https://bugzilla.mindrot.org/show_bug.cgi?id=3975

            Bug ID: 3975
           Summary: ssh-keygen.1 documents the -a KDF rounds default as
                    16, but sshkey.c defines DEFAULT_ROUNDS as 24
           Product: Portable OpenSSH
           Version: 10.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: ssh-keygen
          Assignee: [email protected]
          Reporter: [email protected]

Version:
OpenSSH portable 10.4p1 (on Debian, source via `apt source
openssh-client`).
openssh-portable master also shows DEFAULT_ROUNDS 24 as of 2026-07-06:
https://github.com/openssh/openssh-portable/blob/c10e04980300eab089f71aaada8b28fd878ee729/ssh-keygen.1#L292
https://github.com/openssh/openssh-portable/blob/c10e04980300eab089f71aaada8b28fd878ee729/sshkey.c#L75

Description:
ssh-keygen.1 states that the -a default is 16 rounds, but sshkey.c
defines
DEFAULT_ROUNDS as 24.

Both facts below come from the same 10.4p1 source tree. I wrote a small
script:
```bash
#!/bin/bash
set -euo pipefail
tmpdir=$(mktemp -d)
cleanup() { rm -rf "$tmpdir"; }
trap cleanup EXIT
cd "$tmpdir"
apt source openssh-client
cd openssh-*/
grep -nHE 'default is [0-9]+ rounds' ssh-keygen.1
grep -nHE '^#define\s+DEFAULT_ROUNDS\s+[0-9]+' *.c
```
Output on Debian:
```text
ssh-keygen.1:288:The default is 16 rounds.
sshkey.c:75:#define     DEFAULT_ROUNDS          24
```
So a key generated with a passphrase and no explicit -a is encrypted
at 24 rounds (sshkey_private_to_blob2 substitutes DEFAULT_ROUNDS when
the
caller passes none), while ssh-keygen.1 tells the user it is 16.

Proposed fix:
Update "The default is 16 rounds." in ssh-keygen.1 to 24.

Proposed diff (against openssh-portable master):
```diff
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 33f78fe39..23c87bc86 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -289,7 +289,7 @@ When saving a private key, this option specifies
the number of KDF
 rounds used.
 Higher numbers result in slower passphrase verification and increased
 resistance to brute-force password cracking (should the keys be
stolen).
-The default is 16 rounds.
+The default is 24 rounds.
 .It Fl B
 Show the bubblebabble digest of specified private or public key file.
 .It Fl b Ar bits
```

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

Reply via email to