On Thursday 22 September 2016 08:06:34 Lars Noodén wrote:

> On 09/22/2016 02:09 PM, Gene Heskett wrote:
> > On Thursday 22 September 2016 03:44:28 Lars Noodén wrote:
> ...
> >> As far as the key choices go, DSA is considered deprecated, at
> >> least in the more recent versions:
> >>
> >>    "Support for ssh-dss, ssh-dss-cert-* host and user keys
> >>    will be run-time disabled by default"
> >>     - http://www.openssh.com/txt/release-6.9
> >>
> >> So that leaves RSA if you have old versions of the OpenSSH server
> >> to deal with.  Probably 2048 bits or more is good for a while.
> >> Otherwise, consider Ed25519.
> >
> > This I am not familiar with. Is there an explanatory url?
> Well, it was officially turned off in 7.0, just like warned above:
> http://www.openssh.com/txt/release-7.0
> and there was a bit of discussion around the net like this one:
> http://meyering.net/nuke-your-DSA-keys/
> But as far as explanations go, that's like the others I've seen to
> phase out any remaining DSA use due to weaknesses.  The articles I've
> seen are either cryptographer level (and thus beyond me) or very
> generic, but the there are multiple problems with DSA at this point.
> Ed25519 claims these benefits:
> https://ed25519.cr.yp.to/
> OpenSSH 6.5 or later will support it.  Wheezy had 6.0 (but 6.6 is in
> the backports), and Jessia has 6.7, and Stretch is getting 7.3.  The
> release notes for 6.5 just mention that it is "better" for security
> and performance.

And I am on wheezy yet, because it Just Works, so I have 6.6p1-4bpo70+1, 
presumably with a bunch of patches.  So there is no way to easily 
determine what patches have been applied. I don't see a ChangeLog in any 
of those packages. 30 lashes with a wet noodle on whoever made the call 
to leave out the ChangeLog's.  Sigh...

> Regards,
> Lars

Cheers, Gene Heskett
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

Reply via email to