[aur-general] [AUR4] Support of multiple ssh public keys

Remi Gacogne rgacogne at archlinux.org
Fri Jun 12 08:15:53 UTC 2015

On 06/11/2015 11:59 PM, Giancarlo Razzolini wrote:
> In the case of stolen/lost, it buys you a lot of time. Or you are aware
> of some cryptanalysis development I'm not aware of.

I am not, but everything depends on your threat model. If you are
targeted via an "evil-maid", or a cold-boot attack, FDE may be doomed.

In addition to that, passphrase-protection on SSH keys has been weak for
a long time, because a single MD5(IV || passphrase) is applied to
generate the AES key used to encrypt the SSH key [1].

OpenSSH 6.5 introduced a new KDF [2] using bcrypt, enabled by default
for ed25519 keys but not for RSA keys, so you may want to upgrade your
keys to use the new KDF manually.

> Now, if your machine is compromised, then I think that you might have
> bigger worries than the keys used to publish some packages on AUR.

Agreed :)

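Added example (not code from the thread, from Remi, or from OpenSSH): a small audit script that tells you which on-disk format and which KDF each of your private keys uses, so you know which ones still need the upgrade discussed above. The legacy PEM scheme is OpenSSL's EVP_BytesToKey: one MD5 over the passphrase and the first 8 bytes of the IV from the DEK-Info header, no iteration count, which is the single-MD5 derivation the post refers to. The new openssh-key-v1 blob carries the cipher name, the KDF name and the bcrypt round count in the clear, so the script reads them directly. Both sample keys below are constructed for the example; their key material is filler, not real keys, and only the standard library is used.

```python
"""Audit OpenSSH private keys for the passphrase KDF they use.

Added example, not code from the thread or from OpenSSH.  It needs only the
Python standard library and parses the two on-disk formats directly:

  - legacy PEM ("-----BEGIN RSA PRIVATE KEY-----" with a "DEK-Info:" header):
    the cipher key comes from OpenSSL's EVP_BytesToKey with MD5, a single
    iteration, salted with the first 8 bytes of the IV from DEK-Info;
  - openssh-key-v1 ("-----BEGIN OPENSSH PRIVATE KEY-----"): the header names
    the cipher, the KDF ("bcrypt" or "none") and the bcrypt round count.

The sample keys below are constructed for the example; the key material in
them is filler, not real keys.
"""
import base64
import hashlib
import re
import struct


def legacy_pem_key(passphrase: bytes, iv_hex: str, key_len: int = 16) -> bytes:
    """EVP_BytesToKey(MD5, count=1) as used for encrypted PEM keys.

    D_1 = MD5(passphrase || salt), D_i = MD5(D_{i-1} || passphrase || salt),
    salt = first 8 bytes of the IV.  AES-128-CBC takes D_1; AES-256 takes
    D_1 || D_2[:16].  One MD5 per guess is why brute force is cheap.
    """
    salt = bytes.fromhex(iv_hex)[:8]
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len]


def _ssh_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 length, bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_key(pem_text: str) -> dict:
    """Return format, cipher, KDF and round count for a private key file."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem_text:
        body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(magic)
        cipher, off = _ssh_string(blob, off)
        kdf, off = _ssh_string(blob, off)
        kdfopts, off = _ssh_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":
            # kdfoptions = string salt, uint32 rounds
            _salt, o = _ssh_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o)
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds, "encrypted": kdf != b"none"}
    m = re.search(r"^DEK-Info:\s*([A-Za-z0-9-]+),([0-9A-Fa-f]+)", pem_text, re.M)
    if m:
        return {"format": "pem", "cipher": m.group(1),
                "kdf": "EVP_BytesToKey(MD5)", "rounds": 1, "encrypted": True}
    return {"format": "pem", "cipher": None, "kdf": None, "rounds": None,
            "encrypted": False}


def needs_upgrade(info: dict) -> bool:
    """Legacy PEM keys (encrypted with the MD5 KDF or not at all) should be
    rewritten with: ssh-keygen -p -o -a 100 -f <keyfile>"""
    return info["format"] == "pem"


# --- constructed sample inputs (filler, not real key material) ---------------
LEGACY_IV = "0123456789abcdef0123456789abcdef"
LEGACY_PEM = f"""-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,{LEGACY_IV}

{base64.b64encode(b'filler' * 8).decode()}
-----END RSA PRIVATE KEY-----
"""


def _s(b: bytes) -> bytes:          # SSH string encoder, used to build the sample
    return struct.pack(">I", len(b)) + b


_NEW_BLOB = (b"openssh-key-v1\x00" + _s(b"aes256-ctr") + _s(b"bcrypt")
             + _s(_s(b"\x00" * 16) + struct.pack(">I", 16))   # salt, rounds
             + struct.pack(">I", 1) + _s(b"filler-public-key")
             + _s(b"filler-encrypted-private-section"))
NEW_PEM = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
           + base64.b64encode(_NEW_BLOB).decode() + "\n"
           + "-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    for label, text in (("legacy", LEGACY_PEM), ("new", NEW_PEM)):
        info = inspect_key(text)
        print(label, info, "UPGRADE" if needs_upgrade(info) else "ok")
```

Point `inspect_key` at the contents of each file under ~/.ssh to get the report. For a key flagged as legacy, `ssh-keygen -p -o -a 100 -f ~/.ssh/id_rsa` rewrites it in the new format with bcrypt at 100 rounds (the default is 16); `-o` is only needed on OpenSSH releases before 7.8, which made the new format the default for all key types, and `-m PEM` is what produces the legacy format on those later releases.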
