
Re: Please restore ssh-dsa (was: cvs: Permission denied (publickey).)



> On Sat, Aug 23, 2008 at 04:37:13PM -0500, Jeffrey Ollie wrote:
> > The primary reason is that it's nearly impossible to tell if the key
> > was generated on a Debian system with the compromised OpenSSL
> > versions.

OK, I checked and it is far from impossible. After all the bug was
that there are only 32k possible keys per arch/size/type - Debian has
even issued blacklists for all keys of typical and some untypical
sizes like 1024/2048/1023/2047/4096/8192 and for some sizes they even
packaged it up, see

http://packages.debian.org/unstable/main/openssh-blacklist
http://packages.debian.org/unstable/main/openssh-blacklist-extra

If there is paranoia floating around, then why not use that blacklist
in Fedora/RHEL as well instead of nuking all DSA keys and still
allowing the bad RSA keys?

And if you are really paranoid then one can package up these
blacklists for general use by Fedora/RHEL's openssh. I don't know if
openssh has a blacklist-reject ability already coded in, though.
-- 
Axel.Thimm at ATrpms.net

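One way the blacklist lookup discussed in this message could be done server-side over an authorized_keys line, as an added example (not code from the thread or from the openssh-blacklist package). It assumes the entry format of the Debian blacklist files as used by ssh-vulnkey (hex MD5 fingerprint of the public-key blob with its first 12 digits dropped, one file per type and size) and uses constructed, non-real keys and a constructed blacklist.

```python
import base64
import hashlib
import struct

# Added example, not from the thread. Assumed openssh-blacklist layout:
# one entry per line, the hex MD5 fingerprint of the key blob with its
# first 12 hex digits dropped, grouped by key type and size.

def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    # Positive mpint: big-endian, with a leading 0x00 when the high bit is set
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def key_type_and_bits(blob: bytes):
    # Walk the SSH wire format: string type, then the key's mpints
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    kind = fields[0]
    if kind == b"ssh-rsa":   # e, n -> key size is the bit length of n
        return "RSA", int.from_bytes(fields[2], "big").bit_length()
    if kind == b"ssh-dss":   # p, q, g, y -> key size is the bit length of p
        return "DSA", int.from_bytes(fields[1], "big").bit_length()
    raise ValueError("unsupported key type: %r" % kind)

def blacklist_entry(blob: bytes) -> str:
    return hashlib.md5(blob).hexdigest()[12:]   # assumed entry format

def is_blacklisted(line: str, blacklist: dict) -> bool:
    blob = base64.b64decode(line.split()[1])
    return blacklist_entry(blob) in blacklist.get(key_type_and_bits(blob), set())

def make_rsa_line(n: int, e: int = 65537, comment: str = "test") -> str:
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

# Constructed sample data: two fake 1024-bit RSA "keys" (arbitrary moduli,
# not real keys) and a blacklist that lists only the first of them
WEAK_LINE = make_rsa_line((1 << 1023) | 0x1234567, comment="weak")
GOOD_LINE = make_rsa_line((1 << 1023) | 0x7654321, comment="good")
BLACKLIST = {("RSA", 1024): {blacklist_entry(base64.b64decode(WEAK_LINE.split()[1]))}}

if __name__ == "__main__":
    for line in (WEAK_LINE, GOOD_LINE):
        print("REJECT" if is_blacklisted(line, BLACKLIST) else "ok", line.split()[2])
```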

