Please restore ssh-dsa (was: cvs: Permission denied (publickey).)

Stephen John Smoogen smooge at
Sun Aug 24 15:39:15 UTC 2008

2008/8/24 Axel Thimm <Axel.Thimm at>:
>> On Sat, Aug 23, 2008 at 04:37:13PM -0500, Jeffrey Ollie wrote:
>> > The primary reason is that it's nearly impossible to tell if the key
>> > was generated on a Debian system with the compromised OpenSSL
>> > versions.
> OK, I checked and it is far from impossible. After all the bug was
> that there are only 32k possible keys per arch/size/type - Debian has
> even issued blacklists for all keys of typical and some untypical
> sizes like 1024/2048/1023/2047/4096/8192 and for some sizes they even
> packaged it up, see
> If there is paranoia floating around, then why not use that blacklist
> in Fedora/RHEL as well instead of nuking all DSA keys and still
> allowing the bad RSA keys?

All RSA keys were nuked too.

> And if you are really paranoid then one can package up these
> blacklists for general use by Fedora/RHEL's openssh. I don't know if
> openssh has a blacklist-reject ability already coded in, though.

No it does not.

Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
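
The blacklist check discussed in this thread, as an added example that is not part of the original message nor of Debian's, Fedora's or OpenSSH's code: it reads `authorized_keys`-style lines, derives each key's type, size and MD5 fingerprint, and looks the fingerprint up in a per-type, per-size blacklist. The function names, the sample keys and the blacklist layout (a set of the last 20 hex digits of the fingerprint) are assumptions made for illustration.

```python
import base64, hashlib, struct

def fields(blob):
    """Split an SSH public-key blob into its length-prefixed fields."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 4:
            raise ValueError("truncated key blob")
        (n,) = struct.unpack(">I", blob[i:i + 4])
        if i + 4 + n > len(blob):
            raise ValueError("truncated key blob")
        out.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return out

def describe(line):
    """(type, bits, MD5 fingerprint hex) for a 'type base64 [comment]' line."""
    ktype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    f = fields(blob)
    if ktype not in ("ssh-rsa", "ssh-dss") or f[0] != ktype.encode():
        raise ValueError("unsupported or inconsistent key type")
    # The size is that of the RSA modulus n (field 2) or the DSA prime p (field 1).
    num = f[2] if ktype == "ssh-rsa" else f[1]
    return ktype, int.from_bytes(num, "big").bit_length(), hashlib.md5(blob).hexdigest()

def audit(lines, blacklist):
    """Return (type, bits, fingerprint) for every key found in the blacklist."""
    hits = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ktype, bits, fp = describe(line)
        # Assumption: entries are the last 20 hex digits of the MD5 fingerprint.
        if fp[-20:] in blacklist.get((ktype, bits), set()):
            hits.append((ktype, bits, fp))
    return hits

# --- constructed sample data: these are not real keys ---
def _field(b):
    return struct.pack(">I", len(b)) + b

def sample_line(n, comment):
    e = (65537).to_bytes(3, "big")
    nb = n.to_bytes(n.bit_length() // 8 + 1, "big")  # leading zero keeps n positive
    blob = _field(b"ssh-rsa") + _field(e) + _field(nb)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

WEAK = sample_line((1 << 2047) | 1, "weak@example")
OK = sample_line((1 << 2047) | 3, "ok@example")
BLACKLIST = {("ssh-rsa", 2048): {describe(WEAK)[2][-20:]}}
```

Because the lookup is keyed on type and size, a server only needs the lists for the key kinds it accepts.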
