On Thursday 22 September 2016 08:06:34 Lars Noodén wrote:
> On 09/22/2016 02:09 PM, Gene Heskett wrote:
> > On Thursday 22 September 2016 03:44:28 Lars Noodén wrote:
> >> As far as the key choices go, DSA is considered deprecated, at
> >> least in the more recent versions:
> >> "Support for ssh-dss, ssh-dss-cert-* host and user keys
> >> will be run-time disabled by default"
> >> - http://www.openssh.com/txt/release-6.9
> >> So that leaves RSA if you have old versions of the OpenSSH server
> >> to deal with. Probably 2048 bits or more is good for a while.
> >> Otherwise, consider Ed25519.
> > This I am not familiar with. Is there an explanatory url?
> Well, it was officially turned off in 7.0, just like warned above:
> and there was a bit of discussion around the net like this one:
> But as far as explanations go, that's like the others I've seen to
> phase out any remaining DSA use due to weaknesses. The articles I've
> seen are either cryptographer level (and thus beyond me) or very
> generic, but there are multiple problems with DSA at this point.
> Ed25519 claims these benefits:
> OpenSSH 6.5 or later will support it. Wheezy had 6.0 (but 6.6 is in
> the backports), and Jessie has 6.7, and Stretch is getting 7.3. The
> release notes for 6.5 just mention that it is "better" for security
> and performance.
And I am on wheezy yet, because it Just Works, so I have 6.6p1-4bpo70+1,
presumably with a bunch of patches. So there is no way to easily
determine what patches have been applied. I don't see a ChangeLog in any
of those packages. 30 lashes with a wet noodle on whoever made the call
to leave out the ChangeLogs. Sigh...
Cheers, Gene Heskett
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
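The thread settles on a simple policy: no DSA (run-time disabled from OpenSSH 7.0), RSA of 2048 bits or more, Ed25519 where the server is 6.5 or later. The script below is an added example, not code from the list or from OpenSSH: it parses public-key lines in the authorized_keys / known_hosts format (type, base64 blob, comment) by decoding the SSH wire encoding from RFC 4253 itself, so it runs without ssh-keygen, and grades each key against that policy. The sample keys it builds are constructed from made-up numbers for the demonstration and are not real keys; the 2048-bit threshold and the verdict strings are this example's own choices.

```python
import base64
import struct

# Policy taken from the thread: DSA out, RSA >= 2048 bits, Ed25519 fine.
MIN_RSA_BITS = 2048  # assumption: threshold chosen for this example


def _read_string(buf, off):
    """RFC 4253 'string': 4-byte big-endian length followed by the bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + n], off + n


def _read_mpint(buf, off):
    """RFC 4253 'mpint': a string holding a two's-complement big-endian integer."""
    raw, off = _read_string(buf, off)
    return int.from_bytes(raw, "big", signed=True), off


def parse_pubkey_line(line):
    """Return (key_type, bits) for one '<type> <base64> [comment]' line.

    bits is the RSA modulus length, the DSA prime p length, or the
    Ed25519 key length; None for types this example does not know.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    blob = base64.b64decode(fields[1])
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode("ascii")
    if ktype != fields[0]:
        raise ValueError("type field %r does not match blob type %r" % (fields[0], ktype))
    if ktype == "ssh-rsa":
        _e, off = _read_mpint(blob, off)   # public exponent
        n, off = _read_mpint(blob, off)    # modulus
        return ktype, n.bit_length()
    if ktype == "ssh-dss":
        p, off = _read_mpint(blob, off)    # p, q, g, y follow; p sets the size
        return ktype, p.bit_length()
    if ktype == "ssh-ed25519":
        pk, off = _read_string(blob, off)  # 32-byte public key
        return ktype, len(pk) * 8
    return ktype, None


def assess(line):
    """Grade a key line against the thread's policy and return a verdict string."""
    ktype, bits = parse_pubkey_line(line)
    if ktype == "ssh-dss":
        return "reject: DSA (disabled by default since OpenSSH 7.0)"
    if ktype == "ssh-rsa":
        if bits < MIN_RSA_BITS:
            return "weak: RSA %d bits (< %d)" % (bits, MIN_RSA_BITS)
        return "ok: RSA %d bits" % bits
    if ktype == "ssh-ed25519":
        return "ok: Ed25519"
    return "unknown: %s" % ktype


def audit(lines):
    """Return [(comment, verdict)] for every key line, skipping blanks and '#' comments."""
    out = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        comment = line.split(None, 2)[2] if len(line.split()) > 2 else ""
        out.append((comment, assess(line)))
    return out


# --- constructed sample keys (made-up numbers, not real key material) ---

def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    # positive integers only: add a leading zero byte when the top bit is set
    if n == 0:
        return _string(b"")
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _encode_key(ktype, comment, *parts):
    blob = _string(ktype.encode("ascii"))
    for part in parts:
        blob += _mpint(part) if isinstance(part, int) else _string(part)
    return "%s %s %s" % (ktype, base64.b64encode(blob).decode("ascii"), comment)


SAMPLE_KEYS = [
    _encode_key("ssh-rsa", "rsa-2048-constructed", 65537, (1 << 2047) | 1),
    _encode_key("ssh-rsa", "rsa-1024-constructed", 65537, (1 << 1023) | 1),
    _encode_key("ssh-dss", "dsa-constructed", (1 << 1023) | 1, (1 << 159) | 1, 2, 3),
    _encode_key("ssh-ed25519", "ed25519-constructed", bytes(range(32))),
]

if __name__ == "__main__":
    for comment, verdict in audit(SAMPLE_KEYS):
        print("%-22s %s" % (comment, verdict))
```

Pointed at a real file (`audit(open("/etc/ssh/ssh_host_rsa_key.pub"))` or an authorized_keys file) it reports the same verdicts; lines that start with an options field (`from=`, `command=` and so on) are not handled here and would need the options stripped first. It inspects public keys only, which is all a server or an authorized_keys file ever holds, so nothing private is read.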