Re: Legacy option for key length?

David Newall wrote:
> I think a very good question which needs to be asked is, what value does disallowing shorter keys bring over severely deprecating them (i.e. allowing them by use of a command argument on a per-session basis)? I cannot see a single benefit; it won't stop use of shorter keys, it will just stop use of the latest openssh.
At what point is the security hole so great that "deprecation" is no longer acceptable? I can point out 20+ year old devices still running the sshv1-only protocol. Do we need to keep this complexity until that number is zero, even though it has been broken and known insecure for decades?

And how many annoying "Do you really want to do this?" type questions do you prompt the user with and assume it is "fine"?

This is an honest question, as that seems to be the core of the issue. What is the balance between known insecure, complexity (allowing low-value keys in the client, prompting the user to verify they want to do this, and disabling it in the server), and removing proven insecure features?

Ben

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
