<gchristensen>
am I reading this right that SSH ssh-rsa keys are dangerous now?
<gchristensen>
like all of them, not just certs? I had understood it to be just cert-based auth
<hexa->
gchristensen: hostkeys that are using sha1 only
<gchristensen>
what's the scoop on user keys?
<hexa->
the changelog doesn't say
<gchristensen>
sigh
<MichaelRaskin>
Well, you should act as if everything sha1 is unsafe now…
<MichaelRaskin>
To migrate while it is $50K a collision and not ¢50 a second preimage.
<MichaelRaskin>
(although to be fair it looks like literal second preimage of MD5 is still not a «free action»)
<gchristensen>
should I, say, revoke access to the aarch64 community builder for ssh-rsa users?
<gchristensen>
I should probably delete the ssh-rsa host pubkey
<andi->
You should make sure there is something better than the rsa host key. If you just wipe the host key now users will lose a trust anchor. In this case they don't have one since I guess it is just regenerated on reboot?
<gchristensen>
for the aarch64 box it is retained
<MichaelRaskin>
gchristensen: Hmmm, I wonder if putting a warning in /etc/profile triggered by the user not having a registered better key is a good idea