Please restore ssh-dsa (was: cvs: Permission denied (publickey).)

Axel Thimm Axel.Thimm at
Sun Aug 24 13:36:56 UTC 2008

> On Sat, Aug 23, 2008 at 04:37:13PM -0500, Jeffrey Ollie wrote:
> > The primary reason is that it's nearly impossible to tell if the key
> > was generated on a Debian system with the compromised OpenSSL
> > versions.

OK, I checked and it is far from impossible. After all the bug was
that there are only 32k possible keys per arch/size/type - Debian has
even issued blacklists for all keys of typical und some untypical
sizes like 1024/2048/1023/2047/4096/8192 and for some sizes they even
packaged it up, see

If there is paranoia floating around, then why not use that blacklist
in Fedora/RHEL as well instead of nuking all DSA keys and still
allowing the bad RSA keys?

And if your are really paranoic then one can package up these
blacklists for general use by Fedora/RHEL's openssh. I don't know if
openssh has a blacklist-reject ability already coded in, though.
Axel.Thimm at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <>

More information about the Fedora-infrastructure-list mailing list