Re: OpenSSH key blacklisting

["Craig Edwards (Brain)" <brain () chatspike net>]

Hi,

I havent been following this debacle too closely as i dont have much to 
do with debian, however, wouldnt such a system be vulnerable to false 
positives if you are just going to hash partial fingerprints rather than 
whole fingerprints?

-- Brain

Solar Designer wrote:
> Hi,
>
> Are any other distros, besides Debian, Ubuntu, and derived ones, going
> to implement key blacklisting in OpenSSH - or are considering it?
>
> We are considering it for Openwall GNU/*/Linux, and if our effort would
> be reused by others, or if others join us in developing and/or testing
> the patch, this would be a reason for us to go for it.
>
> I don't think we'll take the Debian/Ubuntu patch as-is.  Rather, we are
> likely to use a trivial binary encoding/compression method for the
> partial fingerprints.  We'd also use smaller partial fingerprints.  With
> the approach I have in mind, it'd take around 4.55 bytes per key to
> store 48-bit partial fingerprints, bringing the installed file size for
> 3 arch types and 2 key types/sizes in under 1 MB (or just over 1 MB for
> 3 key types/sizes).
>
> Please comment.
>
> Thanks,
>
> Alexander
>