On Sunday 22 October 2006 15:48, Girish Venkatachalam wrote:
> On Sat, Oct 21, 2006 at 10:04:19PM +0200, Per-Olov Sjöholm wrote:
> > Here is a post with info that solves and explains the case if someone else
> > gets stuck in the problem.
> >
> > This problem was actually caused by an updated OpenSSL. I have had 2048
> > and 4096 SSH keys that have worked perfectly until my last complete 3-9
> > -stable update.
> >
> > In OpenSSL the limit is 3kbit for DSA keys and 16k for RSA keys. These
> > days ssh-keygen won't let you generate DSA keys other than 1024 bit ones
> > (which is all the FIPS-186-2 spec allows) so if you want larger keys then
> > you should use RSA. The thing that actually caused the problem was an
> > openssl update earlier (013_openssl2.patch or its equivalent in -stable),
> > but it didn't become apparent until sshd was rebuilt with the new
> > openssl.
> >
> >
> > Thank you *very* much for the help Darren Tucker!
>
> This is excellent news for me since I was investigating an ssh breakage
> problem in FreeBSD and I could point my finger at OpenSSL but not proceed
> further since I had other things to do in life. :-)
>
> But there are some things not clear to me from what you are saying. It will
> be great if you can help.
>
> You mean to say that newer versions of OpenSSL do not allow you to create
> DSA keys longer than 1024 bits, but then isn't there an export and a non
> export version?
>
> I am assuming that all this FIPS/export etc. are some political crap that
> gets in the way of people wanting to use strong crypto.
>
> Now, the problem with RSA is that it used to be patent encumbered (well)
> and even now I prefer DSA over RSA for whatever reason.
>
> Now what?
>
> Looks to me there are some holes in your analysis.
>
> Thanks.
>
> regards,
> Girish
Well... I solved it thanks to Darren Tucker. So positive feedback should go to him... I haven't done any deeper analysis of it as it solved my problem. And I don't have the time to dig... Then you say Darren Tucker maybe has a hole in the analysis.... Well, ask him! Maybe he reads this post and can answer directly.

Regards
Per-Olov
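The thread's practical point is that an OpenSSL update made sshd reject DSA keys that were not 1024 bits (the only size FIPS-186-2 allows and the only size ssh-keygen will now generate), while RSA keys are accepted up to 16 kbit. A defender hit by the same breakage wants to know which keys in authorized_keys or known_hosts are affected before rebuilding. The following is an added example, not code from the thread or from OpenSSH/OpenSSL: it parses the RFC 4253 public-key blob directly (pure standard library) and reports the key type and modulus/prime size against the limits quoted above. The 1024/3072/16384-bit thresholds are taken from the thread and assumed to apply to that OpenSSL build; the sample key lines are constructed placeholders of the right size, not real key material.

```python
# Added example: audit OpenSSH public-key lines for type and size, flagging
# DSA keys that are not 1024 bits and RSA keys above OpenSSL's 16 kbit limit.
import base64
import struct

# Limits as quoted in the thread (assumed to apply to the OpenSSL build there).
DSA_FIPS_BITS = 1024        # only DSA size FIPS-186-2 allows / ssh-keygen makes
OPENSSL_RSA_MAX_BITS = 16384


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH 'mpint' (RFC 4251, section 5)."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # leading zero byte keeps a positive value positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (bytes, next offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + n
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end


def key_bits(line: str):
    """Return (key type, size in bits) for one authorized_keys-style line.

    Size is the bit length of the RSA modulus n or the DSA prime p, which is
    what the OpenSSL key-size limits are measured against.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    ktype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    name, off = _read_string(blob, 0)
    if name != ktype.encode():
        raise ValueError("type prefix does not match key blob")
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)    # public exponent e
        n, off = _read_string(blob, off)     # modulus n
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":
        p, off = _read_string(blob, off)     # prime p (q, g, y follow)
        return ktype, int.from_bytes(p, "big").bit_length()
    raise ValueError(f"unsupported key type: {ktype}")


def audit(line: str):
    """Return (type, bits, verdict) for a key line against the quoted limits."""
    ktype, size = key_bits(line)
    if ktype == "ssh-dss" and size != DSA_FIPS_BITS:
        verdict = "DSA key is not 1024 bits; sshd built against the new OpenSSL will reject it, regenerate as RSA"
    elif ktype == "ssh-rsa" and size > OPENSSL_RSA_MAX_BITS:
        verdict = "RSA key exceeds the 16 kbit OpenSSL limit"
    else:
        verdict = "ok"
    return ktype, size, verdict


def make_test_line(ktype: str, bits: int) -> str:
    """Build a CONSTRUCTED key line of the requested size (placeholder numbers,
    not real key material; only the encoding and bit length matter here)."""
    top = (1 << (bits - 1)) | 1     # high bit set so bit_length() == bits
    if ktype == "ssh-rsa":
        blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(top)
    elif ktype == "ssh-dss":
        blob = (_ssh_string(b"ssh-dss") + _ssh_mpint(top)
                + _ssh_mpint((1 << 159) | 1) + _ssh_mpint(2) + _ssh_mpint(3))
    else:
        raise ValueError(ktype)
    return f"{ktype} {base64.b64encode(blob).decode()} constructed@example"


if __name__ == "__main__":
    # Constructed sample: the 2048/4096-bit DSA keys from the thread plus
    # a 1024-bit DSA key and a 4096-bit RSA key that remain usable.
    for ktype, bits in [("ssh-dss", 2048), ("ssh-dss", 4096),
                        ("ssh-dss", 1024), ("ssh-rsa", 4096)]:
        print(audit(make_test_line(ktype, bits)))
```

To run it over a real file, feed each non-comment line of ~/.ssh/authorized_keys to audit(); known_hosts lines need the leading host field dropped first, since the parser expects the key type as the first field.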