DSA keys are not immediately rejected by ssh in workstation
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Fix Released | Medium | Colin Watson |
Bug Description
I noticed today that my Ubuntu-Server was rejecting my old DSA public key by prompting me for a password anyway. This is good. However, when I went into my CentOS server, it blithely accepted the public key and I could get on without a password. It's my impression that that old public key could have been compromised, and needed to be rejected, but it needed to be rejected by the ssh on my workstation too, as otherwise I would have been able to still use it on machines other than Ubuntu-Servers. RedHat flavors, it sounds like, may never get around to rejecting keys in this range, so they would all be compromised. It would be very good if Ubuntu/Debian could force their workstation users to make new keys also, unless for some reason this is deemed unnecessary, in which case it is curious that Ubuntu-Server is rejecting them.
Changed in openssh:
importance: Undecided → Medium
status: New → Triaged
This will be done in openssh 1:4.7p1-13 (also ssh-add). Thanks for the suggestion!