Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 20 May 2008 17:03:11 +0200
From: Matthias Andree <matthias.andree@....de>
To: oss-security@...ts.openwall.com
Subject: Re: OpenSSH key blacklisting

Solar Designer wrote:
> Not yet, but we (Openwall) are likely to have a patch within a few days,
> and this:

> On Sat, May 17, 2008 at 04:46:30PM +0200, Robert Buchholz wrote:

>> There has been approval of your idea inside Gentoo's hardened team.

> is one of the reasons for us to go for the effort.

Thank you.

For tossing in an end-users view, it is also likely of wider interest since
keys generated once may travel (floppy, USB stick, scp/rsync/ssh-add -L,
you name it), or systems being cross-"updated" to other operating systems
(into/out of Debian/Ubuntu) for instance, so it likely wouldn't hurt to
forward the whole blacklisting or at least check tools upstream once
everyone is happy with it.

It may take some convincing upstream maintainers to help with working
around a b0rkup issue that happend by a downstream distro, but anyways, I'd
like to do some sort of "ssh-vulnkey -a" on my SUSE boxen (perhaps after
some sanity checks such as making sure the file being read by this tool is
actually a regular file after opening it and things like that).

-- 
Matthias Andree

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.