Re: Accepted openssh-blacklist 0.3 (source all)
On Wed, May 21, 2008 at 05:42:43AM -0400, Simon Valiquette wrote:
> Kees Cook un jour écrivit:
>> On Wed, May 21, 2008 at 07:07:34AM +0200, Vincent Bernat wrote:
>> I could be mistaken, but prior to openssl breaking, ssh-keygen stopped
>> allowing dsa 2048 keys, which means there wasn't a way to generate bad
> It didn't before. At least not directly from ssh-keygen.
> It is so because It won't be standard compliant (the standard specify
> that DSA must be 1024 bits). I don't know if OpenSSH will accept longer
> keylength (some implementation will certainly refuse It).
> Personnally, in situation when I really care, I like to simply disable
> DSA from sshd_config and remove the shorter key from /etc/ssh/
Sure, I think that's the best overall solution. :)
>> $ ssh-keygen -t dsa -b 2048
>> DSA keys must be 1024 bits
> I think It is possible to generate them with openssl.
> It is normaly used to generate X.509 certficates, but I think you can
> also get It to generate keys in the proper format for SSH. In any case,
> It can generate 2048 DSA keys or even longer ones if needed.
Right, of course. However, due to their different paths to generate
keys, ssh-keygen and openssl generate different keys for the same pid,
type, size, arch. So, for the case of openssh-blacklist, there's no
such thing as a "bad" DSA-2048 ssh key. (Certainly there are bad
openssl DSA-2048 keys, but they are different.)
Kees Cook @outflux.net