Gentoo Archives: gentoo-dev

From: Aaron Bauman <bman@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] ssh keys setup for git.gentoo.org after ssh-dss deprecation
Date: Sat, 26 Mar 2016 09:41:04
Message-Id: 2370909.Xig60x6eOE@localhost
In Reply to: [gentoo-dev] ssh keys setup for git.gentoo.org after ssh-dss deprecation by "Paweł Hajdan
On Saturday, March 26, 2016 10:05:58 AM JST Paweł Hajdan, Jr. wrote:
> I recently hit ssh-dss key deprecation
> (<https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html>),
> and PubkeyAcceptedKeyTypes=+ssh-dss on the client side allows me to
> keep access to Gentoo infrastructure I need.
>
> I generated a new RSA key using instructions from
> <https://wiki.gentoo.org/wiki/Project:Infrastructure/SSH_Key_Guide>, and
> added it to LDAP following
> <https://wiki.gentoo.org/wiki/Project:Infrastructure/LDAP_Guide>.
>
> I can now log in to dev.gentoo.org with just the new RSA key.
>
> However, git.gentoo.org gives me access denied errors unless I use the
> DSA key.
>
> Is this expected?
>
> I'm just wondering if it's some error on my side or something else.
>
> Looking at
> <https://wiki.gentoo.org/wiki/Project:Infrastructure/SSH_Configuration>,
> I see things like:
> - "DSA keys are preferred over RSA keys"
> - "where possible users should be required to use DSA keys to authenticate"
>
> Should I actually rather look at generating an ed25519 key?
>
> Paweł

Git SSH key changes are done manually by the infra team. I just went through
the same issue when I updated my keys. Hope this helps.

--
Cheers,
Aaron Bauman
Gentoo Linux Developer
GnuPG FP: 1536 F4B3 72EB 9C54 11F5 5C43 246D 23A2 10FB 0F3E
