FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Infrastructure

 
 
LinkBack Thread Tools
 
Old 08-23-2008, 09:32 PM
Axel Thimm
 
Default cvs: Permission denied (publickey).

On Sat, Aug 23, 2008 at 04:06:07PM -0500, Jeffrey Ollie wrote:
> 2008/8/23 Axel Thimm <Axel.Thimm@atrpms.net>:
> >
> > I saw that some people are using CVS again, so I tried as well, but I
> > got:
> >
> > athimm@devel(1012):/home/.../smart/devel$ cvs up
> > Permission denied (publickey).
> > cvs [update aborted]: end of file from server (consult above messages if any)
> >
> > I have a new FAS password, all certs updated, I even checked the cvs
> > procedures for newbies on fpo, but I had no luck. What am I doing
> > wrong?
>
> Did you upload a new SSH public key?

It won't let me:

Error!

The following error(s) have occured with your request:

* ssh_key: Error - Not a valid RSA SSH key: ssh-dss ...

Have DSA keys now been banned? Why?
--
Axel.Thimm at ATrpms.net
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
Old 08-23-2008, 09:37 PM
"Jeffrey Ollie"
 
Default cvs: Permission denied (publickey).

2008/8/23 Axel Thimm <Axel.Thimm@atrpms.net>:
> On Sat, Aug 23, 2008 at 04:06:07PM -0500, Jeffrey Ollie wrote:
>> 2008/8/23 Axel Thimm <Axel.Thimm@atrpms.net>:
>> >
>> > I saw that some people are using CVS again, so I tried as well, but I
>> > got:
>> >
>> > athimm@devel(1012):/home/.../smart/devel$ cvs up
>> > Permission denied (publickey).
>> > cvs [update aborted]: end of file from server (consult above messages if any)
>> >
>> > I have a new FAS password, all certs updated, I even checked the cvs
>> > procedures for newbies on fpo, but I had no luck. What am I doing
>> > wrong?
>>
>> Did you upload a new SSH public key?
>
> It won't let me:
>
> Error!
>
> The following error(s) have occured with your request:
>
> * ssh_key: Error - Not a valid RSA SSH key: ssh-dss ...
>
> Have DSA keys now been banned?

Yes.

> Why?

The primary reason is that it's nearly impossible to tell if the key
was generated on a Debian system with the compromised OpenSSL
versions. I've heard rumblings that DSA keys are weaker for other
reasons, but I've not seen any good explanations.

In any case, it's probably a good idea to regenerate your SSH keys
every now and then, I know I had been using mine FAR too long.

--
Jeff Ollie

"You know, I used to think it was awful that life was so unfair. Then
I thought, wouldn't it be much worse if life were fair, and all the
terrible things that happen to us come because we actually deserve
them? So, now I take great comfort in the general hostility and
unfairness of the universe."

-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
Old 08-23-2008, 11:09 PM
"Stephen John Smoogen"
 
Default cvs: Permission denied (publickey).

On Sat, Aug 23, 2008 at 3:37 PM, Jeffrey Ollie <jeff@ocjtech.us> wrote:
> 2008/8/23 Axel Thimm <Axel.Thimm@atrpms.net>:
>> On Sat, Aug 23, 2008 at 04:06:07PM -0500, Jeffrey Ollie wrote:
>>> 2008/8/23 Axel Thimm <Axel.Thimm@atrpms.net>:
>>> >
>>> > I saw that some people are using CVS again, so I tried as well, but I
>>> > got:
>>> >
>>> > athimm@devel(1012):/home/.../smart/devel$ cvs up
>>> > Permission denied (publickey).
>>> > cvs [update aborted]: end of file from server (consult above messages if any)
>>> >
>>> > I have a new FAS password, all certs updated, I even checked the cvs
>>> > procedures for newbies on fpo, but I had no luck. What am I doing
>>> > wrong?
>>>
>>> Did you upload a new SSH public key?
>>
>> It won't let me:
>>
>> Error!
>>
>> The following error(s) have occured with your request:
>>
>> * ssh_key: Error - Not a valid RSA SSH key: ssh-dss ...
>>
>> Have DSA keys now been banned?
>
> Yes.
>
>> Why?
>
> The primary reason is that it's nearly impossible to tell if the key
> was generated on a Debian system with the compromised OpenSSL
> versions. I've heard rumblings that DSA keys are weaker for other
> reasons, but I've not seen any good explanations.
>

There are several mathematical weaknesses in DSA keys that were
outlined during the OpenSSL problems. I believe the main one is that
the DSA signature can give away the private key.





--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
Old 08-24-2008, 12:21 AM
"Jeffrey Ollie"
 
Default cvs: Permission denied (publickey).

On Sat, Aug 23, 2008 at 6:09 PM, Stephen John Smoogen <smooge@gmail.com> wrote:
>
> There are several mathematical weaknesses in DSA keys that were
> outlined during the OpenSSL problems. I believe the main one is that
> the DSA signature can give away the private key.

I've heard that too, but I haven't found papers or anything that
discusses the matter in more detail. Anyone have any pointers?

--
Jeff Ollie

"You know, I used to think it was awful that life was so unfair. Then
I thought, wouldn't it be much worse if life were fair, and all the
terrible things that happen to us come because we actually deserve
them? So, now I take great comfort in the general hostility and
unfairness of the universe."

-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 
Old 08-24-2008, 11:20 AM
Till Maas
 
Default cvs: Permission denied (publickey).

On Sat August 23 2008, Jeffrey Ollie wrote:
> 2008/8/23 Axel Thimm <Axel.Thimm@atrpms.net>:

> > Have DSA keys now been banned?
>
> Yes.
>
> > Why?
>
> The primary reason is that it's nearly impossible to tell if the key
> was generated on a Debian system with the compromised OpenSSL

This is also true for RSA keys.

> versions. I've heard rumblings that DSA keys are weaker for other
> reasons, but I've not seen any good explanations.

| In addition, any DSA key must be considered compromised if it has been used
| on a machine with a 'bad' OpenSSL. Simply using a 'strong' DSA key (i.e.,
| generated with a 'good' OpenSSL) to make a connection from such a machine
| may have compromised it. This is due to an 'attack' on DSA that allows the
| secret key to be found if the nonce used in the signature is known or
| reused.
http://wiki.debian.org/SSLkeys#head-d841ac769390d013577ce3fd2be24b8cf5a74cfb

If you look at the descriptions of the dsa signing algorithm, e.g. in the
handbook of applied cryptography[1], you notice, that there is a random
parameter that is meant to kept secret.


Regards,
Till

[1] http://www.cacr.math.uwaterloo.ca/hac/about/chap11.pdf
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
 

Thread Tools




All times are GMT. The time now is 07:54 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org