Openwall GNU/*/Linux 3.0 - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 27 May 2008 19:59:03 +0400
From: "Dmitry V. Levin" <ldv@...linux.org>
To: oss-security@...ts.openwall.com
Subject: Re: OpenSSH key blacklisting

On Tue, May 27, 2008 at 07:44:35PM +0400, Solar Designer wrote:
> On Sat, May 17, 2008 at 04:46:30PM +0200, Robert Buchholz wrote:
> > Do you have a patch to propose, implementing your idea?
> 
> Dmitry V. Levin and I have completed design of the encoding scheme, and
> Dmitry implemented it.  Now we have:
> 
> blacklist-encode.c - the encoder program;
> blacklist-check.c - the "checker" program, used for testing only;
> openssh-3.6.1p2-owl-blacklist.diff - the patch to sshd.
> 
> The patch is against an older version that we still have in Owl (with
> lots of other patches), but it is trivial to forward-port.  In fact, I
> expect that Dmitry will port it to the newer version in ALT Linux's
> distributions very soon (if not already).  Dmitry - please announce your
> forward-port in here when you have it.

These changes for ALT Linux's openssh package can be found at
http://git.altlinux.org/people/ldv/packages/?p=openssh.git
It should apply to vanilla openssh-5.0p1 with trivial modifications to
auth2-pubkey.c and servconf.c hunks.


-- 
ldv

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ