[Bug 1469] Should sshd detect and reject vulnerable SSH keys (re: Debian DSA-1571 and DSA-1576)
bugzilla-daemon at bugzilla.mindrot.org
Mon Jun 16 16:32:12 EST 2008
https://bugzilla.mindrot.org/show_bug.cgi?id=1469
Solar Designer <solar at openwall.com> changed:
           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |solar at openwall.com
--- Comment #8 from Solar Designer <solar at openwall.com> 2008-06-16 16:32:07 ---
I have attached the key blacklisting code from Openwall GNU/*/Linux
(also used at least by ALT Linux). We've been using this "in
production" on many systems for 2+ weeks with no issues (and have
detected some weak keys "in the wild"). I am posting this primarily to
have everything in one place. Also relevant are these URLs:
http://www.openwall.com/lists/oss-security/2008/05/27/3 - the original
announcement
http://www.openwall.com/lists/oss-security/2008/05/27/4 - on the
forward-port to openssh-5.0p1
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/openssh/
http://git.altlinux.org/people/ldv/packages/?p=openssh.git - repositories
with these patches (and more)
Compared to the Debian patch, this uses much smaller files (less than
4.5 bytes per key for 48-bit partial fingerprints), it's very fast
(will work just fine on a VAX), it can be configured to be fail-close
(in case of errors), and the size of partial fingerprints is not
hardcoded anywhere (it's specified on the "blacklist-encode" command
line, with no need to recompile anything, so an existing build of sshd
that works with 48-bit fingerprints now will also work with, say, 64-bit
just fine).