[aur-general] [AUR4] Support of multiple ssh public keys

Remi Gacogne rgacogne at archlinux.org
Fri Jun 12 08:15:53 UTC 2015


On 06/11/2015 11:59 PM, Giancarlo Razzolini wrote:
> In the case of stolen/lost, it buys you a lot of time. Or you are aware
> of some cryptanalysis development I'm not aware of.

I am not, but everything depends on your threat model. If you are
targeted via an "evil-maid", or a cold-boot attack, FDE may be doomed.

In addition to that, passphrase-protection on SSH keys has been weak for
a long time, because a single MD5(IV || passphrase) is applied to
generate the AES key used to encrypt the SSH key [1].

OpenSSH 6.5 introduced a new KDF [2] using bcrypt, enabled by default
for ed25519 keys but not for RSA keys, so you may want to upgrade your
keys to use the new KDF manually.

> Now, if your machine is compromised, then I think that you might have
> bigger worries than the keys used to publish some packages on AUR.

Agreed :)

[1]
https://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html
[2]
http://www.tedunangst.com/flak/post/new-openssh-key-format-and-bcrypt-pbkdf

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/aur-general/attachments/20150612/fae8b541/attachment-0001.asc>
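The two key formats discussed in the message above, as an added example (not code from the post, from OpenSSH or from the AUR project): a small Python classifier that tells a legacy PEM-encrypted key (the `Proc-Type`/`DEK-Info` headers) from the `openssh-key-v1` container, reads the bcrypt salt and round count out of the latter, and reproduces the legacy derivation, which is OpenSSL's EVP_BytesToKey with MD5 and a single iteration using the first eight bytes of the IV as salt. The function names `classify_key`, `legacy_pem_key` and `constructed_openssh_v1` are this example's own, and both sample key files are constructed inline with dummy key material so the script runs offline; they are not loadable by ssh.

```python
"""Classify SSH private key files by their passphrase KDF and reproduce
the legacy PEM key derivation.

Added example for this thread, not code from the original post or from
OpenSSH.  The sample key files are constructed below with dummy key
material, so everything runs offline.  The openssh-key-v1 container is
parsed per its published layout; the legacy PEM derivation is OpenSSL's
EVP_BytesToKey with MD5 and one iteration.
"""
import base64
import hashlib
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_ssh_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def legacy_pem_key(passphrase: bytes, iv_hex: str, key_len: int) -> bytes:
    """EVP_BytesToKey(MD5, count=1): salt = first 8 bytes of the IV,
    D1 = MD5(passphrase || salt), D_i = MD5(D_{i-1} || passphrase || salt),
    concatenated until key_len bytes exist.  One MD5 per guess for a
    16-byte AES key is why legacy PEM passphrases brute-force quickly."""
    salt = bytes.fromhex(iv_hex)[:8]
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len]


def classify_key(text: str) -> dict:
    """Return format, cipher, KDF and a weak_kdf verdict for one key file."""
    lines = text.strip().splitlines()
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_ssh_string(blob, off)
        kdf, off = _read_ssh_string(blob, off)
        kdfopts, off = _read_ssh_string(blob, off)
        info = {"format": "openssh-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "encrypted": cipher != b"none",
                "weak_kdf": False}
        if kdf == b"bcrypt":
            salt, o = _read_ssh_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o)
            info.update(salt_len=len(salt), rounds=rounds)
        return info
    if re.match(r"-----BEGIN [A-Z ]*PRIVATE KEY-----$", lines[0]):
        # Legacy PEM: encryption is signalled by two RFC 1421 headers.
        m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", text, re.M)
        encrypted = bool(re.search(r"^Proc-Type:\s*4,ENCRYPTED\s*$", text, re.M))
        info = {"format": "pem", "encrypted": encrypted, "kdf": "none",
                "weak_kdf": False}
        if encrypted and m:
            info.update(cipher=m.group(1), iv_hex=m.group(2),
                        kdf="EVP_BytesToKey(MD5,1)", weak_kdf=True)
        return info
    raise ValueError("unrecognised private key header")


def constructed_openssh_v1(cipher: bytes, kdfname: bytes, salt: bytes, rounds: int) -> str:
    """Build a syntactically valid openssh-key-v1 file with dummy key
    material (constructed for this example; not loadable by ssh)."""
    kdfopts = (_ssh_string(salt) + struct.pack(">I", rounds)) if kdfname == b"bcrypt" else b""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdfname)
            + _ssh_string(kdfopts) + struct.pack(">I", 1)   # one key in the file
            + _ssh_string(b"\x00" * 32)                      # dummy public key
            + _ssh_string(b"\x00" * 64))                     # dummy private section
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM header; the body is dummy base64, not a real key.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0102030405060708090A0B0C0D0E0F10

QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""
NEW_BCRYPT = constructed_openssh_v1(b"aes256-ctr", b"bcrypt", bytes(range(16)), 16)
NEW_PLAIN = constructed_openssh_v1(b"none", b"none", b"", 0)

if __name__ == "__main__":
    for name, key in [("legacy PEM", LEGACY_PEM), ("openssh-v1 bcrypt", NEW_BCRYPT),
                      ("openssh-v1 unencrypted", NEW_PLAIN)]:
        print(name, classify_key(key))
    # The AES-128 key a legacy PEM file would derive from passphrase "hunter2".
    print("legacy AES-128 key:",
          legacy_pem_key(b"hunter2", "0102030405060708090A0B0C0D0E0F10", 16).hex())
```

Run it against your own files with `classify_key(open(path).read())`: a `pem` result with `weak_kdf` set is the case the message warns about, and `ssh-keygen -o -a 100 -p -f <keyfile>` rewrites such a key into the openssh-v1 container with 100 bcrypt rounds (the `-a` value becomes the `rounds` field the parser reads back).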

