Date: Tue, 20 May 2008 17:03:11 +0200
From: Matthias Andree <matthias.andree@....de>
To: oss-security@...ts.openwall.com
Subject: Re: OpenSSH key blacklisting

Solar Designer wrote:
> Not yet, but we (Openwall) are likely to have a patch within a few days,
> and this:
> On Sat, May 17, 2008 at 04:46:30PM +0200, Robert Buchholz wrote:
>> There has been approval of your idea inside Gentoo's hardened team.
> is one of the reasons for us to go for the effort.

Thank you. For tossing in an end-user's view, it is also likely of wider interest since keys generated once may travel (floppy, USB stick, scp/rsync/ssh-add -L, you name it), or systems being cross-"updated" to other operating systems (into/out of Debian/Ubuntu) for instance, so it likely wouldn't hurt to forward the whole blacklisting or at least check tools upstream once everyone is happy with it.

It may take some convincing upstream maintainers to help with working around a b0rkup issue that happened by a downstream distro, but anyways, I'd like to do some sort of "ssh-vulnkey -a" on my SUSE boxen (perhaps after some sanity checks such as making sure the file being read by this tool is actually a regular file after opening it and things like that).

--
Matthias Andree