SSH DSA logins on crank.
Carl-Daniel Hailfinger
c-d.hailfinger.devel.2006 at gmx.net
Fri May 23 13:17:32 EDT 2008
Hi,
On 23.05.2008 17:16, Holger Levsen wrote:
> On Wednesday 21 May 2008 16:06, Chris Ball wrote:
>
>> Yes. We have the openssh-blacklist package installed, which contains
>> keyhashes of all possible weak keys and disallows logins using them.
>>
>
> AFAIK not all possible weak keys, but only for the most popular arches and
> (definitely only) the popular key lengths.
>
Holger is right about the blacklist being a useful strict subset of all
weak keys.
The good news is that ssh_keygen only allows 1024 bit DSA keys (the man
page says: "DSA keys must be exactly 1024 bits as specified by FIPS
186-2.").
Regards,
Carl-Daniel