On Thursday 22 September 2016 08:06:34 Lars Noodén wrote: > On 09/22/2016 02:09 PM, Gene Heskett wrote: > > On Thursday 22 September 2016 03:44:28 Lars Noodén wrote: > > ... > > >> As far as the key choices go, DSA is considered deprecated, at > >> least in the more recent versions: > >> > >> "Support for ssh-dss, ssh-dss-cert-* host and user keys > >> will be run-time disabled by default" > >> - http://www.openssh.com/txt/release-6.9 > >> > >> So that leaves RSA if you have old versions of the OpenSSH server > >> to deal with. Probably 2048 bits or more is good for a while. > >> Otherwise, consider Ed25519. > > > > This I am not familiar with. Is there an explanatory url? > > Well, it was officially turned off in 7.0, just like warned above: > > http://www.openssh.com/txt/release-7.0 > > and there was a bit of discussion around the net like this one: > > http://meyering.net/nuke-your-DSA-keys/ > > But as far as explanations go, that's like the others I've seen to > phase out any remaining DSA use due to weaknesses. The articles I've > seen are either cryptographer level (and thus beyond me) or very > generic, but the there are multiple problems with DSA at this point. > > Ed25519 claims these benefits: > > https://ed25519.cr.yp.to/ > > OpenSSH 6.5 or later will support it. Wheezy had 6.0 (but 6.6 is in > the backports), and Jessia has 6.7, and Stretch is getting 7.3. The > release notes for 6.5 just mention that it is "better" for security > and performance.
And I am on wheezy yet, because it Just Works, so I have 6.6p1-4bpo70+1, presumably with a bunch of patches. So there is no way to easily determine what patches have been applied. I don't see a ChangeLog in any of those packages. 30 lashes with a wet noodle on whoever made the call to leave out the ChangeLog's. Sigh... > Regards, > Lars Cheers, Gene Heskett -- "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) Genes Web page <http://geneslinuxbox.net:6309/gene>