Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Fri, 16 May 2008 19:10:58 -0300
From: "Gustavo De Nardin (spuk)" <gustavodn@...driva.com>
To: oss-security@...ts.openwall.com
Subject: Re: OpenSSH key blacklisting

* Solar Designer <solar@...nwall.com> [2008-05-17 01:58 +0400]:
> On Fri, May 16, 2008 at 05:10:43PM -0300, Gustavo De Nardin (spuk) wrote:
> > If this is going to be accepted as a more general solution, it'd be good to
> > allow also for local, admin-maintened, blacklists, not just upstream
> > maintened (and automatically updated).
> 
> I agree that this might be desirable functionality, but unfortunately it
> has a price - we'd have to maintain two file parsers and lookup
> algorithms (perhaps binary and indexed, and text and sequential) or an
> additional program to update the binary file.  (If we only create the
> binary file ourselves, then that program can be a quick hack - maybe
> even a Perl script.)
> 
> Has there been any demand for such blacklists, prior to the Debian issue
> coming up?  If not, then this additional feature is probably not worth
> implementing right away.

Not that I know of. I just imagined somewhere could have a policy like "all
keys must have X bits" or ".. X or larger" X being a non-default size. So
even if the database would be customized to have the extra keys,
auto-upgrading it (which would be desirable) could be a problem. Not a big
deal to me, personally.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux