From: Mike Silbersack
To: Colin Percival
Cc: veedee@c7.campus.utcluj.ro
Date: Thu, 29 Aug 2002 09:02:59 -0500 (CDT)
Subject: Re: 1024 bit key considered insecure (sshd)
In-Reply-To: <5.0.2.1.1.20020828132755.0284b2a8@popserver.sfu.ca>
Message-ID: <20020829084153.B52019-100000@patrocles.silby.com>

On Wed, 28 Aug 2002, Colin Percival wrote:

> When I brought this up earlier
> (http://groups.google.com/groups?threadm=5.0.2.1.1.20020326024955.02392830%40popserver.sfu.ca)
> there was a concern about breaking v1 clients using the RSAREF library.
>
> Colin Percival

Note that the 1024 bit host key is not what people should be worrying so much about. Due to the RSAREF limitations, it could not be increased in size much (if at all), and changing host keys is really more of a security risk than sticking with existing 1024 bit ones.
What this thread should be about are the 768 bit session keys, regenerated once/hour. This key is probably what a passive attacker would be attempting to break, and it should be safe to change it to 892 bits without breaking anything. If you set it to values larger than that, sshd appears to round up to 1152, which I believe is too large for RSAREF to handle.

I would go ahead and make such a change to the default sshd_config, but I'm unfamiliar with the procedures relating to changes in contributed code... des, would you be willing to make such a change?

Mike "Silby" Silbersack
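As an added illustration (not part of the thread), the following script audits the v1 server-key settings the post talks about. It assumes the OpenSSH sshd_config keywords ServerKeyBits (the 768-bit session key) and KeyRegenerationInterval (the once-an-hour regeneration) are the settings meant, and treats protocol 1 as enabled unless Protocol explicitly omits it; the config text is a constructed sample.

```python
import re

# Values taken from the post: 768-bit v1 server key regenerated once an hour,
# and 892 bits as the largest size it expects RSAREF clients to still accept.
DEFAULT_SERVER_KEY_BITS = 768
DEFAULT_REGEN_SECONDS = 3600
RECOMMENDED_BITS = 892

# Constructed sample sshd_config excerpt (not from any real host), on the old defaults.
WEAK_CONFIG = """\
Protocol 2,1
ServerKeyBits 768            # v1 session (server) key
KeyRegenerationInterval 3600
"""

def parse_sshd_config(text):
    """Map lowercase keyword -> value; sshd honours the first occurrence of a keyword."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        opts.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return opts

def audit_server_key(text):
    """Return [(keyword, status, detail)] for the v1 server-key settings.
    Assumption: v1 is enabled unless Protocol is set and does not list "1"."""
    opts = parse_sshd_config(text)
    if "1" not in opts.get("protocol", "1").replace(" ", "").split(","):
        return [("Protocol", "ok", "SSH protocol 1 disabled; no server key is generated")]
    bits = int(opts.get("serverkeybits", DEFAULT_SERVER_KEY_BITS))
    regen = int(opts.get("keyregenerationinterval", DEFAULT_REGEN_SECONDS))
    findings = []
    if bits < RECOMMENDED_BITS:
        findings.append(("ServerKeyBits", "weak", f"{bits} bits; raise to {RECOMMENDED_BITS}"))
    elif bits > RECOMMENDED_BITS:
        findings.append(("ServerKeyBits", "caution",
                         f"{bits} bits; the post reports sshd rounds this up to 1152, beyond RSAREF"))
    else:
        findings.append(("ServerKeyBits", "ok", f"{bits} bits"))
    if regen == 0:   # 0 means the key is never regenerated
        findings.append(("KeyRegenerationInterval", "weak", "key is never regenerated"))
    else:
        findings.append(("KeyRegenerationInterval", "info", f"regenerated every {regen} s"))
    return findings

def harden(text, bits=RECOMMENDED_BITS):
    """Rewrite (or append) ServerKeyBits so the v1 server key is `bits` long."""
    pattern = re.compile(r"^(\s*ServerKeyBits)[\s=]+\d+", re.I | re.M)
    if pattern.search(text):
        return pattern.sub(lambda m: f"{m.group(1)} {bits}", text)
    return text.rstrip("\n") + f"\nServerKeyBits {bits}\n"
```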