[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: reset ssh keys, even if only a public key in fedora?



On Tue, 2008-08-19 at 11:32 -0400, Simo Sorce wrote:
> On Tue, 2008-08-19 at 16:04 +0200, Patrice Dumas wrote:
> > Hello,
> > 
> > I just received the reset password mail, and it asks me to reset my ssh 
> > key by doing ssh-keygen. However, if I recall well I only uploaded my 
> > public key to the fedora server. Why would I want to reset my key pair?
> > 
> > Maybe I am not one of the users who should reset their key, but I am
> > almost sure that I sent the public key to the fedora server, and it
> > seems to me that it is used for cvs access. So it is unclear if
> > I 'do not use a SSH key in the Fedora Account System'.
> > 
> > Am I missing something? Can anybody clarify?
> 
> DSA keys can be compromised if the server you connect to is compromised.
> See discussions about the recent openssl debacle for debian.

This is wrong. Your DSA private key is compromised if you used it for
signing on a client with broken RNG. The server just verifies a
signature so it cannot compromise the private key this way.

> If your key is an RSA one, to date it seem you shouldn't have problems
> even if a peer server is compromised as long as your private key was not
> directly exposed.

Yes, secrecy of the private key in RSA signature generation doesn't
depend on good RNG. (It of course depends on other things but good RNG
is not required.)

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]