SSH DSA logins on crank.
david at lang.hm
david at lang.hm
Wed May 21 13:47:57 EDT 2008
On Wed, 21 May 2008, Chris Ball wrote:
> Hi,
>
> > So DSA is a no-go from now until the end of time?
>
> I'm open to debate on that, though many systems have made that decision;
> debian.org and freedesktop.org are no longer allowing DSA logins, for
> example. (I'm curious to hear reasons for wanting to use DSA keys,
> now that the RSA patents have expired.)
one reason would be that DSA is more secure then RSA. If you have a copy
of the secret key from one end of the conversation and they are using RSA
you can decrypt the communication, with DSA you cannot do so. There are
several products on the market that take advantage of this fact and have
you load your keys on a seperate box that then intercepts the
communication to your webservers and decrypts the traffic (either inline
or from a tap). With these products you have to configure your webservers
to refuse DSA and only do RSA becouse with DSA they cannot decrypt the
traffic.
David Lang
> > By the way, will remaining and new RSA keys be tested for bad
> > randomness?
>
> Yes. We have the openssh-blacklist package installed, which contains
> keyhashes of all possible weak keys and disallows logins using them.
>
> - Chris.
>
More information about the Devel
mailing list