[cfarm-users] short RSA host keys on the cfarm (was: Automated deployment across multiple cfarm hosts)

Jacob Bachmeyer jcb62281 at gmail.com
Wed Sep 18 06:01:57 CEST 2024


Peter Gutmann wrote:
> Jacob Bachmeyer via cfarm-users <cfarm-users at lists.tetaneutral.net> writes:
>
>> 512-bit RSA is definitely breakable and should not be used for a long-term
>> key.  768 bits is also too short; 1024 is currently marginal and definitely
>> not suitable for a high-value target, but impersonating a cfarm host will not
>> get an attacker much other than (eventually) caught.
>
> In this case it's really just a nuisance (in terms of getting warnings about
> 512-bit keys), they're public machines that anyone can request an account on,
> used to test open-source software that anyone can get a copy of.

I agree that there is unlikely to be anything confidential on the cfarm 
(maybe a patch in progress for an exploitable bug?), but that still 
leaves integrity---an attacker could theoretically impersonate a cfarm 
node in order to mislead a developer, but (again) I am unsure how the 
attacker would profit from that.

Maybe attack the client by exploiting terminal emulator bugs?  Still 
pretty far-fetched.

Also, it seems to me that the host key on cfarm210 is 1024-bit, not 512-bit.

> [...]
>
> Same with the use of SHA-1, the attacks are chosen-prefix offline attacks
> which means the attacker gets to select the initial state and then spend as
> much time as they like on getting a collision, neither of which apply to SSH,
> TLS, IPsec, etc.

The one place I know of where SHA-1 is an actual current problem is 
X.509 certificates---note well:  the certificates, not the TLS 
connections that they are used to secure.  Of course, since TLS /uses/ 
X.509 certificates for authentication, the distinction has a nasty 
tendency to get overlooked.

> So apart from the nuisance warnings there's not much need to do anything,
> particularly if they're older systems that would be problematic to move to
> newer SSH versions.

I am not asking for the sshd to be replaced; only for a longer host key 
to be installed if the older sshd already has support for it but used a 
shorter key as a default.  It is not like these are embedded systems 
with tiny processors that can barely manage 512-bit RSA.


-- Jacob
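
Added example, not part of the original message or of any cfarm tooling: a Python check that reads the RSA modulus size out of known_hosts-style "ssh-rsa" lines and labels it with the message's wording for 512, 768 and 1024 bits. The host names and moduli are constructed samples, and treating in-between sizes as the next size up is an assumption.

```python
import base64
import struct

def _read_string(blob, off):
    """Read one RFC 4251 string: uint32 big-endian length, then the bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    end = off + 4 + struct.unpack(">I", blob[off:off + 4])[0]
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:end], end

def rsa_modulus_bits(line):
    """Modulus size in bits for a line holding 'ssh-rsa <base64>', else None."""
    fields = line.split()
    if "ssh-rsa" not in fields[:-1]:
        return None                      # other key type, or a blank line
    blob = base64.b64decode(fields[fields.index("ssh-rsa") + 1], validate=True)
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("key type inside blob does not match the line")
    _e, off = _read_string(blob, off)    # public exponent (mpint)
    n, _ = _read_string(blob, off)       # modulus (mpint, may carry a leading 0x00)
    return int.from_bytes(n, "big").bit_length()

def verdict(bits):
    """Use the message's wording; in-between sizes round up (assumption)."""
    for limit, word in ((512, "breakable"), (768, "too short"), (1024, "marginal")):
        if bits <= limit:
            return word
    return "longer than 1024"

def constructed_line(host, bits):
    """Build a known_hosts-style line around a made-up modulus (not a real key)."""
    def mpint(v):
        raw = v.to_bytes(v.bit_length() // 8 + 1, "big")
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

def audit(lines):
    """Return (host, bits, verdict) for every RSA key line."""
    sized = ((line.split()[:1], rsa_modulus_bits(line)) for line in lines)
    return [(h[0], b, verdict(b)) for h, b in sized if b is not None]

if __name__ == "__main__":
    sample = [constructed_line(f"host{b}.example", b) for b in (512, 768, 1024, 2048)]
    for row in audit(sample):
        print(*row)
```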


