Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Mon, 19 May 2008 13:26:36 -0700
From: Kees Cook <kees@...flux.net>
To: oss-security@...ts.openwall.com
Subject: Re: OpenSSH key blacklisting

On Sun, May 18, 2008 at 04:06:55AM +0400, Solar Designer wrote:
> Also, aren't protocol 1 keys 1024-bit RSA only, even with the latest
> ssh-keygen?
> 
> Then, is it just one set of vulnerable 1024-bit RSA keys for both
> protocols - or is it two sets?

Yes -- in the tests I did, RSA1 and RSA keys shared the same modulus,
so RSA1 is covered by the same blacklists.  RSA1024 is in the
openssh-blacklist-extra binary package in debian.

As for other corner-cases, DSA2048 weren't generate-able[1] with a broken
version of ssh-keygen, so I've been considering publishing an _empty_
DSA2048 blacklist, just so that ssh-vulnkey will report DSA2048 as "safe"
instead of "unknown".

-Kees

[1] dsa was forced to be 1024 for a while now:
$ ssh-keygen -f /tmp/foo -t dsa -b 2048
DSA keys must be 1024 bits


-- 
Kees Cook                                            @outflux.net

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux