSA key. Computationally ECDSA is less intensive than RSA and DSA when signing but more intensive at verifying.

  4. Daniel Houck

    I also agree that this should be fixed, or at least that the "wontfix" status should be explained. It seems like it would take a relatively small amount of effort to fix and that it would provide a large benefit for this effort (even if not that large a benefit overall).

  5. Andrzej Godziuk

    Is there a chance ECDSA keys will be supported any time soon? I've phased out my RSA keys and I only need to keep one for Bitbucket which some of my clients use.

    Please, make Bitbucket support modern standards, it's 2014 and nobody uses RSA for SSH anymore.

  6. Erik van Zijst staff

    It probably shouldn't have been WONTFIX'd, as we do want to offer ECDSA keys, but this will require upgrading part of our SSH infrastructure that is not currently being worked on. I'll reopen the issue.
