blacklisting the bad ssh keys?

Abe Singer abe at sdsc.edu
Thu May 22 14:19:05 EDT 2008


On Wed, May 14, 2008 at 07:52:58PM -0400, Steven M. Bellovin wrote:
> 
> Given the published list of bad ssh keys due to the Debian mistake (see
> http://metasploit.com/users/hdm/tools/debian-openssl/), should sshd be
> updated to contain a blacklist of those keys?  I suspect that a Bloom
> filter would be quite compact and efficient.

As someone who is dealing with this operationally, we (SDSC) had already
identified what Steve suggests as the desirable long-term solution.
I would reword the requirement slightly to say that the capability of
sshd should be to block use of any key specified by the administrator,
not necessarily just the published blacklist.  I think that's what Steve
may have actually meant, but clarity is helpful.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
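The following is an added example, written for this archive page; it is not code from the thread, from SDSC, or from OpenSSH. It sketches the two requirements discussed above: a Bloom filter holding the fingerprints of a large published weak-key list (compact, no false negatives, a tunable false-positive rate), and an exact administrator-maintained block set so that any key can be refused, not only the published ones. The key lines and "published" fingerprints are constructed placeholders (random blobs, not real Debian-weak keys); the fingerprint format follows ssh-keygen's "SHA256:" form, and the authorized_keys parsing assumes the plain "type base64 comment" layout with no leading options.

```python
"""Added example: a compact SSH key blacklist check (not OpenSSH code).

Two layers, matching the thread:
  * a Bloom filter over the published weak-key fingerprints (Steve's idea), and
  * an exact set of fingerprints the administrator chose to block (Abe's point).
"""
import base64
import hashlib
import math


def key_blob(authorized_keys_line: str) -> bytes:
    """Raw public-key blob from an authorized_keys-style line.
    Assumption: plain 'type base64 comment' form, no leading option field."""
    fields = authorized_keys_line.split()
    if len(fields) < 2:
        raise ValueError("not an authorized_keys line")
    return base64.b64decode(fields[1])


def fingerprint(authorized_keys_line: str) -> str:
    """SHA-256 fingerprint in ssh-keygen's 'SHA256:<base64, no padding>' form."""
    digest = hashlib.sha256(key_blob(authorized_keys_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class BloomFilter:
    """Bit array with k positions per item: never a false negative,
    false-positive rate set by the sizing below."""

    def __init__(self, expected_items: int, false_positive_rate: float):
        ln2 = math.log(2)
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        m = -expected_items * math.log(false_positive_rate) / (ln2 ** 2)
        self.k = min(32, max(1, round(m / expected_items * ln2)))
        self.m = max(1024, math.ceil(m))  # floor keeps tiny demo sets from being under-sized
        self.bits = bytearray((self.m + 7) // 8)

    def _indexes(self, item: bytes):
        # Double hashing: k indexes derived from one SHA-256 of the item.
        h = hashlib.sha256(item).digest()
        h1 = int.from_bytes(h[:8], "big")
        h2 = int.from_bytes(h[8:16], "big") | 1
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: bytes) -> None:
        for idx in self._indexes(item):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def might_contain(self, item: bytes) -> bool:
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in self._indexes(item))


class KeyBlacklist:
    """Published list in a Bloom filter plus an exact admin-specified block set."""

    def __init__(self, published_fingerprints, false_positive_rate=1e-6):
        published = list(published_fingerprints)
        self.bloom = BloomFilter(max(1, len(published)), false_positive_rate)
        for fp in published:
            self.bloom.add(fp.encode())
        self.admin_blocked = set()

    def block(self, authorized_keys_line: str) -> None:
        """Administrator refuses this specific key, whether or not it is on the published list."""
        self.admin_blocked.add(fingerprint(authorized_keys_line))

    def is_blocked(self, authorized_keys_line: str) -> bool:
        fp = fingerprint(authorized_keys_line)
        return fp in self.admin_blocked or self.bloom.might_contain(fp.encode())


def constructed_key_line(label: str) -> str:
    """Constructed placeholder key line (random-looking blob, not a real key)."""
    blob = hashlib.sha256(b"placeholder-blob:" + label.encode()).digest()
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + label + "@example"


# Constructed sample data: three "published weak" keys and one clean key.
WEAK_KEYS = [constructed_key_line("weak-%d" % i) for i in range(3)]
CLEAN_KEY = constructed_key_line("clean")


def build_blacklist() -> KeyBlacklist:
    """Blacklist loaded from the constructed 'published' list only."""
    return KeyBlacklist(fingerprint(k) for k in WEAK_KEYS)


if __name__ == "__main__":
    bl = build_blacklist()
    for line in WEAK_KEYS + [CLEAN_KEY]:
        print(fingerprint(line), "BLOCKED" if bl.is_blocked(line) else "ok")
    bl.block(CLEAN_KEY)  # operator decides this key must go too
    print(fingerprint(CLEAN_KEY), "BLOCKED" if bl.is_blocked(CLEAN_KEY) else "ok")
```

The operational caveat a deployer would want: a Bloom hit can be a false positive, so a good key may occasionally be refused at the chosen rate (here one in a million), but a listed key is never let through. If the full published list is available on disk, an exact lookup after a Bloom hit removes the false positives at the cost of one file read per hit; the administrator's own set is exact by construction.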
