Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 20 Apr 2012 17:16:43 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: owl and openssh

On Thu, Apr 19, 2012 at 07:05:55AM +0200, Pawe?? Hajdan, Jr. wrote:
> Isn't upstream interested in those owl patches? Have they been submitted
> and rejected?

I discussed the key blacklisting stuff with upstream while we were still
designing it (we'd consider their preferences if any).  They did not
want it.  Yet we wanted to have it, and we actually caught some weak
keys (from Debian systems) in the wild shortly after we deployed those
updated packages on clients' Owl-based systems that we manage (and where
their other contractors, etc. have accounts).  So those would be real
vulnerabilities in real systems if we did not include that code.

It is understandable that OpenBSD did not want to complicate their code
because of another project's fault, and OpenSSH portable did not want to
differ in this respect this time.  They would potentially include
generic user-configurable blacklisting, but implementation and user
interface wise it would need to be substantially different from the
efficient mass blacklisting of a fixed set of keys that we needed for
dealing with the Debian incident.

In general, OpenSSH patches that we have were considered for upstream
relevance.  Some were submitted, a subset of those were merged.

I started typing specific info here, but the list was quickly getting
long, so I felt that it's not productive use of my time.  Perhaps you
did not mean to spend much of my time on an elaborate answer with your
quick question.

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ