Date: Thu, 29 Aug 2002 09:02:59 -0500 (CDT) From: Mike Silbersack <silby@silby.com> To: Colin Percival <Colin_Percival@sfu.ca> Cc: veedee@c7.campus.utcluj.ro, <freebsd-security@FreeBSD.ORG>, <des@FreeBSD.ORG> Subject: Re: 1024 bit key considered insecure (sshd) Message-ID: <20020829084153.B52019-100000@patrocles.silby.com> In-Reply-To: <5.0.2.1.1.20020828132755.0284b2a8@popserver.sfu.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 28 Aug 2002, Colin Percival wrote: > When I brought this up earlier > (http://groups.google.com/groups?threadm=5.0.2.1.1.20020326024955.02392830%40popserver.sfu.ca) > there was a concern about breaking v1 clients using the RSAREF library. > > Colin Percival Note that the 1024 bit host key is not what people should be worrying so much about. Due to the RSAREF limitations, it could not be increased in size much (if at all), and changing host keys is really more of a security risk than sticking with existing 1024 bit ones. What this thread should be about are the 768 bit session keys, regenerated once/hour. This key is probably what a passive attacker would be attempting to break, and it should be safe to change it to 892 bits without breaking anything. If you set it to values larger than that, sshd appears to round up to 1152, which I believe is too large for RSAREF to handle. I would go ahead and make such a change to the default sshd_config, but I'm unfamiliar with the procedures relating to changes in contributed code... des, would you be willing to make such a change? Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020829084153.B52019-100000>