Colin Percival
> Is there any other reason for not changing the default key size?
>
> Colin Percival
Versions of ssh which use RSAREF (those compiled before the patent ended,
basically) can't handle keys over 1024 bits in length, IIRC. Hence, you'd
have to be very careful when bumping up the size of sshv1 keys on a system
which may have old clients connecting.
However, I think it _would_ be safe to bump up the sshv1 session key from
768 to the largest possible key < 1024 bits in the default options. (I
would say 1024 bits, but I believe that there's also some stipulation that
host key length != session key length.)
Mike "Silby" Silbersack
> However, I think it _would_ be safe to bump up the sshv1 session key
> from 768 to the largest possible key < 1024 bits in the default
> options. (I would say 1024 bits, but I believe that there's also some
> stipulation that host key length != session key length.)
This is correct - a 1024-bit hostkey causes session keys to be 1152 bits
which will break rsaref-based clients. An 896-bit hostkey yields the
desired 1024-bit session keys.
Of course rsaref is old, buggy, copyright-encumbered, and ought not be
used anymore under any circumstances.
-Jason
-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
-- Mike Godwin
On a system where security is of any concern whatsoever, why would telnet
be available in the first place?
--
Beware! To touch these wires is instant death. Anyone found doing so
will be prosecuted. -Sign at a railroad station
> Some systems (like the SparcStation 5 that serves DNS, DHCP and NTP
> requests from my home network) are too slow for the algorithms used by
> ssh2.
It's perfectly acceptable on our IPX. The session takes a few seconds
to start, and the keys took a long time to generate, but once
authenticated there does not seem to be much difference to me. (In
fact, `cat /etc/termcap' takes consistently twice as long using v1 as
v2.)
-GAWollman
Well, for one, the fact that you can't copy from one remote host to
another.
DES
--
Dag-Erling Smorgrav - d...@ofug.org
interesting. i observe a similar behaviour on my router (intel pentium
60, 4.4-stable 12/6/2001, ssh 2.0 20011202, protocol v2).
generation of the server key takes ages (~3+ minutes)...
regards,
/k
--
> The idea that Bill Gates has appeared like a knight in shining armour
> to lead all customers out of a mire of technological chaos neatly ignores
> the fact that it was he who, by peddling second-rate technology, led them
> into it in the first place. --Douglas Adams in Guardian, August 25, 1995
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
Correct. Remember though that the original post was that the scp man page is
not clear enough. I just tried to show that it is quite clear and
correct. Setting the keys correctly is another matter, but my opinion is
that it is quite clear too for people who read documentation carefully.
Also, the first person in the quote above doesn't claim that the copy has
to be over the middle machine. But again, you correctly pointed out that if
these two machines do not allow direct connection to each other then the
copying wouldn't work. I don't think the scp man page wanted to imply that
it would.
--
Zvezdan Petkovic <zve...@cs.wm.edu>
http://www.cs.wm.edu/~zvezdan/