Gentoo Archives: gentoo-dev

From: "Michał Górny" <mgorny@g.o>
To: Aaron Bauman <bman@g.o>
Cc: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] ssh keys setup for git.gentoo.org after ssh-dss deprecation
Date: Sat, 26 Mar 2016 10:41:58
Message-Id: 20160326114139.4ae5ed07.mgorny@gentoo.org
In Reply to: Re: [gentoo-dev] ssh keys setup for git.gentoo.org after ssh-dss deprecation by Aaron Bauman
On Sat, 26 Mar 2016 18:40:17 +0900
Aaron Bauman <bman@g.o> wrote:

> On Saturday, March 26, 2016 10:05:58 AM JST Paweł Hajdan, Jr. wrote:
> > I recently hit ssh-dss key deprecation
> > (<https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html>),
> > and PubkeyAcceptedKeyTypes=+ssh-dss on the client side allows me to
> > keep access to Gentoo infrastructure I need.
> >
> > I generated a new RSA key using instructions from
> > <https://wiki.gentoo.org/wiki/Project:Infrastructure/SSH_Key_Guide>, and
> > added it to LDAP following
> > <https://wiki.gentoo.org/wiki/Project:Infrastructure/LDAP_Guide>.
> >
> > I can now log in to dev.gentoo.org with just the new RSA key.
> >
> > However, git.gentoo.org gives me access denied errors unless I use the
> > DSA key.
> >
> > Is this expected?
> >
> > I'm just wondering if it's some error on my side or something else.
> >
> > Looking at
> > <https://wiki.gentoo.org/wiki/Project:Infrastructure/SSH_Configuration>,
> > I see things like:
> > - "DSA keys are preferred over RSA keys"
> > - "where possible users should be required to use DSA keys to authenticate"
> >
> > Should I actually rather look at generating an ed25519 key?
> >
> > Paweł
>
> Git SSH key changes are done manually by the infra team. I just went through
> the same issue when I updated my keys. Hope this helps.

Updated.

--
Best regards,
Michał Górny
<http://dev.gentoo.org/~mgorny/>
