Hi,

On 23/08/13 20:29, phree...@yandex.ru wrote:
>>> It has been brought to our attention that the host keys created by the
>>> default SSH daemon configuration are too weak.
>>
>> Citation needed please. According to who are DSA keys bad? OpenSSH's own
>> "make host-key" installs a DSA key (in addition to RSA and ECDSA keys).
>
> Section 2.1: 1024bit keys should be phased out by 2010
> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_PART3_key-management_Dec2009.pdf
>
> More recent revision 5.6.2: lists 1024bit DSA/RSA as weak:
> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf

That they deprecate generation of new 1024-bit DSA keys doesn't seem
enough reason for us to print dire security warnings on the console.
That's really something you should discuss with upstream. They're the
crypto experts.

-- 
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/