From: Dag-Erling Smorgrav
To: Tony Finch
Cc: freebsd-security@freebsd.org
Subject: Re: ssh host key inconsistency
Date: 26 Jul 2002 16:49:53 +0200
In-Reply-To: <20020726145249.B7551@chiark.greenend.org.uk>

Tony Finch writes:
> In that case, how about this? (And what is the reasoning for not using
> both the RSA and DSA keys?)

According to the draft standard, RSA is deprecated and DSA is the
preferred cipher. There's also a POLA issue; previous FreeBSD
releases have used only DSA, and enabling RSA would cause spurious
"unknown host key" warnings (OpenSSH prefers RSA to DSA when both are
available, so the DSA key would be ignored).

The patch looks good.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org