How to fix ssh host key not a multiple of 256

rrrevin

New Around Here
When using SecureCRT (version 9.2+), part of being FIPS compliant is that the SSH key of the host being connected to must be a multiple of 256. To be clear, I'm referring to the HOST key on the router itself, not the key used by the client to connect. Out of the box, the default for Merlin is not the case(?). This is the error when connecting:

The client has disconnected from the server. Reason: The server's host key failed to verify.
This problem is most likely caused by the server's host key being a bit size that is not a multiple of 256.
For information about possible solutions to this issue, please visit the following website: https://www.vandyke.com/support/possible-host-key-failure-due-to-key-size.html

How can I change the router SSH key to be a multiple of 256? I'm not familiar with dropbear at all, nor with Merlin's implementation of it.

BTW, IMHO, SecureCRT is the best damn SSH client, period. I've used them all. Version 9.2 adds RDP capabilities.
If anyone feels like testing, there is a trial version of SecureCRT available from VanDyke.
They're all multiples of 256 bits already.

DSA: 1024-bit
ECDSA: 256-bit
RSA: 2048-bit
ED25519: 256-bit
 
How can I check the sizes of the keys, and/or regenerate them to make sure?
Update: I figured out how to update the keys and force the sizes you mentioned above. Do I have to restart the router for them to take effect?

cd /jffs/.ssh
dropbearkey -t dss -f dropbear_dss_host_key -s 1024
dropbearkey -t ecdsa -f dropbear_ecdsa_host_key -s 256
dropbearkey -t ed25519 -f dropbear_ed25519_host_key -s 256
dropbearkey -t rsa -f dropbear_rsa_host_key -s 2048
The above worked and I had to restart the router for it to take effect.

Seems I have been using host keys that were fairly old, back from 2018. Looks like the default sizes from back then were not what they are today. These are the sizes of the old keys:

dropbear_dss_host_key 1024
dropbear_ecdsa_host_key 521
dropbear_ed25519_host_key 256
dropbear_rsa_host_key 1040

Hope this helps someone else..
 
It's possible that dropbear changed the default size over the years.

A simpler method to regenerate them is to simply remove the files, then either disable/enable ssh, or reboot. They will automatically be generated when SSH is started if they don't already exist.
 
...
These are the sizes of the old keys:

dropbear_dss_host_key 1024
dropbear_ecdsa_host_key 521
dropbear_ed25519_host_key 256
In both Dropbear & OpenSSH, the dss (aka "dsa") keys have a fixed size of 1024 bits. Note that as a general rule, dss keys are considered weak and no longer recommended in more secure environments.

The ed25519 keys have a fixed size of 256 bits.

Valid key sizes for ecdsa are 256, 384 & 521, so I doubt that the 521 key size was a problem for FIPS compliance.

dropbear_rsa_host_key 1040
This was the most likely cause of the error you got, so the only one that needed fixing.
 
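The thread above identifies key sizes by regenerating keys and inspecting the result. The following is an added example, not code from the thread, from Dropbear or from VanDyke, that checks the sizes directly: it parses OpenSSH-format public key lines (the `<type> <base64> [comment]` form that `dropbearkey -y -f <keyfile>` and `ssh-keygen -y -f <keyfile>` print) and reports, for each host key, its type, its size in bits and whether that size is a multiple of 256. The RSA size is taken from the bit length of the modulus, which is how a 1040-bit key shows up; the ECDSA size is fixed by the curve name, so it cannot be changed with `-s` other than by picking a different curve; Ed25519 is always 256. The key lines embedded for demonstration are constructed wire-format blobs with the right sizes, built by the `fake_rsa_line` and `fake_ecdsa_line` helpers of this example only, and are not real keys.

```python
import base64
import struct
from typing import List, Tuple

# Field size of the named curves used by ecdsa-sha2-* keys (fixed by the curve).
ECDSA_CURVE_BITS = {"nistp256": 256, "nistp384": 384, "nistp521": 521}


def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length


def host_key_bits(pubkey_line: str) -> Tuple[str, int]:
    """Return (key type, key size in bits) for an OpenSSH-format public key line.

    RSA size is the bit length of the modulus n, DSA size the bit length of p,
    ECDSA size is fixed by the curve name, Ed25519 is always 256.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    ktype, blob = fields[0], base64.b64decode(fields[1])
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != ktype:
        raise ValueError(f"type field {ktype!r} does not match blob {wire_type!r}")
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)     # public exponent e (mpint)
        n, _ = _read_string(blob, off)         # modulus n (mpint)
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":
        p, _ = _read_string(blob, off)         # prime p (mpint)
        return ktype, int.from_bytes(p, "big").bit_length()
    if ktype.startswith("ecdsa-sha2-"):
        curve, _ = _read_string(blob, off)
        try:
            return ktype, ECDSA_CURVE_BITS[curve.decode()]
        except KeyError:
            raise ValueError(f"unknown curve {curve!r}") from None
    if ktype == "ssh-ed25519":
        return ktype, 256
    raise ValueError(f"unsupported key type {ktype}")


def check_host_keys(pubkey_lines: List[str]) -> List[Tuple[str, int, bool]]:
    """For each key line return (type, bits, whether bits is a multiple of 256)."""
    out = []
    for line in pubkey_lines:
        ktype, bits = host_key_bits(line)
        out.append((ktype, bits, bits % 256 == 0))
    return out


# ---- constructed key lines for demonstration; these are NOT real keys ----
def _mpint(value: int) -> bytes:
    # One extra byte so a set top bit never makes the mpint read as negative.
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def _string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def fake_rsa_line(modulus_bits: int) -> str:
    """ssh-rsa line whose modulus has exactly modulus_bits bits (constructed, not a real key)."""
    n = (1 << (modulus_bits - 1)) | 1
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


def fake_ecdsa_line(curve: str) -> str:
    """ecdsa-sha2-<curve> line with a dummy point (constructed, not a real key)."""
    blob = (_string(f"ecdsa-sha2-{curve}".encode()) + _string(curve.encode())
            + _string(b"\x04" + b"\x00" * 64))
    return f"ecdsa-sha2-{curve} " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    sample = [fake_rsa_line(1040), fake_rsa_line(2048),
              fake_ecdsa_line("nistp521"), fake_ecdsa_line("nistp256")]
    for ktype, bits, ok in check_host_keys(sample):
        print(f"{ktype:22} {bits:5d} bits  multiple of 256: {'yes' if ok else 'NO'}")
```

To run it against a router, feed `check_host_keys` the key line that `dropbearkey -y -f /jffs/.ssh/dropbear_rsa_host_key` prints (the line starting with `ssh-rsa`); a modulus length that is not a multiple of 256 is the condition the SecureCRT message describes, and regenerating that key with `-s 2048` (or deleting it and restarting SSH, as suggested above) is the fix.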
