Date: Tue, 26 Mar 2002 18:26:14 -0600 (CST) From: Mike Silbersack <silby@silby.com> To: "Karsten W. Rohrbach" <karsten@rohrbach.de> Cc: Colin Percival <colin.percival@wadham.ox.ac.uk>, <freebsd-security@freebsd.org> Subject: Re: It's time for those 2048-, 3072-, and 4096-bit keys? Message-ID: <20020326182003.F15545-100000@patrocles.silby.com> In-Reply-To: <20020326185714.F22539@mail.webmonster.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 26 Mar 2002, Karsten W. Rohrbach wrote: > Mike Silbersack(silby@silby.com)@2002.03.26 03:47:49 +0000: > > > > Versions of ssh which use RSAREF (those compiled before the patent ended, > > basically) can't handle keys over 1024 bits in length, IIRC. Hence, you'd > > have to be very careful when bumping up the size of sshv1 keys on a system > > which may have old clients connection. > > shouldn't the v1 protocol be killed anyway? ;-) i guess in the states > you still got a lot of rsa driven clients, eh? in case of field > upgradeability of the clients, i would switch to v2 (which actually is > what i did on several public systems) and the users are very happy about > the new features (like twofish, etc) that it gives them. > > /k Yes, upgrading clients to v2 would be best. However, I don't think that locking out v1 users would be the best way to achieve that. The most likely result of doing so would be people falling back to telnet. I'm not too concerned about the v1 keylength, as it is obsolete. I'll look into what it would take to change the default one of these days when I have time. What does slightly concern me is the RSA usage in sshv2 which has appeared recently. Increasing the keylength for those uses seems like a good idea in the long run. However, I haven't even looked at the keylengths used in that case yet; they may already be more than long enough. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020326182003.F15545-100000>