[python-committers] Weak SSH keys

Benjamin Peterson benjamin at python.org
Wed Jun 3 16:59:07 CEST 2015



On Wed, Jun 3, 2015, at 08:31, Antoine Pitrou wrote:
> 
> 
> On 03/06/2015 15:27, Benjamin Peterson wrote:
> > 
> > 
> > On Wed, Jun 3, 2015, at 08:21, Antoine Pitrou wrote:
> >>
> >> On 02/06/2015 18:42, Benjamin Peterson wrote:
> >>>
> >>>
> >>> On Tue, Jun 2, 2015, at 12:37, Antoine Pitrou wrote:
> >>>> On 02/06/2015 18:28, Benjamin Peterson wrote:
> >>>>>
> >>>>> Also, everyone should use ed25519 keys now. :)
> >>>>
> >>>> Depends if the servers you connect to have all been migrated to a recent
> >>>> enough OpenSSH.
> >>>
> >>> SSH can use your older keys if you don't delete them.
> >>
> >> Is there a way of debugging which key is actually used? "ssh -v" isn't
> >> very useful.
> > 
> > Really? I see output from ssh -v like this:
> > 
> > debug1: Offering ED25519 public key: /home/benjamin/.ssh/id_ed25519
> > debug1: Authentications that can continue: publickey
> > debug1: Offering RSA public key: /home/benjamin/.ssh/id_rsa
> > debug1: Authentications that can continue: publickey
> > debug1: Offering DSA public key: /home/benjamin/.ssh/id_dsa
> > debug1: Server accepts key: pkalg ssh-dss blen 435
> 
> Yes, but why does it try keys in that order? And why is a key accepted
> or not?

That's just how the SSH auth protocol works. The client offers keys
until the server finds one acceptable. I'm not sure how the order is
determined; it's probably arbitrary for OpenSSH.

See https://tools.ietf.org/html/rfc4252
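
Added example, not part of the original message: a small Python parser for the `ssh -v` lines quoted above that pairs each offered key with the server's answer, so the key file that was actually accepted is explicit. It assumes the debug-line format shown in this thread (other OpenSSH versions word these lines differently); the name `trace_pubkey_auth` and the choice to flag `ssh-dss` as weak are made for this example.

```python
import re

# Constructed sample: the `ssh -v` lines quoted in the message above.
SAMPLE = """\
debug1: Offering ED25519 public key: /home/benjamin/.ssh/id_ed25519
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/benjamin/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering DSA public key: /home/benjamin/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 435
"""

OFFER = re.compile(r"^debug1: Offering (\S+) public key: (.+)$")
ACCEPT = re.compile(r"^debug1: Server accepts key: pkalg (\S+) blen (\d+)$")
CONTINUE = re.compile(r"^debug1: Authentications that can continue: ")
WEAK_PKALGS = {"ssh-dss"}  # assumption for this example: 1024-bit DSA is weak


def trace_pubkey_auth(log_text):
    """Return (attempts in offer order, accepted attempt or None)."""
    attempts, accepted, pending = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = OFFER.match(line)
        if m:
            # A new offer: its outcome is decided by the next server reply.
            pending = {"type": m.group(1), "path": m.group(2), "result": "unknown"}
            attempts.append(pending)
            continue
        if pending is None:
            continue  # reply not tied to a key offer (e.g. the initial probe)
        m = ACCEPT.match(line)
        if m:
            pending.update(result="accepted", pkalg=m.group(1),
                           blen=int(m.group(2)), weak=m.group(1) in WEAK_PKALGS)
            accepted, pending = pending, None
        elif CONTINUE.match(line):
            # The server listed remaining methods instead of accepting the key.
            pending["result"] = "rejected"
            pending = None
    return attempts, accepted


if __name__ == "__main__":
    tried, ok = trace_pubkey_auth(SAMPLE)
    for a in tried:
        print(f"{a['result']:8} {a['type']:8} {a['path']}")
    if ok and ok["weak"]:
        print(f"WARNING: server accepted weak algorithm {ok['pkalg']}")
```

To use it on a real session, capture the client's stderr (where `ssh -v` writes its debug lines) and pass the text to `trace_pubkey_auth`.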