oss-sec mailing list archives
Re: OpenSSH key blacklisting
From: Kees Cook <kees () outflux net>
Date: Mon, 19 May 2008 13:26:36 -0700
On Sun, May 18, 2008 at 04:06:55AM +0400, Solar Designer wrote:
Also, aren't protocol 1 keys 1024-bit RSA only, even with the latest ssh-keygen? Then, is it just one set of vulnerable 1024-bit RSA keys for both protocols - or is it two sets?
Yes -- in the tests I did, RSA1 and RSA keys shared the same modulus, so RSA1 is covered by the same blacklists. RSA1024 is in the openssh-blacklist-extra binary package in debian. As for other corner-cases, DSA2048 weren't generate-able[1] with a broken version of ssh-keygen, so I've been considering publishing an _empty_ DSA2048 blacklist, just so that ssh-vulnkey will report DSA2048 as "safe" instead of "unknown". -Kees [1] dsa was forced to be 1024 for a while now: $ ssh-keygen -f /tmp/foo -t dsa -b 2048 DSA keys must be 1024 bits -- Kees Cook @outflux.net
Current thread:
- Re: OpenSSH key blacklisting, (continued)
- Re: OpenSSH key blacklisting Vincent Danen (May 16)
- Re: OpenSSH key blacklisting Robert Buchholz (May 16)
- Re: OpenSSH key blacklisting Solar Designer (May 16)
- Re: OpenSSH key blacklisting Robert Buchholz (May 17)
- Re: OpenSSH key blacklisting Solar Designer (May 17)
- Re: OpenSSH key blacklisting Robert Buchholz (May 17)
- Re: OpenSSH key blacklisting Solar Designer (May 17)
- Re: OpenSSH key blacklisting Kees Cook (May 18)
- Re: OpenSSH key blacklisting Solar Designer (May 18)
- Re: OpenSSH key blacklisting Kees Cook (May 19)
- Re: OpenSSH key blacklisting Solar Designer (May 16)
- Re: OpenSSH key blacklisting Kees Cook (May 19)
- Re: OpenSSH key blacklisting Kees Cook (May 18)
- Re: OpenSSH key blacklisting Matthias Andree (May 20)
- Re: OpenSSH key blacklisting Solar Designer (May 27)
- Re: OpenSSH key blacklisting Dmitry V. Levin (May 27)
- Re: OpenSSH key blacklisting Tim Brown (May 28)
- Re: OpenSSH key blacklisting Sebastian Krahmer (May 28)
- Re: OpenSSH key blacklisting Tim Brown (Jun 02)
- Re: OpenSSH key blacklisting Sebastian Krahmer (Jun 02)
- Re: OpenSSH key blacklisting Nathanael Hoyle (Jun 04)
- Re: OpenSSH key blacklisting The Fungi (Jun 04)