reset ssh keys, even if only a public key in fedora?
Tomas Mraz
tmraz at redhat.com
Tue Aug 26 07:56:34 UTC 2008
On Tue, 2008-08-19 at 11:32 -0400, Simo Sorce wrote:
> On Tue, 2008-08-19 at 16:04 +0200, Patrice Dumas wrote:
> > Hello,
> >
> > I just received the reset password mail, and it asks me to reset my ssh
> > key by doing ssh-keygen. However, if I recall well I only uploaded my
> > public key to the fedora server. Why would I want to reset my key pair?
> >
> > Maybe I am not one of the users who should reset their key, but I am
> > almost sure that I sent the public key to the fedora server, and it
> > seems to me that it is used for cvs access. So it is unclear if
> > I 'do not use a SSH key in the Fedora Account System'.
> >
> > Am I missing something? Can anybody clarify?
>
> DSA keys can be compromised if the server you connect to is compromised.
> See discussions about the recent openssl debacle for debian.
This is wrong. Your DSA private key is compromised if you used it for
signing on a client with broken RNG. The server just verifies a
signature so it cannot compromise the private key this way.
> If your key is an RSA one, to date it seem you shouldn't have problems
> even if a peer server is compromised as long as your private key was not
> directly exposed.
Yes, secrecy of the private key in RSA signature generation doesn't
depend on good RNG. (It of course depends on other things but good RNG
is not required.)
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
More information about the fedora-devel-list
mailing list