[Bug 1469] Should sshd detect and reject vulnerable SSH keys (re: Debian DSA-1571 and DSA-1576)

bugzilla-daemon at bugzilla.mindrot.org
Mon May 26 23:44:36 EST 2008


--- Comment #3 from Colin Watson <cjwatson at debian.org>  2008-05-26 23:44:30 ---
Created an attachment (id=1508)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1508)
blacklisting and ssh-vulnkey

Here's the current patch we're using for this in Debian. I've tried to
ensure that it can at least theoretically be acceptable on all systems,
but am more than happy to work on this as necessary; I think it's
important to deploy this as widely as possible.

I believe that the blacklisting feature itself is separate from the
distribution of the blacklist files. Those are, as observed, large,
unwieldy from the point of view of distribution with OpenSSH, and not
necessarily complete (although the published blacklists for each key
type and size are complete with respect to this particular
vulnerability). However, I can imagine other uses for the blacklisting
code itself. For instance, a sysadmin responding to a compromised
machine might want to use it as a quick way to lock out use of
particular keys.
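The "lock out particular keys" use that Colin mentions boils down to: decode each authorized_keys entry to its wire-format key blob, fingerprint the blob, and refuse the entry when the fingerprint is on a blacklist. The following is an added example of that check written for this page; it is not the Debian patch, not ssh-vulnkey, and not OpenSSH code. The blacklist layout (one lowercase hex MD5 fingerprint per line, `#` comments allowed) is an assumption made for the example, not the format of the published Debian blacklist files, and the keys and lines it processes are constructed inline.

```python
"""Added example: reject authorized_keys entries whose MD5 fingerprint is on a
blacklist. Not the Debian patch or ssh-vulnkey; blacklist format is assumed."""
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: minimal big-endian bytes,
    with a leading 0x00 added when the top bit would otherwise be set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire encoding of an ssh-rsa public key (RFC 4253 section 6.6)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Hex MD5 of the key blob, the digest behind OpenSSH's old MD5 fingerprint."""
    return hashlib.md5(blob).hexdigest()


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style 'SHA256:' fingerprint (base64 without padding), for reporting."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_authorized_keys_line(line: str):
    """Return (key_type, blob) for one authorized_keys line, or None for blank
    lines, comments and lines without a well-formed key. Options may precede
    the key type, so the type field is found by name rather than by position."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError
                return None
            # The blob carries its own type string; it must agree with the text field.
            if len(blob) < 4:
                return None
            (tlen,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + tlen] != field.encode():
                return None
            return field, blob
    return None


def load_blacklist(text: str) -> set:
    """Assumed format for this example only: one lowercase hex MD5 per line."""
    return {s.strip().lower() for s in text.splitlines()
            if s.strip() and not s.strip().startswith("#")}


def filter_authorized_keys(text: str, blacklist: set):
    """Return (kept_lines, rejected, warnings): rejected lists
    (line_no, key_type, sha256_fp) for blacklisted keys; warnings lists line
    numbers of key-like lines that could not be parsed (kept as-is, since sshd
    ignores them, but worth a look after a hand edit)."""
    kept, rejected, warnings = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            if line.strip() and not line.lstrip().startswith("#"):
                warnings.append(lineno)
            kept.append(line)
            continue
        ktype, blob = parsed
        if md5_fingerprint(blob) in blacklist:
            rejected.append((lineno, ktype, sha256_fingerprint(blob)))
        else:
            kept.append(line)
    return kept, rejected, warnings


# Constructed sample data (not real keys): one key to lock out, one clean key.
BAD_BLOB = rsa_public_blob(65537, 0xC0FFEE_DEAD_BEEF_0BAD_CAFE_F00D_FACE_1234)
GOOD_BLOB = rsa_public_blob(65537, 0xA5A5_0000_0000_1337_0000_0000_4242_9999)
AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    "ssh-rsa " + base64.b64encode(BAD_BLOB).decode() + " alice@laptop",
    'command="/usr/bin/backup",no-pty ssh-rsa '
    + base64.b64encode(GOOD_BLOB).decode() + " backup@host",
    "ssh-rsa not!valid!base64 broken@host",
])
BLACKLIST = "# constructed blacklist\n" + md5_fingerprint(BAD_BLOB) + "\n"

if __name__ == "__main__":
    kept, rejected, warnings = filter_authorized_keys(AUTHORIZED_KEYS, load_blacklist(BLACKLIST))
    for lineno, ktype, fp in rejected:
        print(f"line {lineno}: rejected blacklisted {ktype} key {fp}")
    for lineno in warnings:
        print(f"line {lineno}: could not parse key, left in place")
    print("\n".join(kept))
```

Matching on the MD5 of the blob rather than on the base64 text matters: the same key can appear with different options, comments or whitespace, and a blacklist keyed on the blob's digest catches all of those spellings. In a real deployment the blacklist would be read from a file and the check applied to every authorized_keys and host key file, with the rejected fingerprints logged.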
