reset ssh keys, even if only a public key in fedora?
Simo Sorce
ssorce at redhat.com
Tue Aug 19 18:30:50 UTC 2008
On Tue, 2008-08-19 at 10:40 -0500, Jon Ciesla wrote:
> > Hi.
> >
> > On Tue, 19 Aug 2008 11:32:14 -0400, Simo Sorce wrote:
> >
> >> DSA keys can be compromised if the server you connect to is
> >> compromised. See discussions about the recent openssl debacle for
> >> debian.
> >
> > Which kind of invalidates the whole "public key" concept, doesn't it?
>
> :) Yup.
>
> > Not wanting to start a new discussion about this, but the fact that
> > (some) debian-created keys were weak (and thus crackable) wasn't the
> > servers fault, but the fault of the client that generated the key in
> > the first place (unless I'm getting something seriously wrong).
>
> Correct. It was also server keys, but that wouldn't compromise your own
> client key, just the security of the server's key. To crack the
> encryption, you still need wither the private key or a lot of time and PCU
> cycles. The debian issue simply reduced the number of CPU cycles.
As far as I know a compromised server key can make it much easier to
compromise a client key if this key is DSA.
I know no more crypto details, someone that knows them could comment
further.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the devel
mailing list