On 2/8/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: ...
For some reason, three (two OpenBSD/i386 and one OpenBSD/sparc64) of my four identically-configured SSH daemons cough up the above error when I try to authenticate using a big (4096-bit) DSA key from the same OpenSSH 4.2 client.
There's your problem right there: according to this post from last October, newer versions of OpenSSL reject DSA keys longer than 3kbits:

http://marc.theaimsgroup.com/?l=openbsd-misc&m=116146116610721&w=2

Indeed, if you follow that thread you'll find Damien Miller saying this in response to a question:
No, longer DSA keys do not offer extra cryptographic strength unless you make other modifications to the algorithm.
...and that "longer" was in regard to keys longer than 1024bits!
Note that I said three out of four - strangely one works, and this would ordinarily make me suspect my own incompetence, but I haven't done anything funny and all of them have default, vanilla configuration files.
My guess is that the one that accepts them is behind on its patches to OpenSSL. So, get rid of that bogus 4096bit DSA key and put a normal 1024bit DSA key or some RSA key in its place.

Philip Guenther
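
To find which accounts still carry an oversized DSA key like the one discussed above, the modulus length can be read straight out of each `ssh-dss` entry in an `authorized_keys` file. The following is an added example, not code from this thread or from OpenSSH: the function names are hypothetical, the 1024-bit default follows the advice in the reply, and the sample keys are constructed (correct length only, not real DSA parameters).

```python
import base64
import struct

def read_string(buf, off):
    """Read one length-prefixed SSH wire string; return (bytes, next offset)."""
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end

def dsa_modulus_bits(b64_blob):
    """Bit length of p in an ssh-dss public key blob; None for other key types."""
    blob = base64.b64decode(b64_blob, validate=True)
    ktype, off = read_string(blob, 0)
    if ktype != b"ssh-dss":
        return None
    p, _ = read_string(blob, off)  # blob order: type, p, q, g, y
    return int.from_bytes(p, "big").bit_length()

def audit(lines, expected_bits=1024):
    """Return (line number, bits or None, comment) for DSA keys that fail the check."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        # Options may precede the key type, so locate the "ssh-dss" token.
        if "ssh-dss" not in fields[:-1]:
            continue
        i = fields.index("ssh-dss")
        try:
            bits = dsa_modulus_bits(fields[i + 1])
        except (ValueError, struct.error):  # bad base64 or truncated blob
            bits = None
        if bits != expected_bits:
            findings.append((n, bits, " ".join(fields[i + 2:])))
    return findings

def _mpint(x):
    raw = x.to_bytes(x.bit_length() // 8 + 1, "big")  # leading 0x00 keeps it positive
    return struct.pack(">I", len(raw)) + raw

def _sample_line(bits, comment, prefix=""):
    # Constructed test data: p only has the right length, it is not a DSA prime.
    body = struct.pack(">I", 7) + b"ssh-dss" + b"".join(
        _mpint(v) for v in ((1 << (bits - 1)) | 1, 1, 2, 3))
    return prefix + "ssh-dss " + base64.b64encode(body).decode() + " " + comment

SAMPLE = [_sample_line(1024, "ok@constructed"),
          _sample_line(4096, "big@constructed", 'from="192.0.2.1" '),
          "ssh-rsa AAAAB3NzaC1yc2E= rsa@constructed"]
```

Calling `audit(open(path))` on a real `authorized_keys` file lists each DSA entry to replace; an entry reported with `None` could not be decoded and needs a manual look.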