oss-sec mailing list archives
Re: OpenSSH key blacklisting
From: "Craig Edwards (Brain)" <brain () chatspike net>
Date: Fri, 16 May 2008 18:24:51 +0100
Hi,

I haven't been following this debacle too closely as I don't have much to do with Debian; however, wouldn't such a system be vulnerable to false positives if you are just going to hash partial fingerprints rather than whole fingerprints?

-- Brain

Solar Designer wrote:
Hi,

Are any other distros, besides Debian, Ubuntu, and derived ones, going to implement key blacklisting in OpenSSH - or are considering it?

We are considering it for Openwall GNU/*/Linux, and if our effort would be reused by others, or if others join us in developing and/or testing the patch, this would be a reason for us to go for it.

I don't think we'll take the Debian/Ubuntu patch as-is. Rather, we are likely to use a trivial binary encoding/compression method for the partial fingerprints. We'd also use smaller partial fingerprints. With the approach I have in mind, it'd take around 4.55 bytes per key to store 48-bit partial fingerprints, bringing the installed file size for 3 arch types and 2 key types/sizes in under 1 MB (or just over 1 MB for 3 key types/sizes).

Please comment.

Thanks,

Alexander
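
The false-positive question raised above can be checked directly. The following is an added example, not part of either message and not the Debian/Ubuntu or Openwall patch: it builds a blacklist of truncated fingerprints, looks keys up in it, and estimates the per-key false-positive chance. It assumes an MD5 hash of the public key blob as the fingerprint, a list size of 200,000 entries, and hypothetical function names; the key blobs are constructed stand-ins.

```python
import bisect
import hashlib
import math

PARTIAL_BITS = 48  # partial fingerprint width named in the quoted message

def partial_fingerprint(key_blob, bits=PARTIAL_BITS):
    # Assumption: fingerprint = MD5 of the public key blob, cut to its leading bits.
    digest = hashlib.md5(key_blob).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)

def build_blacklist(key_blobs, bits=PARTIAL_BITS):
    # Sorted, de-duplicated partial fingerprints, ready for binary search.
    return sorted({partial_fingerprint(b, bits) for b in key_blobs})

def is_blacklisted(blacklist, key_blob, bits=PARTIAL_BITS):
    fp = partial_fingerprint(key_blob, bits)
    i = bisect.bisect_left(blacklist, fp)
    return i < len(blacklist) and blacklist[i] == fp

def false_positive_probability(entries, bits=PARTIAL_BITS):
    # Chance that one unrelated key matches any entry, treating the hash as uniform.
    return -math.expm1(entries * math.log1p(-(2.0 ** -bits)))

def find_false_positive(blacklist, listed, candidates, bits):
    # First candidate that is rejected although it was never listed.
    for blob in candidates:
        if blob not in listed and is_blacklisted(blacklist, blob, bits):
            return blob
    return None

if __name__ == "__main__":
    # Constructed stand-ins for weak and unaffected public key blobs (not real keys).
    weak = [b"constructed-weak-key-%d" % i for i in range(64)]
    good = [b"constructed-good-key-%d" % i for i in range(2000)]
    for bits in (8, 48):
        bl = build_blacklist(weak, bits)
        hit = find_false_positive(bl, set(weak), good, bits)
        print(bits, "bits: false positive found:", hit)
    # Assumed list size of 200,000 entries (not a figure from the thread).
    print("P(false positive per key) = %.3g" % false_positive_probability(200_000))
```

Truncation never causes a listed key to be missed; it only adds a chance of rejecting an unrelated key, and that chance grows with the number of entries and shrinks by half for every extra fingerprint bit kept.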