Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora Infrastructure (http://www.linux-archive.org/fedora-infrastructure/)
-   -   Please restore ssh-dsa (was: cvs: Permission denied (publickey).) (http://www.linux-archive.org/fedora-infrastructure/147890-please-restore-ssh-dsa-cvs-permission-denied-publickey.html)

Axel Thimm 08-24-2008 08:37 AM

Please restore ssh-dsa (was: cvs: Permission denied (publickey).)
 
On Sat, Aug 23, 2008 at 04:37:13PM -0500, Jeffrey Ollie wrote:
> 2008/8/23 Axel Thimm <Axel.Thimm@atrpms.net>:
> > On Sat, Aug 23, 2008 at 04:06:07PM -0500, Jeffrey Ollie wrote:
> >> 2008/8/23 Axel Thimm <Axel.Thimm@atrpms.net>:
> >> >
> >> > I saw that some people are using CVS again, so I tried as well, but I
> >> > got:
> >> >
> >> > athimm@devel(1012):/home/.../smart/devel$ cvs up
> >> > Permission denied (publickey).
> >> > cvs [update aborted]: end of file from server (consult above messages if any)
> >> >
> >> > I have a new FAS password, all certs updated, I even checked the cvs
> >> > procedures for newbies on fpo, but I had no luck. What am I doing
> >> > wrong?
> >>
> >> Did you upload a new SSH public key?
> >
> > It won't let me:
> >
> > Error!
> >
> > The following error(s) have occured with your request:
> >
> > * ssh_key: Error - Not a valid RSA SSH key: ssh-dss ...
> >
> > Have DSA keys now been banned?
>
> Yes.
>
> > Why?
>
> The primary reason is that it's nearly impossible to tell if the key
> was generated on a Debian system with the compromised OpenSSL
> versions.

That's overreacting. What happens if Gentoo makes a similar mistake
with RSA keys, will we ban them, too? DSA is a decent technology.

> I've heard rumblings that DSA keys are weaker for other reasons, but
> I've not seen any good explanations.

Hearsay, your honour! On the contrary, I've heard that DSA gathers at
1024 bits at least as much entropy as RSA with 2048, and DSA was the
recommended "new" algorithm half a decade ago. Currently RSA and DSA
are equal up.

Please restore the possibility to use DSA. People doing so are
knowledgable enough (DSA is not the default with ssh-keygen) to have
dealt with any keys they may have created on Debian systems during the
time window their rnd gen was bad. If they haven't you won't save them
anyway.

> In any case, it's probably a good idea to regenerate your SSH keys
> every now and then, I know I had been using mine FAR too long.

There are different opinions on this as well. If you access several
dozens of systems scattered world-wide in differently administered
environments you will be glad not to have to change the keys that
often and to use only a few keys, and not one for every host.
--
Axel.Thimm at ATrpms.net
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list


All times are GMT. The time now is 02:37 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.