In my previous blog post I wondered

I don’t know what the mathematical implications of having the last few bits of a private key are, but it can’t be good.

As it turns out, for DSA, quite bad.

In short, this pam_env symlink issue, in some cases, allows an attacker to lift enough private key data from a DSA key to make brute-forcing the rest feasible.

For all details, see my article.