[Bug 1469] New: Should sshd detect and reject vulnerable SSH keys (re: Debian DSA-1571 and DSA-1576)
bugzilla-daemon at bugzilla.mindrot.org
Sun May 25 06:13:29 EST 2008
https://bugzilla.mindrot.org/show_bug.cgi?id=1469
Summary: Should sshd detect and reject vulnerable SSH keys (re: Debian DSA-1571 and DSA-1576)
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.0p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: davee at ceu.ox.ac.uk
Debian/Ubuntu have added additional components to their openssh-*
packages which detect (and, on the server side, reject) vulnerable SSH
keys as a result of the broken random number generation.
http://www.debian.org/security/2008/dsa-1571
http://www.debian.org/security/2008/dsa-1576
Given that such vulnerable keys might have been uploaded to *any*
ssh-running OS, should similar detection be built into openssh
directly? It would seem odd that as a result of this vulnerability
becoming public that Debian and Ubuntu sshd servers are (once updated)
*more* secure than those running on other OSes, because the Debian and
Ubuntu servers now reject attempts to connect with those vulnerable
keys.
I've done some searching around this bugtracker and mailing list
archives, but can't even find *discussion* of this issue.
Alternatively, please tell me why such a modification to openssh would
be a really bad idea - I can then refer to this bug in other contexts
explaining why it isn't going to be done :-)
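The detection the report asks for works by comparing each offered public key against a precomputed blacklist of every key the broken generator could have produced. The following is an added illustration of that check over an authorized_keys file; it is not OpenSSH's code nor Debian's ssh-vulnkey/blacklist, and the "weak generator" that feeds the blacklist is a constructed stand-in whose only entropy is a PID, not the real Debian defect. The key blobs and the sample file are constructed inline.

```python
"""Blacklist-based rejection of known-weak SSH public keys.

Constructed example: the weak generator below is a stand-in for a broken
RNG (seeded only by a PID), used to show how a defender precomputes the
fingerprints of every key such a generator can emit and refuses them.
"""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix, then bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(pub32: bytes) -> bytes:
    """Public-key blob as it appears (base64-encoded) in authorized_keys."""
    return ssh_string(b"ssh-ed25519") + ssh_string(pub32)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def weak_pubkey(pid: int) -> bytes:
    """Constructed stand-in for a generator whose only entropy is the PID."""
    return hashlib.sha256(b"constructed-weak-seed:" + pid.to_bytes(2, "big")).digest()


def build_blacklist(max_pid: int = 32768) -> set:
    """Precompute the fingerprint of every key the weak generator can produce.
    A small seed space is exactly what makes this enumeration feasible."""
    return {fingerprint(ed25519_blob(weak_pubkey(pid))) for pid in range(1, max_pid + 1)}


def parse_line(line: str):
    """Return (keytype, blob) for an authorized_keys line, or None if unusable.
    Options may precede the key; the first token that is a known key type is
    taken as the type and the following token as the base64 blob."""
    tokens = line.strip().split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:            # binascii.Error is a ValueError
                return None
            if len(blob) < 4:
                return None
            # The blob's own leading string must agree with the declared type.
            n = struct.unpack(">I", blob[:4])[0]
            if blob[4:4 + n] != tok.encode():
                return None
            return tok, blob
    return None


def check_authorized_keys(text: str, blacklist: set):
    """Classify every line as ('accept' | 'reject' | 'skip', keytype, fingerprint)."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            results.append(("skip", None, None))
            continue
        parsed = parse_line(line)
        if parsed is None:                # malformed entry: ignore rather than trust
            results.append(("skip", None, None))
            continue
        ktype, blob = parsed
        fp = fingerprint(blob)
        results.append(("reject" if fp in blacklist else "accept", ktype, fp))
    return results


# Constructed sample data: one key from the weak generator, one sound key,
# one malformed line.
WEAK_KEY = ed25519_blob(weak_pubkey(1234))
GOOD_KEY = ed25519_blob(hashlib.sha256(b"constructed-properly-random-key").digest())
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    'command="/usr/bin/backup",no-pty ssh-ed25519 '
    + base64.b64encode(WEAK_KEY).decode() + " weak@example",
    "ssh-ed25519 " + base64.b64encode(GOOD_KEY).decode() + " good@example",
    "ssh-ed25519 not-base64!!! broken@example",
])
BLACKLIST = build_blacklist()

if __name__ == "__main__":
    for status, ktype, fp in check_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print(status, ktype, fp)
```

The blacklist is keyed on the fingerprint of the full key blob, so it is independent of comments and options on the line; a real deployment would ship the precomputed set (as the Debian packages did) rather than enumerate it at startup.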