Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
This website is powered by Openwall GNU/*/Linux security-enhanced OS
[<prev] [next>] [thread-next>] [month] [year] [list] 
Date: Fri, 16 May 2008 21:18:54 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: OpenSSH key blacklisting

Hi,

Are any other distros, besides Debian, Ubuntu, and derived ones, going
to implement key blacklisting in OpenSSH - or are considering it?

We are considering it for Openwall GNU/*/Linux, and if our effort would
be reused by others, or if others join us in developing and/or testing
the patch, this would be a reason for us to go for it.

I don't think we'll take the Debian/Ubuntu patch as-is.  Rather, we are
likely to use a trivial binary encoding/compression method for the
partial fingerprints.  We'd also use smaller partial fingerprints.  With
the approach I have in mind, it'd take around 4.55 bytes per key to
store 48-bit partial fingerprints, bringing the installed file size for
3 arch types and 2 key types/sizes in under 1 MB (or just over 1 MB for
3 key types/sizes).

Please comment.

Thanks,

Alexander

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux