ECDSA and first connection; bug?

Damien Miller djm at mindrot.org
Fri Jan 28 14:04:19 EST 2011


On Thu, 27 Jan 2011, Dan Kaminsky wrote:

> True, but suppose I'm a malicious server w/ the valid DSA key, but not
> the ECC key.  I could advertise DSA exclusively, and the question is:
> Should the client accept the downgrade?

The client will accept the downgrade; this behaviour is unchanged from
OpenSSH < 5.7. I'm happy with this for now, because if there are problems
in the ECC code then users must be able to downgrade.

> Also, shouldn't we prefer *more* secure keys to less secure keys,
> client side?

Are you referring to the ordering of the key lengths within the ECDSA
types? These don't matter so much, since a host will only have at most one
ECDSA key.

-d
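
Added example, not part of the original message and not OpenSSH code: a simplified Python model of host key algorithm negotiation (the first algorithm in the client's list that the server also offers is chosen, per RFC 4253 section 7.1). It shows the downgrade discussed above and what changes when the client is restricted to ECDSA. The preference order, key strings and function names are constructed for illustration.

```python
# Simplified model: ignores the key exchange method's requirements on the host key type.
ECDSA = ["ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"]
DEFAULT_PREFS = ECDSA + ["ssh-rsa", "ssh-dss"]   # assumed client preference order


def negotiate(client_prefs, server_offers):
    """Return the first client-preferred algorithm the server offers, else None."""
    for alg in client_prefs:
        if alg in server_offers:
            return alg
    return None


def connect(client_prefs, server_keys, known_hosts):
    """Model one connection attempt.

    server_keys: algorithm -> key the server advertises and can prove it holds
    known_hosts: algorithm -> key the client recorded earlier for this host
    Returns (outcome, negotiated_algorithm).
    """
    alg = negotiate(client_prefs, list(server_keys))
    if alg is None:
        return ("no-common-algorithm", None)
    if alg not in known_hosts:
        return ("unknown-key", alg)        # a real client would prompt here
    if server_keys[alg] != known_hosts[alg]:
        return ("key-mismatch", alg)
    return ("accepted", alg)


# Constructed sample data: the client has recorded both key types for the host.
KNOWN_HOSTS = {"ssh-dss": "DSA-KEY-A", "ecdsa-sha2-nistp256": "ECDSA-KEY-A"}
REAL_SERVER = {"ssh-dss": "DSA-KEY-A", "ecdsa-sha2-nistp256": "ECDSA-KEY-A"}
DSA_ONLY_SERVER = {"ssh-dss": "DSA-KEY-A"}   # holds the DSA key, advertises only DSA


def scenarios():
    return {
        "default client, real server": connect(DEFAULT_PREFS, REAL_SERVER, KNOWN_HOSTS),
        "default client, DSA-only": connect(DEFAULT_PREFS, DSA_ONLY_SERVER, KNOWN_HOSTS),
        "ECDSA-only client, DSA-only": connect(ECDSA, DSA_ONLY_SERVER, KNOWN_HOSTS),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Restricting the client's list to ECDSA makes the DSA-only case fail at negotiation, at the cost of the fallback path the message above wants to keep available.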

