blacklisting the bad ssh keys?
Abe Singer
abe at sdsc.edu
Thu May 22 16:10:23 EDT 2008
Ahh the irony, apparently Debian has implemented just such a feature,
but as a patch to ssh within their distro:
http://www.mail-archive.com/debian-devel-changes@lists.debian.org/msg214853.html
On Thu, May 22, 2008 at 11:19:05AM -0700, Abe Singer wrote:
>
> On Wed, May 14, 2008 at 07:52:58PM -0400, Steven M. Bellovin wrote:
> >
> > Given the published list of bad ssh keys due to the Debian mistake (see
> > http://metasploit.com/users/hdm/tools/debian-openssl/), should sshd be
> > updated to contain a blacklist of those keys? I suspect that a Bloom
> > filter would be quite compact and efficient.
>
> As someone who is dealing with this operationally, we (SDSC) had already
> identified what Steve suggests as the desirable long-term solution.
> I would reword the requirement slightly to say that the capability of
> sshd should be to block use of any key specified by the administrator,
> not necessarily just the published blacklist. I think that's what Steve
> may have actually meant, but clarity is helpful.
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
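An added illustration of the two requirements in the thread, Steve's Bloom filter over the bad keys and Abe's administrator-specified blacklist, as a key-blacklist check in Python. This is example code written for this page, not OpenSSH's code or Debian's patch; the sizing formulas are the standard Bloom filter ones, and the key lines are constructed placeholders, not real weak keys.

```python
import base64
import hashlib
import math

class BloomFilter:
    """Compact set-membership test: no false negatives, bounded false positives."""

    def __init__(self, expected_items, fp_rate):
        # Standard sizing: m bits and k hashes for the target false-positive rate.
        self.m = max(8, math.ceil(-expected_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Derive k bit positions from one SHA-256 digest via double hashing.
        d = hashlib.sha256(item).digest()
        h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

def key_blob(pubkey_line):
    # Only the base64 field identifies the key; type string and comment are
    # ignored, so a blacklisted key is not re-admitted by editing its comment.
    return base64.b64decode(pubkey_line.split()[1])

def build_blacklist(pubkey_lines, fp_rate=1e-6):
    # Admin-supplied list: any keys the administrator names, not only the published set.
    bf = BloomFilter(max(1, len(pubkey_lines)), fp_rate)
    for line in pubkey_lines:
        bf.add(key_blob(line))
    return bf

def is_blacklisted(bf, pubkey_line):
    # A hit may be a false positive (a good key refused: fail-closed); a miss is
    # authoritative, so a blacklisted key is never accepted.
    return key_blob(pubkey_line) in bf

# Constructed sample keys: the base64 is placeholder bytes, not real SSH key material.
def fake_key(tag, comment):
    return "ssh-rsa %s %s" % (base64.b64encode(tag.encode()).decode(), comment)

BAD_KEYS = [fake_key("constructed-weak-key-%d" % i, "user%d@debian" % i) for i in range(3)]
BLACKLIST = build_blacklist(BAD_KEYS)
```

The filter's only failure mode is a false positive, which refuses a good key; choosing `fp_rate` trades that nuisance against the bit array's size.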