[Nix-dev] SECURITY: default SSH host keys are weak

Eelco Dolstra eelco.dolstra at logicblox.com
Fri Aug 23 20:40:11 CEST 2013


Hi,

On 23/08/13 20:29, phreedom at yandex.ru wrote:

>>> It has been brought to our attention that the host keys created by the
>>> default SSH daemon configuration are too weak.
>>
>> Citation needed please.  According to who are DSA keys bad?  OpenSSH's own
>> "make host-key" installs a DSA key (in addition to RSA and ECDSA keys).
> 
> Section 2.1: 1024bit keys should be phased out by 2010
> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009.pdf
> 
> More recent revision 5.6.2: lists 1024bit DSA/RSA as weak:
> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf

That they deprecate generation of new 1024-bit DSA keys doesn't seem enough
reason for us to print dire security warnings on the console.  That's really
something you should discuss with upstream.  They're the crypto experts.

-- 
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
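The thread turns on whether a host's default keys are 1024-bit DSA/RSA, which SP 800-57 lists as weak. The following POSIX shell script is an added example, not code from the thread, NixOS or OpenSSH: it classifies each host key from the summary line `ssh-keygen -l` prints (`<bits> <fingerprint> <comment> (<TYPE>)`), flagging DSA and RSA below 2048 bits. The thresholds, the `hostkey_verdict` and `audit_hostkeys_dir` names, and the sample lines are this example's own assumptions; the fingerprints are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or NixOS): classify SSH host keys from the
# `ssh-keygen -l` summary line, which has the form
#   <bits> <fingerprint> <comment> (<TYPE>)
# flagging DSA and sub-2048-bit RSA as weak, following the SP 800-57 guidance
# cited in the thread. The thresholds are this script's own assumption.

# Print OK, WEAK or UNKNOWN for one ssh-keygen -l line. Always returns 0 so it
# can be used inside command substitution under `set -e`.
hostkey_verdict() {
  line=$1
  set -- $line                       # split on whitespace; $1 is the bit length
  bits=$1
  type=$(printf '%s\n' "$line" | sed -n 's/.*(\([A-Z0-9]*\))$/\1/p')
  case "$bits" in
    ''|*[!0-9]*) echo UNKNOWN; return 0 ;;
  esac
  case "$type" in
    DSA) echo WEAK ;;                # OpenSSH ssh-dss keys are fixed at 1024 bits
    RSA) if [ "$bits" -ge 2048 ]; then echo OK; else echo WEAK; fi ;;
    ECDSA|ED25519) echo OK ;;
    *) echo UNKNOWN ;;
  esac
  return 0
}

# Audit every host key in a directory (on a real system: /etc/ssh). Returns 1
# if any key is WEAK. Needs ssh-keygen; the samples below do not exercise it.
audit_hostkeys_dir() {
  dir=$1; weak=0
  for pub in "$dir"/ssh_host_*_key.pub; do
    [ -f "$pub" ] || continue
    summary=$(ssh-keygen -l -f "$pub" 2>/dev/null) || continue
    verdict=$(hostkey_verdict "$summary")
    printf '%-7s %s\n' "$verdict" "$summary"
    [ "$verdict" = WEAK ] && weak=1
  done
  return $weak
}

# Constructed sample lines in ssh-keygen -l format; fingerprints are placeholders.
SAMPLE_DSA='1024 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root@example (DSA)'
SAMPLE_RSA1024='1024 SHA256:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB root@example (RSA)'
SAMPLE_RSA2048='2048 SHA256:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC root@example (RSA)'
SAMPLE_ECDSA='256 SHA256:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD root@example (ECDSA)'

for s in "$SAMPLE_DSA" "$SAMPLE_RSA1024" "$SAMPLE_RSA2048" "$SAMPLE_ECDSA"; do
  printf '%-7s %s\n' "$(hostkey_verdict "$s")" "$s"
done
```

On a live system, `audit_hostkeys_dir /etc/ssh` prints one verdict per host key and exits non-zero if any is WEAK, which makes it usable from a configuration check or monitoring job. The verdict is based only on key type and size, so older OpenSSH releases that print MD5 hex fingerprints instead of `SHA256:` are handled the same way.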

