Nmap Development mailing list archives

Re: [NSE] script to check for weak SSH hostkeys


From: Sven Klemm <sven () c3d2 de>
Date: Sun, 19 Oct 2008 15:21:55 +0200


Fyodor wrote:
> On Sat, Oct 18, 2008 at 03:48:27PM +0200, Sven Klemm wrote:
>> Any opinions about including this and whether it should be in the
>> default category?
>
> I think it is a great script and could be quite valuable to many
> users!  But it doesn't seem very suitable for inclusion within Nmap
> because it requires a huge data file (bigger than all the rest of Nmap
> combined when compressed, IIRC) and most people won't have that
> installed.  If people need to get this data file anyway, they might as
> well get the script at the same time.  So I suggest distributing the
> data files and NSE script separately from Nmap.  You could put it in a
> web page, or an nmap-exp directory.

Currently it's in nmap-exp/sven/nse_openssl but a general repository
for NSE scripts not part of nmap seems like a good idea.

> If this sort of thing proves to be required by a whole lot of scripts,
> maybe at some point we'll host a web CGI or read-only DB for this sort
> of thing (queryme.nmap.org ;).  Obviously that would bring up the same
> issues as our other "external" scripts.

I am currently working on a similar script for SSL certificates. I am
not sure about the web CGI idea though. On the one hand this is
certainly useful for users who only occasionally check the hostkey and
have no problem submitting this information, but on the other hand it
might raise security concerns to submit this sensitive information to
a website.

Cheers,
Sven

--
Sven Klemm
http://cthulhu.c3d2.de/~sven/