Date: Fri, 16 May 2008 21:18:54 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: OpenSSH key blacklisting Hi, Are any other distros, besides Debian, Ubuntu, and derived ones, going to implement key blacklisting in OpenSSH - or are considering it? We are considering it for Openwall GNU/*/Linux, and if our effort would be reused by others, or if others join us in developing and/or testing the patch, this would be a reason for us to go for it. I don't think we'll take the Debian/Ubuntu patch as-is. Rather, we are likely to use a trivial binary encoding/compression method for the partial fingerprints. We'd also use smaller partial fingerprints. With the approach I have in mind, it'd take around 4.55 bytes per key to store 48-bit partial fingerprints, bringing the installed file size for 3 arch types and 2 key types/sizes in under 1 MB (or just over 1 MB for 3 key types/sizes). Please comment. Thanks, Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.