[cfarm-users] Is RSA really insecure? (was: account email address)
Jacob Bachmeyer
jcb62281 at gmail.com
Thu Dec 14 02:55:11 CET 2023
Alexandre Oliva via cfarm-users wrote:
> I had some trouble accessing gcc210 and gcc211, because openssh on my
> end wouldn't allow ssh-rsa host and authorized keys any more. I've
> (insecurely) sorted that out with:
>
> PubkeyAcceptedKeyTypes +ssh-rsa
> HostKeyAlgorithms +ssh-rsa
>
> in the host-specific part of .ssh/config, so the most immediate issue is
> solved.
This is a pet peeve of mine: unless you have a citation for an actual
viable attack on RSA as used in SSH, or perhaps on the protocol SSH uses
for RSA-based authentication, this is *not* insecure at all and those
changed defaults indicate that either OpenSSH or your distribution is
doing something stupid.
I will also note that, in light of Snowden's whistleblowing,
particularly the efforts to weaken cryptographic standards, I find the
continued campaign against RSA in favor of elliptic curve systems at
least mildly suspicious. While I do not have knowledge of an actual
viable attack on any of the elliptic curve schemes, I do find the
promise of equivalent security with vastly shorter keys uncomfortably
close to a "something for nothing" promise.
-- Jacob
More information about the cfarm-users
mailing list