Hi, is there any reason why we use DSA on some machines [1] as the only way? Mostly I find that people already have generated RSA keys, and when going through the ebuild quiz [2] they ask me if they can use it or whether they have to generate a DSA key. It would be really nice if we could choose whether to use either of them. Cheers
[1] - http://www.gentoo.org/proj/en/infrastructure/cvs-sshkeys.xml
[2] - http://www.gentoo.org/proj/en/devrel/quiz/ebuild-quiz.txt
You don't have to use DSA keys if you don't want to. DSA was only documented as it has faster decryption routines.
Should we just specify a minimum key length for both types? ECC keys aren't far away in OpenSSH either.
DSA only allows for the creation of 1024 bit keys. I would like to propose we abandon the DSA recommendation. It should be required to create at least 2048 bit keys, with 4096 bits recommended (for new developers). At the same time we can contact developers with existing low-length keys to get those upgraded as well.
I thought DSA2 keys were usable with SSH already?
I do not think it does. I could not find any mention of it in the documentation or ssh-keygen.
rbu: give me a patch for the doc, and a migration plan, and let's make it happen.
Created attachment 313373: cvs-sshkeys.xml.patch. Here's a documentation patch recommending large RSA keys. Getting the length of each developer's key is just a matter of pulling the keys out of LDAP, and running ssh-keygen -lf tmpkey on each one. I note that there's nothing particularly interesting - mostly 1024-bit DSA keys (one 1023 bit!) with a few ECDSA.
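The audit described in the comment above (pull each developer's public key, check its type and length, flag the ones that need replacing under the proposed 2048-minimum / 4096-recommended / no-DSA policy), as an added example that is not part of the bug or of Gentoo's infra tooling. Instead of shelling out to ssh-keygen -lf, it decodes the RFC 4253 public-key blob directly, which yields the same algorithm and bit count ssh-keygen reports (RSA modulus size, DSA prime size, ECDSA curve size) and runs without OpenSSH installed. The "LDAP export" it audits is constructed inline: the key encodings are the real wire format, but the numbers inside are placeholders chosen for their bit length and are not usable keys. Names, the ECDSA "accept" rule and the verdict strings are assumptions, not anything the thread sets.

```python
import base64
import struct

# Policy from the proposal in this bug: RSA >= 2048 required, 4096 recommended,
# DSA dropped because it is fixed at 1024 bits.
MIN_RSA_BITS = 2048
RECOMMENDED_RSA_BITS = 4096


def _read_string(blob, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at offset."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def _mpint_bits(raw):
    """Bit length of an SSH mpint. mpints are two's complement, so a positive
    value whose top bit is set carries a leading 0x00 byte; strip it first."""
    return int.from_bytes(raw.lstrip(b"\x00"), "big").bit_length()


def key_info(pubkey_line):
    """Return (algorithm, bits) for one authorized_keys-style line,
    matching what `ssh-keygen -lf` prints for the same key."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    keytype, blob = fields[0], base64.b64decode(fields[1])
    blob_type, off = _read_string(blob, 0)
    if blob_type.decode() != keytype:
        raise ValueError("key type in text and in blob differ")
    if keytype == "ssh-rsa":
        _e, off = _read_string(blob, off)       # public exponent
        n, _ = _read_string(blob, off)          # modulus: its size is the "key size"
        return "RSA", _mpint_bits(n)
    if keytype == "ssh-dss":
        p, _ = _read_string(blob, off)          # prime p: its size is the "key size"
        return "DSA", _mpint_bits(p)
    if keytype.startswith("ecdsa-sha2-nistp"):
        curve, _ = _read_string(blob, off)      # e.g. b"nistp256"
        return "ECDSA", int(curve.decode()[len("nistp"):])
    raise ValueError("unsupported key type " + keytype)


def verdict(algo, bits):
    """Apply the proposed policy to one key."""
    if algo == "DSA":
        return "replace"                        # cannot be grown past 1024 bits
    if algo == "RSA":
        if bits < MIN_RSA_BITS:
            return "replace"
        return "ok" if bits >= RECOMMENDED_RSA_BITS else "ok (below recommended 4096)"
    return "ok"                                 # ECDSA: thread sets no rule (assumption: accept)


def audit(key_lines):
    """Audit a text export of keys; returns (comment, algo, bits, verdict) per key."""
    report = []
    for line in key_lines.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        algo, bits = key_info(line)
        parts = line.split(None, 2)
        comment = parts[2] if len(parts) > 2 else ""
        report.append((comment, algo, bits, verdict(algo, bits)))
    return report


# --- constructed sample keys: real encoding, placeholder numbers (not real keys) ---
def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(x):
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw                     # keep the value positive
    return _string(raw)


def fake_rsa_line(bits, comment):
    n = (1 << (bits - 1)) | 1                   # exactly `bits` bits, not a real modulus
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def fake_dsa_line(comment):
    p, q, g, y = (1 << 1023) | 1, (1 << 159) | 1, 2, 2
    blob = _string(b"ssh-dss") + _mpint(p) + _mpint(q) + _mpint(g) + _mpint(y)
    return "ssh-dss %s %s" % (base64.b64encode(blob).decode(), comment)


def fake_ecdsa_line(comment):
    curve, point = b"nistp256", b"\x04" + bytes(64)   # placeholder uncompressed point
    blob = _string(b"ecdsa-sha2-" + curve) + _string(curve) + _string(point)
    return "ecdsa-sha2-%s %s %s" % (curve.decode(), base64.b64encode(blob).decode(), comment)


SAMPLE_LDAP_EXPORT = "\n".join([
    "# constructed sample export, one key per developer (names are made up)",
    fake_rsa_line(1024, "alice@example"),
    fake_rsa_line(1023, "bob@example"),         # the odd 1023-bit key the bug mentions
    fake_dsa_line("carol@example"),
    fake_rsa_line(2048, "dave@example"),
    fake_rsa_line(4096, "erin@example"),
    fake_ecdsa_line("frank@example"),
])

if __name__ == "__main__":
    for comment, algo, bits, status in audit(SAMPLE_LDAP_EXPORT):
        print("%-16s %-6s %5d  %s" % (comment, algo, bits, status))
```

For the real run, feed the LDAP export to audit() instead of SAMPLE_LDAP_EXPORT; the type check between the text prefix and the blob catches keys whose lines were hand-edited, which ssh-keygen -lf would simply reject.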
I applied the patch. -A