On 2008-06-04 16:59:09 +0200, Raphael Hertzog wrote:
> non-default because ssh-keygen has generated 2048-bit keys for
> RSA by default for quite some time and the postinst doesn't
> give an explicit size when it creates the keys.
>
> openssh (1:4.2p1-1) unstable; urgency=low
> [...]
>   - Increase the default size of new RSA/DSA keys generated by ssh-keygen
>     from 1024 to 2048 bits (closes: #181162).
> [...]
>  -- Colin Watson <[EMAIL PROTECTED]>  Wed, 14 Sep 2005 15:16:14 +0100
>
> So either this key got installed/generated manually,

I didn't do anything manually concerning the keys.

> or it was generated with an old SSH version running with a bad
> libssl,

I installed the machine on 2008-01-30 (from a CD) then upgraded to sid.
The dpkg log says concerning the upgrades:

2008-01-30 23:49:03 upgrade libssl0.9.8 0.9.8c-4etch1 0.9.8g-4
2008-01-31 00:50:15 upgrade openssh-server 1:4.3p2-9 1:4.7p1-2
2008-01-31 00:50:16 upgrade openssh-client 1:4.3p2-9 1:4.7p1-2
2008-01-31 02:37:51 upgrade openssl 0.9.8c-4etch1 0.9.8g-4

1:4.3p2-9 is older than 1:4.2p1-1, so there's something strange.

> or (unlikely) the key was generated normally and you simply
> happen to have generated one of the bad ones.
>
> I don't think this bug warrants its "grave" status.

But this is very confusing and I didn't know that my RSA key was
compromised, in particular because the DSA key was regenerated.
openssh-server should do at least something to warn the user.

--
Vincent Lefèvre <[EMAIL PROTECTED]> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / Arenaire project (LIP, ENS-Lyon)
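An added example, not from this thread or from Debian's tools: a Python reimplementation of dpkg's version ordering, used to read the dpkg log lines quoted above and flag the libssl versions that fall in the bad-RNG range, and to order the two openssh-server versions mentioned in the message. The range boundaries (bad from 0.9.8c-1, fixed in 0.9.8c-4etch3 for etch and 0.9.8g-9 for sid) are my recollection of Debian's advisory for this bug, not something stated in the message, so check them against the advisory before relying on them.

```python
import re

def _order(c):
    # dpkg's order(): '~' < end-of-string or digit < letters < other characters
    return -1 if c == "~" else 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Upstream-version / revision comparison as in dpkg's verrevcmp(); s[i:i+1] is "" past the end
    i = j = 0
    while i < len(a) or j < len(b):
        while (a[i:i+1] and not a[i].isdigit()) or (b[j:j+1] and not b[j].isdigit()):
            d = _order(a[i:i+1]) - _order(b[j:j+1])
            if d: return d
            i, j = i + 1, j + 1
        while a[i:i+1] == "0": i += 1          # leading zeros are insignificant
        while b[j:j+1] == "0": j += 1
        first_diff = 0
        while a[i:i+1].isdigit() and b[j:j+1].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if a[i:i+1].isdigit(): return 1         # longer digit run is the larger number
        if b[j:j+1].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def compare_versions(v1, v2):
    # <0, 0 or >0 like `dpkg --compare-versions`: epoch, then upstream, then revision
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, revision = rest.rpartition("-")
        return int(epoch), (upstream or revision), (revision if upstream else "")
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def bad_libssl(version):
    # Bad range as I recall it from Debian's advisory (assumption, verify): 0.9.8c-1 up to the fixes 0.9.8c-4etch3 (etch) / 0.9.8g-9 (sid)
    c = compare_versions
    return c(version, "0.9.8c-1") >= 0 and (c(version, "0.9.8c-4etch3") < 0 or
            (c(version, "0.9.8d") >= 0 and c(version, "0.9.8g-9") < 0))

LOG_RE = re.compile(r"^(\S+ \S+) upgrade (\S+) (\S+) (\S+)$")
def libssl_upgrades(dpkg_log):
    # (timestamp, old, new, old_bad, new_bad) for each libssl upgrade line in a dpkg log
    return [(m[1], m[3], m[4], bad_libssl(m[3]), bad_libssl(m[4]))
            for m in map(LOG_RE.match, dpkg_log.splitlines())
            if m and m[2].startswith("libssl")]

# Constructed sample: two of the dpkg log lines quoted in the message above
SAMPLE_LOG = ("2008-01-30 23:49:03 upgrade libssl0.9.8 0.9.8c-4etch1 0.9.8g-4\n"
              "2008-01-31 00:50:15 upgrade openssh-server 1:4.3p2-9 1:4.7p1-2\n")
```

A row whose old and new versions are both flagged means every key generated on the machine between those two upgrades, including host keys created by the openssh-server postinst, came from the bad RNG and needs regenerating.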